On 3/23/2013 3:54 PM, Alan DeKok wrote:
Thomas Hruska wrote:
<snip>
Read proxy.conf.
[Sigh] I have. It doesn't make sense to me. Why enable it as a
default if it isn't necessary for basic functionality? Hopefully you
can see how the average user might be confused, "Hey the authors enabled
this by default. Maybe there is a very important reason for that. I'll
go ahead and leave it alone because they know better." But I see an
open port and wonder if it is actually necessary. So I figured I would
ask to obtain some knowledge of why it is enabled by default, hence the
original questions. Here's the text from 'radiusd.conf':
# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the "yes" to "no", and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
#
Nowhere in there does it explain why proxying is on by default. It just
says that it can be turned off. I want to know why it is on by default
in the first place. From what I'm beginning to understand, based on
your reply, FreeRADIUS opens a port that isn't necessary for basic
functionality as part of its default installation. That sort of
behavior should at least raise an eyebrow if not a few red flags.
Not sure why I would need this either. Based on the 'secret' string's
value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm
not 100% confident about that.
No. Clients have nothing to do with proxies.
Do you plan on testing your server? If so, that entry can be useful.
The default client secrets(s) should be different from the default proxy
secret(s) to avoid confusion for first-time users.
I missed that it is there for testing. And I see why:
#######################################################################
#
# Define RADIUS clients (usually a NAS, Access Point, etc.).
#
# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
#
#
# Each client has a "short name" that is used to distinguish it from
# other clients.
#
# In version 1.x, the string after the word "client" was the IP
# address of the client. In 2.0, the IP address is configured via
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
# format is still accepted.
#
Most of that seems irrelevant to EAP-TLS. A certificate isn't exactly a
password - it can expire, but the message "Password Has Expired" seems
like it will never appear (or, if it does, it'll be confusing to a
user). I'm probably not going to use the 'logintime' features. 'exec'
might be useful since I probably will use the external 'openssl' based
'verify' method in 'eap.conf' (unless someone can suggest a better
approach).
So... delete the things you're not using. That's why there are
comments explaining what those modules do. So you can learn, and think
for yourself.
Again, defaults exist for a reason. The reasons for the defaults are
what I'm actually after here.
Some of the stuff in 'eap.conf' is confusing. I've commented
out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left
uncommented and set 'default_eap_type = tls', but I'm not sure if that
is all I need to do. Documentation on setting up an "EAP-TLS only"
RADIUS server is limited.
I mean it's nonsense to *expect*
that there will be lots of documentation on setting up your exact
desired configuration.
All I was asking here was if commenting out those protocols in
'eap.conf' was all I have to do to disable them? A simple confirmation
would suffice.
You're looking for reassurance that editing the config files won't
cause the server to explode in flaming metal. It won't. Edit them.
I admit that there is a little of that, but I'm just trying to save
myself from breaking things too badly by understanding why the defaults
are the defaults before I go and blow away large portions of config.
--
Thomas Hruska
CubicleSoft President
I've got great, time saving software that you might find useful.
http://cubiclesoft.com/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
