TCP/TLS - radsec / application

[Jason Rohm]

I've been doing some research and it seems like there has been a lot of
talk about radsec and some movement on the IETF standardization front, but
I'm unclear about the state of radsec within the freeradius codebase. I've
downloaded the current master source as of a few days ago and successfully
compiled it on CentOS 6.2 64bit. Everything seems to work save some EAP
stuff that I'm not using and was able to disable around, but I can't
figure out if the radsec is there and not documented or if it isn't in
there at all.

I'm asking because I have a specific use-case that is somewhat similar to
how edu-roam is doing that I want to implement and was hoping someone can
steer me in the right direction.

I'm looking to implement a multi-tier radius hierarchy to deploy
centralized user logins to managed network devices in a number of my
managed IT customers (I'm the service provider).

What I want to accomplish is something similar to:
(pardon the ASCII Visio)

[NAS (Typically Cisco Router/Switch)]
    --Standard Radius Auth-->
        [Onsite FreeRadius as proxy/realm selector]
            --Standard Radius Auth--> @customer.domain
                [Customer's Server (typically MS IAS/NPS)
              Or
            --TCP/TLS Radius Auth--> @service_provider.domain
		[Internet facing FreeRadius]
                    --Standard Radius Auth or LDAP-->
                        [Our backend user database (currently AD)]


Right now our solution is to implement the same hierarchy but to use
standard UDP radius over SSH/socat tunnels for the onsite to off-site
communication. A radsec solution would be cleaner and probably more
reliable.

So my questions are:

-Is the radsec code included in the mainline git repo?
-If not, where do I get it?
-If so, does anyone have any quick and dirty doc somewhere or a working
example?
-Am I nuts for even trying this?
 
Jason Rohm
Communications Architect
SRC Technologies Inc.