Hi Yoann I've used RadSec with EAP-TLS on my FR (3.2 release). I have my own Radsec client and did not use the opensource radsecproxy. I'll answer some of your questions first 1 The cert+CA chain for Radsec is logically completely different than the cert+CA chain for EAP-TLS. The former is used to secure the transport (using TLS) between the NAS/Authenticator/Radius-client and FR. The latter is used for wireless/wired clients to mutually authenticate with the FR. In fact you can use the same CA for generating the Radsec server cert (for authenticating to the NAS/AP) and the Radius server cert (for authenticating to wireless clients). You may even use the same server cert for both as long as the other party can validate the cert 2 There is no conflict here about requiring EAP-TLS to be PKI only. You may have to setup OCSP/CRL on the FR side (I have not done it; others have). This won't interfere with Radsec in any way Here's my FR configs to support Radsec. I assume you already have the support for EAP-TLS over plain Radius. If you don't, first get that working over plain Radius before adding on Radsec I've attached a tarball that has everything you need to build an image that runs FR with Radsec support. To use this copy it into your ~/tmp folder (say) and then do cd ~/tmp mkdir FR_Radsec; cd FR_Radsec tar xzf ../FR_docker.tgz docker build -t freeradius_radsec -f Dockerfile RADIUS_DOCKER_FILES This will produce a Docker image freeradius_radsec To run the Docker image do. This will create a container whose ID you can get using the command 'docker ps' docker run -dt freeradius_radsec Then run cmd below to get a shell into the running container. <cid> is the container ID docker exec -it <cid> bash # cd /etc/freeradius/3.0/sites-available/ # less tls The very 1st section of the 'tls' file is the Radsec configuration. You need to replace the following files /etc/freeradius/3.0/certs/server.pem - This has already expired ! But you need to use the Radsec server cert that you generated using your CA server.key - Private key corresponding to cert above ca.pem - This has also expired. Please replace with your own The next section in the 'tls' fils is 'clients'. Replace the IP 20.20.20.20 with the IP of your NAS/AP/Controller EAP-TLS configuration This is in /etc/freeradius/3.0/mods-available/eap. Edit this file to match yours Hope this helps -gopal raman On Sat, Apr 19, 2025 at 8:28 AM Yoann Gini <yoann.gini@gmail.com> wrote:
Hello,
As said on the other thread, I’m trying to use RadSec to provide EAP-TLS authentication for remote site. I’m mainly a NPS user during last years, it’s been a while since I haven’t used Freeradius.
I’m a little bit lost in the set of configuration to do here, especially since some parts seems redundant between RadSec and EAP-TLS.
Especially, I will have different intermediate certificates authority to authenticate access points on one side and wireless client on the other.
Also, the configuration for EAP-TLS will need to be PKI based only (authenticate and authorize if certificate based authentication works and if the certificate is not revoked). No per-user authorization expected, and the FreeRadius server is expected to not know the list of valid users, solely relying on PKI for that.
So if someone can lead me to a clean article about the use of RadSec + EAP-TLS in FreeRadius, or if someone can take the time to explain it to me, I’m really interested.
Thanks a lot - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html