work vlpl <thework.vlpl@gmail.com> wrote:
Hello, I successfully configured freeradius server to support radsec and using radsecproxy to test it. But I have a few questions. I tried to find answers in the example configuration files, but it looks like there aren’t
Reading https://github.com/FreeRADIUS/freeradius-server/issues/2292 ...may provide you with some information about the status of some of the features you are interested in.
judging by configuration in `tls` file I assume that freeradius uses ip address + certificate.
FreeRADIUS lets you limit what source IP addresses you accept RadSec connections from, in addition to certifying them with PKI. If you want. I've never tried it, but you can probably use a wildcard client stanza with proto = tls.
It is very unlikely, but what if I will have to, or I will want to proxy radsec request to home server without client certificate (TLS-PSK). I should removed only secret value from configuration?
I think you may be confusing the "secret" with the PSK. The "secret" in all RadSec should be set to "radsec" because the "secret" is obsolete if you are using TLS. You need to be removing the cert-related directives and looking at the psk_query or psk_identity+psk_hexphrase directives. The comments in the sample config probably need some work. When you figure it out, send a patch! :-)
I'm interested in radius clients identification. Is it possible to get radius client id in radius config section that support unlang? For example CN or fingerprint from radius client certificate, like its by done for EAP-TLS request.
See the above github issue... support will vary depending on how close to the bleeding edge your server is.