Hello, I successfully configured freeradius server to support radsec and using radsecproxy to test it. But I have a few questions. I tried to find answers in the example configuration files, but it looks like there aren’t Why "Initial implementation" https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-avai... something important is not supported yet? If I understand radsec rfc correctly there are 3 possible ways to identify clients https://tools.ietf.org/html/draft-ietf-radext-radsec-12#section-2.4 by rfc all 3 should use some part of client certificate or TLS identifier. But judging by configuration in `tls` file I assume that freeradius uses ip address + certificate. Or only ip address if `proto = tcp` https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-avai... Am I right? It is very unlikely, but what if I will have to, or I will want to proxy radsec request to home server without client certificate (TLS-PSK). I should removed only secret value from configuration https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-avai... ? To test radsec I used radsecproxy + radlclient/eapol_test. Is there any other worthy utility for this? This is the quote from RFC Introduction https://tools.ietf.org/html/draft-ietf-radext-radsec-12#section-1
The new features in RADIUS over TLS obsolete the use of IP addresses and shared MD5 secrets to identify other peers and thus allow the use of more contemporary trust models, e.g. checking a certificate by inspecting the issuer and other certificate properties.
I'm interested in radius clients identification. Is it possible to get radius client id in radius config section that support unlang? For example CN or fingerprint from radius client certificate, like its by done for EAP-TLS request. -- Vladimir