General question about RadSec implementation on FR 3.2.x
Hi guys I know, there is a documentation page about RadSec: https://www.freeradius.org/documentation/freeradius-server/3.2.8/howto/proto... But I have some general questions about the RadSec implementation on FR 3.2.x, which I think are not answered in the above documentation page: 1. When I want to proxy RADIUS requests to other RADIUS servers over RadSec (TLS/2083): a) do I have to configure the home servers in /etc/freeradius/sites-enabled/tls as well, only in the tls file or only in the proxy.conf? --> I did a test with configuring them only in /etc/freeradius/proxy.conf and the requests were proxied over TLS/2083 to the configured RADIUS proxy servers: home_server xyz-TLS { type = auth+acct ipaddr = 1.2.3.4 proto = tcp port = 2083 secret = radsec tls { private_key_file = ${certdir}/radsec.key certificate_file = ${certdir}/radsec.pem ca_file = ${cadir}/radsec-ca.pem fragment_size = 8192 } response_window = 20 zombie_period = 40 status_check = status-server check_interval = 30 num_answers_to_alive = 3 } b) what about a mixed deployment, where some of the RADIUS proxy / home servers are accessed over RADIUS (UDP/1812) and some others are access over RadSec (TCP/2083)? 2. When I want to answer RADIUS requests from other RADIUS proxy servers over RadSec (TCP/2083): a) do I have to configure the clients in /etc/freeradius/sites-enabled/tls as well or only in the tls file? If only in the tls file, I can remove them from the clients.conf file, correct? b) same as 1.a), what about a mixed deployment; some RADIUS clients are RADIUS (UDP/1812), some are RadSec (TCP/2083)? Thanks and regards Dominic _________________________________ Universität Bern Abteilung Informatikdienste Dominic Stalder Network Engineer Hochschulstrasse 6 CH-3012 Bern Tel. +41 (0)31 684 38 18 dominic.stalder@unibe.ch<mailto:dominic.stalder@unibe.ch> www.id.unibe.ch _________________________________
On Apr 16, 2025, at 10:19 AM, dominic.stalder@unibe.ch wrote:
I know, there is a documentation page about RadSec: https://www.freeradius.org/documentation/freeradius-server/3.2.8/howto/proto...
But I have some general questions about the RadSec implementation on FR 3.2.x, which I think are not answered in the above documentation page:=
Sure.
1. When I want to proxy RADIUS requests to other RADIUS servers over RadSec (TLS/2083):
a) do I have to configure the home servers in /etc/freeradius/sites-enabled/tls as well, only in the tls file or only in the proxy.conf?
It doesn't matter where the home servers are defined. if you put them somewhere and it works, then that's fine.
b) what about a mixed deployment, where some of the RADIUS proxy / home servers are accessed over RADIUS (UDP/1812) and some others are access over RadSec (TCP/2083)?
You can put the home servers almost anywhere. The only restriction is that they can't exist inside of another section. i.e. they can't go into a "listen" section, or an "authorize" section.
2. When I want to answer RADIUS requests from other RADIUS proxy servers over RadSec (TCP/2083):
a) do I have to configure the clients in /etc/freeradius/sites-enabled/tls as well or only in the tls file? If only in the tls file, I can remove them from the clients.conf file, correct?
You can put clients almost anywhere, too.
b) same as 1.a), what about a mixed deployment; some RADIUS clients are RADIUS (UDP/1812), some are RadSec (TCP/2083)?
The same as above. The server is fine with defining multiple clients in different files. Alan DeKok.
Hi Alan Thanks for the fast and informative feedback. When I get your answer correct, I can just can put: 1. all RADIUS [UDP] & RadSec [TCP] clients into clients.conf and it does work 2. all RADIUS [UDP] & RadSec [TCP] home servers into proxy.conf and it does work So I can "consolidate" all clients and all home servers in one location respectively? Regards Dominic Am 16.04.25, 17:12 schrieb "Freeradius-Users im Auftrag von Alan DeKok" <freeradius-users-bounces+dominic.stalder=unibe.ch@lists.freeradius.org <mailto:unibe.ch@lists.freeradius.org> im Auftrag von aland@deployingradius.com <mailto:aland@deployingradius.com>>: On Apr 16, 2025, at 10:19 AM, dominic.stalder@unibe.ch <mailto:dominic.stalder@unibe.ch> wrote:
I know, there is a documentation page about RadSec: https://www.freeradius.org/documentation/freeradius-server/3.2.8/howto/proto... <https://www.freeradius.org/documentation/freeradius-server/3.2.8/howto/protocols/proxy/enable_radsec.html>
But I have some general questions about the RadSec implementation on FR 3.2.x, which I think are not answered in the above documentation page:=
Sure.
1. When I want to proxy RADIUS requests to other RADIUS servers over RadSec (TLS/2083):
a) do I have to configure the home servers in /etc/freeradius/sites-enabled/tls as well, only in the tls file or only in the proxy.conf?
It doesn't matter where the home servers are defined. if you put them somewhere and it works, then that's fine.
b) what about a mixed deployment, where some of the RADIUS proxy / home servers are accessed over RADIUS (UDP/1812) and some others are access over RadSec (TCP/2083)?
You can put the home servers almost anywhere. The only restriction is that they can't exist inside of another section. i.e. they can't go into a "listen" section, or an "authorize" section.
2. When I want to answer RADIUS requests from other RADIUS proxy servers over RadSec (TCP/2083):
a) do I have to configure the clients in /etc/freeradius/sites-enabled/tls as well or only in the tls file? If only in the tls file, I can remove them from the clients.conf file, correct?
You can put clients almost anywhere, too.
b) same as 1.a), what about a mixed deployment; some RADIUS clients are RADIUS (UDP/1812), some are RadSec (TCP/2083)?
The same as above. The server is fine with defining multiple clients in different files. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
On Apr 17, 2025, at 2:24 AM, <dominic.stalder@unibe.ch> <dominic.stalder@unibe.ch> wrote:
Hi Alan
Thanks for the fast and informative feedback. When I get your answer correct, I can just can put:
1. all RADIUS [UDP] & RadSec [TCP] clients into clients.conf and it does work
2. all RADIUS [UDP] & RadSec [TCP] home servers into proxy.conf and it does work
So I can "consolidate" all clients and all home servers in one location respectively?
Yes. The file names don't matter. All of the files are merged into one via $INCLUDE statements. So you can add clients to the bottom of a virtual server file if you want. What matters is the sections. If you put clients into a "name { ...} " section, then they won't be found. Each section has a pre-defined purpose, and a pre-defined content. Alan DeKok.
Hi Alan Thanks a lot, got it. Regards Am 17.04.25, 13:22 schrieb "Freeradius-Users im Auftrag von Alan DeKok" <freeradius-users-bounces+dominic.stalder=unibe.ch@lists.freeradius.org <mailto:unibe.ch@lists.freeradius.org> im Auftrag von aland@deployingradius.com <mailto:aland@deployingradius.com>>: On Apr 17, 2025, at 2:24 AM, <dominic.stalder@unibe.ch <mailto:dominic.stalder@unibe.ch>> <dominic.stalder@unibe.ch <mailto:dominic.stalder@unibe.ch>> wrote:
Hi Alan
Thanks for the fast and informative feedback. When I get your answer correct, I can just can put:
1. all RADIUS [UDP] & RadSec [TCP] clients into clients.conf and it does work
2. all RADIUS [UDP] & RadSec [TCP] home servers into proxy.conf and it does work
So I can "consolidate" all clients and all home servers in one location respectively?
Yes. The file names don't matter. All of the files are merged into one via $INCLUDE statements. So you can add clients to the bottom of a virtual server file if you want. What matters is the sections. If you put clients into a "name { ...} " section, then they won't be found. Each section has a pre-defined purpose, and a pre-defined content. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
participants (2)
-
Alan DeKok -
dominic.stalder@unibe.ch