TCP/TLS - radsec / application

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Fri Mar 23 20:57:19 CET 2012


Hi,

> I've been doing some research and it seems like there has been a lot of
> talk about radsec and some movement on the IETF standardization front, but
> I'm unclear about the state of radsec within the freeradius codebase. I've
> downloaded the current master source as of a few days ago and successfully
> compiled it on CentOS 6.2 64bit. Everything seems to work save some EAP
> stuff that I'm not using and was able to disable around, but I can't
> figure out if the radsec is there and not documented or if it isn't in
> there at all.

the 'RADSEC' (RADIUS over TLS/TCP) support is in the master branch:

git clone git://git.freeradius.org/freeradius-server.git

(read http://git.freeradius.org/)


the stuff you are looking for is in the 'tls' virtual server - which isn't
enabled by default IIRC - so just put a link from it into sites-enabled... and
read the 'tls' virtual server carefully.

I am a little concerned about the 'save some EAP stuff that I'm not using and was able
to disable around' - you will need to ensure that OpenSSL-devel packages are installed
so that you can compile in the TLS support.

once you have it running, simply get a 'CA' that your RADIUS servers all trust (I'd go for a
private self-signed one) and sign the servers with it... et voilà! you can now do RADSEC
(oh, with the caveat that all your servers will have to have the TCP 2083 port open and firewalls
between sites sorted out etc.... but I'd assume that work would get done)


alan
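As an added example (not from Alan's mail or the FreeRADIUS project), here is the CA step above worked through with openssl: one private CA that every RADIUS server trusts, a server cert signed by it, and the chain check that rejects a cert issued by some other CA. The CA and host names are constructed; the script needs the openssl binary.

```shell
#!/bin/sh
# Added example: a throwaway private CA for a RADSEC deployment. Every RADIUS
# server trusts radsec-ca.pem; each server's own cert is signed by it; a cert
# from any other CA must fail the chain check. Names below are constructed.
set -e
WORK=$(mktemp -d)

# make_ca NAME: self-signed CA cert and key as $WORK/NAME.pem and $WORK/NAME.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# sign_server CA HOST: key + CSR for HOST, then a server cert issued by CA
sign_server() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 825 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_peer CA HOST: exit 0 only if HOST's cert chains to CA. This is the
# check a RADSEC peer makes against its trusted CA before accepting the TLS
# session, so a server signed by an unknown CA is turned away.
verify_peer() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca radsec-ca                          # the CA all our RADIUS servers trust
make_ca rogue-ca                           # some other organisation's CA
sign_server radsec-ca radius1.example.org  # one of our servers
sign_server rogue-ca  radius-x.example.net # a server we do not trust

verify_peer radsec-ca radius1.example.org && echo "radius1: trusted"
verify_peer radsec-ca radius-x.example.net || echo "radius-x: rejected (not signed by our CA)"
```

Each RADIUS server then points its TLS listener at radsec-ca.pem as the trusted CA and uses its own signed cert and key; peers signed by any other CA are refused at the TLS handshake.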

