A few questions about radsec

work vlpl thework.vlpl at gmail.com
Fri Feb 15 19:47:11 CET 2019


Hello,

I successfully configured a freeradius server to support radsec and am
using radsecproxy to test it.
But I have a few questions. I tried to find answers in the example
configuration files, but it looks like there aren't any.

Why "Initial implementation"?
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-available/tls#L3
Is something important not supported yet?


If I understand the radsec RFC correctly, there are 3 possible ways to
identify clients
https://tools.ietf.org/html/draft-ietf-radext-radsec-12#section-2.4 and by
the RFC all 3 should use some part of the client certificate or a TLS
identifier. But judging by the configuration in the `tls` file I assume that
freeradius uses IP address + certificate, or only the IP address if `proto
= tcp` https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-available/tls#L355
Am I right?


It is very unlikely, but what if I have to, or want to,
proxy radsec requests to a home server without a client certificate
(TLS-PSK)? Should I remove only the secret value from the configuration
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-available/tls#L383
?

To test radsec I used radsecproxy + radclient/eapol_test. Is there
any other worthy utility for this?

This is a quote from the RFC Introduction
https://tools.ietf.org/html/draft-ietf-radext-radsec-12#section-1

> The new features in RADIUS over TLS obsolete the use of IP addresses and shared MD5 secrets to identify other peers and thus allow the use of more contemporary trust models, e.g. checking a certificate by inspecting the issuer and other certificate properties.

I'm interested in RADIUS client identification. Is it possible to get the
RADIUS client id in a radius config section that supports unlang? For
example the CN or fingerprint from the RADIUS client certificate, like is
done for EAP-TLS requests.

--
Vladimir
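A shell illustration of the trust model the quoted RFC paragraph describes (identify a RadSec peer by its certificate's subject CN and SHA-256 fingerprint, not by source IP and shared secret), added here as an example and not taken from the post or from FreeRADIUS or radsecproxy. It assumes `openssl` is on the path; the certificates and the tab-separated allowlist format are constructed for the example and are not any product's configuration.

```shell
#!/bin/sh
# Added example: constructed self-signed "client" certificates are generated
# locally, then checked against an allowlist of (CN, SHA-256 fingerprint).
set -e
WORK=$(mktemp -d)

# gen_client CN OUTFILE: constructed test certificate (assumes openssl)
gen_client() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2" 2>/dev/null
}

# cert_cn FILE: subject CN of a PEM certificate
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cert_fp FILE: SHA-256 fingerprint as colon-separated hex
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# client_allowed FILE: succeeds only if BOTH the CN and the fingerprint
# match one allowlist line, so a second cert with the same CN but a
# different key (CN spoofing) is rejected.
ALLOWLIST="$WORK/allowed_clients.txt"
client_allowed() {
  grep -Fqx "$(printf '%s\t%s' "$(cert_cn "$1")" "$(cert_fp "$1")")" "$ALLOWLIST"
}

# Constructed peers: the legitimate NAS, and an impostor reusing its CN.
gen_client nas1.example.org "$WORK/nas1.pem"
gen_client nas1.example.org "$WORK/impostor.pem"
printf '%s\t%s\n' "$(cert_cn "$WORK/nas1.pem")" "$(cert_fp "$WORK/nas1.pem")" \
  > "$ALLOWLIST"
```

Running `client_allowed "$WORK/nas1.pem"` succeeds while `client_allowed "$WORK/impostor.pem"` fails, which is the property an IP-plus-shared-secret check cannot give you once a peer's address or secret is shared or spoofed.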



More information about the Freeradius-Users mailing list