[EXTERNAL] A few questions about radsec

Brian Julin BJulin at clarku.edu
Fri Feb 15 20:53:10 CET 2019

work vlpl <thework.vlpl at gmail.com> wrote:
> Hello,
> I successfully configured freeradius server to support radsec and
> using radsecproxy to test it.
> But I have a few questions. I tried to find answers in the example
> configuration files, but it looks like there aren’t

Reading https://github.com/FreeRADIUS/freeradius-server/issues/2292

...may provide you with some information about the status of some
of the features you are interested in.

> judging by configuration in `tls` file I assume that
> freeradius uses ip address + certificate.

FreeRADIUS lets you limit what source IP addresses you accept
RadSec connections from, in addition to certifying them with PKI.
If you want.  I've never tried it, but you can probably use a wildcard
client stanza with proto = tls.

> It is very unlikely, but what if I will have to, or I will want to
> proxy radsec request to home server without client certificate
> (TLS-PSK). I should removed only secret value from configuration?

I think you may be confusing the "secret" with the PSK.  The "secret"
in all RadSec should be set to "radsec" because the "secret" is obsolete
if you are using TLS.  You need to be removing the cert-related
directives and looking at the psk_query or psk_identity+psk_hexphrase
directives.  The comments in the sample config probably need some work.
When you figure it out, send a patch! :-)

> I'm interested in radius clients identification. Is it possible to get
> radius client id in radius config section that support unlang? For
> example CN or fingerprint from radius client certificate, like its by
> done for EAP-TLS request.

See the above github issue... support will vary depending on how close
to the bleeding edge your server is.

More information about the Freeradius-Users mailing list