A few questions about radsec

Alan DeKok aland at deployingradius.com
Fri Feb 15 22:33:14 CET 2019

On Feb 15, 2019, at 1:47 PM, work vlpl <thework.vlpl at gmail.com> wrote:
> Why "Initial implementation"
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-available/tls#L3
> something important is not supported yet?

  It's fully supported.  That text is just old and hadn't been updated.

> If I understand radsec rfc correctly there are 3 possible ways to
> identify clients
> https://tools.ietf.org/html/draft-ietf-radext-radsec-12#section-2.4 by

  See RFC 6615 for the final revision of the standard.

> rfc all 3 should use some part of client certificate or TLS
> identifier. But judging by configuration in `tls` file I assume that
> freeradius uses ip address + certificate.

  It can use both.

  Note that there is *no problem* with doing source IP filtering.  In fact, you likely want to do that, even for RadSec.  The alternative is to have random people hammer your RADIUS server with connection attempts.

> Or only ip address if `proto
> = tcp` https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-available/tls#L355
> Am I right?

  See RFC 6613 for a description of RADIUS over TCP.

  For that, FreeRADIUS uses the source IP, because there are no certificates available.  Just like with normal RADIUS / UDP.

> It is very unlikely, but what if I will have to, or I will want to
> proxy radsec request to home server without client certificate
> (TLS-PSK). I should remove only the secret value from the configuration
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-available/tls#L383
> ?

  No... the RFC says that the secret is always "radsec" for RadSec connections. 

> To test radsec I used radsecproxy + radclient/eapol_test. Is there
> any other worthy utility for this?

  radsecproxy is fine.

> This is the quote from RFC Introduction
> https://tools.ietf.org/html/draft-ietf-radext-radsec-12#section-1
>> The new features in RADIUS over TLS obsolete the use of IP addresses and shared MD5 secrets to identify other peers and thus allow the use of more contemporary trust models, e.g. checking a certificate by inspecting the issuer and other certificate properties.
> I'm interested in radius clients identification. Is it possible to get
> radius client id in radius config section that support unlang? For
> example CN or fingerprint from radius client certificate, like it's
> done for EAP-TLS requests.

  Yes.  See the GitHub issue Brian pointed you to.  I'll go update the documentation in the virtual server.

  Alan DeKok.
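A configuration sketch of the setup Alan describes (source-IP filtering on top of a required client certificate, and the fixed shared secret "radsec" for both the listener and a RadSec home server), added here as an example; it is not from the thread or from the FreeRADIUS distribution's own `tls` site file. The certificate paths, the network ranges and the home server address are placeholders.

```conf
# Added example (not from the thread or the FreeRADIUS distribution).
# RadSec listener: RADIUS over TCP port 2083 with TLS, client certificate required.
listen {
	ipaddr = *
	port = 2083
	type = auth
	proto = tcp
	clients = radsec        # only clients from the "radsec" list below may connect
	virtual_server = default

	tls {
		private_key_file    = ${certdir}/server.pem   # placeholder paths
		certificate_file    = ${certdir}/server.pem
		ca_file             = ${cadir}/ca.pem
		dh_file             = ${certdir}/dh
		fragment_size       = 8192
		tls_min_version     = "1.2"
		require_client_cert = yes   # peer must present a certificate chaining to ca_file
	}
}

# Source-IP filtering: only these networks may even open a RadSec connection,
# so strangers cannot hammer the server with TLS handshakes.
# The RADIUS shared secret over TLS is fixed to "radsec" by the RadSec RFC.
clients radsec {
	client nas_network {
		ipaddr = 192.0.2.0/24     # placeholder documentation range
		proto  = tls
		secret = radsec
	}
}

# Proxying to a RadSec home server: same fixed secret, our own certificate presented.
home_server radsec_home {
	ipaddr = 198.51.100.10        # placeholder
	port   = 2083
	type   = auth
	proto  = tcp
	secret = radsec
	status_check = none

	tls {
		private_key_file = ${certdir}/client.pem   # placeholder paths
		certificate_file = ${certdir}/client.pem
		ca_file          = ${cadir}/ca.pem
	}
}
```

A plain `proto = tcp` client (RFC 6613, no TLS) is matched on source IP and its configured secret only, since no certificate is available.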
