General question about RadSec implementation on FR 3.2.x

dominic.stalder at unibe.ch dominic.stalder at unibe.ch
Wed Apr 16 14:19:33 UTC 2025


Hi guys

I know there is a documentation page about RadSec: https://www.freeradius.org/documentation/freeradius-server/3.2.8/howto/protocols/proxy/enable_radsec.html

But I have some general questions about the RadSec implementation on FR 3.2.x, which I think are not answered in the above documentation page:


1. When I want to proxy RADIUS requests to other RADIUS servers over RadSec (TLS/2083):

a) do I have to configure the home servers in /etc/freeradius/sites-enabled/tls as well, only in the tls file or only in the proxy.conf?

--> I did a test with configuring them only in /etc/freeradius/proxy.conf and the requests were proxied over TLS/2083 to the configured RADIUS proxy servers:

home_server xyz-TLS {
        type = auth+acct
        ipaddr = 1.2.3.4
        proto = tcp
        port = 2083
        secret = radsec
        tls {
                private_key_file = ${certdir}/radsec.key
                certificate_file = ${certdir}/radsec.pem
                ca_file = ${cadir}/radsec-ca.pem
                fragment_size = 8192
        }
        response_window = 20
        zombie_period = 40
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
}

b) what about a mixed deployment, where some of the RADIUS proxy / home servers are accessed over RADIUS (UDP/1812) and some others are accessed over RadSec (TCP/2083)?


2. When I want to answer RADIUS requests from other RADIUS proxy servers over RadSec (TCP/2083):

a) do I have to configure the clients in /etc/freeradius/sites-enabled/tls as well or only in the tls file? If only in the tls file, I can remove them from the clients.conf file, correct?

b) same as 1.a), what about a mixed deployment; some RADIUS clients are RADIUS (UDP/1812), some are RadSec (TCP/2083)?

Thanks and regards
Dominic
_________________________________
Universität Bern
Abteilung Informatikdienste

Dominic Stalder
Network Engineer

Hochschulstrasse 6
CH-3012 Bern
Tel. +41 (0)31 684 38 18
dominic.stalder at unibe.ch
www.id.unibe.ch
_________________________________

