General question about RadSec implementation on FR 3.2.x
Alan DeKok
aland at deployingradius.com
Wed Apr 16 15:12:00 UTC 2025
On Apr 16, 2025, at 10:19 AM, dominic.stalder at unibe.ch wrote:
> I know, there is a documentation page about RadSec: https://www.freeradius.org/documentation/freeradius-server/3.2.8/howto/protocols/proxy/enable_radsec.html
>
> But I have some general questions about the RadSec implementation on FR 3.2.x, which I think are not answered in the above documentation page:
Sure.
> 1. When I want to proxy RADIUS requests to other RADIUS servers over RadSec (TLS/2083):
>
> a) do I have to configure the home servers in /etc/freeradius/sites-enabled/tls as well, only in the tls file or only in the proxy.conf?
It doesn't matter where the home servers are defined. If you put them somewhere and it works, then that's fine.
> b) what about a mixed deployment, where some of the RADIUS proxy / home servers are accessed over RADIUS (UDP/1812) and some others are accessed over RadSec (TCP/2083)?
You can put the home servers almost anywhere. The only restriction is that they can't exist inside of another section. i.e. they can't go into a "listen" section, or an "authorize" section.
> 2. When I want to answer RADIUS requests from other RADIUS proxy servers over RadSec (TCP/2083):
>
> a) do I have to configure the clients in /etc/freeradius/sites-enabled/tls as well or only in the tls file? If only in the tls file, I can remove them from the clients.conf file, correct?
You can put clients almost anywhere, too.
> b) same as 1.a), what about a mixed deployment; some RADIUS clients are RADIUS (UDP/1812), some are RadSec (TCP/2083)?
The same as above. The server is fine with defining multiple clients in different files.
Alan DeKok.
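
A mixed deployment of the kind asked about in 1.b) and 2.b), as an added example that is not part of the original message or of the FreeRADIUS documentation. Section names, addresses, certificate paths and the UDP shared secrets are placeholders; every definition sits at the top level of a configuration file, outside any "listen" or "authorize" section.

```conf
# Constructed example for FreeRADIUS 3.2.x. All names and values are placeholders.

# Home server reached over plain RADIUS (UDP/1812).
home_server legacy_udp {
	type = auth
	ipaddr = 192.0.2.10
	port = 1812
	proto = udp
	secret = REPLACE_WITH_SHARED_SECRET
}

# Home server reached over RadSec (TLS over TCP/2083).
home_server peer_radsec {
	type = auth
	ipaddr = 192.0.2.20
	port = 2083
	proto = tcp
	secret = radsec
	status_check = none

	# Outbound TLS settings; the certificate paths are assumptions.
	tls {
		private_key_file = ${certdir}/client.pem
		certificate_file = ${certdir}/client.pem
		ca_file = ${cadir}/ca.pem
	}
}

# Client that sends plain RADIUS over UDP.
client nas_udp {
	ipaddr = 192.0.2.30
	proto = udp
	secret = REPLACE_WITH_SHARED_SECRET
}

# Client that connects over RadSec.
client proxy_radsec {
	ipaddr = 192.0.2.40
	proto = tls
	secret = radsec
}
```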