General question about RadSec implementation on FR 3.2.x
dominic.stalder at unibe.ch
Thu Apr 17 06:24:34 UTC 2025
Hi Alan
Thanks for the fast and informative feedback. When I get your answer correct, I can just put:
1. all RADIUS [UDP] & RadSec [TCP] clients into clients.conf and it does work
2. all RADIUS [UDP] & RadSec [TCP] home servers into proxy.conf and it does work
So I can "consolidate" all clients and all home servers in one location respectively?
Regards
Dominic
On 16.04.25, 17:12, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+dominic.stalder=unibe.ch at lists.freeradius.org on behalf of aland at deployingradius.com> wrote:
On Apr 16, 2025, at 10:19 AM, dominic.stalder at unibe.ch wrote:
> I know, there is a documentation page about RadSec: https://www.freeradius.org/documentation/freeradius-server/3.2.8/howto/protocols/proxy/enable_radsec.html
>
> But I have some general questions about the RadSec implementation on FR 3.2.x, which I think are not answered in the above documentation page:
Sure.
> 1. When I want to proxy RADIUS requests to other RADIUS servers over RadSec (TLS/2083):
>
> a) do I have to configure the home servers in /etc/freeradius/sites-enabled/tls as well, only in the tls file or only in the proxy.conf?
It doesn't matter where the home servers are defined. If you put them somewhere and it works, then that's fine.
> b) what about a mixed deployment, where some of the RADIUS proxy / home servers are accessed over RADIUS (UDP/1812) and some others are accessed over RadSec (TCP/2083)?
You can put the home servers almost anywhere. The only restriction is that they can't exist inside of another section. i.e. they can't go into a "listen" section, or an "authorize" section.
> 2. When I want to answer RADIUS requests from other RADIUS proxy servers over RadSec (TCP/2083):
>
> a) do I have to configure the clients in /etc/freeradius/sites-enabled/tls as well or only in the tls file? If only in the tls file, I can remove them from the clients.conf file, correct?
You can put clients almost anywhere, too.
> b) same as 1.a), what about a mixed deployment; some RADIUS clients are RADIUS (UDP/1812), some are RadSec (TCP/2083)?
The same as above. The server is fine with defining multiple clients in different files.
Alan DeKok.
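
Added example (not part of the original thread and not FreeRADIUS's shipped configuration): a mixed UDP and RadSec layout of the kind discussed above, with every home_server at the top level of its file rather than inside a "listen" or "authorize" section. Section names, addresses (documentation range 192.0.2.0/24), secrets and certificate file names are assumptions.

```conf
# proxy.conf (constructed example; names, addresses and paths are placeholders)
# Both home servers are top-level sections, not nested in "listen" or "authorize".

# Plain RADIUS over UDP/1812
home_server legacy_udp {
	type = auth
	ipaddr = 192.0.2.10
	port = 1812
	proto = udp
	secret = CHANGE_ME_long_random_secret
}

# RadSec over TCP/2083
home_server partner_radsec {
	type = auth
	ipaddr = 192.0.2.20
	port = 2083
	proto = tcp
	# RFC 6614 fixes the shared secret to "radsec"; peer trust comes
	# from the certificates configured in the tls subsection.
	secret = radsec
	tls {
		ca_file = ${cadir}/partner-ca.pem
		certificate_file = ${certdir}/proxy-client.pem
		private_key_file = ${certdir}/proxy-client.key
	}
}

# clients.conf (constructed example)

# NAS that speaks plain RADIUS over UDP
client nas_udp {
	ipaddr = 192.0.2.30
	proto = udp
	secret = CHANGE_ME_another_random_secret
}

# Peer proxy that may only connect over TLS
client peer_radsec {
	ipaddr = 192.0.2.40
	proto = tls
	secret = radsec
}
```

After moving definitions between files, the server's configuration check (radiusd -XC, or freeradius -XC on Debian-style installs) confirms that the files still parse.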