Requesting guidance to understand all moving parts for RadSec + EAP-TLS
Alan DeKok
aland at deployingradius.com
Sat Apr 19 17:41:46 UTC 2025
On Apr 19, 2025, at 11:28 AM, Yoann Gini <yoann.gini at gmail.com> wrote:
> As said on the other thread, I'm trying to use RadSec to provide EAP-TLS authentication for a remote site. I've mainly been an NPS user over the last few years; it's been a while since I last used FreeRADIUS.
FreeRADIUS is a lot more complex than NPS. Plus, there's no GUI.
The good news is that FreeRADIUS has had new features added since 2004. NPS, not so much.
> I'm a little bit lost in the set of configuration to do here, especially since some parts seem redundant between RadSec and EAP-TLS.
They both use TLS. And since they both use TLS, they use the same configuration format.
The reason for making two configurations is that you might not want to use the same certificates for RadSec and for EAP-TLS. If there was only one TLS configuration, then you would have to use the same certs.
> Especially, I will have different intermediate certificates authority to authenticate access points on one side and wireless client on the other.
>
> Also, the configuration for EAP-TLS will need to be PKI based only (authenticate and authorize if certificate based authentication works and if the certificate is not revoked). No per-user authorization expected, and the FreeRadius server is expected to not know the list of valid users, solely relying on PKI for that.
Sure. That's fine.
> So if someone can lead me to a clean article about the use of RadSec + EAP-TLS in FreeRADIUS, or if someone can take the time to explain it to me, I'm really interested.
There's no "RadSec + EAP-TLS" guide. There is, however, documentation for how to configure RADIUS/TLS. And, documentation for how to configure EAP-TLS. So just configure both.
i.e. get EAP-TLS working with normal radius. There are a few test tools out there, for Windows or OSX. If you're comfortable with the command-line, there's eapol_test on Linux.
Separately, get RadSec working, and test it with simple name / password packets.
Once both of those work, try EAP-TLS over RadSec. It will work.
Alan DeKok.
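The two separate TLS configurations described in the reply above, as an added example (not from the original post and not FreeRADIUS's shipped defaults). It assumes FreeRADIUS 3.x, the stock sites-available/tls and mods-available/eap layout, and hypothetical file names and issuer DNs (ap-chain.pem, client-chain.pem, "/O=Example/CN=AP Issuing CA", and so on). The point is that the RadSec listener and the EAP module each carry their own `tls` block in the same format, so the access points can be validated against one intermediate CA and the wireless supplicants against another, with revocation checked by CRL for the supplicants.

```text
# --- sites-available/tls: RADIUS/TLS (RadSec) listener ---
# The TLS client certificate presented here belongs to the access point.
listen {
    ipaddr = *
    port = 2083                 # RFC 6614 RadSec port
    type = auth
    proto = tcp
    virtual_server = default    # inner RADIUS processing, including EAP
    clients = radsec            # client list below, matched after the TLS handshake

    tls {
        certificate_file = ${certdir}/radsec-server.pem   # assumed file names
        private_key_file = ${certdir}/radsec-server.key
        # Only the chain that issues AP certificates: root + AP intermediate.
        ca_file = ${cadir}/ap-chain.pem
        ca_path = ${cadir}/ap-crls              # c_rehash'd directory holding AP CRLs
        check_crl = yes
        tls_min_version = "1.2"
        require_client_cert = yes               # an AP without a valid cert is dropped
        cache {
            enable = no
        }
    }
}

clients radsec {
    client remote-sites {
        ipaddr = 0.0.0.0/0      # any AP with a cert from the AP CA may connect
        proto = tls
        secret = radsec         # RFC 6614 fixed shared secret for RADIUS/TLS
    }
}

# --- mods-available/eap: EAP-TLS for the wireless clients ---
# The TLS client certificate presented here belongs to the supplicant.
eap {
    default_eap_type = tls

    tls-config tls-wireless {
        certificate_file = ${certdir}/eap-server.pem      # assumed file names
        private_key_file = ${certdir}/eap-server.key
        # Only the chain that issues wireless client certificates.
        ca_file = ${cadir}/client-chain.pem
        ca_path = ${cadir}/client-crls          # c_rehash'd directory holding client CRLs
        check_crl = yes                         # revoked supplicant certs are rejected
        # If both intermediates hang off one root that is in ca_file,
        # pin the issuer so an AP cert cannot be used as a client cert.
        check_cert_issuer = "/O=Example/CN=Client Issuing CA"   # assumed DN
        tls_min_version = "1.2"
        cache {
            enable = no
        }
    }

    tls {
        tls = tls-wireless
    }
}
```

With this layout there is no per-user lookup: the `default` virtual server only needs the `eap` module in `authorize` and `authenticate`, and a supplicant is accepted when its certificate chains to client-chain.pem and is absent from the CRL. Test the EAP-TLS side first with eapol_test against plain UDP RADIUS, then the RadSec listener with a PAP request from a TLS-capable client such as another FreeRADIUS instance using `home_server { proto = tls }`, and only then combine the two, as the reply recommends.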