Requesting guidance to understand all moving parts for RadSec + EAP-TLS

Gopal Raman graman at nilesecure.com
Sat Apr 19 17:47:41 UTC 2025


Hi Yoann,

I've used RadSec with EAP-TLS on my FR (3.2 release). I have my own RadSec
client and did not use the open-source radsecproxy. I'll answer some of your
questions first.

1. The cert+CA chain for RadSec is logically completely different from the
cert+CA chain for EAP-TLS. The former is used to secure the transport
(using TLS) between the NAS/Authenticator/RADIUS client and FR. The latter
is used for wireless/wired clients to mutually authenticate with the FR. In
fact you can use the same CA for generating the RadSec server cert (for
authenticating to the NAS/AP) and the RADIUS server cert (for
authenticating to wireless clients). You may even use the same server cert
for both as long as the other party can validate the cert.

2. There is no conflict here about requiring EAP-TLS to be PKI only. You may
have to set up OCSP/CRL on the FR side (I have not done it; others have).
This won't interfere with RadSec in any way.

Here are my FR configs to support RadSec. I assume you already have
support for EAP-TLS over plain RADIUS. If you don't, first get that working
over plain RADIUS before adding RadSec.
I've attached a tarball that has everything you need to build an image that
runs FR with RadSec support. To use it, copy it into your ~/tmp folder
(say) and then do:

cd ~/tmp
mkdir FR_Radsec; cd FR_Radsec
tar xzf ../FR_docker.tgz
docker build -t freeradius_radsec -f Dockerfile RADIUS_DOCKER_FILES

This will produce a Docker image named freeradius_radsec.

To run the Docker image, do the following. This will create a container whose
ID you can get using the command 'docker ps':

docker run -dt freeradius_radsec

Then run the commands below to get a shell into the running container. <cid>
is the container ID:

docker exec -it <cid> bash
# cd /etc/freeradius/3.0/sites-available/
# less tls

The very first section of the 'tls' file is the RadSec configuration. You
need to replace the following files:

/etc/freeradius/3.0/certs/server.pem - This has already expired! You
need to use the RadSec server cert that you generated using your CA.
server.key - Private key corresponding to the cert above.
ca.pem - This has also expired. Please replace it with your own.

The next section in the 'tls' file is 'clients'. Replace the IP 20.20.20.20
with the IP of your NAS/AP/Controller.

EAP-TLS configuration
This is in /etc/freeradius/3.0/mods-available/eap. Edit this file to match
yours.

Hope this helps,
-gopal raman

On Sat, Apr 19, 2025 at 8:28 AM Yoann Gini <yoann.gini at gmail.com> wrote:

> Hello,
>
> As said on the other thread, I'm trying to use RadSec to provide EAP-TLS
> authentication for a remote site. I've mainly been an NPS user in recent
> years; it's been a while since I last used FreeRADIUS.
>
> I'm a little bit lost in the set of configuration to do here, especially
> since some parts seem redundant between RadSec and EAP-TLS.
>
> In particular, I will have different intermediate certificate authorities to
> authenticate access points on one side and wireless clients on the other.
>
> Also, the configuration for EAP-TLS will need to be PKI based only
> (authenticate and authorize if certificate-based authentication works and
> the certificate is not revoked). No per-user authorization is expected, and
> the FreeRADIUS server is expected not to know the list of valid users,
> relying solely on PKI for that.
>
> So if someone can point me to a clean article about the use of RadSec +
> EAP-TLS in FreeRADIUS, or if someone can take the time to explain it to me,
> I'm really interested.
>
> Thanks a lot
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
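The following is an added illustration, not Gopal's attached configuration and not a verbatim copy of the files FreeRADIUS ships, of how the two certificate chains he describes stay separate in FreeRADIUS 3.x: the RadSec listener in sites-available/tls trusts the CA that issued the NAS/AP certificates, while the EAP tls-config in mods-available/eap trusts the CA that issued the wireless/wired client certificates, which is exactly the split Yoann asked about. The file names radsec-server.*, radsec-ca.pem, eap-server.*, wifi-client-ca.pem and the two ca_path subdirectories are placeholders chosen here; the address 20.20.20.20 is the NAS placeholder from the message above. The option names are the standard FreeRADIUS 3.x ones.

```conf
# sites-available/tls  -- RadSec listener (chain 1: NAS <-> FreeRADIUS transport)
listen {
	ipaddr = *
	port = 2083                 # RadSec port (RFC 6614)
	type = auth
	proto = tcp
	tls {
		# Server identity presented to the NAS/AP (placeholder file names).
		private_key_file  = ${certdir}/radsec-server.key
		certificate_file  = ${certdir}/radsec-server.pem
		# Trust anchor for NAS/AP client certs only. Keep this ca_file and
		# ca_path separate from the EAP ones so a NAS cert can never be used
		# as a wireless-client credential, or vice versa.
		ca_file           = ${cadir}/radsec-ca.pem
		ca_path           = ${cadir}/radsec
		dh_file           = ${certdir}/dh
		tls_min_version   = "1.2"
		# RadSec is mutual TLS: the NAS must present a certificate.
		require_client_cert = yes
		check_crl = no          # set yes only once CRLs are hashed into ca_path
	}
	clients = radsec
	virtual_server = default
}

clients radsec {
	client nas-site-a {
		ipaddr = 20.20.20.20    # your NAS/AP/controller address
		proto  = tls
		# With RadSec the RADIUS shared secret is fixed to "radsec" (RFC 6614);
		# the TLS handshake, not this string, authenticates the peer.
		secret = radsec
	}
}

# mods-available/eap  -- EAP-TLS (chain 2: wireless/wired supplicants <-> FreeRADIUS)
eap {
	default_eap_type = tls
	tls-config tls-common {
		# Server identity presented to supplicants (placeholder file names).
		# Per Gopal's note this may be the same cert as above if the
		# supplicants can validate it; it is kept distinct here.
		private_key_file  = ${certdir}/eap-server.key
		certificate_file  = ${certdir}/eap-server.pem
		# Trust anchor for wireless/wired client certs only.
		ca_file           = ${cadir}/wifi-client-ca.pem
		ca_path           = ${cadir}/eap
		dh_file           = ${certdir}/dh
		tls_min_version   = "1.2"
		# PKI-only policy from the question: a revoked cert must fail.
		# check_crl needs the CRL files hashed into ca_path (openssl rehash).
		check_crl = yes
		ocsp {
			enable = yes
			override_cert_url = no    # use the responder URL from the client cert
			softfail = no             # unreachable responder => reject, not accept
		}
	}
	tls {
		tls = tls-common
	}
}
```

The listener and the EAP module each load their own trust store, so a certificate issued under one intermediate is rejected by the other even when both intermediates chain to the same root; that is the practical meaning of "logically completely different" above. Leaving softfail at no keeps the revocation check from silently degrading when the OCSP responder is down, which matters for a deployment that relies solely on PKI for authorization.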
