General question about RadSec implementation on FR 3.2.x

Dominic Stalder dominic.stalder at bluewin.ch
Mon Apr 28 14:10:35 UTC 2025


Hi Alan

Another follow-up question about the configuration of RadSec clients:

1a) In the default FreeRADIUS tls configuration there is a statement "clients = radsec" under the listen {} subsection -> this references the clients {} subsection in the same file (/etc/freeradius/sites-available/tls).

-> If I configure the clients in /etc/freeradius/clients.conf directly, I can just remove / comment out the statement "clients = radsec" and it will then allow / accept all clients configured in clients.conf for RadSec; is this assumption correct?

1b) And if so, will only those clients in /etc/freeradius/clients.conf be allowed for RadSec that have the proto statement configured as tls or tcp (please see the next question as well)?

***

2a) In the default FreeRADIUS tls configuration there is a statement "proto = tcp" under the listen {} subsection, see the example below:

listen {
        ipaddr = *
        port = 2083

        #
        #  TCP and TLS sockets can accept Access-Request and
        #  Accounting-Request on the same socket.
        #
        #       auth      = only Access-Request
        #       acct      = only Accounting-Request
        #       auth+acct = both
        #       coa       = only CoA / Disconnect requests
        #
        type = auth+acct

        # For now, only TCP transport is allowed.
        proto = tcp

        # (rest of the listen section omitted)
}

2b) In the FreeRADIUS RadSec configuration example online (https://www.freeradius.org/documentation/freeradius-server/3.2.8/howto/protocols/proxy/enable_radsec.html) there is an example with "proto = tls":

clients radsec {
        ...
        # Direct connections from the test client
        client radseccli {
                ipaddr = 172.23.0.2
                proto = tls
                virtual_server = default
        }
}

-> When I configure "proto = tls" in the client subsection in /etc/freeradius/clients.conf, the debug output states:

/etc/freeradius/clients.conf[32]: Client does not have the same TLS configuration as the listener

-> When I change this to "proto = tcp" in the client subsection in /etc/freeradius/clients.conf as well, the FR service starts.

***

Thanks in advance for the clarification on this.

Regards
Dominic
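To make questions 1a and 2b concrete, here is a small Python checker, added as an illustration; it is not FreeRADIUS code and not the poster's. It parses the brace-style syntax of the listen and clients blocks, resolves which client entries a RadSec listener consults through its "clients = radsec" directive, and reports clients whose explicit proto differs from the listener's. The mismatch rule only encodes what the message observed (with the listener at "proto = tcp", a "proto = tcp" client starts and a "proto = tls" client is rejected); it is not FreeRADIUS's own validation and does not model defaults for a missing proto. The fallback to top-level client blocks when the directive is absent implements the poster's unconfirmed assumption from 1a, and the sample configuration (including the nas1 client and its address) is constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Section:
    """One brace-delimited block, e.g. `listen { ... }` or `client radseccli { ... }`."""
    kind: str                   # keyword before the brace: listen, clients, client, tls
    name: Optional[str]         # instance name, e.g. "radsec" in `clients radsec {`
    attrs: Dict[str, str] = field(default_factory=dict)
    children: List["Section"] = field(default_factory=list)


SECTION_RE = re.compile(r"^(\w+)(?:\s+(\S+))?\s*\{$")
ATTR_RE = re.compile(r"^(\w+)\s*=\s*(.+)$")


def parse(text: str) -> Section:
    """Parse the subset of FreeRADIUS config syntax used by listen/clients blocks."""
    root = Section("root", None)
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = SECTION_RE.match(line)
        if m:
            sec = Section(m.group(1), m.group(2))
            stack[-1].children.append(sec)
            stack.append(sec)
            continue
        m = ATTR_RE.match(line)
        if m:
            stack[-1].attrs[m.group(1)] = m.group(2).strip().strip('"')
            continue
        raise ValueError(f"cannot parse line: {raw!r}")
    if len(stack) != 1:
        raise ValueError(f"unterminated section '{stack[-1].kind}'")
    return root


def tls_listeners(root: Section) -> List[Section]:
    """Listeners carrying a tls { } subsection, i.e. the RadSec listeners."""
    return [s for s in root.children
            if s.kind == "listen" and any(c.kind == "tls" for c in s.children)]


def clients_for_listener(root: Section, listener: Section) -> List[Section]:
    """Clients a listener consults: the `clients NAME { }` section named by
    `clients = NAME` (point 1a in the message). Without the directive the
    poster's unconfirmed assumption is applied: every top-level client block."""
    wanted = listener.attrs.get("clients")
    if wanted is None:
        return [s for s in root.children if s.kind == "client"]   # ASSUMPTION (1a)
    groups = [s for s in root.children if s.kind == "clients" and s.name == wanted]
    if not groups:
        raise ValueError(f"listener references undefined clients section '{wanted}'")
    return [c for g in groups for c in g.children if c.kind == "client"]


def radsec_client_names(text: str) -> List[str]:
    root = parse(text)
    return sorted(c.name for lst in tls_listeners(root)
                  for c in clients_for_listener(root, lst))


def check_radsec_clients(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, client proto, listener proto) for every client whose
    explicit proto differs from its RadSec listener's explicit proto. This is
    the behaviour reported in the message, not FreeRADIUS's own validator."""
    root = parse(text)
    problems = []
    for lst in tls_listeners(root):
        lproto = lst.attrs.get("proto")
        if lproto is None:
            continue                            # defaults are not modelled
        for client in clients_for_listener(root, lst):
            cproto = client.attrs.get("proto")
            if cproto is not None and cproto != lproto:
                problems.append((client.name, cproto, lproto))
    return problems


# Constructed sample modelled on the snippets in the message (not a real deployment).
SAMPLE_TLS_SITE = """
listen {
        ipaddr = *
        port = 2083
        type = auth+acct
        proto = tcp
        clients = radsec
        tls {
                # certificate settings omitted in this constructed sample
        }
}

clients radsec {
        client radseccli {
                ipaddr = 172.23.0.2
                proto = tls
                virtual_server = default
        }
}

# A plain RADIUS client outside the radsec group (constructed).
client nas1 {
        ipaddr = 10.0.0.10
        proto = udp
}
"""

if __name__ == "__main__":
    for name, cproto, lproto in check_radsec_clients(SAMPLE_TLS_SITE):
        print(f"client {name}: proto = {cproto} differs from listener proto = {lproto}")
```

Running it on the sample reports radseccli (tls vs tcp), and after changing the client to "proto = tcp" nothing is reported, matching the two outcomes in the message. Removing the "clients = radsec" line switches the scope to the top-level nas1 client under the labelled assumption, which is the case question 1a asks about.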

