General question about RadSec implementation on FR 3.2.x
Alan DeKok
aland at deployingradius.com
Mon Apr 28 14:20:20 UTC 2025
On Apr 28, 2025, at 10:10 AM, Dominic Stalder <dominic.stalder at bluewin.ch> wrote:
> another follow-up question about the configuration of RadSec clients:
>
> 1a) in the default FreeRADIUS tls configuration there is a statement "clients = radsec" under the listen{} subsection --> this references the clients {} subsection in the same file (/etc/freeradius/sites-available/tls)
>
> --> if I configure the clients in /etc/freeradius/clients.conf directly, I can just remove / comment out the statement "clients = radsec" and it will just allow / accept all configured clients in clients.conf for RadSec; is this assumption correct?
Yes.
You can also try it and see. Or, go through the comments and documentation which explain how it works:
* clients are in clients.conf
* BUT if you put "clients = foo" in a virtual server, then the clients for that server are all read from the "foo" section in that virtual server.
All of this is extensively documented. I'm not sure why it's necessary to repeat that here.
> 2a) in the default FreeRADIUS tls configuration there is a statement "proto = tcp" under the listen{} subsection, see example below:
> ...
> 2b) in the FreeRADIUS RadSec configuration example online (https://www.freeradius.org/documentation/freeradius-server/3.2.8/howto/protocols/proxy/enable_radsec.html) there is an example with "proto = tls":
There's no need to post configurations to the list.
> --> when I configure the "proto = tls" in the client subsection in /etc/freeradius/clients.conf, the debug states:
>
> /etc/freeradius/clients.conf[32]: Client does not have the same TLS configuration as the listener
>
> --> when I change this to "proto = tcp" in the client subsection in /etc/freeradius/clients.conf as well, the FR service is started.
Yes.
The entire purpose of the "proto = ..." and "tls" sections is to define properties of a client. You can't use a UDP client for TCP. You can't use a TCP client for TLS.
Alan DeKok.