General question about RadSec implementation on FR 3.2.x

Dominic Stalder dominic.stalder at bluewin.ch
Mon Apr 28 14:38:37 UTC 2025


Hi Alan

> All of this is extensively documented.  I'm not sure why it's necessary to repeat that here.

Not all of us "users" on this mailing list are FreeRADIUS experts or RADIUS standards experts like you are, so please try to have some patience with those of us who do not know each and every bit of the documentation and are starting freshly with FreeRADIUS.

And at the end of the day, each and every one of us on the list is here to learn about the great product FreeRADIUS. We just want to get better by asking questions: I get the concept of RTFM, but sometimes some concepts need to be understood first.


> The entire purpose of the "proto = ..." and "tls" sections are to define properties of a client.  You can't use a UDP client for TCP.  You can't use a TCP client for TLS.

That's where my confusion comes from:

1. In the tls configuration file the comment says "# For now, only TCP transport is allowed" and proto is set to tcp, which makes sense. I cannot configure "proto = tls" here. I get that.

2. But then in the clients.conf documentation online, the statement shows "proto = tls", but in this case the server won't start because of the "/etc/freeradius/clients.conf[32]: Client does not have the same TLS configuration as the listener" error.

3. And if you tell me "You can't use a TCP client for TLS", then I would need to configure "proto = tls" in clients.conf, which does not work?

I hope you get what I am trying to explain concerning the proto configuration and the examples online?

Regards
Dominic

> Am 28.04.2025 um 16:20 schrieb Alan DeKok <aland at deployingradius.com>:
> 
> On Apr 28, 2025, at 10:10 AM, Dominic Stalder <dominic.stalder at bluewin.ch> wrote:
>> another follow-up question about the configuration of RadSec clients:
>> 
>> 1a) in the default FreeRADIUS tls configuration there is a statement "clients = radsec" under the listen{} subsection —> this references the clients {} subsection in the same file (/etc/freeradius/sites-available/tls)
>> 
>> —> if I configure the clients in /etc/freeradius/clients.conf directly, I can just remove / comment out the statement "clients = radsec" and it will just allow / accept all configured clients in clients.conf for RadSec; is this assumption correct?
> 
>  Yes.
> 
>  You can also try it and see.  Or, go through the comments and documentation which explain how it works:
> 
> * clients are in clients.conf
> * BUT if you put "clients = foo" in a virtual server, then the clients for that server are all read from the "foo" section in that virtual server.
> 
>  All of this is extensively documented.  I'm not sure why it's necessary to repeat that here.
> 
>> 2a) in the default FreeRADIUS tls configuration there is a statement "proto = tcp" under the listen{} subsection, see example below:
>> ...
>> 2b) in the FreeRADIUS RadSec configuration example online (https://www.freeradius.org/documentation/freeradius-server/3.2.8/howto/protocols/proxy/enable_radsec.html) there is an example with "proto = tls":
> 
>  There's no need to post configurations to the list.
> 
>> —> when I configure "proto = tls" in the client subsection in /etc/freeradius/clients.conf, the debug states:
>> 
>> /etc/freeradius/clients.conf[32]: Client does not have the same TLS configuration as the listener
>> 
>> —> when I change this to "proto = tcp" in the client subsection in /etc/freeradius/clients.conf as well, the FR service is started.
> 
> Yes. 
> 
>  The entire purpose of the "proto = ..." and "tls" sections are to define properties of a client.  You can't use a UDP client for TCP.  You can't use a TCP client for TLS.
> 
>  Alan DeKok.
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
