General question about RadSec implementation on FR 3.2.x

Alan DeKok aland at deployingradius.com
Mon Apr 28 15:03:51 UTC 2025


On Apr 28, 2025, at 10:38 AM, Dominic Stalder <dominic.stalder at bluewin.ch> wrote:
>> All of this is extensively documented.  I'm not sure why it's necessary to repeat that here.
> 
> Not all of us „users“ from this mailing list are FreeRADIUS experts or RADIUS standards experts like you are - so please try to bring up some patience with some of us, not knowing each and every bit of the documentation starting freshly with FreeRADIUS.

  There have been repeated questions about the documentation.  "Does it really do what it says?"  and "Does it really work the way it says?"  And "I configured this, and it works.  Is that right?"

  Yes, yes, it does.  Yes, the documentation is correct.  Yes, if you test something and it works, then it works and you can use it.

  It is somewhat frustrating to get repeated questions about things which are already documented, and which are explained in great detail in the documentation.

> That’s where my confusion comes from:
> 
> 1. in the tls configuration file the comment says "# For now, only TCP transport is allowed" and proto is set to tcp, which makes sense. I cannot configure "proto = tls" here. I get that.

  OK.

> 2. But then in the clients.conf documentation online, the statement shows "proto = tls", but in this case the server won’t start because of the "/etc/freeradius/clients.conf[32]: Client does not have the same TLS configuration as the listener" error

 See raddb/sites-available/tls.  The examples show how a TLS client and server are configured.  The example is tested, and works. You're modifying these examples, and then running into issues.

 The solution is to follow the examples.

> 3. And if you tell me "You can't use a TCP client for TLS", then I would need to configure "proto = tls" in clients.conf, which does not work?

   Maybe there are issues with TLS clients in the main clients.conf file.  It should work, but perhaps not.  If it doesn't, then just.... follow the examples.  The RADIUS/TLS configuration is tested in CI, and by many other people.  It works.

> I hope you get what I try to explain concerning the proto configuration and examples online?

  I get that you're trying to do things which are not in the default configuration, and are running into issues.  So follow the examples.

  I also get that you're having difficulty following basic documentation and error messages.  For example, using "radiusd -X" with TLS, gets you the following message, which you posted to the list:

> /etc/freeradius/sites-enabled/tls[44]: Threading must be enabled for TLS sockets to function properly
> /etc/freeradius/sites-enabled/tls[44]: You probably need to do 'radiusd -fxx -l stdout' for debugging

  Should your next action be:

(a) follow the instructions and get it working

(b) post the message to the list, and ask "What should I do"?

  Many of the questions in this thread have been at a similar level.  This is not an "expert" versus "beginner" issue.

  This comes across as you don't want to follow any documentation or error message until you get a personal email from me, reassuring you that it's OK to follow the documentation.
 
  This behavior is unproductive.  Unless you're reporting bugs, I don't see a need for me to continue to explain simple error messages.

  Alan DeKok.


