Way to verify RADIUS status-server of proxy server over RadSec / TLS
Dominic Stalder
dominic.stalder at bluewin.ch
Thu May 8 18:31:40 UTC 2025
Hi guys
Recently, we migrated some of our RADIUS proxy servers from RADIUS (UDP) to RadSec (TCP) and I would like to still be able to monitor the upstream proxy servers.
When we were still using RADIUS (UDP), I was able to send a status-server RADIUS message directly to the upstream server, like this, and report the result back to PRTG (our monitoring tool):
echo 'Message-Authenticator = 0x00' | radclient -x 1.2.3.4 status secret
Now I would like to achieve something similar, after we migrated the proxy server 1.2.3.4 to TLS only.
My initial try was to set up something like this:
1. start a local socat listener on port UDP/11812 and tunnel it to
socat -v OPENSSL:1.2.3.4:2083,cert=/etc/freeradius/certs/radsec.pem,key=/etc/freeradius/certs/radsec.key,cafile=/etc/freeradius/certs/edupki-root-ca-cert.pem,verify=0 UDP-RECV:11812
2. send a standard RADIUS (UDP) status-server packet to the localhost port UDP/11812:
echo 'Message-Authenticator = 0x00' | radclient -x localhost:11812 status radsec -t 1
3. unfortunately, this isn't straightforward:
You’re trying to receive UDP packets on port 11812 and send them via TLS/TCP using socat. That conceptually makes sense — it’s what RADIUS-over-TLS (RadSec) does — but unfortunately, RADIUS over TLS is not just “UDP in TLS over TCP”. RadSec uses a specific framing: each RADIUS packet must be prefixed with a 2-byte length field when encapsulated over TCP/TLS (per RFC 6614).
Based on the documentation of radclient, it does not support RadSec / TLS natively. And no, I don't know how to implement it…
Does anybody have an idea how to implement a simple RadSec / TLS status-server test, maybe with a "workaround" or a detour via the FreeRADIUS configuration?
Regards
Dominic
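An added example, not code from the FreeRADIUS project or from the poster: a stand-alone probe that does what the socat detour was meant to do, i.e. open a TLS session to TCP/2083 with the client certificate, send a Status-Server (code 12) with the Message-Authenticator that RFC 5997 requires, and authenticate the reply before reporting "up". Two protocol points it relies on: RFC 6614 fixes the RADIUS/TLS shared secret to the literal string "radsec", and RFC 6613 section 2.2 (which RFC 6614 inherits) frames packets on the stream by the RADIUS header's own Length field, so the reader fetches the 4-byte header first and then the remainder. Assumptions: the proxy listens on 2083, accepts the certificate you pass in, and answers Status-Server with Access-Accept or Accounting-Response; hostname checking is turned off because the peer is addressed by IP (the chain is still verified against the CA file). `build_response` is the server side of the exchange and is only there so the packet handling can be exercised offline; MD5 and HMAC-MD5 are used because RADIUS authenticators are defined that way, not by choice.

```python
"""RadSec (RADIUS/TLS, RFC 6614) Status-Server probe. Added example for this
thread, not FreeRADIUS code. Assumes the proxy listens on TCP/2083, accepts
the given client certificate and answers Status-Server with Access-Accept or
Accounting-Response. Exit 0 = healthy, 1 = bad reply, 2 = no reply."""
import hashlib, hmac, io, os, socket, ssl, struct, sys

RADSEC_SECRET = b"radsec"  # fixed shared secret for RADIUS/TLS (RFC 6614 section 2.3)
RADSEC_PORT = 2083
CODE_ACCESS_ACCEPT, CODE_ACCOUNTING_RESPONSE, CODE_STATUS_SERVER = 2, 5, 12
ATTR_MESSAGE_AUTHENTICATOR, HEADER_LEN, MAX_PACKET = 80, 20, 4096

def _msg_auth(mac: bytes) -> bytes:
    return struct.pack("!BB16s", ATTR_MESSAGE_AUTHENTICATOR, 18, mac)

def build_status_server(identifier: int, request_auth: bytes, secret: bytes = RADSEC_SECRET) -> bytes:
    """Code 12 plus the Message-Authenticator RFC 5997 requires: HMAC-MD5(secret)
    over the packet with the attribute value zeroed (RFC 3579 section 3.2)."""
    head = struct.pack("!BBH16s", CODE_STATUS_SERVER, identifier, HEADER_LEN + 18, request_auth)
    mac = hmac.new(secret, head + _msg_auth(bytes(16)), hashlib.md5).digest()
    return head + _msg_auth(mac)

def build_response(code: int, identifier: int, request_auth: bytes, attrs: bytes = b"",
                   secret: bytes = RADSEC_SECRET) -> bytes:
    """Server side of the exchange (lets the probe be tested offline): Message-Authenticator
    keyed over the Request Authenticator, then Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865 section 3."""
    head = struct.pack("!BBH16s", code, identifier, HEADER_LEN + len(attrs) + 18, request_auth)
    mac = hmac.new(secret, head + attrs + _msg_auth(bytes(16)), hashlib.md5).digest()
    body = attrs + _msg_auth(mac)
    return head[:4] + hashlib.md5(head + body + secret).digest() + body

def verify_response(packet: bytes, request_auth: bytes, secret: bytes = RADSEC_SECRET) -> bool:
    """True only for a correctly authenticated Access-Accept/Accounting-Response,
    so a forged, truncated or wrong-secret reply is never reported as 'up'."""
    if len(packet) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (CODE_ACCESS_ACCEPT, CODE_ACCOUNTING_RESPONSE):
        return False
    attrs = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False
    pos = 0  # walk the TLVs and check Message-Authenticator if the server sent one
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            mac = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, attrs[pos + 2:pos + 18])
        pos += alen
    return True

def read_packet(recv) -> bytes:
    """One packet from the stream. RFC 6613 section 2.2 (inherited by RFC 6614)
    frames on the RADIUS header's own Length field: there is no extra length prefix."""
    head = recv(4)
    length = struct.unpack("!H", head[2:4])[0]
    if not HEADER_LEN <= length <= MAX_PACKET:
        raise ValueError(f"bad RADIUS length {length}")
    return head + recv(length - 4)

def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-packet")
        buf += chunk
    return buf

def bytes_reader(data: bytes):
    """recv(n) over an in-memory buffer, to exercise the framing without a socket."""
    return io.BytesIO(data).read

def probe(host: str, port: int, cert: str, key: str, cafile: str, timeout: float = 5.0) -> bool:
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.load_cert_chain(cert, key)
    ctx.check_hostname = False  # assumption: peer addressed by IP; chain still verified against cafile
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(build_status_server(ident, request_auth))
        reply = read_packet(lambda n: recv_exact(tls, n))
    return reply[1] == ident and verify_response(reply, request_auth)

if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit(f"usage: {sys.argv[0]} HOST CERT KEY CAFILE")
    try:
        ok = probe(sys.argv[1], RADSEC_PORT, *sys.argv[2:5])
    except (OSError, ValueError) as exc:
        print(f"radsec status-server {sys.argv[1]}: FAILED ({exc})")
        sys.exit(2)
    print(f"radsec status-server {sys.argv[1]}: {'OK' if ok else 'BAD REPLY'}")
    sys.exit(0 if ok else 1)
```

Run it with the certificate paths from the post, e.g. `python3 radsec_status.py 1.2.3.4 /etc/freeradius/certs/radsec.pem /etc/freeradius/certs/radsec.key /etc/freeradius/certs/edupki-root-ca-cert.pem`, and let the monitoring sensor key on the exit code. The reply is only counted as healthy if its Identifier matches, its Response Authenticator verifies under "radsec" against the random Request Authenticator we sent, and any Message-Authenticator it carries verifies too; a TLS failure, timeout, short read or bad Length field all surface as a non-zero exit rather than a false "up".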