Way to verify RADIUS status-server of proxy server over RadSec / TLS

Alan DeKok aland at deployingradius.com
Thu May 8 18:49:36 UTC 2025


On May 8, 2025, at 2:31 PM, Dominic Stalder <dominic.stalder at bluewin.ch> wrote:
> Recently, we migrated some of our RADIUS proxy servers from RADIUS (UDP) to RadSec (TCP) and I would like to still be able to monitor the upstream proxy servers.
> 
> When we were still using RADIUS (UDP), I was able to send a status-server RADIUS message to the upstream server directly, like this and report that back to PRTG (our monitoring tool):
> 
> echo 'Message-Authenticator = 0x00' | radclient -x 1.2.3.4 status secret
> 
> Now I would like to achieve something similar, after we migrated the proxy server 1.2.3.4 to TLS only.

  It's a little more complex, but it shouldn't be hard.

> My initial try was to setup something like this:
> 
> 1. start a local socat listener on port UDP/11812 and tunnel it to 
> 
> socat -v OPENSSL:1.2.3.4:2083,cert=/etc/freeradius/certs/radsec.pem,key=/etc/freeradius/certs/radsec.key,cafile=/etc/freeradius/certs/edupki-root-ca-cert.pem,verify=0 UDP-RECV:11812
> 
> 
> 2. send a standard RADIUS (UDP) status-server packet to the localhost port UDP/11812:
> 
> echo 'Message-Authenticator = 0x00' | radclient -x localhost:11812 status radsec -t 1

  That should be fine.

> 3. unfortunately, this isn't straightforward:
> 
> You’re trying to receive UDP packets on port 11812 and send them via TLS/TCP using socat. That conceptually makes sense — it’s what RADIUS-over-TLS (RadSec) does — but unfortunately, RADIUS over TLS is not just “UDP in TLS over TCP”. RadSec uses a specific framing: each RADIUS packet must be prefixed with a 2-byte length field when encapsulated over TCP/TLS (per RFC 6614).

  Uh, what?

  No.  They're just RADIUS packets over TLS.  There is no 2 byte length prefix.

> Does anybody have an idea how to implement a simple RadSec / TLS status-server test, maybe with a "workaround" or a detour via the FreeRADIUS configuration?

  socat might work.  Did you try it?  If so, what happened?

  Or, set up a local RADIUS proxy which accepts UDP, and sends packets over TLS to the remote server.

  But this doesn't really tell you a lot.  If your proxy is sending packets to the remote server, just check the stats and logs on your local proxy.  It will complain if the remote server is down.

  Alan DeKok.
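The check discussed in this thread, as an added example that is not code from the original post, from FreeRADIUS or from radclient: it opens a TLS connection to the proxy on the RadSec port, sends a Status-Server packet with a valid Message-Authenticator, and reads the reply using only the RADIUS Length field as framing (no extra 2-byte prefix, as Alan points out). The shared secret "radsec" is the fixed RFC 6614 secret; the port 2083, the certificate paths and the hostname verification are assumptions to adjust to your deployment. `build_response` only emulates the server side so the packet logic can be self-tested offline.

```python
import hashlib
import hmac
import os
import socket
import ssl
import struct

STATUS_SERVER = 12
ACCESS_ACCEPT = 2
ACCOUNTING_RESPONSE = 5
MESSAGE_AUTHENTICATOR = 80          # attribute type, RFC 2869 / RFC 5997
RADSEC_SECRET = b"radsec"           # fixed shared secret for RADIUS/TLS (RFC 6614)


def build_status_server(secret, identifier, authenticator=None):
    """Build a Status-Server request carrying a Message-Authenticator (RFC 5997)."""
    if authenticator is None:
        authenticator = os.urandom(16)           # Request Authenticator is random
    length = 20 + 18                             # header + Message-Authenticator attribute
    header = struct.pack("!BBH16s", STATUS_SERVER, identifier, length, authenticator)
    attr_head = bytes([MESSAGE_AUTHENTICATOR, 18])
    # HMAC-MD5 over the packet with the Message-Authenticator value zeroed
    mac = hmac.new(secret, header + attr_head + b"\x00" * 16, hashlib.md5).digest()
    return header + attr_head + mac


def verify_response(secret, request, response):
    """Return True only if the reply is well-formed, authenticated and positive."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    req_auth = request[4:20]
    attrs = response[20:length]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(response[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False
    # Walk the attributes; if a Message-Authenticator is present, verify it too.
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            return False
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return False
            zeroed = response[:4] + req_auth + attrs[:i + 2] + b"\x00" * 16 + attrs[i + alen:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            if not hmac.compare_digest(mac, attrs[i + 2:i + alen]):
                return False
        i += alen
    return code in (ACCESS_ACCEPT, ACCOUNTING_RESPONSE)


def build_response(secret, request, code=ACCESS_ACCEPT):
    """Emulate the server side (offline self-test only): Message-Authenticator first,
    then the Response Authenticator over the finished packet."""
    req_auth = request[4:20]
    head = struct.pack("!BBH", code, request[1], 20 + 18)
    attr_head = bytes([MESSAGE_AUTHENTICATOR, 18])
    mac = hmac.new(secret, head + req_auth + attr_head + b"\x00" * 16, hashlib.md5).digest()
    attrs = attr_head + mac
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def read_radius_packet(sock):
    """Read exactly one RADIUS packet from a stream socket.
    The 16-bit Length field in the RADIUS header is the only framing over TLS."""
    head = b""
    while len(head) < 4:
        chunk = sock.recv(4 - len(head))
        if not chunk:
            raise ConnectionError("peer closed the connection before a RADIUS header")
        head += chunk
    length = struct.unpack("!H", head[2:4])[0]
    if length < 20 or length > 4096:
        raise ValueError("invalid RADIUS length %d" % length)
    body = head
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-packet")
        body += chunk
    return body


def probe_radsec(host, port=2083, cert="/etc/freeradius/certs/radsec.pem",
                 key="/etc/freeradius/certs/radsec.key",
                 cafile="/etc/freeradius/certs/edupki-root-ca-cert.pem", timeout=5.0):
    """Send Status-Server over RADIUS/TLS and report whether an authentic positive reply came back."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.load_cert_chain(cert, key)               # RadSec is mutually authenticated
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            request = build_status_server(RADSEC_SECRET, os.urandom(1)[0])
            tls.sendall(request)                 # raw RADIUS packet, no length prefix
            response = read_radius_packet(tls)
    return verify_response(RADSEC_SECRET, request, response)


if __name__ == "__main__":
    import sys
    ok = probe_radsec(sys.argv[1])
    print("RadSec status-server OK" if ok else "RadSec status-server FAILED")
    sys.exit(0 if ok else 2)                     # non-zero exit for the monitoring tool
```

Run as `python3 radsec_probe.py 1.2.3.4` from the monitoring host; the exit code feeds a PRTG-style sensor. Unlike the `verify=0` socat attempt in the thread, the TLS context here validates the proxy's certificate against the CA file, so a failure also tells you when the upstream certificate chain is broken. Per Alan's closing point, this probe only confirms that the proxy answers on its RadSec port; whether it can reach its own upstreams is still best read from that proxy's statistics and logs.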
