tls-template

Initial implementation of RADIUS over TLS (radsec).

server TLSX

server TLSX {
#
#  Plain UDP accounting listener on every address ("ipaddr = *").
#  Nothing on this socket is protected by TLS; it exists for the
#  test setup only and should not be exposed in production.
#
listen {
       ipaddr = *
       port = ${my-port}
       type = acct
       proto = udp
}

#
#  TCP accounting listener on every address.  The "tls" subsection
#  that follows (after the prose below) turns it into a RADIUS/TLS
#  (RadSec) socket, and only entries from the "radsec" client list
#  (defined further down) are allowed to connect.
#
listen {
	ipaddr = *
	port = ${my-port}
	type = acct
	proto = tcp
	virtual_server = default
	clients = radsec
	#
	#  Per-socket connection limits.  lifetime = 0 appears to disable
	#  the maximum connection age (confirm against the listen docs);
	#  idle_timeout closes a connection after 30 s without traffic,
	#  which bounds how long an abandoned TLS session holds a slot
	#  out of the 32 allowed.
	#
	limit {
	      max_connections = 32
	      lifetime = 0
	      idle_timeout = 30
	}

This is exactly the same configuration as used by the EAP-TLS module. It’s OK for testing but not for production. For production use, it’s a good idea to use different server certificates for EAP and for RADIUS transport.

If only one TLS configuration will be used for multiple sockets, then putting "tls { ... }" into radiusd.conf is suggested. The subsection below can then be changed into a reference:

#	tls = ${tls}

In layman's terms, the above translates to "the tls sub-section is not here, but is instead in the top-level section called 'tls'".

If multiple tls configurations are present, they can be put into sub-sections of a top-level "tls" section. There’s no need to call them all "tls". The following can then be used:

#	tls = ${tls.site1}

to refer to the "site1" sub-section of the "tls" section.

#
#  Server-side TLS parameters for the RadSec socket above.
#
#  NOTE(review): the private key password is a placeholder and the
#  same server.pem file is used as both key and certificate.  Both
#  are fine for the test harness but must be replaced, and the key
#  file kept readable by radiusd only, before any real deployment.
#
tls {
	private_key_password = whatever
	private_key_file = ${certdir}/server.pem
	certificate_file = ${certdir}/server.pem
	#
	#  ca_file / ca_path list the CAs trusted to sign CLIENT
	#  certificates.  With "require_client_cert = yes" (below) these
	#  decide which peers may connect at all, so keep them limited to
	#  the CA(s) that actually issue RadSec client certificates.
	#
	ca_file = ${cadir}/ca.pem
	dh_file = ${certdir}/dh
#	random_file = ${certdir}/random
#	include_length = yes
	#
	#  Revocation checking is off while check_crl stays commented
	#  out; a client whose key is compromised keeps its access until
	#  its certificate expires, unless the "verify" hook below is
	#  used instead.
	#
#	check_crl = yes
	ca_path = ${cadir}
#       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
#	check_cert_cn = %{User-Name}
	#
	#  "DEFAULT" delegates cipher selection to the OpenSSL build in
	#  use.  For production, prefer an explicit list so that the set
	#  of accepted ciphers does not silently change with the library.
	#
	cipher_list = "DEFAULT"
#	make_cert_command = "${certdir}/bootstrap"

cache

Session resumption / fast re-authentication cache.

The cache contains the following information:

Session ID - unique identifier, managed by SSL
User-Name  - from the Access-Accept
Stripped-User-Name - from the Access-Request
Cached-Session-Policy - from the Access-Accept

The "Cached-Session-Policy" is the name of a policy that should be applied to the cached session. This policy can be used to assign VLANs, IP addresses, etc. It serves as a useful way to re-apply the policy from the original Access-Accept to the subsequent Access-Accept for the cached session.

On session resumption, these attributes are copied from the cache and placed into the reply list.

When using fast session resumption, set "use_tunneled_reply = yes".

#
#  Session resumption is disabled here ("enable = no").  If it is
#  turned on, the attributes listed above are replayed from the cache
#  into the reply, so "lifetime" bounds how long an old Access-Accept
#  keeps being re-applied.  "persist_dir", if enabled, stores that
#  data on disk and should not be readable by other users.
#
cache {
	enable = no
	lifetime = 24 # hours
	max_entries = 255
	#name = "TLS ${..ipaddr} ${..port} ${..proto}"
	#persist_dir = "${logdir}/tlscache"
	}

Client certificate

#
#  Connections without a client certificate chaining to ca_file /
#  ca_path are rejected.  Leave this "yes" for RadSec: the shared
#  secret "radsec" used by the clients below is a fixed, well-known
#  value, so the certificate is what actually authenticates the peer.
#
require_client_cert = yes

verify

As of version 2.1.10, client certificates can be validated via an external command. This validation allows dynamic CRLs or OCSP to be used.

This configuration is commented out in the default configuration. Uncomment and configure the correct paths below to enable it.

#
#  External verification hook (disabled).  When enabled, the client
#  certificate is apparently written to a file under "tmpdir" and the
#  "client" command is run against it.  Use a directory that only
#  radiusd can write to: a shared /tmp would let another local user
#  interfere with the file between writing and checking.
#
verify {
#	tmpdir = /tmp/radiusd
#	client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
		}	# verify
	}	# tls
}	# listen (tcp / RadSec)
#
#  Pre-accounting: every request that did not arrive via the "tls3"
#  virtual server is marked for proxying to the TLSY realm (see the
#  home_server / home_server_pool / realm TLSY definitions below).
#
preacct {
	if ("%{Virtual-Server}" != "tls3") {
		update control {
	  		Proxy-To-Realm := TLSY
		}
	}
}

#
#  Accounting requests handled locally are simply accepted.  The
#  section only returns "ok"; no accounting module (detail, sql, ...)
#  is called, so this virtual server records nothing itself.
#
accounting {
	   ok
}

}	# server TLSX


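#
#  Clients permitted on the RadSec listener ("clients = radsec" in the
#  server above).  Only the loopback address is listed; a client must
#  additionally present a certificate accepted by the listener's
#  ca_file / ca_path.
#
clients radsec {
	client 127.0.0.1 {
		ipaddr = 127.0.0.1
		proto = tls
		#
		#  "radsec" is the fixed shared secret used for RADIUS/TLS
		#  (RFC 6614).  It provides no secrecy of its own; the TLS
		#  layer does.
		#
		secret = radsec
		#
		#  Per-client connection limits.  The item is "idle_timeout",
		#  matching the listen "limit" section above; the hyphenated
		#  "idle-timeout" used previously is not the documented name
		#  and would presumably be ignored.  0 appears to disable the
		#  idle timeout (confirm against the clients docs).
		#
		limit {
		      max_connections = 32
		      lifetime = 0
		      idle_timeout = 0
		}
	}
}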

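#
#  Outbound RadSec peer used by the TLSY realm.  This server presents
#  client.pem as its identity when connecting.
#
home_server TLSY {
	ipaddr = 127.0.0.1
	port = ${next-port}
	type = acct
	#
	#  Fixed RADIUS/TLS secret (RFC 6614); authentication of the
	#  peer relies on the TLS certificates below, not on this value.
	#
	secret = radsec
	proto = tcp
	#
	#  No liveness probing: a failed peer is only noticed when a
	#  proxied request fails.  Acceptable for the test harness.
	#
	status_check = none

	#
	#  Outbound connection limits.  The item is "idle_timeout",
	#  matching the listen "limit" section above; the hyphenated
	#  "idle-timeout" used previously is not the documented name and
	#  would presumably be ignored.
	#
	limit {
	      max_connections = 32
	      lifetime = 0
	      idle_timeout = 0
	}

	#
	#  Client-side TLS parameters.  ca_file / ca_path determine which
	#  server certificates are trusted; as on the listener side,
	#  check_crl is commented out, so a revoked server certificate
	#  would still be accepted.  The placeholder key password and the
	#  combined client.pem key/certificate are for testing only.
	#
	tls {
		private_key_password = whatever
		private_key_file = ${certdir}/client.pem
		certificate_file = ${certdir}/client.pem
		ca_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		random_file = ${certdir}/random
		fragment_size = 8192
	#	include_length = yes
	#	check_crl = yes
		ca_path = ${cadir}
	#       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
	#	check_cert_cn = %{User-Name}
		#
		#  See the listener's cipher_list note: "DEFAULT" follows the
		#  OpenSSL build; pin an explicit list for production.
		#
		cipher_list = "DEFAULT"
	}

}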

#
#  Single-member fail-over pool wrapping the TLSY home server; with
#  only one member and status_check = none, there is nothing to fail
#  over to.
#
home_server_pool TLSY {
		 type = fail-over
		 home_server = TLSY
}

#
#  Realm targeted by "Proxy-To-Realm := TLSY" in preacct above.
#  Only accounting is proxied (acct_pool); no auth_pool is set.
#
realm TLSY {
      acct_pool = TLSY
}

#
#  Control socket (radmin) for this test instance.  With "mode = rw"
#  anyone who can open the socket file can alter the running server,
#  so the file's ownership and permissions (see the uid / gid items of
#  the control-socket listener) are the only access control.
#
listen {
	type = control

	socket = ${confdir}/TLSX.sock

	#
	#  Access mode.
	#
	#  This can be used to give *some* administrators access to
	#  monitor the system, but not to change it.
	#
	#	ro = read only access (default)
	#	rw = read/write access.
	#
	mode = rw
}