tls

The following example is exactly the same configuration as used by the EAP-TLS module. It’s OK for testing, but for production use it’s a good idea to use different server certificates for EAP and for RADIUS transport.

# RADIUS/TLS (RadSec) listener: accepts authentication and accounting
# requests over TCP, wrapped in TLS, and hands them to the "default"
# virtual server.  On this page the section is split by commentary; its
# closing "}" comes after the nested tls/verify sections further down.
listen {
	# "*" is the wildcard address, i.e. the socket is bound on every
	# local interface.
	ipaddr = *
	# 2083 is the IANA-assigned port for RADIUS over TLS.
	port = 2083
	type = auth+acct
	proto = tcp
	virtual_server = default
	# Name of the "clients" section (defined later in this file) whose
	# entries are permitted to connect to this socket.
	clients = radsec
	limit {
	      max_connections = 16
	      # presumably 0 = no cap on how long a connection may live, while
	      # idle_timeout closes connections idle for that many seconds -
	      # confirm against the FreeRADIUS listen documentation.
	      lifetime = 0
	      idle_timeout = 30
	}

If there is only one TLS configuration shared by multiple sockets, then putting "tls { ... }" into radiusd.conf is suggested. The subsection below can then be changed into a reference:

#	tls = ${tls}

The above means that "the tls sub-section is not here, but is, instead, in the top-level section called 'tls'".

For multiple tls configurations, they can be placed into sub-sections of a top-level "tls" section. There’s no need to call them all "tls". The following can then be used to refer to the "site1" sub-section of the "tls" section:

#	tls = ${tls.site1}
# Server-side TLS parameters for the listener above.  These are the same
# files the EAP-TLS module example uses; for production a separate server
# certificate for RADIUS transport is advisable.
tls {
	# NOTE(review): the key passphrase sits in cleartext in this file, so
	# read access to the file should be limited to the radiusd user.
	private_key_password = whatever
	# A single PEM file carries both the private key and the certificate.
	private_key_file = ${certdir}/server.pem
	certificate_file = ${certdir}/server.pem
	# Trust anchor(s) used to validate the client certificate that
	# require_client_cert = yes (set below) demands.
	ca_file = ${cadir}/ca.pem
	dh_file = ${certdir}/dh
#	random_file = ${certdir}/random
	fragment_size = 8192
#	include_length = yes
	# Left commented: certificate revocation (CRL) checking is off in this
	# example, so a revoked client certificate would still be accepted.
	# Enable it where client certificates can be revoked.
#	check_crl = yes
	ca_path = ${cadir}
	# Optional additional checks on the presented client certificate
	# (issuer DN, and CN matched against User-Name); both disabled here.
#       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
#	check_cert_cn = %{User-Name}
	# presumably handed to OpenSSL as a cipher-list string; "DEFAULT"
	# accepts whatever the linked OpenSSL build enables by default.
	# Consider a restricted list for production - confirm against the
	# OpenSSL version in use.
	cipher_list = "DEFAULT"

Session resumption / fast reauthentication cache.

The cache contains the following information:

session Id

unique identifier, managed by SSL

User-Name

from the Access-Accept

Stripped-User-Name

from the Access-Request

Cached-Session-Policy

from the Access-Accept

The "Cached-Session-Policy" is the name of a policy that is be applied to the cached session. This policy can be used to assign VLANs, IP addresses, etc. It serves as a useful way to reapply the policy from the original Access-Accept to the subsequent Access-Accept for the cached session.

On session resumption, these attributes are copied from the cache and placed into the reply list.

When using fast session resumption, set "use_tunneled_reply = yes".

# TLS session resumption cache.  Disabled in this example; when enabled,
# the attributes described above are copied from the cache into the reply
# on resumption, so cached entries effectively carry authorization state.
cache {
	enable = no
	lifetime = 24 # hours
	max_entries = 255
	# Cache name built from the enclosing listen section's address,
	# port and protocol (${..} refers to the parent section).
	#name = "TLS ${..ipaddr} ${..port} ${..proto}"
	# NOTE(review): if persist_dir is enabled, cached sessions are written
	# to disk under ${logdir}; that directory should be writable only by
	# the radiusd user - confirm the on-disk format before relying on it.
	#persist_dir = "${logdir}/tlscache"
}

Client certificate.

# Mutual TLS: a connecting client must present a certificate that chains
# to the ca_file / ca_path configured above.
require_client_cert = yes

As of version 2.1.10, client certificates can be validated via an external command. This allows dynamic CRLs or OCSP to be used.

This configuration is commented out in the default configuration. Uncomment and configure the correct paths below to enable it.

# External client-certificate verification (commented out in this example).
# presumably the presented certificate is written under tmpdir and the
# "client" command is run against it - confirm against the docs.
verify {
	# NOTE(review): a directory under /tmp is shared with every local user;
	# prefer a directory that only the radiusd user can write to.
#	tmpdir = /tmp/radiusd
	# ${..ca_path} refers to ca_path in the enclosing tls section.
#	client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
		}
	# closes the tls section opened earlier on this page
	}
# closes the listen section opened earlier on this page
}
# Clients permitted on the RadSec listener (referenced by "clients = radsec"
# in the listen section).  Only the loopback address is allowed here.
clients radsec {
	client 127.0.0.1 {
		ipaddr = 127.0.0.1
		proto = tls
		# RFC 6614 fixes the RADIUS shared secret for RADIUS/TLS to
		# "radsec"; authentication comes from the TLS client certificate.
		secret = radsec
	}
}
# Outbound RadSec connection to a home server (here the loopback listener
# defined above), used for proxying authentication.
home_server tls {
	ipaddr = 127.0.0.1
	port = 2083
	type = auth
	# Fixed RADIUS/TLS secret per RFC 6614; see the clients section.
	secret = radsec
	proto = tcp
	# No Status-Server health checks are sent to this home server.
	status_check = none

	# Client-side TLS: this server's identity towards the home server is
	# client.pem, validated by the home server against its ca_file.
	tls {
		# NOTE(review): cleartext passphrase; restrict file permissions.
		private_key_password = whatever
		private_key_file = ${certdir}/client.pem
		certificate_file = ${certdir}/client.pem
		# Trust anchor used to validate the home server's certificate.
		ca_file = ${cadir}/ca.pem
		# Optional TLS-PSK lookup via SQL, keyed by the PSK identity; disabled.
	#	psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
		dh_file = ${certdir}/dh
		# Note: random_file is active here but commented out in the
		# listener's tls section above.
		random_file = ${certdir}/random
		fragment_size = 8192
	#	include_length = yes
		# Revocation checking of the home server's certificate is off.
	#	check_crl = yes
		ca_path = ${cadir}
	#       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
	#	check_cert_cn = %{User-Name}
		# See the listener's cipher_list comment: "DEFAULT" is permissive.
		cipher_list = "DEFAULT"
	}

}
# Pool wrapping the single "tls" home server; fail-over with one member
# means there is nothing to fail over to.
home_server_pool tls {
		 type = fail-over
		 home_server = tls
}
# Realm that proxies authentication to the "tls" pool.  Only auth_pool is
# set, so accounting for this realm is presumably not proxied here.
realm tls {
      auth_pool = tls
}