server TLSX {
listen {
ipaddr = *
port = ${my-port}
type = acct
proto = udp
}
listen {
ipaddr = *
port = ${my-port}
type = acct
proto = tcp
virtual_server = default
clients = radsec
limit {
max_connections = 32
lifetime = 0
idle_timeout = 30
}
tls-template
Initial implementation of RADIUS over TLS (radsec).
server TLSX
This is exactly the same configuration as used by the EAP-TLS module. It’s OK for testing but not for production. For production use, use different server certificates for EAP and for RADIUS transport: supplicants and peer RADIUS servers validate different things, and separate keys can be rotated independently, so a compromise of one does not expose the other.
If only one TLS configuration will be used for multiple sockets, then putting "tls { …}" into radiusd.conf is suggested. The subsection below can then be changed into a reference:
# tls = ${tls}
In layman’s terms, the above translates to "the tls sub-section is not here, but is instead in the top-level section called 'tls'".
If multiple tls configurations are present, they can be put into sub-sections of a top-level "tls" section. There’s no need to call them all "tls". The following can then be used:
# tls = ${tls.site1}
to refer to the "site1" sub-section of the "tls" section.
tls {
private_key_password = whatever
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
ca_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
# random_file = ${certdir}/random
# include_length = yes
# check_crl = yes
ca_path = ${cadir}
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
# check_cert_cn = %{User-Name}
cipher_list = "DEFAULT"
# make_cert_command = "${certdir}/bootstrap"
cache
Session resumption / fast re-authentication cache.
The cache contains the following information:
Session ID - unique identifier, managed by SSL
User-Name - from the Access-Accept
Stripped-User-Name - from the Access-Request
Cached-Session-Policy - from the Access-Accept
The "Cached-Session-Policy" is the name of a policy that should be applied to the cached session. This policy can be used to assign VLANs, IP addresses, etc. It serves as a useful way to re-apply the policy from the original Access-Accept to the subsequent Access-Accept for the cached session.
On session resumption, these attributes are copied from the cache and placed into the reply list.
When using fast session resumption, set "use_tunneled_reply = yes".
cache {
enable = no
lifetime = 24 # hours
max_entries = 255
#name = "TLS ${..ipaddr} ${..port} ${..proto}"
#persist_dir = "${logdir}/tlscache"
}
Client certificate
require_client_cert = yes
verify
As of version 2.1.10, client certificates can be validated via an external command, which allows dynamic CRLs or OCSP to be used. The client certificate is written to tmpdir and its path is passed to the command as %{TLS-Client-Cert-Filename}; a non-zero exit status rejects the client.
This configuration is commented out in the default configuration. Uncomment it and set the correct paths below to enable it.
verify {
# tmpdir = /tmp/radiusd
# client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
}
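As an added example, not a script shipped with FreeRADIUS, the following POSIX shell script is the kind of program that can stand behind the "client" item above and gives the "dynamic CRL" behaviour the text mentions: the CRL file is re-read on every connection, so replacing it takes effect without a restart. It assumes a PEM CA bundle and a PEM CRL; the CRL file name crl.pem, the install path /usr/local/bin/radsec-verify and the usage line below are assumptions, and openssl must be on the PATH. The matching configuration would be client = "/usr/local/bin/radsec-verify ${..ca_file} ${..ca_path}/crl.pem %{TLS-Client-Cert-Filename}".

```shell
#!/bin/sh
# radsec-verify: external client-certificate check for a FreeRADIUS
# "verify { client = ... }" hook.  Added example; not part of the
# FreeRADIUS distribution.  Usage (assumed): radsec-verify CA_FILE CRL_FILE CERT_FILE
#
# Exit status 0 means "accept"; anything else makes FreeRADIUS reject
# the TLS client.  The script fails closed: a missing or empty CA bundle,
# CRL or certificate, or a CRL whose nextUpdate has passed, all reject.

radsec_verify() {
    if [ $# -ne 3 ]; then
        echo "usage: radsec-verify CA_FILE CRL_FILE CERT_FILE" >&2
        return 2
    fi
    ca_file=$1
    crl_file=$2
    cert_file=$3

    for f in "$ca_file" "$crl_file" "$cert_file"; do
        if [ ! -s "$f" ]; then
            echo "radsec-verify: missing or empty file: $f" >&2
            return 1
        fi
    done

    # Chain the presented certificate to the trusted CA, require a purpose
    # compatible with TLS client authentication (a server-only EKU is
    # refused), and reject any certificate listed in the CRL.  openssl also
    # refuses an expired CRL, so a stale CRL is a hard failure rather than
    # a silent skip.
    if openssl verify -purpose sslclient \
            -CAfile "$ca_file" -CRLfile "$crl_file" -crl_check \
            "$cert_file" >/dev/null 2>&1; then
        return 0
    fi
    echo "radsec-verify: rejected $cert_file" >&2
    return 1
}

# Dispatch only when invoked by name, so the function can also be sourced
# and exercised on its own.
case "${0##*/}" in
    radsec-verify|radsec-verify.sh) radsec_verify "$@" ;;
esac
```

Because FreeRADIUS runs the command once per TLS handshake, the check happens before any RADIUS packet is processed, and a peer whose certificate was revoked is cut off at the next connection rather than at the next configuration reload. An OCSP responder can be queried the same way by swapping the openssl verify call for an openssl ocsp query against the issuer; the exit-status contract with FreeRADIUS is unchanged.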
}
}
preacct {
if ("%{Virtual-Server}" != "tls3") {
update control {
Proxy-To-Realm := TLSY
}
}
}
accounting {
ok
}
}
clients radsec {
client 127.0.0.1 {
ipaddr = 127.0.0.1
proto = tls
secret = radsec
limit {
max_connections = 32
lifetime = 0
idle_timeout = 0
}
}
}
home_server TLSY {
ipaddr = 127.0.0.1
port = ${next-port}
type = acct
secret = radsec
proto = tcp
status_check = none
limit {
max_connections = 32
lifetime = 0
idle_timeout = 0
}
tls {
private_key_password = whatever
private_key_file = ${certdir}/client.pem
certificate_file = ${certdir}/client.pem
ca_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
fragment_size = 8192
# include_length = yes
# check_crl = yes
ca_path = ${cadir}
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
# check_cert_cn = %{User-Name}
cipher_list = "DEFAULT"
}
}
home_server_pool TLSY {
type = fail-over
home_server = TLSY
}
realm TLSY {
acct_pool = TLSY
}
listen {
type = control
socket = ${confdir}/TLSX.sock
#
# Access mode.
#
# This can be used to give *some* administrators access to
# monitor the system, but not to change it.
#
# ro = read only access (default)
# rw = read/write access.
#
mode = rw
}