Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

RADIUS/TLS: Using radsecproxy as an add-on to an existing RADIUS server

Goals and Prerequisites

This section describes a trimmed-down installation of radsecproxy which enables it to augment any RADIUS
server with RADIUS/TLS transport. More precisely, with this setup radsecproxy will:

  • Accept requests from a RADIUS server running on the same host
  • Unconditionally forward the requests via RADIUS/TLS to an upstream server (typically a federation-level or a regional proxy server)
  • Accept requests via RADIUS/TLS from the upstream server
  • Unconditionally forward these requests to a RADIUS server running on the same host

The prerequisites for this deployment are:

  • radsecproxy version 1.4.2 or higher
  • The local RADIUS server's DEFAULT realm is configured to forward requests to the radsecproxy port on localhost.
  • The local RADIUS server has configured localhost as a client (this is typically the case).
  • The deployment requires a server certificate and a private key for that certificate to establish the RadSec connection which designates the server as an eduroam SP and IdP. For further information regarding eduroam certificates see this section.
Include Page

Sample configuration

Most of the radsecproxy configuration file is static. Therefore, a template configuration file is provided at A detailed explanation of this configuration file follows, but if you are unwilling to read it all, the comments should make the configuration file almost self-explanatory and you can start and experiment with it right after the initial installation, which is explained below.

Detailed explanation of configuration

This section goes through the template radsecproxy.conf line by line and explains the meaning of each stanza.

Code Block
ListenUDP                     localhost:11812
ListenTCP                     *:2083

Since there is a RADIUS server on the same host that occupies UDP/1812, radscproxy has to listen on a nonstandard port. It only needs to listen on the loopback device since it will only communicate with the RADIUS server on the same machine. The choice of 11812 is arbitrary and can be adapted if that port is in use. Since radsecproxy will also accept requests from an upstream RadSec-enabled server, it listens on the default TCP port for RadSec (2083) for requests from outside (the * meaning: all interfaces). If you want radsecproxy to listen only on specific interfaces, enter the interface names here. Beware: in this case you may also have to set the more exotic option SourceTCP (see the man page of radsecproxy for details).

Include Page

Client definition and request forwarding

To accept requests from the RADIUS server on localhost, this server needs to be listed as a client. That server may either use IPv4 or IPv6 for its communication, so both variants are defined. If your system is not IPv6-enabled, simply delete the stanza about client ::1. The _LOCAL_SECRET_ must match the secret which you configured in your RADIUS server for the server catering the DEFAULT realm.

Code Block
client localhost {
        type        udp
        secret      __LOCAL_SECRET__

client ::1 {
        type        udp
        secret      __LOCAL_SECRET__

To accept requests from the upstream RADIUS/TLS-enabled server, this other server needs to be listed. Replace _RADSEC_PEER_ with the hostname of your upstream server. The traditional RADIUS shared secret has no meaning in RADIUS/TLS, and must instead be statically set to "radsec" throughout eduroam. This has no security implications.

Code Block
client _RADSEC_PEER_ {
        type        TLS
        secret     radsec

To deliver requests to the local RADIUS server, this server needs to be configured. See above for the
parameter _LOCAL_SECRET_.

Code Block
server localhost {
        type         UDP
        port         1812
        secret       __LOCAL_SECRET__

This server needs to be configured to deliver requests to the upstream RadSec-enabled server. See above for
the configuration item _RADSEC_PEER_.

Code Block
server _RADSEC_PEER_ {
        type         TLS
        secret      radsec
        statusserver on

There are some known client-side misconfigurations. If they were not already caught by the local RADIUS
server, it does not make sense for the proxy to send these requests up to the eduroam infrastructure. These
requests are immediately rejected.

Note: if you need to blacklist an existing realm for some reason, you can follow the example,
copying and replacing it with the realm to be blacklisted.

Code Block
realm /myabc\.com$ {
         replymessage "Misconfigured client: default realm of Intel PRO/Wireless supplicant!"

realm /^$/ {
          replymessage "Misconfigured client: empty realm!"

Requests that are coming in from upstream and are supposed to be handled by the own RADIUS server are
listed in _OWN_REALM_. Create multiples of these stanzas if your local server serves more than one realm.

Code Block
realm /_OWN_REALM_$ {
             server localhost

The configuration stanza above will terminate all requests that end in _OWN_REALM_ but which were not caught by previous realm definitions, which prevents a possible loop. This is achieved by having the client name = localhost and the server name = localhost, and LoopPrevention enabled, which checks for this condition.

Finally, all other realms which are not to be authenticated locally are sent to the upstream RADIUS/TLS peer:

Code Block
realm * {
          server    __RADSEC_PEER__