The FreeRADIUS server has native TLS support, and it can also be used behind an stunnel proxy that terminates TLS and relays the TCP packets to FreeRADIUS. Refer to the stunnel-specific configuration for details.
[radius]
accept = 61514
connect = 1812
61514 is the SSL port configured on the device. The FreeRADIUS server has a sites-available directory containing the inner-tunnel file, whose listen section defines where the server accepts incoming requests. When stunnel is used as a proxy and FreeRADIUS runs on the same machine, the inner-tunnel configuration is as follows.
[root@rhel-105-201 sites-available]# vim inner-tunnel
listen {
    ipaddr = 127.0.0.1
    proto = tcp
    port = 1812
    type = auth+acct
}
The IP address is the local loopback because FreeRADIUS and stunnel run on the same machine and FreeRADIUS receives the relayed requests from stunnel. If stunnel is not running on the same machine, the appropriate device IP address is used instead of the loopback. When using the FreeRADIUS server with direct TLS support, inner-tunnel has the following configuration.
server inner-tunnel {
    listen {
        ipaddr = 10.24.12.65
        port = 2083
        type = auth+acct
        proto = tcp
        tls {
            private_key_file = /root/tmanicka/NI/radius/rsakey2048.pem
            certificate_file = /root/tmanicka/NI/radius/rsacert2048_days1095_sha256_SAN.pem
            ca_file = /root/tmanicka/NI/radius/rsacert2048_days1095_sha256_SAN.pem
        }
    }
}
The IP address is the management IP of the device, and the port is the TLS port configured on the device.
When using the stunnel proxy, the certificates and private key are imported in stunnel.conf, because stunnel is the TLS server. When using direct TLS with FreeRADIUS, the certificates and private key are imported via the inner-tunnel file instead.
Note
All certificate chain validation steps and certificate-related parameters remain the same as in Syslog over TLS.

The FreeRADIUS server contains a file client.conf which is updated with the client IP address and the same shared secret configured on the device. When using stunnel as a proxy, client.conf should have an entry such as the following.
client localhost {
    ipaddr = 127.0.0.1
    secret = Pass@123
    proto = tcp
    require_message_authenticator = no
    nastype = "other"
}
The name of the client entry is not important, but ipaddr, secret and proto must be correct. The ipaddr is the local loopback or the IP of the machine hosting stunnel, secret is the shared secret configured on the device, and proto must be tcp because the default protocol for RADIUS is UDP.
When using the native TLS support in FreeRADIUS, client.conf is as follows.
client radsec {
    ipaddr = 10.24.12.65
    secret = Pass@123
    proto = tcp
    require_message_authenticator = no
    nastype = "other"
}
Note
Whether using the stunnel proxy or direct TLS with RADIUS, ipaddr can be set to the wildcard "*" to accept any client address.
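Added example (not part of this page or of FreeRADIUS) that cross-checks the three fragments above for the stunnel relay case: the [radius] section of stunnel.conf, the inner-tunnel listen block and the client entry. It assumes the files are parsed as flat text with a single-level block and that stunnel.conf has no global options before [radius]; it also flags require_message_authenticator = no, since Message-Authenticator enforcement is then left off.

```python
# Added example (not from the page or FreeRADIUS): cross-check stunnel, listen and client.
import re
from configparser import ConfigParser

# Constructed samples mirroring the fragments above; assumes stunnel.conf
# carries no global options before [radius] (ConfigParser needs a section).
STUNNEL_CONF = "[radius]\naccept = 61514\nconnect = 1812\n"
INNER_TUNNEL = ("listen {\n  ipaddr = 127.0.0.1\n  proto = tcp\n"
                "  port = 1812\n  type = auth+acct\n}\n")
CLIENTS_CONF = ("client localhost {\n  ipaddr = 127.0.0.1\n  secret = Pass@123\n"
                "  proto = tcp\n  require_message_authenticator = no\n"
                '  nastype = "other"\n}\n')

def parse_block(text, keyword):
    """Key/value pairs of the first single-level `keyword ... { }` block."""
    m = re.search(keyword + r"[^{]*\{([^}]*)\}", text)
    if not m:
        raise ValueError("no %s block found" % keyword)
    kv = {}
    for line in m.group(1).splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            kv[k.strip()] = v.strip().strip('"')
    return kv

def parse_stunnel(text):
    """accept/connect ports of the [radius] service in stunnel.conf."""
    cp = ConfigParser()
    cp.read_string(text)
    return {k: cp.get("radius", k) for k in ("accept", "connect")}

def check_relay(stunnel_text, inner_text, clients_text):
    """Return findings; an empty list means consistent and hardened."""
    st = parse_stunnel(stunnel_text)
    listen = parse_block(inner_text, "listen")
    client = parse_block(clients_text, "client")
    findings = []
    if st["connect"] != listen.get("port"):
        findings.append("stunnel connect=%s but FreeRADIUS listens on %s"
                        % (st["connect"], listen.get("port")))
    for name, blk in (("listen", listen), ("client", client)):
        if blk.get("proto") != "tcp":
            findings.append("%s proto must be tcp (RADIUS defaults to UDP)" % name)
    # stunnel is on the same host as on the page, so the client is the loopback
    if client.get("ipaddr") not in (listen.get("ipaddr"), "*"):
        findings.append("client ipaddr does not match the relay source address")
    if client.get("require_message_authenticator") != "yes":
        findings.append("require_message_authenticator is not yes: "
                        "Message-Authenticator is not enforced")
    return findings
```

Run check_relay on the real files' contents to confirm the stunnel connect port, the listen port and the client proto line up before restarting the services.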