Setting Up FreeRADIUS TLS

The following is an example setup configuration of FreeRADIUS as a RADIUS TLS server.

  1. Edit the CA config file (ca.cnf) in /etc/freeradius/3.0/certs (otherwise /etc/raddb/certs) to have key usage:
    	subjectKeyIdentifier    = hash
    	authorityKeyIdentifier  = keyid:always,issuer:always
    	basicConstraints        = critical,CA:true
    	#crlDistributionPoints  = URI:
    	keyUsage = cRLSign, keyCertSign, digitalSignature
    	extendedKeyUsage = OCSP Signing
    	noCheck = yes


    ExtremeXOS requires key usage for a CA certificate.
  2. Edit the file /etc/freeradius/3.0/certs/xpextensions with the OCSP server address:
    [ xpserver_ext]
    	extendedKeyUsage =
    	authorityKeyIdentifier = keyid,issuer 
    	authorityInfoAccess = OCSP;URI:


    Use the IP address of the machine on which the OCSP server runs. This can be the same machine that runs FreeRADIUS. A DNS name can be used instead of the IP address.
  3. Run the OCSP server using the following command in the same path where the certificates and index.txt are present:
    openssl ocsp -port 2561 -text -index index.txt -CA ca.pem -rkey ca.key -rsigner ca.pem
  4. Clean up by entering make destroycerts.
  5. Create the RADIUS TLS server key and certificate by entering make server.pem.
  6. Create the ExtremeXOS switch key and certificate by entering make client.pem.
  7. Create the DH parameters by entering make dh.
  8. Enable TLS in FreeRADIUS:
    File: /etc/freeradius/3.0/sites-available/tls
    1. If you do not want the RADIUS server to authenticate ExtremeXOS, search for the require_client_cert line and set require_client_cert = no.
    2. Search for 'clients radsec' and add the ExtremeXOS switch IP:
      clients radsec {
          client {
              ipaddr =
              proto = tls
              secret = radsec
          }
      }
    3. Add a soft link for /etc/freeradius/3.0/sites-available/tls at /etc/freeradius/3.0/sites-enabled/tls by running ln -s <file>.
    4. Restart FreeRADIUS (or radiusd).

EXOS Switch Setup:

  9. Copy the ca.pem to the TFTP server.
  10. Copy the client.pem to the TFTP server.
  11. Convert the private, encrypted client key to plain format:
    openssl rsa -in client.key -out clientPlain.key
  12. Copy the clientPlain.key to the TFTP server.
  13. Install the following to the switch:
    1. Download the ca.pem as a trusted ca in the switch by entering download ssl <ip> certificate trusted-ca <file>
    2. Download the client.pem as an ssl-cert in the switch by entering download ssl <ip> certificate ssl-cert <file>
    3. Download the clientPlain.key as priv-key in the switch by entering download ssl <ip> privkey <file>
  14. Configure RADIUS or RADIUS-accounting with the TLS option.
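
The checks below are an added example, not part of the original procedure or of FreeRADIUS: run on the FreeRADIUS host before the downloads in step 13, they confirm that the CA certificate carries key usage, that client.pem verifies against ca.pem, and that the converted key is unencrypted and matches the certificate. File names follow the page; the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): checks on the files from
# steps 1-12 before they go to the TFTP server. File names follow the page;
# the function names are assumptions made for this example.

# Step 1: ExtremeXOS requires key usage on the CA certificate.
ca_key_usage_ok() {
    usage=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
            grep -A1 'X509v3 Key Usage' | tail -n 1)
    case $usage in
        *"Certificate Sign"*"CRL Sign"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Steps 5-6: the certificate must verify against ca.pem.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 11: the converted key must exist and carry no PEM encryption marker.
key_is_plain() {
    [ -s "$1" ] && ! grep -q 'ENCRYPTED' "$1"
}

# The key must be the private half of the certificate's public key.
# "-passin pass:" makes an encrypted key fail instead of prompting.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# usage: preflight ca.pem client.pem clientPlain.key
preflight() {
    rc=0
    ca_key_usage_ok "$1" || { echo "FAIL: $1 lacks keyCertSign/cRLSign"; rc=1; }
    chain_ok "$1" "$2" || { echo "FAIL: $2 does not verify against $1"; rc=1; }
    key_is_plain "$3" || { echo "FAIL: $3 is missing or still encrypted"; rc=1; }
    key_matches_cert "$3" "$2" || { echo "FAIL: $3 does not match $2"; rc=1; }
    return $rc
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Save it as a script in the certs directory and pass it ca.pem, client.pem and clientPlain.key; a non-zero exit status means at least one file should be regenerated before it is installed on the switch.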