Install the Module Files

To install the module files, change into the radsecproxy-1.11.2 directory, then build and install the package as follows:

  1. Run the following commands in order:
    cd radsecproxy-1.11.2
    ./configure
    make
    make install
    
  2. If your RadSec-enabled RADIUS server is configured with a fully qualified domain name (FQDN), add an entry to the /etc/hosts file in the following format. Otherwise, you can skip this step.
    <_RADSEC_SERVER_IP>    _RADSEC_SERVER_FQDN
    
    For example:
    123.4.5.6 myradiusserver.com
  3. Create a configuration file named radsecproxy.conf in the /etc/ directory:
    vi /etc/radsecproxy.conf
  4. Add the following content to the /etc/radsecproxy.conf file:
    # Master config file, all possible config options are listed below
     
    # First you may define any global options, these are:
    #
    # You can optionally specify addresses and ports to listen on
    # Multiple statements can be used for multiple ports/addresses
    ListenTCP       *:2083
    ListenUDP       localhost:1812
     
     
    # Optional log level. 3 is default, 1 is less, 5 is more
    LogLevel        3
     
    # Optional LogDestination, else stderr used for logging
    # Logging to file
    LogDestination      file:///var/log/radsecproxy.log
     
     
    # If we have TLS clients or servers we must define at least one tls block.
    # You can name them whatever you like and then reference them by name when
    # specifying clients or servers later. There are however three special names
    # "default", "defaultclient" and "defaultserver". If no name is defined for
    # a client, the "defaultclient" block will be used if it exists, if not the
    # "default" will be used. For a server, "defaultserver" followed by "default"
    # will be checked.
    tls default {
        # You must specify at least one of CACertificateFile or CACertificatePath
        # for TLS to work. We always verify peer certificate (client and server)
        # CACertificatePath    /etc/radsecproxy/certs
        CACertificateFile    /etc/radsecproxy/certs/CA.pem
     
        # You must specify the below for TLS, we always present our certificate
        CertificateFile      /etc/radsecproxy/certs/CERT_PEM__
        CertificateKeyFile   /etc/radsecproxy/certs/CERT_KEY__
     
        # Optionally specify password if key is encrypted (not very secure)
        # CertificateKeyPassword  "_CERT_PASS"
     
        CipherList ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-CCM
         
        TLSVersion TLS1_2:TLS1_3
    }
     
     
    # Now we configure clients, servers and realms. Note that these and
    # also the lines above may be in any order, except that a realm
    # can only be configured to use a server that is previously configured.
     
    # A realm can be a literal domain name, * which matches all, or a
    # regexp. A regexp is specified by the character prefix /
     
     
    client 127.0.0.1 {
        type    udp
        secret  radsec
    }
     
     
    server _RADIUS_SERVER {
        type    tls
        secret  radsec
        StatusServer on
    # statusserver is optional, can be on or off. Off is default
    }
     
     
    # The realm below is equivalent to /.*
    realm * {
        server _RADIUS_SERVER
    }

    Table 6-2 Field descriptions

    Entry                   Description
    CACertificateFile       CA certificate file, with its complete path, used to verify the peer's certificate
    CertificateFile         Session Monitor client certificate that this radsecproxy instance presents
    CertificateKeyFile      Private-key file for the Session Monitor client certificate specified in CertificateFile
    CertificateKeyPassword  (Optional) Password to decrypt the private key. Specify it by replacing _CERT_PASS if the key is encrypted (not very secure)
    _RADIUS_SERVER          Replace _RADIUS_SERVER with the IP address of the RadSec-enabled RADIUS server, or its domain name (FQDN)
    Secret                  Must match the secret configured on your RadSec-enabled RADIUS server. Defaults to radsec as per RFC 6614.

    Note:

    Only the above-mentioned configuration has been validated in Session Monitor lab testing. Any additional changes are considered experimental. For information on all the options available, see the official configuration file: radsecproxy.conf-example.

    WARNING:

    The name of the radius server must match the FQDN or IP address in the RADIUS server certificate.
  5. Save the changes made.
  6. Create a directory under the /etc folder to store the certificates (for example, /etc/radsecproxy/certs/).
  7. Copy all certificate files referenced in the configuration into it and set secure ownership and permissions (private keys 600, certificates/CA bundles 644 and all files owned by root:root). For example:
    $ mkdir -p /etc/radsecproxy/certs/
     
     
    # After copying, set the required permissions on all certificate files
    $ chmod 644 /etc/radsecproxy/certs/ocsm_CA.pem
    $ chmod 644 /etc/radsecproxy/certs/ocsm_client.crt
    $ chmod 600 /etc/radsecproxy/certs/ocsm_client.key
    $ chown root:root /etc/radsecproxy/certs/*
     
     
    # Verify the ownership and permissions
    $ ls -lrRt /etc/radsecproxy/certs/
    -rw-------. 1 root root 1679 Apr 17 13:06 ocsm_client.key
    -rw-r--r--. 1 root root 1281 Apr 17 13:06 ocsm_client.crt
    -rw-r--r--. 1 root root 1395 Apr 17 13:06 ocsm_CA.pem

    Note:

    Ensure the directories holding the certificates and radsecproxy.conf have secure permissions and ownership.
  8. To load radsecproxy as a systemd service, create the file: /usr/lib/systemd/system/radsecproxy.service.
    vi /usr/lib/systemd/system/radsecproxy.service
  9. Paste the following contents into the radsecproxy.service file:
    [Unit]
    Description=RADIUS proxy with RadSec support
    After=syslog.target network-online.target
    Documentation=man:radsecproxy(1)
    
    [Service]
    Type=forking
    User=root
    Group=root
    ExecStart=/usr/local/sbin/radsecproxy -c /etc/radsecproxy.conf
    ExecReload=/bin/kill -HUP $MAINPID
    ProtectSystem=full
    ProtectHome=true
    PrivateDevices=true
    PrivateTmp=true
    
    [Install]
    WantedBy=multi-user.target
  10. Reload systemd and start the radsecproxy service by running the following commands:
    systemctl daemon-reload
    systemctl enable radsecproxy
    systemctl start radsecproxy
  11. Check the radsecproxy status and verify that it is up and running:
    systemctl status radsecproxy
  12. Continue configuring RADIUS authentication as you normally would. Depending on your setup, follow the typical steps for:
    • Internal RADIUS authentication (via nginx), or
    • External RADIUS authentication (via httpd)
    During the configuration of the RADIUS authentication:
    • Use the localhost IP address 127.0.0.1 as the IP address of the RADIUS server.
    • Set radsec as the shared secret for RADIUS authentication.
    This configuration ensures that all outgoing RADIUS communication over UDP is directed to radsecproxy, which then converts it into RadSec requests over TLS.
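A post-install sanity check for the deployment built in steps 4 through 7, written as an added example (it is not part of this guide or of the radsecproxy project). It assumes the config path and certificate directory are passed as arguments; the demo fixture it builds is constructed, not a real deployment.

```shell
#!/bin/sh
# Checks a radsecproxy.conf and its certificate directory for the mistakes
# the steps above guard against: template placeholders left unedited, the
# cleartext UDP listener exposed beyond loopback, and wrong file modes.

# True if the file has exactly the given octal mode (POSIX find, no GNU stat).
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# Prints one line per finding; returns the number of findings (0 = clean).
check_radsec_deploy() {
    conf=$1; certdir=$2; issues=0
    # Template placeholders that must be replaced before the proxy starts
    # (comment lines are ignored, so the commented-out _CERT_PASS is fine).
    for ph in _RADIUS_SERVER CERT_PEM__ CERT_KEY__ _CERT_PASS; do
        if grep -v '^[[:space:]]*#' "$conf" | grep -q "$ph"; then
            echo "placeholder $ph still present in $conf"; issues=$((issues + 1))
        fi
    done
    # The UDP leg carries RADIUS in the clear; if ListenUDP is set it must stay on loopback.
    if grep -E '^[[:space:]]*ListenUDP' "$conf" | grep -qvE 'localhost|127\.0\.0\.1'; then
        echo "ListenUDP is not bound to localhost"; issues=$((issues + 1))
    fi
    # Private keys 600, certificates and CA bundles 644, as in step 7.
    for f in "$certdir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.key) want=600 ;; *) want=644 ;; esac
        has_mode "$f" "$want" || { echo "$f: expected mode $want"; issues=$((issues + 1)); }
    done
    return "$issues"
}

# Constructed demo: the template left unedited plus a world-readable key.
# Expected findings: three placeholders and one bad key mode, i.e. returns 4.
demo_bad_deploy() {
    d=$(mktemp -d); mkdir "$d/certs"
    printf 'ListenUDP localhost:1812\nserver _RADIUS_SERVER {\n  type tls\n}\n' > "$d/radsecproxy.conf"
    printf 'CertificateFile /etc/radsecproxy/certs/CERT_PEM__\n' >> "$d/radsecproxy.conf"
    printf 'CertificateKeyFile /etc/radsecproxy/certs/CERT_KEY__\n' >> "$d/radsecproxy.conf"
    printf '# CertificateKeyPassword "_CERT_PASS"\n' >> "$d/radsecproxy.conf"
    : > "$d/certs/ocsm_client.key"; chmod 644 "$d/certs/ocsm_client.key"
    : > "$d/certs/ocsm_CA.pem";     chmod 644 "$d/certs/ocsm_CA.pem"
    rc=0; check_radsec_deploy "$d/radsecproxy.conf" "$d/certs" || rc=$?
    rm -rf "$d"; return "$rc"
}
```

Run `check_radsec_deploy /etc/radsecproxy.conf /etc/radsecproxy/certs` as root after step 7; a non-zero exit code means something listed above still needs fixing.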