1 # Using RadSec (RADIUS/TLS)
3 ### Make sure that libradsec is at bae5640d (or later)
5 ### Get radsecproxy built
6 cd ~/moonshot-tlv/libradsec
8 ./configure --prefix=/usr/local/moonshot --enable-tls
10 git checkout libradsec
12 ### Configure radsecproxy like this (the demoCA certificates and `certificateNameCheck off`, which disables peer certificate name verification, are only suitable for this local test setup):
13 cat > /usr/local/moonshot/etc/radsecproxy.conf << EOF
15 CACertificateFile /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/01.pem
16 CertificateFile /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/02.pem
17 CertificateKeyFile /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/private/c2key.pem
22 certificateNameCheck off
35 /usr/local/moonshot/sbin/radsecproxy -c /usr/local/moonshot/etc/radsecproxy.conf
37 ### Configure /usr/local/moonshot/etc/radsec.conf as
40 cacertfile = "/home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/01.pem"
41 certfile = "/home/moonshot//moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/03.pem"
42 certkeyfile = "/home/moonshot//moonshot-tlv/libradsec/lib/tests/demoCA/private/c3key.pem"
44 hostname = "localhost"
50 Note that this adds a second "realm" called gss-eap-tls. In order to
51 make mech_eap use this instead of the ordinary gss-eap, edit
52 createRadiusHandle() in mech_eap/accept_sec_context.c to read
54 const char *configStanza = "gss-eap-tls";
56 If you intend to switch to RadSec entirely, name the realm "gss-eap"
57 in radsec.conf and don't make the change to createRadiusHandle().
59 ### Test with a simple RadSec client
60 lib/examples/client /usr/local/moonshot/etc/radsec.conf gss-eap-tls
61 Code: 2, Identifier: 0, Lenght: 20
64 ### Test with gss-server and gss-client
65 ~/krb5-1.9/src/appl/gss-sample/gss-server host@moonshot-test.project-moonshot.org &
66 ~/krb5-1.9/src/appl/gss-sample/gss-client -mech "{1 3 6 1 4 1 5322 22 1 18}" -user steve@local -pass testing 127.0.0.1 host@localhost bar
68 This should produce lots of interesting output, ending with
70 Received message: "bar"