# Using RadSec (RADIUS/TLS)

### Make sure that libradsec is at bae5640d (or later), branch 'libradsec'

```sh
git log | egrep bae5640d || echo you need to pull
```

### Get radsecproxy built

```sh
cd ~/moonshot-tlv/libradsec
git checkout master
./configure --prefix=/usr/local/moonshot --enable-tls
make all install
git checkout libradsec
```

### Configure radsecproxy like this:

```sh
cat > /usr/local/moonshot/etc/radsecproxy.conf << EOF
tls default {
    CACertificateFile /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/01.pem
    CertificateFile /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/02.pem
    CertificateKeyFile /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/private/c2key.pem
}

client 127.0.0.1 {
    type tls
    secret testing123
    certificateNameCheck off
}

server 127.0.0.1 {
    type udp
    port 1812
    secret testing123
}

realm * {
    server 127.0.0.1
}
EOF
```

### Start radsecproxy

```sh
/usr/local/moonshot/sbin/radsecproxy -c /usr/local/moonshot/etc/radsecproxy.conf
```

### Configure /usr/local/moonshot/etc/radsec.conf as

```
realm gss-eap-tls {
    type = TLS
    cacertfile = "/home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/01.pem"
    certfile = "/home/moonshot//moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/03.pem"
    certkeyfile = "/home/moonshot//moonshot-tlv/libradsec/lib/tests/demoCA/private/c3key.pem"
    server {
        hostname = "localhost"
        service = "2083"
        secret = "testing123"
    }
}
```

Note that this adds a second "realm" called gss-eap-tls. In order to make mech_eap use this instead of the ordinary gss-eap realm, edit createRadiusHandle() in mech_eap/accept_sec_context.c to read

```c
const char *configStanza = "gss-eap-tls";
```

If you intend to switch to RadSec entirely, name the realm "gss-eap" in radsec.conf and don't make the change to createRadiusHandle().

### Test with a simple RadSec client

```sh
lib/examples/client /usr/local/moonshot/etc/radsec.conf gss-eap-tls
```

```
Code: 2, Identifier: 0, Lenght: 20
Good auth.
```
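The `Code: 2, Identifier: 0` line printed by the test client is the 20-byte header of an Access-Accept that carries no attributes. As an added example (not part of this page or of libradsec), the following Python decodes a RADIUS header and its TLV attributes with length checks, and verifies the Response Authenticator the way RFC 2865 section 3 defines it, MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret; the packet, the request authenticator and the use of the secret `testing123` from the configuration above are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}

def parse_radius(packet: bytes) -> dict:
    """Decode the 20-byte header and TLV attributes, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError(f"bad Length {length} for {len(packet)}-byte packet")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad attribute length {a_len} at offset {pos}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "name": RADIUS_CODES.get(code, "Unknown"),
            "identifier": identifier, "length": length,
            "authenticator": packet[4:20], "attributes": attrs}

def build_response(code, identifier, request_auth, secret, attrs=()):
    """Build a server reply whose Response Authenticator follows RFC 2865 section 3."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def response_authenticator_ok(response, request_auth, secret):
    """Recompute MD5(Code+ID+Length+RequestAuth+Attributes+Secret) and compare."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

# Constructed sample: a request authenticator the client would have sent, the
# secret from radsecproxy.conf above, and an attribute-less Access-Accept.
REQUEST_AUTH = bytes(range(16))
SECRET = b"testing123"
ACCEPT = build_response(2, 0, REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    info = parse_radius(ACCEPT)
    print(f"Code: {info['code']}, Identifier: {info['identifier']}, Length: {info['length']}")
    print("Good auth." if response_authenticator_ok(ACCEPT, REQUEST_AUTH, SECRET) else "Bad auth.")
```

Under RadSec the TLS session carries the real integrity protection and RFC 6614 fixes the RADIUS secret to the literal string "radsec"; the MD5 Response Authenticator is the legacy layer underneath it, which is why the secret in this setup is only a placeholder.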
### Test with gss-server and gss-client

```sh
~/krb5-1.9/src/appl/gss-sample/gss-server host@moonshot-test.project-moonshot.org &
~/krb5-1.9/src/appl/gss-sample/gss-client -mech "{1 3 6 1 4 1 5322 22 1 18}" -user steve@local -pass testing 127.0.0.1 host@localhost bar
```

This should produce lots of interesting output, ending with

```
Received message: "bar"
Signature verified.
NOOP token
```