Add testing/radsec.

diff --git a/testing/radsec.mdwn b/testing/radsec.mdwn
new file mode 100644 (file)
index 0000000..b0b4c5e
--- /dev/null
+++ b/testing/radsec.mdwn
@@ -0,0 +1,72 @@
+# Using RadSec (RADIUS/TLS)
+
+### Make sure that libradsec is at bae5640d (or later)
+
+### Get radsecproxy built
+    cd ~/moonshot-tlv/libradsec
+    git checkout master
+    ./configure --prefix=/usr/local/moonshix=/usr/local/moonshot --enable-tls
+    make all install
+    git checkout libradsec
+
+### Configure radsecproxy like this:
+    cat > /usr/local/moonshot/etc/radsecproxy.conf << EOF
+    tls default {
+        CACertificateFile   /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/01.pem
+        CertificateFile     /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/02.pem
+        CertificateKeyFile  /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/private/c2key.pem
+    }
+    client 127.0.0.1 {
+        type    tls
+        secret  testing123
+        certificateNameCheck off
+    }
+    server 127.0.0.1 {
+        type    udp
+        port    1812
+        secret  testing123
+    }
+    realm * {
+        server 127.0.0.1
+    }
+    EOF
+
+### Start radsecproxy
+    /usr/local/moonshot/sbin/radsecproxy -c /usr/local/moonshot/etc/radsecproxy.conf
+
+### Configure /usr/local/moonshot/etc/radsec.conf as
+       realm gss-eap-tls {
+               type = TLS
+               cacertfile = "/home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/01.pem"
+               certfile = "/home/moonshot//moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/03.pem"
+               certkeyfile = "/home/moonshot//moonshot-tlv/libradsec/lib/tests/demoCA/private/c3key.pem"
+               server {
+                       hostname = "localhost"
+                       service = "2083"
+                       secret = "testing123"
+               }
+       }
+
+Note that this adds a second "realm" called gss-eap-tls.  In order to
+make mech_eap use this instead of the ordinare gss-eap, edit
+createRadiusHandle() in mech_eap/accept_sec_context.c to read 
+
+       const char *configStanza = "gss-eap-tls";
+
+If you intend to switch to RadSec entirely, name the realm "gss-eap"
+in radsec.conf and don't make the change createRadiusHandle().
+
+### Test with a simple RadSec client
+    lib/examples/client /usr/local/moonshot/etc/radsec.conf gss-eap-tls
+        Code: 2, Identifier: 0, Lenght: 20
+       Good auth.
+
+### Test with gss-server and gss-client
+    ~/krb5-1.9/src/appl/gss-sample/gss-server host@moonshot-test.project-moonshot.org &
+    ~/krb5-1.9/src/appl/gss-sample/gss-client -mech "{1 3 6 1 4 1 5322 22 1 18}" -user steve@local -pass testing  127.0.0.1 host@localhost bar
+
+This should produce lots of interesting output, ending with
+
+       Received message: "bar"
+       Signature verified.
+       NOOP token