--- /dev/null
+# Using RadSec (RADIUS/TLS)
+
+### Make sure that libradsec is at bae5640d (or later)
+
+### Get radsecproxy built
+ cd ~/moonshot-tlv/libradsec
+ git checkout master
+ ./configure --prefix=/usr/local/moonshix=/usr/local/moonshot --enable-tls
+ make all install
+ git checkout libradsec
+
+### Configure radsecproxy like this:
+ cat > /usr/local/moonshot/etc/radsecproxy.conf << EOF
+ tls default {
+ CACertificateFile /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/01.pem
+ CertificateFile /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/02.pem
+ CertificateKeyFile /home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/private/c2key.pem
+ }
+ client 127.0.0.1 {
+ type tls
+ secret testing123
+ certificateNameCheck off
+ }
+ server 127.0.0.1 {
+ type udp
+ port 1812
+ secret testing123
+ }
+ realm * {
+ server 127.0.0.1
+ }
+ EOF
+
+### Start radsecproxy
+ /usr/local/moonshot/sbin/radsecproxy -c /usr/local/moonshot/etc/radsecproxy.conf
+
+### Configure /usr/local/moonshot/etc/radsec.conf as
+ realm gss-eap-tls {
+ type = TLS
+ cacertfile = "/home/moonshot/moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/01.pem"
+ certfile = "/home/moonshot//moonshot-tlv/libradsec/lib/tests/demoCA/newcerts/03.pem"
+ certkeyfile = "/home/moonshot//moonshot-tlv/libradsec/lib/tests/demoCA/private/c3key.pem"
+ server {
+ hostname = "localhost"
+ service = "2083"
+ secret = "testing123"
+ }
+ }
+
+Note that this adds a second "realm" called gss-eap-tls. In order to
+make mech_eap use this instead of the ordinare gss-eap, edit
+createRadiusHandle() in mech_eap/accept_sec_context.c to read
+
+ const char *configStanza = "gss-eap-tls";
+
+If you intend to switch to RadSec entirely, name the realm "gss-eap"
+in radsec.conf and don't make the change createRadiusHandle().
+
+### Test with a simple RadSec client
+ lib/examples/client /usr/local/moonshot/etc/radsec.conf gss-eap-tls
+ Code: 2, Identifier: 0, Lenght: 20
+ Good auth.
+
+### Test with gss-server and gss-client
+ ~/krb5-1.9/src/appl/gss-sample/gss-server host@moonshot-test.project-moonshot.org &
+ ~/krb5-1.9/src/appl/gss-sample/gss-client -mech "{1 3 6 1 4 1 5322 22 1 18}" -user steve@local -pass testing 127.0.0.1 host@localhost bar
+
+This should produce lots of interesting output, ending with
+
+ Received message: "bar"
+ Signature verified.
+ NOOP token