[#4274] Update FreeRADIUS server doc

author Francis Dupont <fdupont@isc.org>

Tue, 27 Jan 2026 01:08:50 +0000 (02:08 +0100)

committer Francis Dupont <fdupont@isc.org>

Mon, 9 Feb 2026 21:05:47 +0000 (22:05 +0100)
author Francis Dupont <fdupont@isc.org>
Tue, 27 Jan 2026 01:08:50 +0000 (02:08 +0100)
committer Francis Dupont <fdupont@isc.org>
Mon, 9 Feb 2026 21:05:47 +0000 (22:05 +0100)
diff --git a/changelog_unreleased/4274-implement-radius-over-tls b/changelog_unreleased/4274-implement-radius-over-tls

new file mode 100644 (file)

index 0000000..38e5445
--- /dev/null
+++ b/changelog_unreleased/4274-implement-radius-over-tls
@@ -0,0 +1,3 @@
+[func]         fdupont
+       Implemented RADIUS/TLS in the RADIUS hook library.
+       (Gitlab #4274)
diff --git a/doc/sphinx/arm/ext-radius.rst b/doc/sphinx/arm/ext-radius.rst

index 336864c10a69f2894712aa88bfc9867cf1433db2..33decaecaf04ed65f39bc2d78bde5aee00977fea 100644 (file)
--- a/doc/sphinx/arm/ext-radius.rst
+++ b/doc/sphinx/arm/ext-radius.rst
@@ -616,6 +616,16 @@ set it up to enable basic functionality in Kea.
     - ``/etc/radius-config/mods-config/files/accounting``
     - ``/etc/freeradius/3.0/mods-config/files/accounting``
  
+8. When RADIUS/TLS is used it is a good idea to bind the TLS credentials
+   with the client identity. This can be done using:
+
+   ::
+
+      check_cert_cn = %{User-Name}
+
+   which matches the Common Name of the TLS client (i.e. Kea) certificate
+   with the RADIUS User-Name.
+
  .. _radius-lease-allocation:
  
  RADIUS Workflows for Lease Allocation
author	Francis Dupont <fdupont@isc.org>
	Tue, 27 Jan 2026 01:08:50 +0000 (02:08 +0100)
committer	Francis Dupont <fdupont@isc.org>
	Mon, 9 Feb 2026 21:05:47 +0000 (22:05 +0100)
changelog_unreleased/4274-implement-radius-over-tls	[new file with mode: 0644]	patch \| blob
doc/sphinx/arm/ext-radius.rst		patch \| blob \| blame \| history