feat: add RadSec (RADIUS over TLS) support #35

@jozefrebjak

Description

Context

Duo Authentication Proxy 6.6.0 introduces RadSec (RADIUS over TLS) as a beta feature. RadSec replaces traditional unencrypted UDP RADIUS with TCP+TLS, providing encryption and mutual authentication for RADIUS traffic.

This is relevant for environments where RADIUS traffic traverses untrusted networks or where compliance requires encrypted authentication flows.

What needs to change

1. New environment variables

radius_client section (upstream connection):

| Variable | Default | Description |
|---|---|---|
| RADIUS_TRANSPORT | udp | Transport mode — udp or radsec |
| RADIUS_SSL_CA_CERTS_FILE | | Path to CA certificate(s) for TLS validation |
| RADIUS_SSL_CLIENT_CERT_FILE | | Client certificate for mTLS (optional) |
| RADIUS_SSL_KEY_PATH | | Private key for client certificate (optional) |
| RADIUS_MINIMUM_TLS_VERSION | tls1.2 | Minimum TLS version (tls1.1, tls1.2) |

radius_server_auto section (downstream listener):

| Variable | Default | Description |
|---|---|---|
| RADIUS_SERVER_TRANSPORT | udp | Transport mode — udp or radsec |
| RADIUS_SERVER_SSL_CA_CERTS_FILE | | CA cert to validate client connections |
| RADIUS_SERVER_SSL_CERT_PATH | | Server TLS certificate (PEM) |
| RADIUS_SERVER_SSL_KEY_PATH | | Server TLS private key (PEM) |
| RADIUS_SERVER_MINIMUM_TLS_VERSION | tls1.2 | Minimum TLS version |
| RADIUS_SERVER_CIPHER_LIST | | OpenSSL cipher suite restriction (optional) |

2. Init script changes (assets/01-init.sh)

  • When RADIUS_TRANSPORT=radsec:
    • Write transport=radsec to [radius_client]
    • Default port changes to 2083 (not 1812)
    • secret becomes hardcoded as radsec by Duo — skip RADIUS_SECRET requirement
    • Write TLS cert/key paths if provided
  • When RADIUS_SERVER_TRANSPORT=radsec:
    • Write transport=radsec to [radius_server_auto]
    • Default port changes to 2083
    • radius_secret_* not needed — hardcoded by Duo
    • Require RADIUS_SERVER_SSL_CERT_PATH and RADIUS_SERVER_SSL_KEY_PATH
    • Write TLS configuration options

3. Validation updates

  • RADIUS_SECRET and RADIUS_CLIENT_SECRET_1 should not be required when transport is radsec
  • RADIUS_SSL_CA_CERTS_FILE should be required when RADIUS_TRANSPORT=radsec
  • RADIUS_SERVER_SSL_CERT_PATH + RADIUS_SERVER_SSL_KEY_PATH required when RADIUS_SERVER_TRANSPORT=radsec
  • Validate TLS version values

4. Dockerfile changes

  • Expose port 2083/tcp in addition to existing ports

5. Documentation

  • Update README with RadSec environment variables and Docker Compose example with TLS cert mounts

Notes

  • RadSec is beta in Duo 6.6.0 — document this clearly
  • Only applies to images built with Duo >= 6.6.0
  • TLS certificates need to be mounted as volumes into the container
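The init-script and validation changes described in items 2 and 3, written out as an added POSIX sh example (this is not the project's assets/01-init.sh, and the file may structure things differently). It assumes RADIUS_HOST, RADIUS_PORT and RADIUS_SERVER_PORT are the existing host/port variables, that RADIUS_CLIENT_SECRET_1 backs radius_secret_1 in the server section, and that the authproxy.cfg key names mirror the environment variable names (ssl_ca_certs_file, ssl_client_cert_file, ssl_key_path, ssl_cert_path, minimum_tls_version, cipher_list). Validation functions return a status instead of exiting, so they can be tested and the script can decide how to fail:

```shell
#!/bin/sh
# Added example, not the project's assets/01-init.sh. Renders the RadSec-related
# parts of authproxy.cfg from the variables listed in the issue and applies the
# validation rules it asks for.
# Assumptions: RADIUS_HOST / RADIUS_PORT / RADIUS_SERVER_PORT are the existing
# host/port variables; RADIUS_CLIENT_SECRET_1 backs radius_secret_1; the config
# key names mirror the variable names.

# Accepts only the two values the issue lists; returns 1 for anything else.
valid_tls_version() {
  case "$1" in
    tls1.1|tls1.2) return 0 ;;
    *) return 1 ;;
  esac
}

# Upstream [radius_client] checks. Returns 1 with a message on stderr instead
# of exiting, so the caller decides what to do.
validate_radius_client() {
  [ -n "$RADIUS_HOST" ] || { echo "RADIUS_HOST is required" >&2; return 1; }
  case "${RADIUS_TRANSPORT:-udp}" in
    udp)
      # Classic RADIUS still needs the shared secret.
      [ -n "$RADIUS_SECRET" ] || { echo "RADIUS_SECRET is required for udp" >&2; return 1; }
      ;;
    radsec)
      # No shared secret, but the CA bundle used to validate the server is mandatory.
      [ -n "$RADIUS_SSL_CA_CERTS_FILE" ] || { echo "RADIUS_SSL_CA_CERTS_FILE is required for radsec" >&2; return 1; }
      # A client certificate without its private key cannot complete mTLS.
      if [ -n "$RADIUS_SSL_CLIENT_CERT_FILE" ] && [ -z "$RADIUS_SSL_KEY_PATH" ]; then
        echo "RADIUS_SSL_KEY_PATH is required with RADIUS_SSL_CLIENT_CERT_FILE" >&2; return 1
      fi
      valid_tls_version "${RADIUS_MINIMUM_TLS_VERSION:-tls1.2}" \
        || { echo "RADIUS_MINIMUM_TLS_VERSION must be tls1.1 or tls1.2" >&2; return 1; }
      ;;
    *) echo "RADIUS_TRANSPORT must be udp or radsec" >&2; return 1 ;;
  esac
}

# Downstream [radius_server_auto] checks: a RadSec listener needs its own cert and key.
validate_radius_server() {
  case "${RADIUS_SERVER_TRANSPORT:-udp}" in
    udp)
      [ -n "$RADIUS_CLIENT_SECRET_1" ] || { echo "RADIUS_CLIENT_SECRET_1 is required for udp" >&2; return 1; }
      ;;
    radsec)
      [ -n "$RADIUS_SERVER_SSL_CERT_PATH" ] && [ -n "$RADIUS_SERVER_SSL_KEY_PATH" ] \
        || { echo "RADIUS_SERVER_SSL_CERT_PATH and RADIUS_SERVER_SSL_KEY_PATH are required for radsec" >&2; return 1; }
      valid_tls_version "${RADIUS_SERVER_MINIMUM_TLS_VERSION:-tls1.2}" \
        || { echo "RADIUS_SERVER_MINIMUM_TLS_VERSION must be tls1.1 or tls1.2" >&2; return 1; }
      ;;
    *) echo "RADIUS_SERVER_TRANSPORT must be udp or radsec" >&2; return 1 ;;
  esac
}

# Prints the [radius_client] section; port defaults to 1812 for udp, 2083 for radsec.
render_radius_client() {
  validate_radius_client || return 1
  echo "[radius_client]"
  echo "host=$RADIUS_HOST"
  if [ "${RADIUS_TRANSPORT:-udp}" = radsec ]; then
    echo "port=${RADIUS_PORT:-2083}"
    echo "transport=radsec"
    echo "secret=radsec"   # the issue notes Duo fixes this value for RadSec
    echo "ssl_ca_certs_file=$RADIUS_SSL_CA_CERTS_FILE"
    if [ -n "$RADIUS_SSL_CLIENT_CERT_FILE" ]; then
      echo "ssl_client_cert_file=$RADIUS_SSL_CLIENT_CERT_FILE"
      echo "ssl_key_path=$RADIUS_SSL_KEY_PATH"
    fi
    echo "minimum_tls_version=${RADIUS_MINIMUM_TLS_VERSION:-tls1.2}"
  else
    echo "port=${RADIUS_PORT:-1812}"
    echo "secret=$RADIUS_SECRET"
  fi
}

# Prints only the transport/TLS keys of [radius_server_auto]; the existing
# radius_ip_* / radius_secret_* handling is assumed to live elsewhere in the script.
render_radius_server_tls() {
  validate_radius_server || return 1
  if [ "${RADIUS_SERVER_TRANSPORT:-udp}" = radsec ]; then
    echo "port=${RADIUS_SERVER_PORT:-2083}"
    echo "transport=radsec"
    echo "ssl_cert_path=$RADIUS_SERVER_SSL_CERT_PATH"
    echo "ssl_key_path=$RADIUS_SERVER_SSL_KEY_PATH"
    echo "minimum_tls_version=${RADIUS_SERVER_MINIMUM_TLS_VERSION:-tls1.2}"
    if [ -n "$RADIUS_SERVER_CIPHER_LIST" ]; then echo "cipher_list=$RADIUS_SERVER_CIPHER_LIST"; fi
  else
    echo "port=${RADIUS_SERVER_PORT:-1812}"
  fi
}
```

Keeping the checks in functions that return non-zero (rather than `${VAR:?}` expansions, which abort the shell) lets the script print every missing variable before giving up, and it makes the radsec/udp branching easy to exercise with constructed environments before the image is built.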
