Because this connection continues to use RadSec, we still have to request several files from Camford University, namely the Certificate Authority (CA) file for Camford (ca.pem), and the Client Certificate (client.pem) and private key (client.key) for use with their Moonshot IdP.
Preparing the certificates
If Camford University used our instructions, the Client Certificate and its private key are already in the same file, client.pem.
If Camford University sent us three files, we'll create a combined file of the Client Certificate and its private key:
Verify that the client.pem file starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END ENCRYPTED PRIVATE KEY-----".
Storing the certificates
Because the certificates are only used by FreeRADIUS, it is best if you store the certificates in FreeRADIUS' certs directory.
Be aware that running the make destroycerts command in the FreeRADIUS certs directory will also erase these certificates!
Rename the files from ca.pem and client.pem to an easily recognisable name, such as camford_moonshot_ca.pem and camford_moonshot_client.pem.
Then make sure they are readable by members of the FreeRADIUS group.
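The two checks asked for above (certificate first and private key last in the combined file, and readable by the FreeRADIUS group) can be scripted. This is an added example, not part of the Moonshot instructions; the file and group names passed to it are assumptions, and it additionally refuses a key file that is world-readable.

```sh
#!/bin/sh
# Added example (not from the original page): sanity-check a combined
# client.pem before handing it to FreeRADIUS.

# pem_layout_ok FILE
# Returns 0 when FILE begins with a CERTIFICATE block, ends with a private
# key block (encrypted or plain) and contains exactly one private key.
pem_layout_ok() {
  f="$1"
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
  first=$(grep -v '^[[:space:]]*$' "$f" | head -n 1)
  last=$(grep -v '^[[:space:]]*$' "$f" | tail -n 1)
  nkeys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----$' "$f" || true)
  case "$first" in
    '-----BEGIN CERTIFICATE-----') ;;
    *) echo "$f: does not start with a certificate" >&2; return 1 ;;
  esac
  case "$last" in
    '-----END ENCRYPTED PRIVATE KEY-----'|'-----END PRIVATE KEY-----'|\
    '-----END RSA PRIVATE KEY-----'|'-----END EC PRIVATE KEY-----') ;;
    *) echo "$f: does not end with a private key" >&2; return 1 ;;
  esac
  [ "$nkeys" -eq 1 ] || { echo "$f: expected 1 private key, found $nkeys" >&2; return 1; }
  return 0
}

# pem_perms_ok FILE GROUP
# Returns 0 when FILE belongs to GROUP (e.g. freerad on Debian/Ubuntu,
# radiusd on RedHat; assumption), is group-readable and not world-readable.
pem_perms_ok() {
  f="$1"; want="$2"
  set -- $(ls -ld "$f") || return 1   # $1 = mode string, $4 = group name
  mode="$1"; grp="$4"
  [ "$grp" = "$want" ] || { echo "$f: group is $grp, want $want" >&2; return 1; }
  case "$mode" in
    ????r*) ;;                         # 5th character: group read bit
    *) echo "$f: not readable by group $want" >&2; return 1 ;;
  esac
  case "$mode" in
    ???????r*) echo "$f: private key is world-readable" >&2; return 1 ;;  # 8th: other read bit
  esac
  return 0
}
```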
On Debian/Ubuntu:
On RedHat/CentOS/Scientific Linux:
FreeRADIUS configuration
In the FreeRADIUS configuration, we can define a single file that contains everything about the RadSec connection to the Moonshot IdP:
Create a new file in the FreeRADIUS sites-available directory (/etc/raddb/sites-available on RedHat/CentOS/Scientific Linux, /etc/freeradius/sites-available on Debian/Ubuntu) called camford_moonshotidp with the below contents:
If you stored the certificates for the Moonshot IdP somewhere else, you must adjust the private_key, certificate_file and ca_file entries with appropriate paths. The ${certdir} and ${ca_dir} directives refer to the FreeRADIUS certs directory.
To enable this configuration, it needs to be linked into the FreeRADIUS sites-enabled directory:
On Debian/Ubuntu:
On RedHat/CentOS/Scientific Linux:
Restart FreeRADIUS
You should now try a test to check that the connection is functional.