RadSec (RADIUS over TLS) is something for the future. It is not currently recommended, so don't worry about it for now.
clients.conf:
# Named list of the RadSec peers allowed to connect over TLS. A listen section
# selects this list by name with "clients = radsec".
#
# "secret = radsec" is the fixed shared secret that RadSec (RFC 6614) uses.
# It is public knowledge and authenticates nothing: the peer's identity rests
# on TLS certificate validation and on the ipaddr match below.
clients radsec {
	client roaming0.govroam.uk {
		ipaddr = 212.219.190.139
		proto = tls
		secret = radsec
	}

	client roaming1.govroam.uk {
		ipaddr = 212.219.209.43
		proto = tls
		secret = radsec
	}

	client roaming2.govroam.uk {
		ipaddr = 212.219.247.59
		proto = tls
		secret = radsec
	}

	client roaming3.govroam.uk {
		ipaddr = 195.194.21.203
		proto = tls
		secret = radsec
	}
}
sites-available/govroam:
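# RadSec (RADIUS over TLS) listener for incoming authentication requests.
listen {
	# "*" binds every local address; limit reachability of port 2083 to the
	# federation peers at the firewall as well.
	ipaddr = *
	port = 2083
	type = auth
	# proto = tcp together with the tls section below makes this a TLS listener.
	proto = tcp
	# Only peers in the "clients radsec" list (clients.conf) are accepted.
	clients = radsec

	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs

		# Placeholder passphrase: replace it, and keep this file and the key
		# file readable only by the RADIUS service account.
		private_key_password = whatever

		# private_key_file must name the private key and certificate_file the
		# server certificate (the same pairing the home_server tls section in
		# proxy.conf uses). The leading "-" suggests a host-name prefix was
		# lost from these file names; substitute your own.
		private_key_file = ${certdir}/-key.pem
		certificate_file = ${certdir}/-server-cert.pem

		# CA that client certificates must chain to.
		ca_file = ${cadir}/radsecCA-2019.pem
		dh_file = ${certdir}/dh
		fragment_size = 1071
		include_length = yes

		# NOTE(review): "DEFAULT" defers to whatever the local OpenSSL build
		# enables, and no minimum TLS version is pinned in this section.
		# Confirm both against your policy and the federation's requirements.
		cipher_list = "DEFAULT"

		# TLS session cache.
		cache {
			enable = yes
			lifetime = 24 # hours
			max_entries = 255
		}

		# Mutual TLS: a peer that presents no certificate is refused.
		require_client_cert = yes

		# Empty: no external verification command is configured, so
		# acceptance rests on the chain to ca_file and the client list above.
		verify {
		}
	}
}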
proxy.conf:
# Catch-all realm. The leading "~" marks the name as a regular expression;
# ".+$" matches any non-empty realm, so every realmed request goes to the
# govroam pool.
realm "~.+$" {
	auth_pool = govroam
	# Forward the User-Name unchanged, realm part included.
	nostrip
}
# Pool named by "auth_pool = govroam". roaming0 is its only member on this
# page, so the balancing type has nothing to choose between yet.
home_server_pool govroam {
	home_server = roaming0
	type = client-port-balance
}
# Outbound RadSec connection to roaming0. This address also appears in
# clients.conf as roaming0.govroam.uk.
home_server roaming0 {
	ipaddr = 212.219.190.139
	port = 2083
	type = auth
	# Fixed RadSec shared secret (RFC 6614). It is public knowledge, so the
	# link is protected by the tls section below, not by this value.
	secret = radsec
	proto = tcp
	status_check = status-server

	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs

		# Placeholder passphrase: replace it, and keep this file and the key
		# file readable only by the RADIUS service account.
		private_key_password = whatever

		# Client key and certificate presented to the home server. The leading
		# "-" suggests a host-name prefix was lost from these file names.
		private_key_file = ${certdir}/-key.pem
		certificate_file = ${certdir}/-client-cert.pem

		# CA used to validate the home server's certificate.
		ca_file = ${cadir}/radsecCA-2019.pem
		dh_file = ${certdir}/dh
		random_file = ${certdir}/random
		fragment_size = 1071
		include_length = yes

		# NOTE(review): "DEFAULT" defers to whatever the local OpenSSL build
		# enables. Confirm it meets your policy and the federation's.
		cipher_list = "DEFAULT"
	}
}