Regarding RADIUS Authentication feature Implementation over TLS
Hello All, I would like to let me know about my requirement first. We have a project running under RADIUS under UDP that means we have an existing architecture and APIs to support all the user authentication to RADIUS server via PAP and CHAP under UDP. We are running on top of FreeBSD OS. We have used PAM module to do and implement the same. Requirement: We need the same authentication to happen over a secure network where we need to implement RADIUS TCP/TLS .I need to change my client configuration and required code changes has to be done to adapt with RADIUS server which supports RADIUS over TLS. Queries: Is there anywhere I can find Client side program for FreeRadius which supports TLS? Is the existing PAM module any version supports RADIUS over TLS? If You have any suggestion for client configuration and file changes in order to adapt RADIUS over TLS,You may share. Your reply will be much appreciated. Thanks & Regards, Javed Akhtar Technical Lead <mailto:jaakhtar@cisco.com> jaakhtar@cisco.com Tel: Cisco Systems, Inc. India cisco.com Think before you print. This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message. Please <http://www.cisco.com/web/about/doing_business/legal/cri/index.html> click here for Company Registration Information.
hi,
We have a project running under RADIUS under UDP that means we have an existing architecture and APIs to support all the user authentication to RADIUS server via PAP and CHAP under UDP.
okay
We need the same authentication to happen over a secure network where we need to implement RADIUS TCP/TLS .I need to change my client configuration and required code changes has to be done to adapt with RADIUS server which supports RADIUS over TLS.
so, RADSEC.
Is the existing PAM module any version supports RADIUS over TLS?
all you are doing is changing the transport mechanism. the basic parts of RADIUS stay exactly the same, the modules know no different (in fact, under the RADIUS TLS/TCP there is still the same old RADIUS packet, even with the same old shared secret still lurking in there! ;-)
If You have any suggestion for client configuration and file changes in order to adapt RADIUS over TLS,You may share.
just read the 'tls' virtual server module. configure with required certificate details, add your client details, restart the server and then configure the client appropriately. regarding client....I would just point the client at a local, very stripped down FR server (so its just converting the RADIUS UDP into RADIUS TLS/TCP - very very basic config... or even more basic, a local copy of radsecproxy to do the same. alan
Hello Alan, Good Afternmoon.It is good to see your reply and thank you for your valuable time.
so, RADSEC. Yes You are right it must be a RADSEC.
all you are doing is changing the transport mechanism. the basic parts of RADIUS stay exactly the same, the modules know no different (in fact, under the RADIUS TLS/TCP there is still the same old RADIUS packet, even with the same old shared secret still lurking in there! ;-) I agree with you.
just read the 'tls' virtual server module. configure with required certificate details, add your client details, restart the server and then configure the client appropriately.
Would you like to elaborate a bit .what do you mean by configuring client appropriately? What will be the client side changes?
regarding client....I would just point the client at a local, very stripped down FR server (so its just converting the RADIUS UDP into RADIUS TLS/TCP - very very basic config... or even more basic, a local copy of radsecproxy to do the same.
Is this you ment we can download thye pakage of radsecproxy and will use the same as client side program? & I couldn’t understnd FR server? Any opensource codebase can be helpful to download the client side code? Thanks in Advance ,It helps a lot. Javed Akhtar Technical Lead jaakhtar@cisco.com Tel: Cisco Systems, Inc. India cisco.com Think before you print. This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message. Please click here for Company Registration Information. -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+jaakhtar=cisco.com@lists.freeradius.org] On Behalf Of Alan Buxey Sent: 19 December 2016 16:00 To: Freeradius-Devel@lists.freeradius.org; freeradius-users@lists.freeradius.org Subject: Re: Regarding RADIUS Authentication feature Implementation over TLS hi,
We have a project running under RADIUS under UDP that means we have an existing architecture and APIs to support all the user authentication to RADIUS server via PAP and CHAP under UDP.
okay
We need the same authentication to happen over a secure network where we need to implement RADIUS TCP/TLS .I need to change my client configuration and required code changes has to be done to adapt with RADIUS server which supports RADIUS over TLS.
so, RADSEC.
Is the existing PAM module any version supports RADIUS over TLS?
all you are doing is changing the transport mechanism. the basic parts of RADIUS stay exactly the same, the modules know no different (in fact, under the RADIUS TLS/TCP there is still the same old RADIUS packet, even with the same old shared secret still lurking in there! ;-)
If You have any suggestion for client configuration and file changes in order to adapt RADIUS over TLS,You may share.
just read the 'tls' virtual server module. configure with required certificate details, add your client details, restart the server and then configure the client appropriately. regarding client....I would just point the client at a local, very stripped down FR server (so its just converting the RADIUS UDP into RADIUS TLS/TCP - very very basic config... or even more basic, a local copy of radsecproxy to do the same. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
just read the 'tls' virtual server module. configure with required certificate details, add your client details, restart the server and then configure the client appropriately.
Would you like to elaborate a bit .what do you mean by configuring client appropriately? What will be the client side changes?
the client is currently RADIUS over UDP - so you'll need to configure it to use TCP/TLS and set the correct certificate details (CA etc etc - its a TLS client).
regarding client....I would just point the client at a local, very stripped down FR server (so its just converting the RADIUS UDP into RADIUS TLS/TCP - very very basic config... or even more basic, a local copy of radsecproxy to do the same.
Is this you ment we can download thye pakage of radsecproxy and will use the same as client side program? & I couldn’t understnd FR server?
FR = FreeRADIUS radsecproxy is a simple program that will take UDP and turn it into TCP/TLS
Any opensource codebase can be helpful to download the client side code?
FreeRADIUS contains the client side code - it has to as it is also a client of remote RADSEC servers..... alan
Hello Alan, I have this query, I have downloaded the server program for FreeRADIUS v3.0.10 .Would you like to share the purpose of the file below: radclient.c client.c available under /src/main/ You mentioned in one of the mail saying that RADIUS server has to contain client side program too in or der to serve as a client to 0the RADIUS remote servers. Is that means that the client side files we are looking for we can get all through RADIUS server code/package? Javed Akhtar Technical Lead jaakhtar@cisco.com Tel: Cisco Systems, Inc. India cisco.com Think before you print. This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message. Please click here for Company Registration Information. -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+jaakhtar=cisco.com@lists.freeradius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: 19 December 2016 17:57 To: FreeRadius developers mailing list <freeradius-devel@lists.freeradius.org> Cc: 'FreeRadius users mailing list' <freeradius-users@lists.freeradius.org> Subject: Re: Regarding RADIUS Authentication feature Implementation over TLS Hi,
just read the 'tls' virtual server module. configure with required certificate details, add your client details, restart the server and then configure the client appropriately.
Would you like to elaborate a bit .what do you mean by configuring client appropriately? What will be the client side changes?
the client is currently RADIUS over UDP - so you'll need to configure it to use TCP/TLS and set the correct certificate details (CA etc etc - its a TLS client).
regarding client....I would just point the client at a local, very stripped down FR server (so its just converting the RADIUS UDP into RADIUS TLS/TCP - very very basic config... or even more basic, a local copy of radsecproxy to do the same.
Is this you ment we can download thye pakage of radsecproxy and will use the same as client side program? & I couldn’t understnd FR server?
FR = FreeRADIUS radsecproxy is a simple program that will take UDP and turn it into TCP/TLS
Any opensource codebase can be helpful to download the client side code?
FreeRADIUS contains the client side code - it has to as it is also a client of remote RADSEC servers..... alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Javed