Hello Michael,
werecently had a discussion about FreeRADIUS and radsec. The DFN which ist the central hub for the German eduroam wants the universities to migrate to radsec.
But the DFN thinks there are stil some issues with FreeRADIUS 3 so that is why they advertise to use radsecproxy.
They did not tell me yet what the issues were, but as far as I understood they wanted to have a dynamic home server resolution based on realms in eduroam.
Basically that seems to be a good idea but the problem is, how to estalish mutual trust with dynamic home servers.
Here DNSSEC and especially the TLSA RR comes into play.
In general, it's a good idea to consider DNSSEC for trust relationships. For E-Mail, this is crucial because one does not know which certificate and CA the other end uses; the trust bootstrap must come from somewhere else. In eduroam however, the RADIUS/TLS trust is pre-existing because all RADIUS servers receive server certificates from the same, one, pre-determined, CA. Additional DNSSEC / TLSA / DANE is then not necessary: if DNS was lieing to you, then you'll end up at a host which can't present a trusted certificate, and then the conversation ends before any payload is exchanged. Greetings, Stefan Winter
Is it possible to add trust to FreeRADIUS 3 based on a TLSA RR verified by DNSSEC so my RADIUS server can trust the remote RADIUS server based on the comparison of its server certificate and the according TLSA RR in DNS of the home organisation?
I know establishing this kind of mutiual trust work good for e-mail systems. The system is called DANE. See RFC 7671 for detailed information about DANE.
Basically this the short version of this mail would be: Can the FreeRADIUS project add DANE authentication and verification of home servers to its features?
Mit freundlichen Grüßen,
Michael Schwartzkopff
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66