What clients actually use Radius over TCP? I can't find anything out there that's widely deployed and can query a Radius server over TCP. E.g. the Cisco documentation for routers, etc. seems to indicate that they only do UDP. The reason why I'm asking - I'm looking into setting up authentication for a variety of clients, with Radius used as a transport protocol, and I'm wondering if it's worth the trouble to even think about enabling TCP, or promising I could offer TCP. Thanks, -- Florin Andrei http://florin.myip.org/
On May 3, 2016, at 8:45 PM, Florin Andrei <florin@andrei.myip.org> wrote:
What clients actually use Radius over TCP? I can't find anything out there that's widely deployed and can query a Radius server over TCP. E.g. the Cisco documentation for routers, etc. seems to indicate that they only do UDP.
Most things only do UDP.
The reason why I'm asking - I'm looking into setting up authentication for a variety of clients, with Radius used as a transport protocol, and I'm wondering if it's worth the trouble to even think about enabling TCP, or promising I could offer TCP.
Don't use TCP. Use TLS over TCP. The RADIUS over TCP RFC says this explicitly. Alan DeKok.
On 2016-05-03 17:56, Alan DeKok wrote:
On May 3, 2016, at 8:45 PM, Florin Andrei <florin@andrei.myip.org> wrote:
What clients actually use Radius over TCP? I can't find anything out there that's widely deployed and can query a Radius server over TCP. E.g. the Cisco documentation for routers, etc. seems to indicate that they only do UDP.
Most things only do UDP.
The reason why I'm asking - I'm looking into setting up authentication for a variety of clients, with Radius used as a transport protocol, and I'm wondering if it's worth the trouble to even think about enabling TCP, or promising I could offer TCP.
Don't use TCP. Use TLS over TCP. The RADIUS over TCP RFC says this explicitly.
Yup. I was looking at Radsec the other day. The problem is, if a lot of clients out there only do UDP, then Radsec is not really an option, unfortunately. I can't find even a single example of a client that can connect to a Radius server via TCP. Not custom-written clients that someone wrote specifically to do that, but devices or apps that are in fairly common use and just employ Radius for authentication. -- Florin Andrei http://florin.myip.org/
On May 3, 2016, at 9:01 PM, Florin Andrei <florin@andrei.myip.org> wrote:
I can't find even a single example of a client that can connect to a Radius server via TCP.
radclient?
Not custom-written clients that someone wrote specifically to do that, but devices or apps that are in fairly common use and just employ Radius for authentication.
RADIUS over TCP is not intended to be used by anyone. TLS is better. Alan DeKok.
On 2016-05-03 18:07, Alan DeKok wrote:
On May 3, 2016, at 9:01 PM, Florin Andrei <florin@andrei.myip.org> wrote:
I can't find even a single example of a client that can connect to a Radius server via TCP.
radclient?
Not custom-written clients that someone wrote specifically to do that, but devices or apps that are in fairly common use and just employ Radius for authentication.
RADIUS over TCP is not intended to be used by anyone. TLS is better.
I'm sorry, I wasn't clear enough. I'm not looking for a test client. I was just curious if it's worth the trouble to even think of doing anything else besides UDP, if almost everybody in the real world uses UDP. If it was a single FreeRadius frontend that I had to build, it would be simple enough - I would enable TLS when needed. But I have to build load balancers and a bunch of other infrastructure, and then I'll probably have to think beforehand about TCP vs UDP. If essentially everyone in the real world uses UDP, I'll throw a simple LVS load balancer (kernel-based) in front of everything. But if there's a substantial chance I'll stumble upon real world clients that can do anything besides UDP, then that's a different infrastructure that will have to be built (different load balancers, etc). I don't have any control over what clients will be used. I just don't have any idea what the real world Radius clients can and cannot do, that's what I'm saying. -- Florin Andrei http://florin.myip.org/
On 3 May 2016, at 18:21, Florin Andrei <florin@andrei.myip.org> wrote:
On 2016-05-03 18:07, Alan DeKok wrote:
On May 3, 2016, at 9:01 PM, Florin Andrei <florin@andrei.myip.org> wrote:
I can't find even a single example of a client that can connect to a Radius server via TCP. radclient? Not custom-written clients that someone wrote specifically to do that, but devices or apps that are in fairly common use and just employ Radius for authentication. RADIUS over TCP is not intended to be used by anyone. TLS is better.
I'm sorry, I wasn't clear enough. I'm not looking for a test client. I was just curious if it's worth the trouble to even think of doing anything else besides UDP, if almost everybody in the real world uses UDP.
Yes.
If it was a single FreeRadius frontend that I had to build, it would be simple enough - I would enable TLS when needed. But I have to build load balancers and a bunch of other infrastructure, and then I'll probably have to think beforehand about TCP vs UDP.
If essentially everyone in the real world uses UDP, I'll throw a simple LVS load balancer (kernel-based) in front of everything. But if there's a substantial chance I'll stumble upon real world clients that can do anything besides UDP, then that's a different infrastructure that will have to be built (different load balancers, etc). I don't have any control over what clients will be used.
No one uses TCP.
I just don't have any idea what the real world Radius clients can and cannot do, that's what I'm saying.
TCP is actually a pretty crap transport for RADIUS. It enforces packet ordering which you don't need, it doesn't fix the issue with only having an 8bit ID field, so you need multiple TCP sockets if you have more than 255 packets in flight, it requires a file descriptor per connection which makes scaling a pain. SCTP would have been a better choice, but at the time implementations were not mature. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
The reason why I'm asking - I'm looking into setting up authentication for a variety of clients, with Radius used as a transport protocol, and I'm wondering if it's worth the trouble to even think about enabling TCP, or promising I could offer TCP.
Moonshot technology uses RadSec specifically... That's between endpoints (clients) and their local RADIUS servers, and between RADIUS servers in the infrastructure. But that's as far as it goes and that I know. :-) With Regards Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Florin Andrei -
Stefan Paetow