FreeRADIUS Proxy+CoA+TLS
My team is evaluating freeradius if we can use it for a project. The requirements we have where we see freeradius can be a solution are the support of proxy, CoA and TLS. The network structure looks like: AP/Controller <-----LinkA-----> freeradius proxy <-----LinkB-----> cloud server LinkA uses RADIUS over UDP LinkB uses RadSec over TLS
From cloud server CoA messages will be sent over LinkB.
So far my team has verified the following working: 1 - Proxy + TLS 2 - Proxy + CoA But we are unable to verify Proxy + TLS + CoA, is this supported/possible with freeradius? If it is possible, our goal is to use the same LinkB connection/socket that was established by the first Access-Request for cloud server initiated CoA messages. Is it possible to configure the proxy to listen CoA messages via that same socket used for sending auth+acct requests? Thank you in advance for your help!
On Feb 23, 2018, at 5:39 PM, Goitom Seyoum via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
My team is evaluating freeradius if we can use it for a project. The requirements we have where we see freeradius can be a solution are the support of proxy, CoA and TLS.
FreeRADIUS does all that...
The network structure looks like:
AP/Controller <-----LinkA-----> freeradius proxy <-----LinkB-----> cloud server
LinkA uses RADIUS over UDP LinkB uses RadSec over TLS
From cloud server CoA messages will be sent over LinkB.
Nope. There's no standard which allows that. No RADIUS server implements that.
So far my team has verified the following working: 1 - Proxy + TLS 2 - Proxy + CoA
But we are unable to verify Proxy + TLS + CoA, is this supported/possible with freeradius?
It's not possible in *RADIUS*.
If it is possible, our goal is to use the same LinkB connection/socket that was established by the first Access-Request for cloud server initiated CoA messages. Is it possible to configure the proxy to listen CoA messages via that same socket used for sending auth+acct requests?
No. This was discussed in the IETF. There was no consensus about how to do this, or whether it was a good idea. That being said, we're always happy to accept patches. This might be possible without too many code changes. Alan DeKok.
participants (2)
-
Alan DeKok -
Goitom Seyoum