TCP/TLS - radsec / application
I've been doing some research and it seems like there has been a lot of talk about radsec and some movement on the IETF standardization front, but I'm unclear about the state of radsec within the freeradius codebase. I've downloaded the current master source as of a few days ago and successfully compiled it on CentOS 6.2 64bit. Everything seems to work save some EAP stuff that I'm not using and was able to disable around, but I can't figure out if the radsec is there and not documented or if it isn't in there at all. I'm asking because I have a specific use-case that is somewhat similar to how edu-roam is doing that I want to implement and was hoping someone can steer me in the right direction. I'm looking to implement a multi-tier radius hierarchy to deploy centralized user logins to managed network devices in a number of my managed IT customers (I'm the service provider). What I want to accomplish is something similar to: (pardon the ASCII Visio) [NAS (Typically Cisco Router/Switch)] --Standard Radius Auth--> [Onsite FreeRadius as proxy/realm selector] --Standard Radius Auth--> @customer.domain [Customer's Server (typically MS IAS/NPS) Or --TCP/TLS Radius Auth--> @service_provider.domain [Internet facing FreeRadius] --Standard Radius Auth or LDAP--> [Our backend user database (currently AD)] Right now our solution is to implement the same hierarchy but to use standard UDP radius over SSH/socat tunnels for the onsite to off-site communication. A radsec solution would be cleaner and probably more reliable. So my questions are: -Is the radsec code included in the mainline git repo? -If not, where do I get it? -If so, does anyone have any quick and dirty doc somewhere or a working example? -Am I nuts for even trying this? Jason Rohm Communications Architect SRC Technologies Inc.
Jason Rohm wrote: I'm unclear about the state of radsec within the freeradius codebase. I've downloaded the current master source as of a few days ago and successfully compiled it on CentOS 6.2 64bit. Everything seems to work save some EAP stuff that I'm not using and was able to disable around, but I can't figure out if the radsec is there and not documented or if it isn't in there at all.
-Is the radsec code included in the mainline git repo? -If not, where do I get it?
The repository code has it, I have it up and working to our federation server, where they run radiator. Over the last few weeks some bugs have surfaced, but some have been patched already and I suspect the rest of the patches should land in the repository before too long.
-If so, does anyone have any quick and dirty doc somewhere or a working example?
The docs don't plaster the word "RadSec" everywhere it is just setting the protocol on home servers or listen directives to TCP and setting some additional options, as documented in etc/raddb/sites-available/tls (in the git tree, of course) (Dealing with the cert stuff is the most fiddly part of it and will help to have openssl expertise on hand.)
-Am I nuts for even trying this?
Only if your timeline does not allow several months for performance and long-term stability testing/patching, because you'll be bleeding edge at this point.
Hi,
I've been doing some research and it seems like there has been a lot of talk about radsec and some movement on the IETF standardization front, but I'm unclear about the state of radsec within the freeradius codebase. I've downloaded the current master source as of a few days ago and successfully compiled it on CentOS 6.2 64bit. Everything seems to work save some EAP stuff that I'm not using and was able to disable around, but I can't figure out if the radsec is there and not documented or if it isn't in there at all.
the 'RADSEC' (RADIUS over TLS/TCP) support is in the master branch: git clone git://git.freeradius.org/freeradius-server.git (read http://git.freeradius.org/) the stuff you are looking for is in the 'tls' virtual server - which isnt enabled by default IIRC - so just put a link from it int sites-enabled....and read the 'tls' virtual server carefully. I am a little concerned about the 'save some EAP stuff that I'm not using and was able to disable around' - you will need to ensure that OpenSSL-devel packages are installed so that you can compile in the TLS support. once you have it running, simply get a 'CA' that your RADIUS servers all trust (I'd go for a private self-signed one) and sign the servers with it....et voila! you can now do RADSEC (oh, with the caveat that all yoru servers will have to have the TCP 2083 port open and firewalls between sites sorted out etc....but i'd assume that work would get done) alan
I am a little concerned about the 'save some EAP stuff that I'm not using and was able to disable around' - you will need to ensure that OpenSSL-devel packages are installed so that you can compile in the TLS support.
The EAP stuff was related to EAP-Pwd or something. It was a runtime problem (bug), not a compile problem. I have no use for the EAP-Pwd option in my environment and can't test, so I'll leave that to someone else to report/repair. I was able to get the TCP/TLS working as expected with the provided sample certs. Thanks for pointing me in the right direction. It was pretty simple once I saw a working example. Jason Rohm
participants (3)
-
Alan Buxey -
Brian Julin -
Jason Rohm