Hi all, Is it possible with free RADIUS to form tunnel directly between two radius servers which dont have any shared secret between them but knowing each other IP address. Means by forming the secret dynamically with TLS handshaking?
"kiran kumar gullapalli" <kirangullapalli@rediffmail.com> wrote:
Is it possible with free RADIUS to form tunnel directly between two radius servers which dont have any shared secret between them but knowing each other IP address. Means by forming the secret dynamically with TLS handshaking?
No. There is a spec available, though, from the RADIATOR people. They implemented something similar a few months ago. See "radsec". It's possible to implement with FreeRADIUS, but it's probably easiest to do with another daemon, that just does TLS<->RADIUS translations. Alan DeKok.
Hello,
Is it possible with free RADIUS to form tunnel directly between two radius servers which dont have any shared secret between them but knowing each other IP address. Means by forming the secret dynamically with TLS handshaking?
no, but there are some dedicated tools that form TLS tunnels and then transport TCP and UDP packets through that tunnel. I've heard of zebedee http://www.winton.org.uk/zebedee/ for example, it does explicitly state that it does UDP tunneling. Note, however, that this does not automatically do the RADIUS secret handshaking for you, you have got to do that yourself. If you want to give it a try, I'd be interested in hearing from your experiences. Greetings, Stefan Winter -- Stefan WINTER Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingénieur de recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg email: stefan.winter@restena.lu tél.: +352 424409-1 http://www.restena.lu fax: +352 422473
Stefan Winter <freeradius-users-ml@stefan-winter.de> wrote:
transport TCP and UDP packets through that tunnel. I've heard of zebedee http://www.winton.org.uk/zebedee/
I would not recommend using zedebee. They don't have integrity protection on the tunnel, which is bad. In general, home-brewed re-inventions of TLS are wrong, and should be avoided like the plague. Alan DeKok.
participants (3)
-
Alan DeKok -
kiran kumar gullapalli -
Stefan Winter