FIPS feature

Alan DeKok aland at
Tue Apr 28 18:29:46 CEST 2009

William Rettig wrote:
> My boss has asked me to add a FIPS feature to FreeRADIUS.


> It really doesn’t amount to much at this point.  We think that FIPS mode
> requires additional two things:
> 1)       Use of HMAC-SHA1 MAC (vendor neutral)

  For... what?  The TLS methods?

> 2)       AES Key Wrap of the MSK in the Access-Accept (attribute format
> is vendor specific - but feature could be mostly generic).

  That won't be supported by most NASes, but OK.

> Is this something that could be supported moving forward?

  Sure.  Submit a patch.

> Would someone be willing to direct my efforts?

  My suggestion for the AES keywrap is to write a module that takes the
existing MSK, creates the keywrapped attributes, and then (possibly)
deletes the original MSK.

  Alan DeKok.

More information about the Freeradius-Devel mailing list