freeradius-client with IPv6 and DTLS

Nikos Mavrogiannopoulos nmav at
Wed Dec 24 06:27:04 CET 2014

On Tue, 2014-12-23 at 11:13 -0500, Alan DeKok wrote:

> > Unrelated: 
> > If I can mention a small omission in the DTLS rfc is that it doesn't
> > specify a key purpose in the certificates to be used for radius. For web
> > servers the "TLS WWW server authentication" OID is used in extended key
> > usage, but there is no equivalent for DTLS radius servers.
>   The "TLS WWW server authentication” OID is not required by RADIUS.  Microsoft requires it for their clients, which is annoying.
>   I’m not sure there’s a major benefit to adding an OID specifically for RADIUS authentication.

The reason for different key purposes is to prevent cross-protocol
attacks, i.e., someone forwarding the radius packets to another service
on the same host. This is particularly dangerous with text-based
protocols like SMTP and HTTP and a common CA signing all services.
Requiring "TLS WWW server authentication" in a radius server certificate
is of course wrong as it defeats that purpose. 


More information about the Freeradius-Devel mailing list