freeradius-client with IPv6 and DTLS
nmav at gnutls.org
Wed Dec 24 06:27:04 CET 2014
On Tue, 2014-12-23 at 11:13 -0500, Alan DeKok wrote:
> > Unrelated:
> > If I can mention a small omission in the DTLS rfc is that it doesn't
> > specify a key purpose in the certificates to be used for radius. For web
> > servers the "TLS WWW server authentication" OID is used in extended key
> > usage, but there is no equivalent for DTLS radius servers.
> The "TLS WWW server authentication” OID is not required by RADIUS. Microsoft requires it for their clients, which is annoying.
> I’m not sure there’s a major benefit to adding an OID specifically for RADIUS authentication.
The reason for different key purposes is to prevent cross-protocol
attacks, i.e., someone forwarding the radius packets to another service
on the same host. This is particularly dangerous with text-based
protocols like SMTP and HTTP and a common CA signing all services.
Requiring "TLS WWW server authentication" in a radius server certificate
is of course wrong as it defeats that purpose.
More information about the Freeradius-Devel