Regarding RADIUS Authentication feature Implementation over TLS

Javed jaakhtar at cisco.com
Mon Dec 19 11:56:43 CET 2016


Hello Alan,

Good afternoon. It is good to see your reply, and thank you for your valuable time.

> so, RADSEC.
Yes, you are right, it must be RADSEC.

> all you are doing is changing the transport mechanism. the basic parts of RADIUS stay exactly the same, the modules know no different (in fact, under the RADIUS TLS/TCP there is still the same old RADIUS packet, even with the same old shared secret still lurking in there! ;-)

I agree with you.

>just read the 'tls' virtual server module. configure with required certificate details, add your client details, restart the server and then configure the client appropriately.

Would you elaborate a bit? What do you mean by configuring the client appropriately? What will be the client-side changes?


>regarding client....I would just point the client at a local, very stripped down FR server (so its just converting the RADIUS UDP into RADIUS TLS/TCP - very very basic config... or even more basic, a local copy of radsecproxy to do the same.

Do you mean that we can download the radsecproxy package and use it as the client-side program?
Also, I couldn't understand what is meant by "FR server".

Is there any open-source codebase from which we can download the client-side code?



Thanks in advance, it helps a lot.



Javed Akhtar
Technical Lead
jaakhtar at cisco.com
Cisco Systems, Inc.
India



-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+jaakhtar=cisco.com at lists.freeradius.org] On Behalf Of Alan Buxey
Sent: 19 December 2016 16:00
To: Freeradius-Devel at lists.freeradius.org; freeradius-users at lists.freeradius.org
Subject: Re: Regarding RADIUS Authentication feature Implementation over TLS

hi,

>We have a project running under RADIUS under UDP that means we have an 
>existing architecture and APIs to support all the user authentication 
>to RADIUS server via PAP and CHAP  under UDP.

okay

>We need the same authentication to happen over a secure network where 
>we need to implement RADIUS TCP/TLS  .I need to change my client 
>configuration and required code changes has to be done to adapt with 
>RADIUS server which supports RADIUS over TLS.


so, RADSEC.

>Is the existing PAM module any version supports RADIUS over TLS?

all you are doing is changing the transport mechanism. the basic parts of RADIUS stay exactly the same, the modules know no different (in fact, under the RADIUS TLS/TCP there is still the same old RADIUS packet, even with the same old shared secret still lurking in there! ;-)
 
>If You have any suggestion for client configuration and file changes in 
>order to adapt RADIUS over TLS,You may share.

just read the 'tls' virtual server module. configure with required certificate details, add your client details, restart the server and then configure the client appropriately.

regarding client....I would just point the client at a local, very stripped down FR server (so its just converting the RADIUS UDP into RADIUS TLS/TCP - very very basic config... or even more basic, a local copy of radsecproxy to do the same.

alan
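
Added example, not part of the original thread and not FreeRADIUS or radsecproxy code: a Python illustration of the point above that RADIUS over TLS still carries the unchanged RADIUS packet. It builds a PAP Access-Request whose User-Password is hidden with the shared secret (RFC 2865, section 5.2) and frames packets out of a TCP/TLS byte stream by the header Length field. The function names, user name and password are constructed for illustration; the secret "radsec" is the fixed value RFC 6614 prescribes for RADIUS/TLS.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2  # RFC 2865 code and attribute types

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16 bytes
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server, or anyone else holding the secret, does to recover the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def access_request(ident, user, password, secret, authenticator=None) -> bytes:
    """The same bytes whether they go into a UDP datagram or a TLS stream."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(USER_NAME, user) + attribute(
        USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def split_stream(buf: bytes):
    """TCP/TLS has no datagram boundaries: frame packets by the header Length field."""
    packets = []
    while len(buf) >= 4:
        (length,) = struct.unpack("!H", buf[2:4])
        if not 20 <= length <= 4096:
            raise ValueError("invalid RADIUS length field")
        if len(buf) < length:
            break                      # partial packet, wait for more bytes
        packets.append(buf[:length])
        buf = buf[length:]
    return packets, buf
```

Because the RADIUS/TLS secret is the public constant "radsec", the hiding above protects nothing on its own. Confidentiality of the PAP password comes from the TLS session and the certificate checks on both ends.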