public secret and public radius server. Is it secure?
Stefan Winter
stefan.winter at restena.lu
Tue Jun 6 09:03:12 CEST 2006
Hi,
> > In my project, I don't own the hotspots, and don't know about the
> > hotspots ISPs.
> > The hotspots communicate to the radius server through the internet.
>
> I would suggest using another method to get a secure connection to
> the hotspot. Maybe IPSec.
This is again an example where a RadSec extension would come in extremely
handy. Short wrap-up: RadSec establishes connections via TCP and TLS and
transports the RADIUS payload over it, so clients can be identified by their
TLS certificate; IPs and shared secrets become obsolete. Create a dedicated CA
for your servers, then whoever tries to connect can be checked against your
CA root.
Make the hotspots talk RadSec and let them communicate with your FR server via
this link.
The only open problem is: right now there is only one implementation of RadSec
in OSC's Radiator, and it could be better coded and more advanced.
I am working on a formal specification of RadSec right now, of which I hope it
will somehow find a way into the Informational RFC track. There is a lot more
potential in it than the OSC Whitepaper suggests.
It would be really great to get an implementation of this in FR.
Greetings,
Stefan Winter
--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
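
The mechanism described in the message above, as an added example that is not part of the original post and is not FreeRADIUS or Radiator code: a TLS server context that rejects clients without a certificate from the dedicated CA, plus the framing needed to carry RADIUS packets over a TCP stream. Function names, file arguments, the client name and the sample packets are assumptions constructed for illustration.

```python
import ssl
import struct

RADIUS_HEADER_LEN = 20   # code(1) + id(1) + length(2) + authenticator(16), RFC 2865
RADIUS_MAX_LEN = 4096    # largest packet RFC 2865 allows


def radsec_server_context(ca_file=None, cert_file=None, key_file=None):
    """Server-side TLS context that refuses clients without a certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED          # handshake fails without a client cert
    if ca_file:                                  # trust only the dedicated CA, not system roots
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def client_name(peer_cert):
    """Pick the client identity from ssl.SSLSocket.getpeercert() output."""
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def split_radius_packets(buffer):
    """Cut a TCP byte stream into whole RADIUS packets; return (packets, rest)."""
    packets = []
    while len(buffer) >= RADIUS_HEADER_LEN:
        (length,) = struct.unpack_from("!H", buffer, 2)
        if not RADIUS_HEADER_LEN <= length <= RADIUS_MAX_LEN:
            raise ValueError("invalid RADIUS length field, drop the connection")
        if len(buffer) < length:
            break                                # wait for more bytes
        packets.append(buffer[:length])
        buffer = buffer[length:]
    return packets, buffer


# Constructed sample: two Access-Request packets and a truncated third.
PKT_A = struct.pack("!BBH16s", 1, 7, 20, bytes(16))
PKT_B = struct.pack("!BBH16s", 1, 8, 27, bytes(16)) + b"\x01\x07alice"
SAMPLE_STREAM = PKT_A + PKT_B + PKT_A[:10]
SAMPLE_CERT = {"subject": ((("commonName", "hotspot-17.example"),),)}

if __name__ == "__main__":
    print(split_radius_packets(SAMPLE_STREAM), client_name(SAMPLE_CERT))
```

Because TCP delivers a byte stream rather than datagrams, the length field in each RADIUS header is the only packet boundary, so an out-of-range value is treated as a reason to close the connection.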