FreeRADIUS as a general authentication system

John Dennis jdennis at
Mon Jun 22 15:57:26 CEST 2009

On 06/22/2009 05:14 AM, Lloyd wrote:
> Hi FreeRADIUS list,
> In our "system" there is a need for an authentication server. The
> required characteristics of the server are
> *) The authentication client will be a custom built one. It may be
> running on *NIX,Windows and Mac. Is it possible to write a client using
> the FreeRADIUS client library? (The client will have much more other
> functionalities, not related to authentication)
> *) Is it possible to extentd the server? As an example, in our case,
> each time a client wants to communicate with other clients, it will
> request a "session key" to the server, and the server will send the key
> to all clients which take part in the communication. (The aim of this is
> to encrypt the communication session with the new session key generated,
> so that only the clients who know the session key can decrypt the
> message) So, is it possible to introduce a key generation system as well
> as a "request interpretation" system to the FreeRADIUS server?

What you are describing in essence is Kerberos and in particular clients 
which use GSSAPI. Although FreeRADIUS can utilize Kerberos by requesting 
a TGT on behalf of an authenticating client the TGT credentials are not 
passed back to the client which is necessary to establish a session key 
and secure subsequent cooperating channels.

My general recommendation is that a KDC server is better suited to your 
needs than a radius server. Kerberos is a mature authentication system 
(it's the heart of Microsoft's AD and many other systems) and you will 
find a great deal of support for it. Another reason to use kerberos for 
the scenario you're describing is that it's hard to design a secure 
protocol, if you attempt to design a new system by extending radius 
you'll expend a lot of work and will likely come up with a result which 
has security defects. There are many examples of "I can design my own 
authentication system" which are subsequently shown to have holes in 
them like swiss cheese :-)

If you do decide to go the Kerberos route you may be interested in the 
FreeIPA project ( IPA gives you a complete Kerberos 
solution, web UI, command line utilities, backed by a commercial grade 
LDAP server (IPA is 100% open source). In addition the project has also 
just released SSSD which allows for secure offline caching of 
credentials and related identity information so there is no interruption 
if network connectivity is lost. I work on the IPA development team so 
if you have additional questions feel free to contact me off-list.

> *) Or is there a better way inplemented in FreeRADIUS to accomplish the
> above requirements?
> Thanks in advance,
> Lloyd
> ______________________________________
> Scanned and protected by Email scanner
> -
> List info/subscribe/unsubscribe? See

John Dennis <jdennis at>

Looking to carve out IT costs?

More information about the Freeradius-Users mailing list