Possible certificate problem

Nathan Ward lists+freeradius at daork.net
Sun Jul 3 16:21:07 CEST 2016

> On 3/07/2016, at 07:17, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
> I was ignoring your posts because they showed you hadn't done any background research,
> and i'd rather be writing code, to make FreeRADIUS better, than helping people who
> don't know how to import root CAs (under Windows‽), I mean really…

I’ve got a general comment about this thread, and I think this particular comment is a good segue. Not picking on you, Arran, though your comment certainly got me thinking for a couple of hours today.
Also, this post got a bit more ramble-y than I intended, so apologies for its length.

I’ll preface this by saying I have no problem with the FreeRADIUS list.

There is (at least in my observation) an expectation on this list of a knowledge of the RADIUS protocol, and surrounding systems (importing Windows CA certs, for example). To me and to I imagine most others on this list, these sorts of things are pretty elementary, though of course there certainly are times when I read a post and go off and do a bit of research myself - this list has brought me a great many starting points for curious learning.
It seems to me that the documentation has a similar expectation.

I’m not sure, but I don’t think that that same expectation exists on mailing lists for other open source software. It’s not clear to me whether that’s because of a decision to expect that level of knowledge, or if maybe it just seems that way because RADIUS is somewhat specialised so there are a lower % of people with high skill RADIUS/associated system knowledge (if you’re a corporate network admin, RADIUS is maybe 1% of your job, so it’s not something you’d deal with every day so there are few people with “expert” or even “good” knowledge).

The skill level expectation for participants in this list and readers of the documentation is, to me, perfectly fine. FreeRADIUS is an implementation and is used as part of a solution, so should not be held responsible for the whole solution. 
People often post on this list and it’s clear that they’ve been told to “implement RADIUS” having no idea where to start, when really what they should have been told is to implement a solution for which a RADIUS server is a component.
I do wonder whether it would be beneficial to have a more general use mailing list, maybe for beginner to medium skill level folks, where there is more expectation that we’ll have to explain things that seem to come up from time to time like in this thread. We could use this to build the wiki up - or perhaps another wiki so the FR wiki doesn’t get littered with 3rd party system mess - and start pointing users towards that.
I’d be happy to help with this, and lend advice to folks who are looking for it. I have zero experience with corporate stuff (Windows, EAP, etc.), but 13 or so years of on-and-off experience using FR in service provider environments in all manner of weird deployments.

There are what seem to be pretty good, though somewhat outdated, documents on EAP-TLS here https://freeradius.org/doc/EAPTLS.pdf, and an updated guide to some of the bits on the front page of http://deployingradius.com.
Perhaps we can look to provide documentation or guides that start at a more fundamental and whole-solution level, for example explaining what a CA certificate is for in this context, what a client certificate is for, some diagrams of how the various systems interact (i.e. step by step where/what messages are sent) etc. Perhaps vendor specific implementation details (I certainly have a number of learnings about what does/doesn’t work well), etc.

Again, I don’t think this is the responsibility of the FreeRADIUS project team, but perhaps with the right forum the community could be better at this stuff so that the core team can focus on writing code.

Nathan Ward
