FreeRADIUS, radsec and dnssec
ms at sys4.de
Thu Apr 6 15:07:21 CEST 2017
werecently had a discussion about FreeRADIUS and radsec. The DFN which ist the
central hub for the German eduroam wants the universities to migrate to
But the DFN thinks there are stil some issues with FreeRADIUS 3 so that is why
they advertise to use radsecproxy.
They did not tell me yet what the issues were, but as far as
I understood they wanted to have a dynamic home server resolution based on
realms in eduroam.
Basically that seems to be a good idea but the problem is, how to estalish
mutual trust with dynamic home servers.
Here DNSSEC and especially the TLSA RR comes into play.
Is it possible to add trust to FreeRADIUS 3 based on a TLSA RR verified by
DNSSEC so my RADIUS server can trust the remote RADIUS server based on the
comparison of its server certificate and the according TLSA RR in DNS of the
I know establishing this kind of mutiual trust work good for e-mail systems.
The system is called DANE. See RFC 7671 for detailed information about DANE.
Basically this the short version of this mail would be: Can the FreeRADIUS
project add DANE authentication and verification of home servers to its
Mit freundlichen Grüßen,
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 230 bytes
Desc: This is a digitally signed message part.
More information about the Freeradius-Users