FreeRADIUS, radsec and dnssec

Michael Schwartzkopff ms at
Thu Apr 6 15:07:21 CEST 2017


We recently had a discussion about FreeRADIUS and radsec. The DFN, which is the 
central hub for the German eduroam, wants the universities to migrate to 

But the DFN thinks there are still some issues with FreeRADIUS 3, so that is why 
they advertise to use radsecproxy.

They did not tell me yet what the issues were, but as far as 
I understood they wanted to have a dynamic home server resolution based on 
realms in eduroam.

Basically that seems to be a good idea, but the problem is how to establish 
mutual trust with dynamic home servers.

Here DNSSEC and especially the TLSA RR come into play.

Is it possible to add trust to FreeRADIUS 3 based on a TLSA RR verified by 
DNSSEC, so my RADIUS server can trust the remote RADIUS server based on the 
comparison of its server certificate and the corresponding TLSA RR in the DNS of the 
home organisation?

I know that establishing this kind of mutual trust works well for e-mail systems. 
The system is called DANE. See RFC 7671 for detailed information about DANE.

Basically, the short version of this mail would be: Can the FreeRADIUS 
project add DANE authentication and verification of home servers to its 

Kind regards,

Michael Schwartzkopff


[*] sys4 AG, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
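As an added example (not part of this message, nor FreeRADIUS or radsecproxy code), the certificate-to-TLSA comparison the question describes, in Python: the presented server certificate (or its SubjectPublicKeyInfo, selector 1) is hashed and compared with DANE-EE (usage 3) records. It assumes the TLSA owner name for a RadSec server is `_2083._tcp.<host>`, uses a constructed, unsigned certificate skeleton instead of a real one, and takes the TLSA records as input because they would have to come from a DNSSEC-validating resolver.

```python
import hashlib

def der(tag, content):
    """Encode one DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_split(buf):
    """Split DER into top-level (tag, whole_tlv, contents) triples."""
    out, i = [], 0
    while i < len(buf):
        tag, l, hlen = buf[i], buf[i + 1], 2
        if l & 0x80:                               # long-form length
            nb = l & 0x7F
            l, hlen = int.from_bytes(buf[i + 2:i + 2 + nb], "big"), 2 + nb
        out.append((tag, buf[i:i + hlen + l], buf[i + hlen:i + hlen + l]))
        i += hlen + l
    return out

def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 certificate (TLSA selector 1)."""
    fields = der_split(der_split(der_split(cert_der)[0][2])[0][2])  # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:            # optional EXPLICIT [0] version
        fields = fields[1:]
    return fields[5][1]                 # serial, sigalg, issuer, validity, subject, SPKI

def tlsa_rdata(cert_der, selector, mtype):
    """Hex association data of a TLSA RR (selector 0=cert, 1=SPKI; mtype 1=SHA-256, 2=SHA-512)."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).hexdigest()

def verify_dane_ee(server_cert_der, tlsa_records):
    """DANE-EE check: records are (usage, selector, mtype, hex) from a DNSSEC-validated answer."""
    return any(u == 3 and tlsa_rdata(server_cert_der, s, m) == h.lower()
               for u, s, m, h in tlsa_records)

def tlsa_owner_name(host, port=2083):
    """Owner name of the TLSA RRset for a RadSec (TCP/2083) server; assumed naming."""
    return f"_{port}._tcp.{host}"

def build_test_cert(pubkey_bits):
    """Constructed, unsigned X.509 skeleton for this example only (NOT a real certificate)."""
    rsa = der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b"")            # rsaEncryption
    sig = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    spki = der(0x30, der(0x30, rsa) + der(0x03, b"\x00" + pubkey_bits))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig + der(0x30, b"")
           + der(0x30, der(0x17, b"170101000000Z") * 2) + der(0x30, b"") + spki)
    return der(0x30, der(0x30, tbs) + sig + der(0x03, b"\x00" * 33))
```

A record with usage 1 (PKIX-EE) is deliberately not accepted by `verify_dane_ee`, because it only constrains a certificate that already chains to a configured CA, which is exactly what a dynamically discovered home server lacks.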
