FreeRADIUS, radsec and dnssec

Alan DeKok aland at
Thu Apr 6 15:32:19 CEST 2017

On Apr 6, 2017, at 9:07 AM, Michael Schwartzkopff <ms at> wrote:
> But the DFN thinks there are still some issues with FreeRADIUS 3 so that is why 
> they advertise to use radsecproxy.

  TBH, radsecproxy is a bit easier, because it's a dedicated proxy.  And it doesn't have configuration for non-proxy functionality, because that doesn't exist.

> Basically that seems to be a good idea but the problem is, how to establish 
> mutual trust with dynamic home servers.
> Here DNSSEC and especially the TLSA RR comes into play.
> Is it possible to add trust to FreeRADIUS 3 based on a TLSA RR verified by 
> DNSSEC so my RADIUS server can trust the remote RADIUS server based on the 
> comparison of its server certificate and the according TLSA RR in DNS of the 
> home organization?

  As always, it's just code. :)

  The difficulty here is that v3 isn't really set up to do that.  The networking code has grown over time, and is pretty fixed in what it can do.  Making changes is hard.

  I've recently been making good progress in v4.  The goal there is to pull the transports (UDP, TCP, TLS, etc.) and protocols (RADIUS) out of the server core, and into plugins.  

  Once that's done, adding a new transport should be pretty simple.  Just write transport-specific code, and hand it off to the rest of the server for RADIUS processing.

> I know establishing this kind of mutual trust works well for e-mail systems. 
> The system is called DANE. See RFC 7671 for detailed information about DANE.
> Basically the short version of this mail would be: Can the FreeRADIUS 
> project add DANE authentication and verification of home servers to its 
> features?

  Yes, but it won't be quick.  I'd suggest writing up some notes on the Wiki:

  Make it as detailed as possible, so that implementation becomes straightforward.

  Alan DeKok.
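The check Michael asks for above is the DANE matching step of RFC 6698/7671: take the home server's TLS certificate (or just its SubjectPublicKeyInfo), hash it as the TLSA record's matching type says, and compare it to the association data published under the home organization's DNSSEC-signed zone. The following is an added illustration, not FreeRADIUS or radsecproxy code, of what such a verifier would do once a RADIUS/TLS connection has delivered a certificate chain. It assumes the TLSA record was already fetched and its DNSSEC validation status is known (a non-validated answer must not establish trust), uses only a tiny DER walker sufficient to locate the SPKI in an RFC 5280 certificate, and builds a structurally shaped but unsigned sample certificate so it runs offline; the names `tlsa_matches`, `tlsa_record_for`, `extract_spki` and `make_sample_cert` are hypothetical.

```python
"""DANE/TLSA matching of a RADIUS-over-TLS server certificate (RFC 6698 / RFC 7671).

Added example, not FreeRADIUS code: it shows the comparison a DANE-aware
proxy would make, given the certificate chain from the TLS handshake and a
TLSA record whose DNSSEC validation result is already known.
"""
import hashlib
import hmac

# TLSA field values from RFC 6698 section 2.1
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def der_encode(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (only used to construct the sample certificate)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def der_children(payload: bytes):
    """Yield (tag, value, raw_tlv) for each TLV inside a DER constructed value."""
    pos = 0
    while pos < len(payload):
        start = pos
        tag = payload[pos]
        pos += 1
        length = payload[pos]
        pos += 1
        if length & 0x80:                      # long-form length
            nbytes = length & 0x7F
            length = int.from_bytes(payload[pos:pos + nbytes], "big")
            pos += nbytes
        value = payload[pos:pos + length]
        pos += length
        yield tag, value, payload[start:pos]


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 layout)."""
    _, cert_body, _ = next(der_children(cert_der))          # Certificate ::= SEQUENCE
    _, tbs_body, _ = next(der_children(cert_body))          # tbsCertificate ::= SEQUENCE
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:                                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]


def tlsa_association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Derive the 'certificate association data' field for one certificate."""
    data = cert_der if selector == SELECTOR_FULL_CERT else extract_spki(cert_der)
    if mtype == MATCH_EXACT:
        return data
    if mtype == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown TLSA matching type {mtype}")


def tlsa_record_for(cert_der: bytes, usage: int, selector: int, mtype: int):
    """What the home organization would publish for this certificate."""
    return (usage, selector, mtype, tlsa_association_data(cert_der, selector, mtype))


def tlsa_matches(record, chain, dnssec_validated: bool) -> bool:
    """True if the presented chain satisfies the TLSA record.

    chain: DER certificates, end-entity first. Usages 1 and 3 bind the
    end-entity certificate; usages 0 and 2 bind a trust anchor somewhere in
    the chain. Usages 0 and 1 additionally require ordinary PKIX validation,
    which this example does not perform. A TLSA answer that did not validate
    under DNSSEC carries no trust at all and is rejected outright.
    """
    if not dnssec_validated:
        return False
    usage, selector, mtype, data = record
    if usage in (USAGE_PKIX_EE, USAGE_DANE_EE):
        candidates = chain[:1]
    elif usage in (USAGE_PKIX_TA, USAGE_DANE_TA):
        candidates = chain
    else:
        return False
    return any(hmac.compare_digest(tlsa_association_data(c, selector, mtype), data)
               for c in candidates)


RSA_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def make_sample_cert(key_bytes: bytes):
    """Constructed sample: a certificate-shaped DER blob (unsigned, placeholder
    names) so the SPKI lookup and TLSA matching can be exercised offline."""
    alg = der_encode(0x30, der_encode(0x06, RSA_OID) + der_encode(0x05, b""))
    spki = der_encode(0x30, alg + der_encode(0x03, b"\x00" + key_bytes))
    name = der_encode(0x30, b"")                                   # empty Name
    validity = der_encode(0x30, der_encode(0x17, b"170406000000Z") * 2)
    tbs = der_encode(0x30,
                     der_encode(0xA0, der_encode(0x02, b"\x02")) +   # version v3
                     der_encode(0x02, b"\x01") +                     # serialNumber
                     der_encode(0x30, der_encode(0x06, RSA_OID)) +   # signature alg
                     name + validity + name + spki)
    sig = der_encode(0x03, b"\x00" * 9)                              # dummy signature
    cert = der_encode(0x30, tbs + der_encode(0x30, der_encode(0x06, RSA_OID)) + sig)
    return cert, spki


if __name__ == "__main__":
    cert, _ = make_sample_cert(b"\x01" * 32)
    usage, sel, mt, data = tlsa_record_for(cert, USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256)
    print(f"_2083._tcp.radius.example.org. IN TLSA {usage} {sel} {mt} {data.hex()}")
    print("match:", tlsa_matches((usage, sel, mt, data), [cert], dnssec_validated=True))
```

The record printed in the usage block is the "3 1 1" form RFC 7671 recommends for self-managed services: DANE-EE, SPKI only, SHA-256. Publishing the SPKI hash rather than the full certificate lets the home organization renew the certificate without touching DNS as long as the key stays the same, which matters for a dynamic home server whose peers discover it purely via DNS.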
