FreeRADIUS, radsec and dnssec
Stefan Winter
stefan.winter at restena.lu
Fri Apr 7 08:40:45 CEST 2017
Hello Michael,
> We recently had a discussion about FreeRADIUS and radsec. The DFN, which is the
> central hub for the German eduroam, wants the universities to migrate to
> radsec.
>
> But the DFN thinks there are still some issues with FreeRADIUS 3, so that is why
> they advertise to use radsecproxy.
>
> They did not tell me yet what the issues were, but as far as
> I understood they wanted to have a dynamic home server resolution based on
> realms in eduroam.
>
> Basically that seems to be a good idea, but the problem is how to establish
> mutual trust with dynamic home servers.
>
> Here DNSSEC and especially the TLSA RR comes into play.
In general, it's a good idea to consider DNSSEC for trust relationships.
For E-Mail, this is crucial because one does not know which certificate
and CA the other end uses; the trust bootstrap must come from somewhere
else.
In eduroam, however, the RADIUS/TLS trust is pre-existing because all
RADIUS servers receive server certificates from the same, one,
pre-determined CA.
Additional DNSSEC / TLSA / DANE is then not necessary: if DNS was lying
to you, then you'll end up at a host which can't present a trusted
certificate, and then the conversation ends before any payload is exchanged.
Greetings,
Stefan Winter
> Is it possible to add trust to FreeRADIUS 3 based on a TLSA RR verified by
> DNSSEC so my RADIUS server can trust the remote RADIUS server based on the
> comparison of its server certificate and the according TLSA RR in DNS of the
> home organisation?
>
> I know establishing this kind of mutual trust works well for e-mail systems.
> The system is called DANE. See RFC 7671 for detailed information about DANE.
>
> Basically, the short version of this mail would be: Can the FreeRADIUS
> project add DANE authentication and verification of home servers to its
> features?
>
> Kind regards,
>
> Michael Schwartzkopff
>
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
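The check Michael asks about, matching a peer's server certificate against a TLSA record, is mechanical once DNSSEC has validated the record; the following added example (written for this note, not code from FreeRADIUS, radsecproxy or the DFN) shows that comparison as RFC 6698 / RFC 7671 define it. It parses TLSA records in both wire and zone-file form, derives the association data for each selector and matching type, and refuses records that were not DNSSEC-validated or that use the PKIX-* usages (those would additionally need a PKIX chain check). The certificate bytes are constructed stand-ins, since a real DER certificate would need an X.509 library; the helper name `publish_tlsa` and the `chain` shape (end-entity first, each entry a `(cert_der, spki_der)` pair as a TLS stack would hand over) are assumptions of this example.

```python
"""TLSA (DANE) matching of a presented certificate chain, RFC 6698 / RFC 7671."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

# TLSA field values, RFC 6698 section 2.1
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3    # certificate usage
SEL_FULL_CERT, SEL_SPKI = 0, 1                     # selector
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2  # matching type

# Constructed stand-ins for DER-encoded certificates (NOT real X.509 data);
# a TLS library would provide the real bytes of the presented chain.
SERVER_CERT_DER = b"\x30\x82CONSTRUCTED-SERVER-CERT"
SERVER_SPKI_DER = b"\x30\x59CONSTRUCTED-SERVER-SPKI"
ISSUER_CERT_DER = b"\x30\x82CONSTRUCTED-ISSUER-CERT"
ISSUER_SPKI_DER = b"\x30\x59CONSTRUCTED-ISSUER-SPKI"
# Chain as presented by the peer: end-entity first, then its issuer(s)
CHAIN: List[Tuple[bytes, bytes]] = [(SERVER_CERT_DER, SERVER_SPKI_DER),
                                    (ISSUER_CERT_DER, ISSUER_SPKI_DER)]


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def parse_tlsa_rdata(rdata: bytes) -> TLSARecord:
    """Parse wire-format RDATA: usage(1) selector(1) matching type(1) data(n)."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return TLSARecord(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))


def to_rdata(rec: TLSARecord) -> bytes:
    return bytes([rec.usage, rec.selector, rec.matching_type]) + rec.data


def parse_tlsa_presentation(text: str) -> TLSARecord:
    """Parse the zone-file form, e.g. '3 1 1 <hex digest>' (hex may be split)."""
    usage, selector, mtype, *hexparts = text.split()
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex("".join(hexparts)))


def to_presentation(rec: TLSARecord) -> str:
    return f"{rec.usage} {rec.selector} {rec.matching_type} {rec.data.hex()}"


def association_data(cert_der: bytes, spki_der: bytes,
                     selector: int, mtype: int) -> bytes:
    """Bytes a TLSA record with this selector/matching type carries for a cert."""
    if selector == SEL_FULL_CERT:
        subject = cert_der
    elif selector == SEL_SPKI:
        subject = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == MATCH_EXACT:
        return subject
    if mtype == MATCH_SHA256:
        return hashlib.sha256(subject).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {mtype}")


def publish_tlsa(cert_der: bytes, spki_der: bytes,
                 usage: int, selector: int, mtype: int) -> TLSARecord:
    """What a home organisation would publish for one of its certificates."""
    return TLSARecord(usage, selector, mtype,
                      association_data(cert_der, spki_der, selector, mtype))


def tlsa_matches(rec: TLSARecord, chain: List[Tuple[bytes, bytes]],
                 dnssec_validated: bool) -> bool:
    """True if the presented chain satisfies the record (RFC 7671 semantics)."""
    if not dnssec_validated:
        return False          # an unsigned TLSA answer proves nothing
    if rec.usage == DANE_EE:
        candidates = chain[:1]    # only the end-entity certificate
    elif rec.usage == DANE_TA:
        candidates = chain[1:]    # an issuer in the chain must be the anchor;
                                  # path validation to it is assumed done by TLS
    else:
        return False          # PKIX-TA/PKIX-EE need PKIX validation as well
    for cert_der, spki_der in candidates:
        try:
            expected = association_data(cert_der, spki_der,
                                        rec.selector, rec.matching_type)
        except ValueError:
            return False      # unusable record: skip it, as RFC 7671 says
        if hmac.compare_digest(expected, rec.data):
            return True
    return False


if __name__ == "__main__":
    rec = publish_tlsa(SERVER_CERT_DER, SERVER_SPKI_DER, DANE_EE, SEL_SPKI, MATCH_SHA256)
    print("record:", to_presentation(rec))
    print("matches with DNSSEC:", tlsa_matches(rec, CHAIN, True))
    print("matches without DNSSEC:", tlsa_matches(rec, CHAIN, False))
```

The `dnssec_validated` flag is the part that is easy to forget: it stands for the AD bit from a validating resolver (or local validation of the RRSIG chain), and without it the record comparison is worthless. Stefan's point about eduroam holds against this code as well: if the presented chain does not terminate at the one agreed CA, the TLS handshake has already failed before `tlsa_matches` runs, so the record adds nothing there.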