FreeRADIUS, radsec and dnssec

Brian Julin BJulin at
Fri Apr 7 15:53:28 CEST 2017

Stefan WINTER wrote:

> In eduroam however, the RADIUS/TLS trust is pre-existing because all
> RADIUS servers receive server certificates from the same, one,
> pre-determined, CA.

This is something I'm a bit unclear on:

How do we deal with a situation where a large number of administratively
distinct realms decide to pool resources and send all requests to the same
server?  Does every change to the membership list of that group require a
new certificate to be generated to change the alternative subject names?
What does a relay do when it gets a request that DNS says should go up
an established RADSEC pipe, but that RADSEC pipe does not have a
an x509 alt subject corresponding to that realm... tear down the RADSEC pipe and
renegotiate it to look for a fresher cert, or is there an in-band mechanism
for things such as this tucked away in TLS (a spec which I have very limited
familiarity with)?
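The decision the question above turns on (can an already-established RadSec connection carry a request for a given realm, given the subjectAltName entries in the peer's certificate?) can be written down as a small check. The example below is added here and is not code from the thread, from FreeRADIUS or from eduroam. The SAN list is constructed sample data, the NAIRealm entries are represented as plain tuples rather than parsed from a real X.509 certificate, and the wildcard policy (a leading `*.` covers exactly one additional label) is an assumption made for the example, not a statement of what RFC 7585 or FreeRADIUS mandates.

```python
"""Relay-side check: does the peer certificate on an established RADIUS/TLS
connection cover the realm of the request we are about to forward?

Added illustration only. SAN values are constructed, and the wildcard
policy in realm_matches() is an assumption, not a spec citation."""


# Constructed SAN list, as a relay might extract it from a peer certificate.
# RFC 7585 carries realms in an otherName of type NAIRealm; it is modelled
# here as ("NAIRealm", value) so the example needs no X.509 library.
SAMPLE_SANS = [
    ("DNS", "radius.example.net"),
    ("NAIRealm", "example.net"),
    ("NAIRealm", "*.example.net"),
    ("NAIRealm", "partner-realm.example"),
]


def realm_matches(pattern: str, realm: str) -> bool:
    """Match one NAIRealm SAN entry against a realm.

    Assumed policy: case-insensitive exact match, or a leading '*.' wildcard
    that covers exactly one extra label ('*.example.net' covers
    'dept.example.net', not 'example.net' and not 'a.b.example.net').
    """
    pattern = pattern.lower().rstrip(".")
    realm = realm.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".example.net"
        if not realm.endswith(suffix):
            return False
        head = realm[: -len(suffix)]    # the part matched by '*'
        return bool(head) and "." not in head
    return pattern == realm


def covers_realm(sans, realm: str) -> bool:
    """True if any NAIRealm entry in the SAN list covers `realm`.
    DNS and other SAN types are deliberately ignored: a DNS name identifies
    the host, not the set of realms it is authorised to serve."""
    return any(realm_matches(value, realm)
               for kind, value in sans if kind == "NAIRealm")


def connection_reusable(sans, realm: str):
    """The relay's decision for an existing RadSec connection.

    Returns (reusable, reason). When the certificate on the open connection
    does not cover the realm, the safe answer is 'no': the request must go
    over a connection whose certificate is validated for that realm, rather
    than trusting the cached one. Logging the reason makes certificate/realm
    drift (e.g. a realm added to a pool before its cert was reissued) visible.
    """
    if covers_realm(sans, realm):
        return True, "peer certificate covers realm %s" % realm
    return False, ("peer certificate does not list realm %s; "
                   "do not reuse this connection" % realm)


if __name__ == "__main__":
    for r in ("example.net", "dept.example.net", "a.b.example.net", "example.org"):
        ok, why = connection_reusable(SAMPLE_SANS, r)
        print("%-18s reusable=%s  %s" % (r, ok, why))
```

Run stand-alone it prints one decision line per sample realm; the interesting case is the last one, where an otherwise healthy, authenticated connection is refused for a realm the certificate never mentioned, which is exactly the situation the question describes when a pool's membership changes faster than its certificate.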
