FreeRADIUS, radsec and dnssec
Brian Julin
BJulin at clarku.edu
Fri Apr 7 15:53:28 CEST 2017
Stefan WINTER wrote:
> In eduroam however, the RADIUS/TLS trust is pre-existing because all
> RADIUS servers receive server certificates from the same, one,
> pre-determined, CA.
This is something I'm a bit unclear on:
How do we deal with a situation where a large number of administratively
distinct realms decide to pool resources and send all requests to the same
server? Does every change to the membership list of that group require a
new certificate to be generated to change the alternative subject names?
What does a relay do when it gets a request that DNS says should go up
an established RADSEC pipe, but that RADSEC pipe does not have an
x509 alt subject corresponding to that realm... tear down the RADSEC pipe and
renegotiate it to look for a fresher cert, or is there an in-band mechanism
for things such as this tucked away in TLS (a spec which I have very limited
familiarity with)?
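An added illustration, not part of Brian's post or of FreeRADIUS itself: the check a relay has to make before reusing an established RADSEC connection for a realm that DNS discovery routes to that peer, i.e. whether the peer certificate's subjectAltName authorizes that realm. It uses the NAIRealm otherName OID from RFC 7585; the wildcard rule (one leftmost "*" label matching exactly one label), the SAN entries and the decision strings are assumptions made for the example.

```python
# Added example: does a RADSEC peer's certificate cover a given realm?
# Models the subjectAltName check a relay performs before sending a
# request for `realm` down an already-established TLS connection.

# otherName type for NAIRealm in subjectAltName (RFC 7585).
NAI_REALM_OID = "1.3.6.1.5.5.7.8.8"


def realm_matches(pattern: str, realm: str) -> bool:
    """Assumed matching rule: case-insensitive label-wise equality, or a
    single leftmost '*' label that covers exactly one realm label."""
    p = pattern.lower().split(".")
    r = realm.lower().split(".")
    if p[0] == "*":
        return len(p) == len(r) and p[1:] == r[1:]
    return p == r


def covered_by(san_entries, realm):
    """Return the SAN entries that authorize `realm` on this connection.
    Only NAIRealm otherNames count; a DNS name identifies the server host,
    not the realms it is entitled to serve."""
    return [name for kind, name in san_entries
            if kind == NAI_REALM_OID and realm_matches(name, realm)]


def route_decision(san_entries, realm):
    """Hypothetical relay policy: reuse the pipe only when the cert covers
    the realm; otherwise do not reuse it (the operator then decides whether
    to renegotiate for a fresher cert or reject the request)."""
    if covered_by(san_entries, realm):
        return "forward-on-existing-connection"
    return "do-not-reuse-connection"


# Constructed sample SAN list for a pooled proxy serving several realms.
SAMPLE_SAN = [
    ("DNS", "radius-proxy.example.net"),
    (NAI_REALM_OID, "example.edu"),
    (NAI_REALM_OID, "*.example.edu"),
]

if __name__ == "__main__":
    for realm in ("example.edu", "physics.example.edu", "a.b.example.edu", "other.edu"):
        print(realm, "->", route_decision(SAMPLE_SAN, realm))
```

The point of the last two sample realms is that a membership change not reflected in the certificate (a new sub-sub-realm, or a realm outside the wildcard) makes the existing pipe unusable for that realm, which is exactly the situation the question describes.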