FreeRADIUS, radsec and dnssec

Stefan Winter stefan.winter at
Fri Apr 7 20:03:22 CEST 2017


> How do we deal with a situation where a large number of administratively
> distinct realms decide to pool resources and send all requests to the same
> server?  Does every change to the membership list of that group require a
> new certificate to be generated to change the alternative subject names?

Yes. Unless the name is a wildcard name and the new name is already
covered by the wildcard, which (in eduroam at least) is probably common
for *.tld proxy servers.

> What does a relay do when it gets a request that DNS says should go up
> an established RADSEC pipe, but that RADSEC pipe does not have an
> x509 alt subject corresponding to that realm... tear down the RADSEC pipe and
> renegotiate it to look for a fresher cert, or is there an in-band mechanism
> for things such as this tucked away in TLS (a spec which I have very limited
> familiarity with)?

There's (secure) server/client-initiated TLS renegotiation (both ways
are possible). That happens in-band without tearing down the session.

(and yes, there's also an INsecure variant of this which made the news a
few years back. Don't use that one :-) )


Stefan Winter

Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
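The first answer above (a membership change needs a new certificate unless the new realm is already covered by a wildcard SAN) is easy to get subtly wrong, because "covered by the wildcard" has narrow rules. The following is an added example, not FreeRADIUS code and not part of Stefan's reply: given the dNSName subjectAltName entries of an established RADSEC peer's certificate and the current membership list of a realm group, it reports which realms are covered and which would require a fresh certificate. It assumes (as the thread does) that each realm appears in the certificate as a dNSName SAN naming the realm, and it applies the RFC 6125 wildcard rule that `*` must be the entire left-most label and matches exactly one label, so `*.lu` covers `uni.lu` but not `sub.uni.lu` and not `lu`. The sample SANs and realms are constructed for the example.

```python
"""
Check which realms are already covered by a RADSEC peer certificate's
subjectAltName dNSName entries (including a *.tld wildcard) and which
would force a new certificate when a realm group changes membership.

Added example, not FreeRADIUS code. Assumptions: realms are named in the
peer certificate as dNSName SANs, and wildcard SANs follow RFC 6125
(a lone '*' as the left-most label only, matching exactly one label).
"""


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; drop a trailing dot (FQDN form).
    return name.strip().rstrip(".").lower()


def san_matches_realm(san: str, realm: str) -> bool:
    """True if a single SAN dNSName entry covers the given realm."""
    san = _normalize(san)
    realm = _normalize(realm)
    if not san or not realm:
        return False
    if "*" not in san:
        return san == realm
    san_labels = san.split(".")
    realm_labels = realm.split(".")
    # Only a lone '*' in the left-most label is honoured. Partial
    # wildcards ('rad*.lu'), multiple wildcards ('*.*.lu') and wildcards
    # in inner labels ('a.*.lu') are rejected rather than guessed at.
    if san_labels[0] != "*" or any("*" in lbl for lbl in san_labels[1:]):
        return False
    # A bare '*' may not stand in for a whole name.
    if len(san_labels) < 2:
        return False
    # '*' matches exactly one label, so the label counts must agree and
    # every label to the right of the wildcard must match exactly.
    if len(realm_labels) != len(san_labels):
        return False
    return realm_labels[1:] == san_labels[1:]


def covered_realms(sans, realms):
    """Map each realm to whether any SAN in the certificate covers it."""
    return {r: any(san_matches_realm(s, r) for s in sans) for r in realms}


def realms_needing_new_cert(sans, realms):
    """Realms of the membership list the current certificate cannot serve."""
    return sorted(r for r, ok in covered_realms(sans, realms).items() if not ok)


# Constructed sample: a national (*.tld) proxy certificate and a realm
# group whose membership has just grown. Not taken from any real deployment.
SAMPLE_SANS = ["radius.restena.lu", "*.lu"]
SAMPLE_REALMS = ["uni.lu", "restena.lu", "example.org", "sub.uni.lu", "lu"]

if __name__ == "__main__":
    for realm, ok in covered_realms(SAMPLE_SANS, SAMPLE_REALMS).items():
        print(f"{realm:14} {'covered' if ok else 'NOT covered'}")
    print("new certificate needed for:", realms_needing_new_cert(SAMPLE_SANS, SAMPLE_REALMS))
```

Running this against the sample prints that `uni.lu` and `restena.lu` are covered by the `*.lu` wildcard, while `example.org` (a different TLD), `sub.uni.lu` (one label too deep for a single-label wildcard) and `lu` (the TLD itself) would each require the certificate to be reissued. The strict handling of odd wildcard forms is deliberate: a relay that accepted `rad*.lu` or `*.*.lu` would be trusting a broader set of names than the issuing CA intended.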