FreeRADIUS, radsec and dnssec
stefan.winter at restena.lu
Fri Apr 7 20:03:22 CEST 2017
> How do we deal with a situation where a large number of administratively
> distinct realms decide to pool resources and send all requests to the same
> server? Does every change to the membership list of that group require a
> new certificate to be generated to change the alternative subject names?
Yes. Unless the name is a wildcard name and the new name is already
covered by the wildcard. Which (in eduroam at least) is probably common
for *.tld proxy servers.
> What does a relay do when it gets a request that DNS says should go up
> an established RADSEC pipe, but that RADSEC pipe does not have a
> x509 alt subject corresponding to that realm... tear down the RADSEC pipe and
> renegotiate it to look for a fresher cert, or is there an in-band mechanism
> for things such as this tucked away in TLS (a spec which I have very limited
> familiarity with)?
There's (secure) Server/Client-initiated TLS renegotiation (both ways
are possible). That happens in-band without tearing down the session.
(and yes, there's also an INsecure variant of this which made the news a
few years back. Don't use that one :-) )
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
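As an added illustration of the point discussed above (not code from the post or from FreeRADIUS): a check of whether a pooled realm is already covered by the server certificate's subjectAltName entries, so that only genuinely uncovered realms trigger a new certificate. It assumes wildcard entries follow the usual dNSName rule that `*.tld` covers exactly one additional label.

```python
"""Decide which RADSEC realms a server certificate's SAN list already covers.

Assumptions (not taken from the post): SAN entries are plain realm strings,
comparison is case-insensitive, and a wildcard is only honoured when it is
the whole leftmost label and then matches exactly one label.
"""
from typing import Iterable, List


def realm_covered(realm: str, san_names: Iterable[str]) -> bool:
    """Return True if some SAN entry matches `realm`."""
    r = realm.lower().rstrip(".")
    for entry in san_names:
        e = entry.lower().rstrip(".")
        if "*" not in e:
            if e == r:
                return True
            continue
        # Partial-label wildcards ("x*.lu") or several wildcards are refused
        # rather than guessed at.
        if not e.startswith("*.") or "*" in e[2:]:
            continue
        suffix = e[1:]                      # "*.lu" -> ".lu"
        if r.endswith(suffix):
            left = r[: -len(suffix)]        # the part the wildcard must cover
            if left and "." not in left:    # exactly one label
                return True
    return False


def realms_needing_new_cert(realms: Iterable[str], san_names: Iterable[str]) -> List[str]:
    """Realms in the pool that the current certificate does not cover."""
    names = list(san_names)
    return [r for r in realms if not realm_covered(r, names)]


if __name__ == "__main__":
    # Constructed sample: a *.lu proxy certificate serving a mixed pool.
    cert_sans = ["*.lu", "proxy.example.org"]
    pool = ["uni-a.lu", "dept.uni-a.lu", "uni-b.de", "PROXY.EXAMPLE.ORG"]
    print(realms_needing_new_cert(pool, cert_sans))
```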