FreeRADIUS, radsec and dnssec
Stefan Winter
stefan.winter at restena.lu
Fri Apr 7 20:03:22 CEST 2017
Hi,
> How do we deal with a situation where a large number of administratively
> distinct realms decide to pool resources and send all requests to the same
> server? Does every change to the membership list of that group require a
> new certificate to be generated to change the alternative subject names?
Yes. Unless the name is a wildcard name and the new name is already
covered by the wildcard. Which (in eduroam at least) is probably common
for *.tld proxy servers.
> What does a relay do when it gets a request that DNS says should go up
> an established RADSEC pipe, but that RADSEC pipe does not have a
> x509 alt subject corresponding to that realm... tear down the RADSEC pipe and
> renegotiate it to look for a fresher cert, or is there an in-band mechanism
> for things such as this tucked away in TLS (a spec which I have very limited
> familiarity with)?
There's (secure) Server/Client-initiated TLS renegotiation (both ways
are possible). That happens in-band without tearing down the session.
(and yes, there's also an INsecure variant of this which made the news a
few years back. Don't use that one :-) )
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
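To make the "new certificate unless a wildcard already covers it" answer concrete, here is an added example (not from this thread or from FreeRADIUS) that checks which realms of a pooled proxy are covered by the dNSName SANs in its RadSec server certificate. It assumes realms are compared against SANs with hostname-style wildcard rules (a `*` only as the whole leftmost label, matching exactly one label); the SAN list and realm names are constructed.

```python
"""Which realms of a pooled RadSec proxy does its certificate cover?

Added example, not part of the mailing-list post or of FreeRADIUS.
Assumption: realms are matched against dNSName subjectAltName entries
with hostname-style wildcard rules: '*' is only valid as the entire
leftmost label and matches exactly one label (so '*.lu' covers 'uni.lu'
but not 'student.uni.lu').
"""


def _labels(name):
    # Normalise case and a trailing dot, then split into DNS labels.
    return name.lower().rstrip(".").split(".")


def san_matches_realm(san, realm):
    """True if a single dNSName SAN entry covers the realm."""
    s, r = _labels(san), _labels(realm)
    if len(s) != len(r):
        return False  # a wildcard never spans several labels
    if s[0] == "*":
        # Wildcard must have at least one fixed label after it and the
        # realm's leftmost label must be non-empty.
        return len(s) >= 2 and bool(r[0]) and s[1:] == r[1:]
    return s == r  # exact, case-insensitive match otherwise


def realm_covered(sans, realm):
    """True if any SAN in the certificate covers the realm."""
    return any(san_matches_realm(san, realm) for san in sans)


def realms_needing_new_cert(sans, realms):
    """Realms that joined the pool but are not covered by the current cert.

    A non-empty result means a reissued certificate (or a wider wildcard)
    is required before those realms can be validated over this pipe."""
    return [r for r in realms if not realm_covered(sans, r)]


# Constructed sample: a national *.lu proxy pooling several institutions.
CERT_SANS = ["radsec-proxy.example.lu", "*.lu"]
POOL_REALMS = ["uni.lu", "restena.lu", "student.uni.lu", "example.org"]

if __name__ == "__main__":
    for realm in POOL_REALMS:
        state = "covered" if realm_covered(CERT_SANS, realm) else "needs new SAN"
        print(f"{realm}: {state}")
```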