RADIUS shared secret over internet

2013-04-09 Thread Muhammad Nuzaihan Kamal Luddin
Hi,

I have read on the archives regarding the above issue and that the
RADIUS shared secret is an obfuscation method of securing the
communications between the NAS and RADIUS Server.

One method I have read is by using IPSec but I am asking around if there
are other ideas that I may not have thought of.

Regards,
Muhammad Nuzaihan Bin Kamal Luddin
-- 
Taqi Systems
269-J Jalan Panji 
Kampung Chempaka, Kota Bharu, Kelantan 16100

pub   4096R/4C77F88C 2013-04-06 [expires: 2015-04-06]
  Key fingerprint = 2FE1 87FA E775 2E05 CC0F  B3F6 3CB7 C65F 4C77 F88C
uid  Muhammad Nuzaihan Bin Kamal Luddin




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RADIUS shared secret over internet

2013-04-09 Thread Stefan Winter
Hi,

> RADSEC

These days, the more proper answer is: RFC6614

http://tools.ietf.org/html/rfc6614

:-)

Stefan

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




Re: RADIUS shared secret over internet

2013-04-09 Thread Fajar A. Nugraha
On Tue, Apr 9, 2013 at 2:52 PM, Muhammad Nuzaihan Kamal Luddin
muham...@taqisystems.com wrote:
> Hi,
>
> I have read on the archives regarding the above issue and that the
> RADIUS shared secret is an obfuscation method of securing the
> communications between the NAS and RADIUS Server.
>
> One method I have read is by using IPSec

... or whatever private tunnel you can create between NAS and radius,
e.g. openvpn, PPTP, etc.

> but I am asking around if there
> are other ideas that I may not have thought of.

Depending on what you use the radius for, you might get away by ONLY
allowing (T)TLS/EAP along with strict cert checking.

-- 
FAN


Re: RADIUS shared secret over internet

2013-04-09 Thread Muhammad Nuzaihan bin Kamal Luddin
Interesting method by using TLS. This is what I had in mind but couldn't
find the answer.

The only method I see is through proxying the requests, based on a
whitepaper I read - if this is what RFC6614 may contain.

What is the roadmap for this? Is there any initial work being done or
proof-of-concept work on this? By looking at implementations of TLS (in
combination of openssl/gnutls) on other protocols might be similar to
this but I may be wrong (I have yet to read on the RFC) as it's another
layer taking place.

Thanks for the hint. I'll read up on the RFC.

Cheers,
Muhammad Nuzaihan Bin Kamal Luddin

On Tue, 2013-04-09 at 10:13 +0200, Stefan Winter wrote:
> Hi,
>
>> RADSEC
>
> These days, the more proper answer is: RFC6614
>
> http://tools.ietf.org/html/rfc6614
>
> :-)
>
> Stefan


Re: RADIUS shared secret over internet

2013-04-09 Thread Marinko Tarlać
As I remember, Alan mentioned that RADSEC will be implemented in
freeRadius 3...


On 9.4.2013 10:54, Muhammad Nuzaihan bin Kamal Luddin wrote:

> Interesting method by using TLS. This is what I had in mind but couldn't
> find the answer.
>
> The only method I see is through proxying the requests, based on a
> whitepaper I read - if this is what RFC6614 may contain.
>
> What is the roadmap for this? Is there any initial work being done or
> proof-of-concept work on this? By looking at implementations of TLS (in
> combination of openssl/gnutls) on other protocols might be similar to
> this but I may be wrong (I have yet to read on the RFC) as it's another
> layer taking place.
>
> Thanks for the hint. I'll read up on the RFC.
>
> Cheers,
> Muhammad Nuzaihan Bin Kamal Luddin
>
> On Tue, 2013-04-09 at 10:13 +0200, Stefan Winter wrote:
>> Hi,
>>
>>> RADSEC
>>
>> These days, the more proper answer is: RFC6614
>>
>> http://tools.ietf.org/html/rfc6614
>>
>> :-)
>>
>> Stefan


Re: RADIUS shared secret over internet

2013-04-09 Thread A . L . M . Buxey
Hi,
> As I remember, Alan mentioned that RADSEC will be implemented in
> freeRadius 3...

correct. you can try/test/run FR3 today from GIT but if you want
to keep with FR2.x in the meantime you can always have a local proxy eg
RadSecProxy which works fine with FR2.x (and each end can do status-server too)

alan



RE: RADIUS shared secret over internet

2013-04-09 Thread Brian Julin

Muhammad Nuzaihan wrote:
 
> What is the roadmap for this? Is there any initial work being done or
> proof-of-concept work on this? By looking at implementations of TLS (in
> combination of openssl/gnutls) on other protocols might be similar to
> this but I may be wrong (I have yet to read on the RFC) as it's another
> layer taking place.

I've been piloting FR3's RADSEC between our campus and our eduroam
federation for close to a year now.  There were some initial bugs but it's
been stable since those were dealt with.  Just be sure to turn off 
max_requests_per_server by setting it to zero.

Sometime soon EDUROAM-US is moving to a redundant setup so we'll
be able to test any interactions with home server pooling.

