On 06/22/2009 05:14 AM, Lloyd wrote:

Hi FreeRADIUS list,

In our "system" there is a need for an authentication server. The
required characteristics of the server are

*) The authentication client will be a custom-built one. It may be
running on *NIX, Windows and Mac. Is it possible to write a client using
the FreeRADIUS client library? (The client will have many other
functionalities, not related to authentication.)

*) Is it possible to extend the server? As an example, in our case,
each time a client wants to communicate with other clients, it will
request a "session key" from the server, and the server will send the key
to all clients which take part in the communication. (The aim of this is
to encrypt the communication session with the newly generated session key,
so that only the clients who know the session key can decrypt the
message.) So, is it possible to introduce a key generation system as well
as a "request interpretation" system to the FreeRADIUS server?

What you are describing is, in essence, Kerberos, and in particular clients which use GSSAPI. Although FreeRADIUS can utilize Kerberos by requesting a TGT on behalf of an authenticating client, the TGT credentials are not passed back to the client, which is necessary to establish a session key and secure subsequent cooperating channels.

My general recommendation is that a KDC server is better suited to your needs than a RADIUS server. Kerberos is a mature authentication system (it's the heart of Microsoft's AD and many other systems) and you will find a great deal of support for it. Another reason to use Kerberos for the scenario you're describing is that it's hard to design a secure protocol; if you attempt to design a new system by extending RADIUS, you'll expend a lot of work and will likely come up with a result which has security defects. There are many examples of "I can design my own authentication system" which are subsequently shown to have holes in them like Swiss cheese :-)

If you do decide to go the Kerberos route you may be interested in the FreeIPA project (http://freeipa.org). IPA gives you a complete Kerberos solution, web UI and command line utilities, backed by a commercial-grade LDAP server (IPA is 100% open source). In addition, the project has also just released SSSD, which allows for secure offline caching of credentials and related identity information, so there is no interruption if network connectivity is lost. I work on the IPA development team, so if you have additional questions feel free to contact me off-list.


*) Or is there a better way implemented in FreeRADIUS to accomplish the
above requirements?

Thanks in advance,
Lloyd

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


--
John Dennis <[email protected]>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
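As an added illustration of the KDC model John recommends over a home-grown RADIUS extension (toy Python written for this page, not code from the thread, FreeRADIUS, Kerberos or FreeIPA; the principal names, the HMAC-based toy cipher and the ticket fields are all assumptions): a key distribution centre holds one long-term key per principal, mints a fresh session key per request, and hands every member of the session its own copy sealed under that member's long-term key. The session key therefore never crosses the network in the clear, a principal who is not a member cannot read any copy, and each client checks membership and expiry before using the key.

```python
"""Toy KDC-style session key distribution (constructed example).
The HMAC-counter-mode cipher is a stand-in for a real AEAD such as
AES-GCM; the whole sketch is a stand-in for a Kerberos ticket exchange."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional


def _derive(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific subkey from a long-term key (HMAC as a KDF)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 over (nonce || counter). Illustrative only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(long_term_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a principal's long-term key: nonce || ct || tag."""
    enc_key, mac_key = _derive(long_term_key, b"enc"), _derive(long_term_key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(long_term_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or any modified byte fails."""
    enc_key, mac_key = _derive(long_term_key, b"enc"), _derive(long_term_key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket rejected: wrong key or tampered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ToyKDC:
    """Holds one long-term key per principal and mints per-session keys."""

    def __init__(self, lifetime_s: int = 300):
        self.keys: Dict[str, bytes] = {}
        self.lifetime_s = lifetime_s

    def register(self, name: str, long_term_key: bytes) -> None:
        self.keys[name] = long_term_key

    def issue_session(self, requester: str, peers: List[str],
                      now: Optional[float] = None) -> Dict[str, bytes]:
        """Return one sealed ticket per member. Every member receives the same
        session key, but each copy is sealed under that member's own key only."""
        members = [requester] + [p for p in peers if p != requester]
        unknown = [m for m in members if m not in self.keys]
        if unknown:
            raise KeyError(f"unknown principals: {unknown}")
        now = time.time() if now is None else now
        ticket = {
            "session_id": secrets.token_hex(8),
            "session_key": secrets.token_hex(32),  # fresh 256-bit key per request
            "members": members,
            "issued_by": "toy-kdc",  # assumed KDC name
            "expires": now + self.lifetime_s,
        }
        payload = json.dumps(ticket, sort_keys=True).encode()
        return {m: seal(self.keys[m], payload) for m in members}


def client_accept(name: str, long_term_key: bytes, sealed: bytes,
                  now: Optional[float] = None) -> dict:
    """Client side: unseal own copy, then check membership and expiry before use."""
    ticket = json.loads(unseal(long_term_key, sealed))
    now = time.time() if now is None else now
    if name not in ticket["members"]:
        raise ValueError("ticket not issued to me")
    if now >= ticket["expires"]:
        raise ValueError("ticket expired")
    return ticket


if __name__ == "__main__":
    kdc = ToyKDC()
    k_alice, k_bob = secrets.token_bytes(32), secrets.token_bytes(32)
    kdc.register("alice", k_alice)
    kdc.register("bob", k_bob)
    tickets = kdc.issue_session("alice", ["bob"])
    a = client_accept("alice", k_alice, tickets["alice"])
    b = client_accept("bob", k_bob, tickets["bob"])
    print("shared session key agreed:", a["session_key"] == b["session_key"])
```

The point of the shape, rather than the toy cipher, is what the reply is getting at: the server never has to "send the key to all clients" in a form anyone on the wire can read, and a client that is not a member of the session holds no key that opens any ticket. Expiry and the explicit member list are the two checks a custom RADIUS extension most easily forgets.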
