I'm working as NREN eduroam operator at CESNET. We have connected about 150 RADSEC peers using a config like this:

<Handler RecvFromAddress=/^(?!195.113.xx.x$)/o, Realm=vsup.cz>
  Identifier            vsup_cz
  <AuthBy RADSEC>
    #Host                radius.vsup.cz
    Host                195.113.xx.x
    Secret              radsec

    LocalAddress        195.113.xxx.xx

    TLS_Protocols       TLSv1, TLSv1.1, TLSv1.2
    TLS_CAPath          /etc/ssl/certs
    TLS_CertificateFile /etc/ssl/certs/radius1.eduroam.cz.crt
    TLS_CertificateType PEM
    TLS_PrivateKeyFile  /etc/ssl/private/radius1.eduroam.cz.key
    TLS_CRLFile /etc/ssl/crl/*.r0
    TLS_ExpectedPeerName CN=(|.+/)radius.vsup.cz(|/emailAddress=.+)$

  AuthLog               FTICKS
  AuthLog               FTICKS-FULL
  AuthLog               defaultAuthLog

Originally we were using hostnames, but as our eduroam federation was growing Radiator start was going to be slower and slower. Delay was indeterministic and was caused by hostname to IP translation, so we switched to IP addresses. But IP addresses are complicating peer verification. At this moment we are using TLS_ExpectedPeerName but our peers sometimes try to use a certificate which has no right SubjectDN, it would be better to be able to verify SubjectAltName:DNS. Is there any chance to get this implemented? Something like TLS_SubjectAltNameURI but for DNS?


Jan Tomasek aka Semik

radiator mailing list

Reply via email to