Date: Tue, 27 May 2025 08:53:21 -0500
From: Andrew Wood <andrew1tree@gmail.com>
To: freebsd-current@freebsd.org
Subject: Implementing RADSEC
Message-ID: <9F26B64E-126D-49E2-8E56-D3CE3C946072@gmail.com>

Hi all,

Apologies if this is the wrong place to go, I don't really have any contributing experience. I was curious and looking around FreeBSD's RADIUS implementation and noticed what appears to be a lack of RADSEC (RADIUS over TLS) in the OS's source code. Granted, there IS a port named "radsecproxy" that allows users to make use of it, but my personal thinking/opinion is that if using RADIUS as a NAS (Network Access Server) is available natively through pam_radius then perhaps if we want a "security by default" approach we should add radsec to libradius and open up native use of RADSEC. Additionally, there's an IETF draft in the works deprecating the use of UDP or TLS-less UDP (https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/), which may or may not add some importance to something like this.

Thus, I come here asking, do y'all think it would be worth it or a good idea for me to work on adding in TLS support for RADIUS, or am I best off letting the port that already exists for it use it?

Thanks,
Andrew
