Date: Tue, 27 May 2025 08:53:21 -0500
From: Andrew Wood <andrew1tree@gmail.com>
To: freebsd-current@freebsd.org
Subject: Implementing RADSEC
Message-ID: <9F26B64E-126D-49E2-8E56-D3CE3C946072@gmail.com>

Hi all,

Apologies if this is the wrong place to go, I don't really have any contributing experience. I was curious and looking around FreeBSD's RADIUS implementation and noticed what appears to be a lack of RADSEC (RADIUS over TLS) in the OS's source code. Granted, there IS a port named "radsecproxy" that allows users to make use of it, but my personal thinking/opinion is that if using RADIUS as a NAS (Network Access Server) is available natively through pam_radius then perhaps if we want a "security by default" approach we should add radsec to libradius and open up native use of RADSEC. Additionally, there's an IETF draft in the works deprecating the use of UDP or TLS-less UDP (https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/), which may or may not add some importance to something like this.

Thus, I come here asking, do y'all think it would be worth it or a good idea for me to work on adding in TLS support for RADIUS, or am I best off letting the port that already exists for it use it?

Thanks,
Andrew