On Tue, 27 May 2025, Andrew Wood wrote:

Hi all,

Apologies if this is the wrong place to go, I don't really have any contributing experience. I was 
curious and looking around FreeBSD's RADIUS implementation and noticed what appears to be a lack of 
RADSEC (RADIUS over TLS) in the OS's source code. Granted, there IS a port named 
"radsecproxy" that allows users to make use of it, but my personal thinking/opinion is 
that if using RADIUS as a NAS (Network Access Server) is available natively through pam_radius then 
perhaps if we want a "security by default" approach we should add radsec to libradius and 
open up native use of RADSEC. Additionally, there's an IETF draft in the works deprecating the use 
of UDP or TLS-less UDP (https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/), 
which may or may not add some importance to something like this.

Thus, I come here asking, do y'all think it would be worth it or a good idea 
for me to work on adding in TLS support for RADIUS, or am I best off letting 
the port that already exists for it use it?

Maybe ask on net@. There may be more folks interested in the topic.

There (is|was) other software in ports like Radiator or freeradius
which will do both and proxying is part of all of it.

Deprecating RADIUS/UDP will take longer than getting rid of IPv4 if
anyone asks me ;-)

What but pam is using libradius in base?  ppp and hostapd?  But hostapd has
its own, so it's pam and ppp.  Counting days of their use... I guess.

/bz

--
Bjoern A. Zeeb                                                     r15:7
