(RADIATOR) Secure reliable Radius?
Stefan Moser
sm at open.ch
Wed Feb 2 04:36:25 CST 2005
Hello Mike,
Yep, we'd be interested too. Incidentally, we use Zebedee
(http://www.winton.org.uk/zebedee) tunnels to achieve a very similar
effect. However, there's a number of advantages if something like
this were built right into Radiator, namely less moving parts (so to
speak). Another disadvantage of tunnels is that you lose the true IP
address information because from the perspective of Radiator everything
is sent to and seems to be coming from 127.0.0.1.
BTW, we also use Zebedee tunnels for communication between RADIUS
clients* and Radiator. Not to be insolent, but how about a tiny
proxy-like app running on a client that can translate between local/true
RADIUS packets (from/to the client app) and remote/reliable RADIUS
packets (from/to the remote Radiator server). **)
*) at least on clients where we have a say, i.e. Unix boxen
**) I realize the same result can be had by running a Radiator instance
on the client itself, but I'm thinking of something lighter. And there
is the license issue, naturally.
cheers
-stefan
Mike McCauley wrote:
> Hi All,
>
> we are thinking here about a new idea for Radiator, and wondering if anyone
> else finds it interesting and perhaps useful.
>
> We are thinking of a new AuthBy RELIABLERADIUS which would open a TCP
> connection to a remote Radiator and send Radius packets over a TCP transport
> instead of UDP. The remote Radiator would have a Server RELIABLERADIUS to
> listen for such requests.
>
> Clearly, such a TCP connection could also be secured with SSL or TLS, using
> client and/or server certificates to authenticate each end and encrypt the
> Radius traffic too.
>
> The benefits of this would be:
>
> 1. No more lost packets
> 2. High security encryption of Radius traffic
> 3. mutual authentication of each end of the tcp transport.
>
> Obviously this provides some of the features that are part of Diameter, and
> our forthcoming raDiameter product will include these too, but in the
> meantime....
>
> anyone interested?
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
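
Added example, not part of the original messages and not Radiator code: both the proposed TCP transport and the small client-side proxy put RADIUS on a byte stream, where UDP's datagram boundaries disappear and the receiver must recover each packet itself. It assumes packets are sent back-to-back and delimited by the Length field of the RFC 2865 header; the thread does not specify a wire format, and `RadiusStreamFramer`, `FramingError` and `build_packet` are hypothetical names.

```python
import struct

RADIUS_HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16), RFC 2865
RADIUS_MAX_LEN = 4096   # maximum packet length allowed by RFC 2865


class FramingError(Exception):
    """The byte stream cannot be a sequence of RADIUS packets; close the connection."""


class RadiusStreamFramer:
    """Reassembles whole RADIUS packets from arbitrary TCP/TLS read chunks."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk):
        """Add bytes read from the socket; return the complete packets now available."""
        self._buf += chunk
        packets = []
        while len(self._buf) >= 4:
            # Length is a big-endian 16-bit field at offset 2 covering the whole packet.
            (length,) = struct.unpack_from("!H", self._buf, 2)
            if not RADIUS_HEADER_LEN <= length <= RADIUS_MAX_LEN:
                # A stream has no datagram boundary to resynchronise on, so fail closed.
                raise FramingError(f"invalid RADIUS length {length}")
            if len(self._buf) < length:
                break  # partial packet: wait for the next read
            packets.append(bytes(self._buf[:length]))
            del self._buf[:length]
        return packets


def build_packet(code, identifier, attributes=b""):
    """Constructed sample packet with an all-zero authenticator (illustration only)."""
    length = RADIUS_HEADER_LEN + len(attributes)
    return struct.pack("!BBH16s", code, identifier, length, b"\x00" * 16) + attributes


def demo():
    # Two constructed Access-Request (code 1) packets, coalesced and split as TCP may do.
    p1 = build_packet(1, 7, b"\x01\x05bob")  # User-Name attribute: type 1, len 5, "bob"
    p2 = build_packet(1, 8)
    stream = p1 + p2
    framer = RadiusStreamFramer()
    out = framer.feed(stream[:3])      # not even a full length field yet
    out += framer.feed(stream[3:30])   # completes p1, starts p2
    out += framer.feed(stream[30:])    # completes p2
    return out == [p1, p2]
```

A proxy of the kind described would call `feed()` on every read from the TLS socket and forward each returned packet as one local UDP datagram.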