[RADIATOR] Request for TLS_SubjectAltNameDNS check

Tuure Vartiainen vartiait at open.com.au
Wed Feb 21 11:42:36 UTC 2018


> On 2 Nov 2017, at 12.06, Tuure Vartiainen <vartiait at open.com.au> wrote:
>> On 31 Oct 2017, at 16.34, Jan Tomasek <jan at tomasek.cz> wrote:
>> On 10/13/2017 06:57 PM, Tuure Vartiainen wrote:
>>>> On 11 Oct 2017, at 20.28, Jan Tomasek <jan at tomasek.cz> wrote:
>>>> Originally we were using hostnames, but as our eduroam federation
>>>> was growing, Radiator startup was getting slower and slower. The delay
>>>> was nondeterministic and was caused by hostname to IP translation,
>>>> so we switched to IP addresses.  But IP addresses are complicating
>>>> peer verification. At this moment we are using TLS_ExpectedPeerName,
>>>> but our peers sometimes try to use a certificate which does not have the
>>>> right SubjectDN; it would be better to be able to verify
>>>> SubjectAltName:DNS. Is there any chance to get this implemented?
>>>> Something like TLS_SubjectAltNameURI but for DNS?
>>> Radiator currently supports SubjectAltName:DNS when it’s an initiator
>>> for RadSec connection.
>> How to configure this? My problem is that I need to initiate the RadSec connection by IP address this way:
>> <Handler RecvFromAddress=/^(?!195.113.xx.x$)/o, Realm=vsup.cz>
>> Identifier            vsup_cz
>> <AuthBy RADSEC>
>>   Host                195.113.xx.x
>>   Secret              radsec
>> </AuthBy>
>> </Handler>
>> When I use Host = IP address I have no way to tell Radiator which value to compare against SubjectAltName:DNS.
> SubjectAltName:DNS matches against the configured Host, so it only works when using FQDNs.
> I changed the feature request to target adding TLS_SubjectAltNameDNS configuration option similar to 
> TLS_SubjectAltNameURI.
> http://www.open.com.au/radiator/ref/TLS_SubjectAltNameURI.html#TLS_SubjectAltNameURI

There's now a new config option TLS_SubjectAltNameDNS in the latest patches,
which can be used to define the expected FQDN for SubjectAltName:DNS.

Tuure Vartiainen <vartiait at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
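The configuration the thread converges on, as an added example that is not part of the original message or of Radiator's own documentation: the peer is still addressed by IP, and the SubjectAltName:DNS value is pinned with TLS_SubjectAltNameDNS instead of relying on a SubjectDN pattern. It assumes a Radiator build carrying the patch that adds TLS_SubjectAltNameDNS, that the option takes the bare FQDN, and uses placeholder values for the FQDN, IP address and CA file.

```conf
# Added example, not from the thread or from Radiator's documentation.
# Assumptions: TLS_SubjectAltNameDNS takes the bare expected FQDN;
# 203.0.113.10, sp.example.org and the CA path are placeholders.

# Weak: Host is an IP, so the built-in SubjectAltName:DNS check has
# nothing to compare against, and peer identity rests on a SubjectDN
# pattern that the peer's certificate may not carry at all.
<AuthBy RADSEC>
	Host                 203.0.113.10
	Secret               radsec
	TLS_CAFile           %D/certificates/federation-ca.pem
	TLS_ExpectedPeerName CN=sp\.example\.org
</AuthBy>

# Corrected: keep the IP (no DNS lookups at startup) and state the
# SubjectAltName:DNS value the peer certificate must present.
<AuthBy RADSEC>
	Host                  203.0.113.10
	Secret                radsec
	TLS_CAFile            %D/certificates/federation-ca.pem
	TLS_SubjectAltNameDNS sp.example.org
</AuthBy>
```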
