[RADIATOR] Request for TLS_SubjectAltNameDNS check

Tuure Vartiainen vartiait at open.com.au
Wed Feb 21 11:42:36 UTC 2018 

Hello,

> On 2 Nov 2017, at 12.06, Tuure Vartiainen <vartiait at open.com.au> wrote:
> 
>> On 31 Oct 2017, at 16.34, Jan Tomasek <jan at tomasek.cz> wrote:
>> 
>> On 10/13/2017 06:57 PM, Tuure Vartiainen wrote:
>>>> On 11 Oct 2017, at 20.28, Jan Tomasek <jan at tomasek.cz> wrote:
>>>> 
>>>> Originally we were using hostnames, but as our eduroam federation
>>>> was growing Radiator start was going to be slower and slower. Delay
>>>> was indeterministic and was caused by hostname to IP translation,
>>>> so we switched to IP addresses.  But IP addresses are complicating
>>>> peer verification. At this moment we are using TLS_ExpectedPeerName
>>>> but our peers sometimes try to use a certificate which has no right
>>>> SubjectDN, it would be better to be able to verify
>>>> SubjectAltName:DNS. Is there any chance to get this implemented?
>>>> Something like TLS_SubjectAltNameURI but for DNS?
>>>> 
>>> 
>>> Radiator currently supports SubjectAltName:DNS when it’s an initiator
>>> for RadSec connection.
>> 
>> how to configure this? My problem is that I need to initiate RadSec connection by IP adress this way:
>> 
>> <Handler RecvFromAddress=/^(?!195.113.xx.x$)/o, Realm=vsup.cz>
>> Identifier            vsup_cz
>> <AuthBy RADSEC>
>>   Host                195.113.xx.x
>>   Secret              radsec
>> 
>> When I use HOST = IPaddress I've no option how to tell Radiator which value compare against SubjectAltName:DNS.
>> 
> 
> SuljectAltName:DNS matches against configured Host, so it only works when using FQDNs.
> 
> I changed the feature request to target adding TLS_SubjectAltNameDNS configuration option similar to 
> TLS_SubjectAltNameURI.
> 
> http://www.open.com.au/radiator/ref/TLS_SubjectAltNameURI.html#TLS_SubjectAltNameURI
> 

there’s now a new config option TLS_SubjectAltNameDNS in latest patches, 
which can be used to define expected FQDN for SubjectAltName:DNS.


BR
-- 
Tuure Vartiainen <vartiait at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

More information about the radiator mailing list