
RADSEC Clients must validate Server Certificates #2839

Open
mark-grayson opened this issue Aug 2, 2019 · 2 comments

Comments

@mark-grayson
commented Aug 2, 2019

Issue type

  • Defect - Unexpected behaviour.

Defect

In FreeRADIUS, version 3.0.18, when a RADSEC client initiates a TLS connection to a server listed in a server_pool, a trusted Server responds to the request, and TLS attributes are expanded from the Server certificate OIDs, no expansions occur. RADSEC clients must be able to verify additional attributes and OIDs contained in the Server Certificate SAN in the same manner as client certificates do, e.g. listen:TLS-Server-Cert-Subject-Alt-Name-Dns.

Background

This issue is being raised on behalf of Wireless Broadband Alliance.
WBA is currently evolving its WRIX RADIUS Roaming system to enable support of RADSEC.
RADSEC testing has been performed by multiple WBA members, including:
Accuris Networks, BSG Wireless, Cablelabs, Cisco and iPass/Pareteum
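The check this report asks for, as an added example that is not FreeRADIUS code and not part of the WBA work: a Go program using the standard crypto/x509 package to model what a RADSEC client must do before trusting a home server from its server_pool. It builds a constructed CA and constructed server certificates (every name, such as radsec.example.net, is hypothetical), then verifies the chain against the client's configured CA and matches the SAN dNSName against the home server name the client is configured with. It rejects a certificate presented under the wrong name, a certificate that carries the name only in its CN with no SAN, and a certificate not issued by a configured CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// nextSerial gives each constructed certificate a distinct serial number.
var nextSerial int64 = 1

// makeCert issues a constructed test certificate (hypothetical names only).
// With parent == nil the certificate is self-signed; otherwise it is signed
// by parent/parentKey.
func makeCert(cn string, dnsNames []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:              dnsNames, // the SAN dNSName entries the client checks
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// verifyHomeServer performs the two checks a RADSEC client must make before
// trusting a home server: the chain must end at a CA from the client's own
// configuration, and a SAN dNSName must match the configured home server
// name. configuredName comes from the client's config, never from the peer.
func verifyHomeServer(serverCert *x509.Certificate, roots *x509.CertPool, configuredName string) error {
	_, err := serverCert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   configuredName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Demo builds a constructed CA plus three constructed server certificates and
// reports how the client-side checks treat each of them.
func Demo() (sanMatches, wrongNameRejected, noSANRejected, untrustedRejected bool, err error) {
	ca, caKey, err := makeCert("Constructed RADSEC CA", nil, true, nil, nil)
	if err != nil {
		return
	}
	roots := x509.NewCertPool() // the CA(s) the client is configured to trust
	roots.AddCert(ca)

	good, _, err := makeCert("radsec.example.net", []string{"radsec.example.net"}, false, ca, caKey)
	if err != nil {
		return
	}
	cnOnly, _, err := makeCert("radsec.example.net", nil, false, ca, caKey) // name only in CN, no SAN
	if err != nil {
		return
	}
	selfSigned, _, err := makeCert("radsec.example.net", []string{"radsec.example.net"}, false, nil, nil)
	if err != nil {
		return
	}

	sanMatches = verifyHomeServer(good, roots, "radsec.example.net") == nil
	wrongNameRejected = verifyHomeServer(good, roots, "radsec.example.org") != nil
	noSANRejected = verifyHomeServer(cnOnly, roots, "radsec.example.net") != nil
	untrustedRejected = verifyHomeServer(selfSigned, roots, "radsec.example.net") != nil
	return
}

func main() {
	sanMatches, wrongName, noSAN, untrusted, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("SAN matches configured home server:", sanMatches)
	fmt.Println("wrong name rejected:", wrongName)
	fmt.Println("CN-only certificate rejected:", noSAN)
	fmt.Println("certificate from unconfigured CA rejected:", untrusted)
}
```

The name handed to verifyHomeServer is the one the client is configured with for that home server, which is what makes the SAN comparison meaningful; matching against whatever name the peer presents, or against a reverse-DNS lookup of its address, would let any holder of a valid certificate stand in as the home server. The same SAN data is what the report expects to see expanded into TLS-Server-Cert-Subject-Alt-Name-Dns on the FreeRADIUS side.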

@alandekok
commented Aug 3, 2019

I've pushed a fix which should help. Please verify, and if this is OK, close the issue.

The fix will be in 3.0.20 when it is released.

alandekok added a commit that referenced this issue Aug 3, 2019

@alandekok
commented Aug 5, 2019

commit dd438bf has more code and documentation changes which should help.

But be aware that home server TLS parameters are available only after a connection has been opened to the home server. And, there's no way to run a policy during the connection opening process.

If you could clearly describe the packet flow / policy requirements you have, that would help a lot. Detailed requirements are much more productive than vague descriptions.
