Stig Venaas

UNINETT

RadSec - A better RADIUS protocol

These days RADIUS is being used in several environments to provide roaming. A user is authenticated and authorised using one or more RADIUS servers, possibly proxied in a chain, to reach the user's home RADIUS server. This is generally done using standard RADIUS over UDP, which has well-known issues related to security and reliability. That may not be critical in a small network. However, for a service such as eduroam, the RADIUS messages need to traverse long distances and many RADIUS hops across the open Internet. We will explain these issues, what RadSec is about, and how it solves the above problems. We will also discuss other benefits, and the current state of implementations and standardisation.

RadSec was introduced by Open System Consultants. It is simply a new RADIUS transport where TLS (over TCP) is used rather than UDP. The use of TLS with certificate-based authentication of both client and server and strong encryption ensures that the peers know they are talking to the right party and that eavesdroppers cannot get any useful information. With the use of TCP one gets reliable delivery of packets and congestion control. Combined with RADIUS Status Server messages (keep-alive messages) one can monitor the availability of RADIUS peers and provide a good failover mechanism. The use of certificates and TLS replaces the static IP and shared secret bindings that RADIUS normally uses. This has other benefits than just improved security. In eduroam, for example, one can easily provide an ad-hoc eduroam service at a meeting using an access point with built-in RadSec support, with no configuration of IP addresses and secrets on any servers. With the use of RADIUS Status Server messages, it can also work from behind a NAT.
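The Status Server keep-alive mentioned above is an ordinary RADIUS packet (code 12) that must carry a Message-Authenticator attribute (type 80, an HMAC-MD5 over the packet keyed with the shared secret), so a peer can tell a genuine probe from garbage or a replay of a forged one. The example below, added here and not taken from the talk or from radsecproxy, builds and verifies such a packet; it assumes the fixed shared secret "radsec" used on RadSec connections, since the TLS layer rather than the secret provides the real authentication.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

STATUS_SERVER = 12          # RADIUS code for Status-Server
MESSAGE_AUTHENTICATOR = 80  # attribute type: 16-byte HMAC-MD5 over the packet
RADSEC_SECRET = b"radsec"   # assumption: fixed secret used over a RadSec (TLS) link
MA_LEN = 18                 # attribute length: type (1) + length (1) + HMAC (16)


def build_status_server(identifier: int, secret: bytes = RADSEC_SECRET,
                        authenticator: Optional[bytes] = None) -> bytes:
    """Build a Status-Server request carrying a valid Message-Authenticator."""
    if authenticator is None:
        authenticator = os.urandom(16)   # Request Authenticator: 16 random bytes
    length = 20 + MA_LEN                 # 20-byte header + one attribute
    header = struct.pack("!BBH16s", STATUS_SERVER, identifier, length, authenticator)
    attr_hdr = struct.pack("!BB", MESSAGE_AUTHENTICATOR, MA_LEN)
    # The HMAC is computed with the attribute value zeroed, then filled in.
    mac = hmac.new(secret, header + attr_hdr + bytes(16), hashlib.md5).digest()
    return header + attr_hdr + mac


def verify_status_server(packet: bytes, secret: bytes = RADSEC_SECRET) -> bool:
    """Check code and length, then walk the attributes and verify type 80."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != STATUS_SERVER or length != len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False                 # malformed attribute: reject the packet
        if atype == MESSAGE_AUTHENTICATOR and alen == MA_LEN:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + MA_LEN:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + MA_LEN])
        pos += alen
    return False                         # no Message-Authenticator: not a valid probe
```

A peer that answers such a probe only after `verify_status_server` succeeds never leaks liveness information to an unauthenticated sender, which is what makes the keep-alive usable for failover detection and for keeping a NAT binding open.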

With RadSec it is also possible to use some dynamic mapping from realm to server, e.g. DNS SRV records, so that a RADIUS client can connect directly to the user's home server, thus obsoleting the current RADIUS hierarchy.

There are two RadSec implementations. One is the Radiator product from OSC. The other is an open source implementation of RadSec called radsecproxy. This is a generic RADIUS proxy that can handle multiple clients and servers, each using standard RADIUS (UDP) or RadSec. It can be used to RadSec-enable a RADIUS client or server (e.g. it has been used to RadSec-enable access points), or simply as a proxy in RADIUS routing hierarchies like eduroam, where most of the nodes are RADIUS proxies performing routing.

Download presentation

02radsecndn.ppt

Biography

Stig Venaas is a senior scientist at UNINETT, the Norwegian Research Network. He has worked at UNINETT since 2000 and is working on various topics like IPv6, multicast, routing and middleware; focusing on development, research and standardisation. He is actively involved in the IETF and also participates in Internet2 working groups and TERENA Task Forces.