From: Andrew Wood
Date: Tue, 27 May 2025 08:53:21 -0500
Subject: Implementing RADSEC
Message-Id: <9F26B64E-126D-49E2-8E56-D3CE3C946072@gmail.com>
To: freebsd-current@freebsd.org
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

Hi all,

Apologies if this is the wrong place to go, I don't really have any contributing experience. I was curious and looking around FreeBSD's RADIUS implementation and noticed what appears to be a lack of RADSEC (RADIUS over TLS) in the OS's source code. Granted, there IS a port named "radsecproxy" that allows users to make use of it, but my personal thinking/opinion is that if using RADIUS as a NAS (Network Access Server) is available natively through pam_radius then perhaps if we want a "security by default" approach we should add radsec to libradius and open up native use of RADSEC. Additionally, there's an IETF draft in the works deprecating the use of UDP or TLS-less UDP (https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/), which may or may not add some importance to something like this.

Thus, I come here asking, do y'all think it would be worth it or a good idea for me to work on adding in TLS support for RADIUS, or am I best off letting the port that already exists for it use it?

Thanks,
Andrew
