Date: Tue, 27 May 2025 21:40:57 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Andrew Wood
cc: freebsd-current@freebsd.org
Subject: Re: Implementing RADSEC
In-Reply-To: <9F26B64E-126D-49E2-8E56-D3CE3C946072@gmail.com>
Message-ID: <03o36766-85q7-s58q-362o-910p561o24so@yvfgf.mnoonqbm.arg>
References: <9F26B64E-126D-49E2-8E56-D3CE3C946072@gmail.com>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Tue, 27 May 2025, Andrew Wood wrote:

> Hi all,
>
> Apologies if this is the wrong place to go, I don't really have any
> contributing experience. I was curious and looking around FreeBSD's
> RADIUS implementation and noticed what appears to be a lack of RADSEC
> (RADIUS over TLS) in the OS's source code. Granted, there IS a port named
> "radsecproxy" that allows users to make use of it, but my personal
> thinking/opinion is that if using RADIUS as a NAS (Network Access Server)
> is available natively through pam_radius, then perhaps, if we want a
> "security by default" approach, we should add radsec to libradius and
> open up native use of RADSEC. Additionally, there's an IETF draft in the
> works deprecating the use of UDP or TLS-less UDP
> (https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/),
> which may or may not add some importance to something like this.
>
> Thus, I come here asking: do y'all think it would be worth it or a good
> idea for me to work on adding in TLS support for RADIUS, or am I best off
> letting the port that already exists for it be used?
Maybe ask on net@. There may be more folks interested in the topic.

There (is|was) other software in ports like Radiator or freeradius which
will do both, and proxying is part of all of it.

Deprecating RADIUS/UDP will take longer than getting rid of IPv4 if anyone
asks me ;-)

What but pam is using libradius in base? ppp and hostapd? But hostapd has
its own, so it's pam and ppp. Counting days of their use... I guess.

/bz

-- 
Bjoern A. Zeeb r15:7
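The proxying route Bjoern refers to, shown as an added example that is not from the thread nor from radsecproxy's own documentation: a radsecproxy configuration that accepts the legacy RADIUS/UDP leg from the base pam_radius/libradius client on loopback only and forwards it upstream over RADIUS/TLS with certificate verification. The hostname, file paths and the local secret are placeholders.

```conf
# radsecproxy.conf: terminate plaintext RADIUS/UDP on loopback and carry
# every off-host exchange over RADIUS/TLS (RFC 6614).
# Hostname, file paths and the LOCALONLY secret are placeholders.

# Listen for plain UDP on loopback only, so the MD5-protected legacy
# transport never leaves the host.
ListenUDP 127.0.0.1:1812

tls default {
    # CA that issued the upstream RADIUS/TLS server's certificate
    CACertificateFile   /usr/local/etc/radsecproxy/ca.pem
    # This host's client certificate and key, presented to the upstream
    CertificateFile     /usr/local/etc/radsecproxy/client.pem
    CertificateKeyFile  /usr/local/etc/radsecproxy/client.key
}

# The local pam_radius/libradius client. This shared secret only crosses
# loopback and must match the entry in radius.conf(5).
client 127.0.0.1 {
    type    udp
    secret  LOCALONLY-placeholder
}

# Upstream RADIUS/TLS server. RFC 6614 fixes the RADIUS shared secret to
# "radsec" for the TLS transport; confidentiality and peer authentication
# come from TLS and the certificate checks above, not from the secret.
server radius-tls.example.org {
    type                 tls
    tls                  default
    secret               radsec
    certificateNameCheck on
    statusServer         on
}

# Forward every realm to the TLS server.
realm * {
    server radius-tls.example.org
}
```

The base client then points at loopback with a line such as `auth 127.0.0.1 LOCALONLY-placeholder` in radius.conf(5), so only the TLS-protected leg crosses the network.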