Hi,

> Right. While I think the RADSEC folks indicate they have some client
> implementations, my impression of the work is that it's more useful
> between the first-hop proxy and the home server.
>
> For the RADSEC folks: Is there any reason that the first-hop proxy
> couldn't terminate a RADIUS (RADIUS over UDP) session with the NAS and
> originate a RADSEC (RADIUS over TLS/TCP) session with the up-stream
> proxies or home server?

That's perfectly possible. In fact, we had planned to deploy it exactly for the server-to-server use case. It just happened that the use case of "APs in weird environments" *also* showed up, and there was additional merit in having client gear that speaks RadSec itself.

There is nothing that stops one from having RADIUS client gear and a RadSec server behind because the conversion is lossless. This is what happens for my own country deployment in the Luxembourg TLD: upstream connection to the European root is via RadSec, while the connected institutions use plain RADIUS to talk to the TLD server.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

E-Mail: stefan.winter@restena.lu
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473