Re: Dynamic discovery: applicability questions
Bernard Aboba wrote:
> While my understanding is that certificates have been used in RADSEC
> deployments, deploying certificates on NASes for use with RADIUS/DTLS
> could be considerably more difficult.
It depends on how it's done. Bob Moscowitz and I had a "RADIUS
bootstrap" draft years ago that would have helped. But there was little
interest at the time.
> Also, typically NASes are configured with the address of the proxy or
> server, and therefore don't need to dynamically discover it. The
> situation is a bit like default route configuration with IPv4.
These addresses change from time to time. (Months, maybe years).
> For example, I'd suggest that a RADIUS server should probably not use
> dynamic discovery to decide how to answer an incoming Request. This
> could result in an incoming RADSEC packet being answered with a RADIUS
> over DTLS packet. The logical thing to do is for a responder (either a
> RADIUS server or a DAS) to respond with the same transport that was
> used in the Request.
Yes.
> I'm also not sure whether a DAC should use dynamic discovery to decide
> how to speak to a DAS. In this situation, there is presumably
> information available on the transport used by the RADIUS client in the
> Access-Request. Wouldn't it make more sense for the DAC to use that
> same transport in speaking to the DAS?
Yes. The RADIUS server should cache IPs for a client, and when
connecting to that client for purposes of dynamic authorization, use
that IP address.
Alan DeKok.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>