Let us presume that there is a NAT (perhaps a carrier-grade NAT) located between a RADIUS over TLS client and server. Bringing up a TLS connection to the RTLS server and using this for traffic in both directions has several advantages, it seems to me:

a. RADIUS DynAuth traffic from the DAC to the DAS can now traverse the NAT (assuming that the RTLS server is acting as the DAC and the NAS as the DAS).

b. Neither the NAS/DAS nor the RTLS server/DAC needs to have both TLS client and TLS server certs.

Does this make sense?

> > Re-using the TCP or UDP ports for both TLS and classic, the NAT
> > unfriendliness comes back, by producing ambiguous assumptions about the
> > client's state on the server. Using separate ports makes these
> > assumptions unnecessary; which is a good thing IMHO.
>
> For TLS in particular, but also TCP, I think it's also good to allow the
> same connection (which obviously has the same destination port) to be used
> for all RADIUS messages.
>
> This is mainly to reduce the amount of state, and cycles spent on TLS,
> certificate verification etc.
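The exchange discussed in this message, as an added example that is not part of the thread or of any RADIUS implementation: the NAS opens one connection to the server, and that single connection carries the NAS-to-server Access-Request as well as the server-to-NAS CoA-Request (the DAC-to-DAS direction), so nothing has to be opened back through the NAT. TLS is left out and an in-memory socketpair stands in for the NAS-initiated TLS connection; packets are framed by the RADIUS Length field as in RADIUS/TCP (RFC 6613), and CoA/Disconnect authenticators follow RFC 5176. The shared secret "radsec" is the constant RFC 6614 specifies for RADIUS/TLS; the identifiers, attribute values and session ID are constructed for the example.

```python
"""One connection, both directions: RADIUS auth plus Dynamic Authorization."""
import hashlib
import os
import socket
import struct

SECRET = b"radsec"  # fixed shared secret for RADIUS/TLS per RFC 6614

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
DISCONNECT_REQUEST, DISCONNECT_ACK = 40, 41
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
DYNAUTH_REQUESTS = (DISCONNECT_REQUEST, COA_REQUEST)
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID = 1, 4, 44

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1, incl. header) Value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs

def build_request(code, ident, attrs):
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if code == ACCESS_REQUEST:
        auth = os.urandom(16)  # Access-Request uses a random Request Authenticator
    else:
        # RFC 5176 s.3: MD5(Code + ID + Length + 16 zero octets + attributes + secret)
        auth = hashlib.md5(header + bytes(16) + body + SECRET).digest()
    return header + auth + body

def build_response(code, request, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + attributes + secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + SECRET).digest()
    return header + auth + body

def verify_request(packet):
    """A DAS must verify a CoA/Disconnect-Request before acting on it."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + SECRET).digest()
    return packet[0] in DYNAUTH_REQUESTS and packet[4:20] == expected

def verify_response(response, request):
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + SECRET).digest()
    return response[1] == request[1] and response[4:20] == expected

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf

def recv_packet(sock):
    """RFC 6613 framing: the Length field in the RADIUS header delimits each packet."""
    hdr = recv_exact(sock, 4)
    length = struct.unpack("!BBH", hdr)[2]
    if length < 20 or length > 4096:
        raise ValueError("bad RADIUS length")
    return hdr + recv_exact(sock, length - 4)

def run_exchange():
    """Drive both directions over one socketpair; returns a dict of checks."""
    nas, srv = socket.socketpair()  # stands in for the NAS-initiated TLS connection
    results = {}
    # 1. NAS -> server: ordinary authentication traffic.
    access_req = build_request(ACCESS_REQUEST, 7,
                               [(USER_NAME, b"alice"), (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))])
    nas.sendall(access_req)
    got = recv_packet(srv)
    results["server_saw_access_request"] = got[0] == ACCESS_REQUEST
    srv.sendall(build_response(ACCESS_ACCEPT, got, []))
    accept = recv_packet(nas)
    results["accept_valid"] = accept[0] == ACCESS_ACCEPT and verify_response(accept, access_req)
    # 2. Server (DAC) -> NAS (DAS): CoA-Request down the SAME connection.
    coa = build_request(COA_REQUEST, 99, [(USER_NAME, b"alice"), (ACCT_SESSION_ID, b"0001")])
    srv.sendall(coa)
    got = recv_packet(nas)
    # The NAS demultiplexes by Code: a DynAuth request arriving on a connection
    # it opened is answered, not treated as a reply to its own request.
    ok = got[0] in DYNAUTH_REQUESTS and verify_request(got)
    results["nas_verified_coa"] = ok
    nas.sendall(build_response(COA_ACK if ok else COA_NAK, got, []))
    ack = recv_packet(srv)
    results["coa_ack_valid"] = ack[0] == COA_ACK and verify_response(ack, coa)
    nas.close()
    srv.close()
    return results

if __name__ == "__main__":
    print(run_exchange())
```

The point to take from the demultiplexing step is that on a shared connection the NAS can no longer assume every inbound packet is a reply to something it sent; it has to dispatch on Code and, for CoA/Disconnect, verify the Request Authenticator before touching session state.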