We have been involved in the Internet Engineering Task Force (IETF) for a few decades now. During that time, we have written many of the RADIUS standards. We are still involved in the standards process, and this post explains how the new standards will affect you.
The IETF is meeting in San Francisco for IETF 117. We are working on a number of standards in different groups.
RADIUS Extensions (RADEXT)
The bulk of our work is in the RADIUS extensions (RADEXT) working group. The documents we are working on are:
TLS-PSK. The original RADIUS/TLS specifications did not describe how to use TLS-PSK with RADIUS. This document corrects that mistake. In many cases, it can be simpler to use pre-shared keys with RADIUS than to configure clients with certificates.
Deprecating insecure transports. This document suggests that it’s a bad idea to use “bare” UDP or TCP transports across the Internet. We have more discussion on this topic in our RADIUS Insecurity article.
Reverse CoA. When a NAS connects to a RADIUS server via TLS, it can be difficult (or impossible) to send Disconnect-Request packets to the NAS. This document describes how to send CoA packets in “reverse” down that RADIUS/TLS connection. While it is not yet a working group document, we believe that it will be published shortly. It is most likely to be useful in OpenRoaming.
There is a strong demand for TEAP, in part because of its ability to do provisioning inside of the TLS tunnel. We have implemented TEAP in FreeRADIUS 3.2.3, and are working on updates and documentation.
We are also monitoring EAP-FIDO, which is a new proposed specification that uses Passkeys for 802.1X. The hope is that EAP configuration will become little more than “Use EAP-FIDO for network access”. It looks like this will not only work, but that it will not be too complicated to do.
If EAP-FIDO reaches its potential, then many Mobile Device Management (MDM) problems simply go away. That is a good thing for enterprises and universities.
We are working with the [DHCP](https://datatracker.ietf.org/wg/dhc/about/) working group to clarify implementation issues with DHCPv6.
Our customers have run into issues with DHCPv6. We are working on updates to clarify “best practices” around DHCPv6.
MAC address randomization can make MAC authentication difficult. We are following the Madinas working group to ensure that new standards meet the market's needs, and are secure.
Now that the TACACS+ RFC has been published, the working group is updating the document for TACACS+ TLS. Many of our customers use TACACS+, and there is a strong need for a version of the protocol which uses modern cryptography.
How this affects people using FreeRADIUS
People using FreeRADIUS can rest assured that FreeRADIUS is compatible with all “up and coming” Internet standards. In fact, led by Alan DeKok, the team at Network RADIUS continues to lead the industry in defining and implementing these standards, as we have done for decades.
Your RADIUS systems will continue to get more secure, and more flexible.
We continue to follow these, and other, standards. Our goal is to serve our customers, to improve the technology, and to make people's lives easier.
Need more help?
Network RADIUS has been helping clients around the world design and deploy their RADIUS infrastructure for 20 years. We specialize in complex systems and have seen pretty much every variation and problem out there. If you want help from the people who wrote FreeRADIUS, visit our quote page to contact us for a consultation.