RadSec

RADSEC is next-generation RADIUS transport which relies on TCP and TLS for reliable and secure transport with integrity verification.  Deployment of RADSEC will likely come in two phases:  Initially the eduroam infrastructure will deploy RADSEC for infrastructure validation, in which case TLS replaces shared RADIUS secrets.  The second-phase of RADSEC deployment will replace the current hierarchical structure of eduroam with a Peer-to-Peer model as outlined in [5].

Currently RADSEC support is integrated into Radiator [2], and FreeRADIUS support is forthcoming.  To aid in integration of RADSEC with existing infrastructure the radsecproxy tool [3] has been created by UNINETT (Norway) to provide RADSEC infrastructure while proxying to non-RADSEC aware RADIUS servers.

For technical information on RADSEC and dynamic discovery for RADSEC please see [4] and [5] below:

  1. GEANT2 report on RADSEC
  2. Open Source Consultants Whitepaper on RADSEC
  3. radsecproxy homepage
  4. TLS encryption for RADIUS over TCP (RadSec)
  5. NAI-based Dynamic Peer Discovery for RADIUS over TLS and DTLS