Hi,

I'm currently assembling the -06 draft of RADIUS over TLS. This is a proposed new section 2.3 to cover issue "NAS Identity": Please comment...

2.3. Connecting Client Identity

In RADIUS, clients are uniquely identified by their IP address. This does not permit determining whether the connecting entity is a NAS or a different server which proxies a request. When NAT is used on the path to the server, it also does not permit determining whether there is more than one entity connecting from the same IP address.

RADIUS over TLS makes it possible to preserve these traditional RADIUS semantics by identifying a connecting client by the IP address which initiated the TLS connection. In addition, it does permit a much more fine-grained identification. The parameters of the TLS connection can be attributed to the RADIUS packets inside the TLS connection. An implementation of RADIUS over TLS should expose as many details of the TLS connection that belongs to an incoming RADIUS packet as possible to the application administrator, to allow the administrator to define the identification criteria which are applicable to his desired operational model.

In X.509 certificate operation, at least the following parameters of the TLS connection should be exposed:

o Originating IP address
o Certificate Fingerprint
o Issuer
o Subject
o all X509v3 Extended Key Usage
o all X509v3 Subject Alternative Name
o all X509v3 Certificate Policies

In TLS-PSK operation, at least the following parameters of the TLS connection should be exposed:

o Originating IP address
o TLS Identifier

Greetings,

Stefan Winter

(I created this text outside of my sponsor project's time)

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
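The following is an added example, not code from the draft or from any RADIUS over TLS implementation, showing how a server could expose the TLS connection parameters listed in the proposed section 2.3 and let an administrator match them with rules of his own choosing. The `TLSPeerInfo` and `ClientRule` types, the rule fields, the OID, the names and addresses, and the peer records are all constructed for this illustration; only the `ssl`/`hashlib` calls are real stdlib APIs. The "stranger" peer shows the NAT case the section describes: a second entity behind the same IP address as a known NAS is only told apart once the certificate parameters, not just the IP, are part of the identification criteria.

```python
"""Client identification for RADIUS over TLS from the TLS connection parameters
of section 2.3.  Added example with constructed data; not draft or project code."""
import hashlib
import ssl
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TLSPeerInfo:
    """The connection parameters section 2.3 says an implementation should expose."""
    ip: str                                    # originating IP address
    mode: str                                  # "x509" or "psk"
    fingerprint: Optional[str] = None          # SHA-256 of the DER certificate, hex
    issuer: Optional[str] = None               # e.g. "commonName=Campus CA,organizationName=Example"
    subject: Optional[str] = None
    ext_key_usage: list = field(default_factory=list)      # X509v3 Extended Key Usage names
    subject_alt_names: list = field(default_factory=list)  # X509v3 SAN as (type, value) pairs
    cert_policies: list = field(default_factory=list)      # X509v3 Certificate Policies OIDs
    psk_identity: Optional[str] = None         # TLS-PSK identifier


def rdn_to_string(rdn_seq) -> str:
    """Flatten ssl.getpeercert()'s ((('commonName', 'x'),), ...) into 'commonName=x,...'."""
    return ",".join(f"{k}={v}" for rdn in rdn_seq for k, v in rdn)


def peer_info_from_socket(sock: ssl.SSLSocket) -> TLSPeerInfo:
    """Fill TLSPeerInfo from a live stdlib TLS socket in X.509 mode (not exercised below).
    getpeercert() decodes subject, issuer and SAN; the fingerprint comes from the DER
    form.  The ssl module does not decode Extended Key Usage or Certificate Policies,
    so those stay empty here and need a separate DER parser in a real server."""
    der = sock.getpeercert(binary_form=True)
    cert = sock.getpeercert() or {}
    return TLSPeerInfo(
        ip=sock.getpeername()[0], mode="x509",
        fingerprint=hashlib.sha256(der).hexdigest(),
        issuer=rdn_to_string(cert.get("issuer", ())),
        subject=rdn_to_string(cert.get("subject", ())),
        subject_alt_names=list(cert.get("subjectAltName", ())),
    )


@dataclass
class ClientRule:
    """One administrator-defined identification criterion.  Every field that is set
    must match; unset fields are ignored.  So an operator can pin one NAS by IP plus
    fingerprint, accept a whole federation by issuer plus policy OID, or identify a
    PSK client by its TLS identifier, whichever fits the operational model."""
    name: str
    ip: Optional[str] = None
    fingerprint: Optional[str] = None
    issuer: Optional[str] = None
    san: Optional[tuple] = None            # one SAN entry that must be present
    ext_key_usage: Optional[str] = None    # one EKU that must be present
    cert_policy: Optional[str] = None      # one policy OID that must be present
    psk_identity: Optional[str] = None

    def matches(self, peer: TLSPeerInfo) -> bool:
        if self.ip is not None and peer.ip != self.ip:
            return False
        if self.fingerprint is not None and peer.fingerprint != self.fingerprint:
            return False
        if self.issuer is not None and peer.issuer != self.issuer:
            return False
        if self.san is not None and self.san not in peer.subject_alt_names:
            return False
        if self.ext_key_usage is not None and self.ext_key_usage not in peer.ext_key_usage:
            return False
        if self.cert_policy is not None and self.cert_policy not in peer.cert_policies:
            return False
        if self.psk_identity is not None and peer.psk_identity != self.psk_identity:
            return False
        return True


def identify_client(peer: TLSPeerInfo, rules: list) -> Optional[str]:
    """Name of the first matching rule, or None.  Order rules most specific first."""
    for rule in rules:
        if rule.matches(peer):
            return rule.name
    return None


# Constructed sample data: fingerprints are hashes of placeholder bytes, not real certs.
NAS1_FP = hashlib.sha256(b"constructed-der-nas1").hexdigest()
PROXY_FP = hashlib.sha256(b"constructed-der-proxy").hexdigest()
STRANGER_FP = hashlib.sha256(b"constructed-der-stranger").hexdigest()
FED_CA = "commonName=Federation CA,organizationName=Example Federation"
FED_POLICY = "1.3.6.1.4.1.99999.1.1"   # placeholder policy OID, not a registered one

RULES = [
    ClientRule("nas1", ip="192.0.2.1", fingerprint=NAS1_FP),
    ClientRule("federation-proxy", issuer=FED_CA, ext_key_usage="clientAuth", cert_policy=FED_POLICY),
    ClientRule("nas2-psk", psk_identity="nas2@example.net"),
]

SAMPLE_PEERS = {
    "nas1": TLSPeerInfo("192.0.2.1", "x509", NAS1_FP, "commonName=Campus CA,organizationName=Example",
                        "commonName=nas1.example.net", ["clientAuth"], [("DNS", "nas1.example.net")]),
    "proxy": TLSPeerInfo("192.0.2.1", "x509", PROXY_FP, FED_CA, "commonName=proxy.partner.example",
                         ["clientAuth", "serverAuth"], [("DNS", "proxy.partner.example")], [FED_POLICY]),
    "psk": TLSPeerInfo("198.51.100.7", "psk", psk_identity="nas2@example.net"),
    # Same NAT address as nas1, but a different certificate from the campus CA.
    "stranger": TLSPeerInfo("192.0.2.1", "x509", STRANGER_FP, "commonName=Campus CA,organizationName=Example",
                            "commonName=other-host", ["clientAuth"]),
}


def classify_all(peers=SAMPLE_PEERS, rules=RULES) -> dict:
    """Map each sample connection to the client identity the rules assign it."""
    return {label: identify_client(p, rules) for label, p in peers.items()}


if __name__ == "__main__":
    for label, identity in classify_all().items():
        print(f"{label:9s} -> {identity}")
```

A rule that sets only `ip` reproduces the traditional RADIUS behaviour, and with it the "stranger" connection is accepted as the same client as nas1; adding the fingerprint (or issuer, SAN, or policy) to the rule is what lets the server distinguish the two entities sharing that address.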