Hi Stefan,
On 20.08.20, 17:24, "Stefan Winter" stefan.winter@restena.lu wrote: right now I'm looking at a use case of RADIUS/TLS peer connections which is a bit different from standard. I wonder if someone could comment on the feasilibility/desirability if one uses certificates as sketched below.
The idea is to cram EAP-specific authorization information into the certificates. They do not only contain the FQDN of the server one connects to, but also verifies whether that same server is authorized to authenticate certain realms. Both of the information elements (FQDN and NAI realm list) are to be included in the same certificate by the server.
I'll answer the important questions first:
Is this kind of behaviour supported in radsecproxy at the present time?
No, this is currently not supported. (for dynamic discovery that is. You can always require a specific sAN to be present for static servers, but that's not the point here)
Could it?
Yes I think it would be feasible to implement this.
The FQDN of the server itself would be in the Subject (CN=server.fqdn.example); the list of authoritative realms would be in an arbitrarily long set of subjectAltName:DNS extensions.
The client, when presented such a certificate from a server it connects to, should always exclusively look at the CN and abort the connection attempt when the server's name doesn't match the expectation (i.e. the discovered hostname from a NAPTR discovery). Notably, if the FQDN happens to be in the sAN:DNS list, it should still disconnect. CN is the only field that counts.
I'm very skeptical about this point. I can't point to any RFC or so, but my gut-feeling says that sAN:DNS is used very often for multi-domain certificates. Not allowing multi-domain certificates would violate user expectations, and might also exclude some use-cases. As you said yourself, RFC7585 provides a semantically cleaner behavior. What would be the argument against using this? In terms of implementation, this wouldn't be that much different. As it happens, I'm already looking into implementing further sAN checks (#43, #45).
Only if the CN matches, the next step would be to check the realm that was used as a starting point for NAPTR discovery, and verify that this realm is one of the sAN:DNS in the certificate. Again, the client should disconnect if that is not true. [1]
Checking the realm against sAN:DNS is a possibility, but not sure if this would create further issues if also used for multi-domain certificates.
Best regards, Fabian
-- SWITCH Fabian Mauchle, Network Engineer Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland Phone +41 44 268 15 30, direct +41 44 268 15 39