Re: [radext] PAKEs and secure RADIUS

Alan DeKok <> Wed, 20 September 2023 15:39 UTC

From: Alan DeKok <>
In-Reply-To: <24504.1695223881@localhost>
Date: Wed, 20 Sep 2023 11:39:32 -0400
To: Michael Richardson <>
Subject: Re: [radext] PAKEs and secure RADIUS

On Sep 20, 2023, at 11:31 AM, Michael Richardson <> wrote:
> I understood Bernard's message as being about RADIUS<->RADIUS security rather
> than end-device security (EAP).

  Sure.  My thought was that if EAP has a bootstrapping method based on TLS, then RADIUS also needs a bootstrapping method for TLS.

  Why not use a similar mechanism?

>   The connections between various proxies
> being more and more ad-hoc/on-demand as connectivity patterns grow.

  I think that issue can be addressed via dynamic discovery.  Even without that, proxies are complex systems that are already on the net.  They can be managed by admins through various OS tooling.

  However, there's still an issue for NAS -> server bootstrapping.  Right now it is pretty horrific.  If we can define a way to fix that, and then wedge it into various other standards bodies, it will benefit everyone.

  Alan DeKok.