Hi Jouni,

We are a team at Google working on Google Station (https://station.google.com/) with a mission of connecting the under-connected by providing fast, secure and reliable WiFi.

We have seen that the RADIUS AAA server is often not in the same subnet as the one offering the network connectivity. This means that RADIUS UDP packets are sometimes sent in the clear from the ISP to the cloud-hosted RADIUS AAA server. We would like to transfer this over a secure channel, and RFC 6614 (https://tools.ietf.org/html/rfc6614) specifies that.

There are other ways, like establishing a tunnel from the ISP to the server / cloud hosting the RADIUS AAA server. We have found this to be tedious, hard to maintain, costly and often at odds with various ISP firewall configs. RadSec also removes the need to have the firewall open ports on the hostapd server (even for dynamic auth).

We have multiple certified vendors, such as Cisco, Ruckus, Aruba and Mikrotik, implementing RadSec (RFC 6614). In order to allow open source APs using Linux/OpenWrt to support this, we'd like to look into contributing patches to hostapd to add native RadSec support over the next few months.

Are you open to adding native RadSec support to hostapd, please?

This is probably a compile-time flag (similar to the IPv6 support) to control whether the RadSec support is compiled into the binary. If the feature is compiled in, a new option (such as radsec_port) will trigger using RadSec instead of UDP RADIUS. We are planning to support both access/accounting requests and dynamic auth requests (CoA/DM).

regards
Dr. Heng Liu