3.75. <AuthBy DNSROAM>

This clause proxies RADIUS requests to remote RADIUS and/or RadSec servers based on the Realm in the User-Name. The appropriate server to send to and the protocol to use are discovered through DNS lookups configured through the Resolver clause. For more information, see Section 3.113. <Resolver>. You must include a <Resolver> clause in your configuration if you intend to use <AuthBy DNSROAM>.
AuthBy DNSROAM is intended to make it easy to set up a secure, reliable, low-maintenance RADIUS/RadSec federation. A RADIUS federation (sometimes called a RADIUS mesh) is a set of RADIUS servers operated by a set of independent but cooperating organisations. The goal is to permit users who belong to one organisation to use RADIUS-controlled resources at another organisation. A typical example is a group of Universities cooperating to permit a user from one University to connect to the wireless network at any other University in the group using their home user name and password. Radiator also permits RADIUS requests to be sent to another Radiator server through RadSec. RadSec provides secure, encrypted, reliable transport of RADIUS requests, with optional mutual authentication of RadSec client and server. For more information about the RadSec protocol, see the RadSec white paper.
Using AuthBy DNSROAM and DNS to hold information about the target server for each Realm permits convenient and scalable administration of the routing topology within a RADIUS/RadSec mesh.
DNSROAM cooperates well with existing RADIUS infrastructure, and can interoperate with other RADIUS servers and clients, as well as other RadSec servers and clients. It supports hardwired preconfigured RADIUS and RadSec routes as well as DNS discovered routes. It can provide a default fallback, so that Realms that are neither discovered nor hardwired can be forwarded to some catchall server (or dropped). It supports forwarding to IPv4 and/or IPv6 addresses. RadSec can use TCP or SCTP protocol for transport over IPv4 or IPv6. DNSROAM supports discovering RADIUS proxy servers as well as RadSec proxy servers.
The <AuthBy DNSROAM> clause can contain one or more <Route> subclauses which specify hardwired target servers for certain Realms or a DEFAULT fallback server. <Route> subclauses can specify RADIUS or RadSec target servers.
A sample configuration file showing how to use <Resolver>, <AuthBy DNSROAM> and <Route> clauses together can be found in goodies/dnsroam.cfg in your Radiator distribution.
AuthBy DNSROAM uses the following algorithm when it receives a RADIUS request for handling:
  1. Extract the Realm from the User-Name in the RADIUS request. (The user name and/or realm can be configured to be rewritten by patterns in the enclosing Handler or Client clause).
  2. Look for a preconfigured target server <Route> subclause for that Realm.
  3. If no preconfigured target server <Route> subclause is found for that Realm, try to discover a target server name or address using DNS (more below on exactly how this is done).
  4. If no target server is preconfigured or discovered, try to find a DEFAULT preconfigured target server <Route> subclause.
  5. If there is still no target server found, log and drop the request.
  6. If the target server is a RadSec server (Protocol=radsec), establish a RadSec connection to the target server (using a private AuthBy RADSEC clause) and, if so configured, set up a TLS tunnel and perform mutual authentication based on PKI certificates.
  7. If the target server is a RADIUS server (Protocol=radius), forward the request using the RADIUS protocol over UDP (using a private AuthBy RADIUS clause).
  8. When a reply is received from the target server, send the reply back to wherever the request originally came from (there may be multiple proxying hops until the request reaches the home RADIUS server for that Realm).
AuthBy DNSROAM creates private AuthBy RADIUS and/or AuthBy RADSEC clauses to implement each discovered and hardwired RADIUS and RadSec Route. The default values for the parameters for these private clauses are obtained from the enclosing <Route> and/or <AuthBy DNSROAM> clauses, and can be overridden by <Route> clause parameters and parameters discovered from DNS by the <Resolver> clause. For more information, see Section 3.76. <Route> and Section 3.113. <Resolver>.
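The route-selection steps above (1 to 5) and the parameter layering described in the previous paragraph, as an added Python illustration that is not Radiator's own code (Radiator is written in Perl). The `discover` callback standing in for the <Resolver> lookup, the dict-based parameter merge, and sending realm-less User-Names to the DEFAULT route are assumptions made for the illustration:

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Route:
    realm: str                  # "DEFAULT" marks the catch-all route
    address: str
    protocol: str               # "radsec" or "radius"
    params: dict = field(default_factory=dict)   # per-<Route> overrides

@dataclass
class Decision:
    source: str                 # "route", "dns", "default" or "drop"
    realm: Optional[str]
    address: Optional[str] = None
    protocol: Optional[str] = None
    params: dict = field(default_factory=dict)

def extract_realm(user_name: str) -> Optional[str]:
    """Step 1: the Realm is the text after the last '@' (None if absent)."""
    _, sep, realm = user_name.rpartition("@")
    return realm.lower() if sep and realm else None

def select_route(user_name: str, routes: list, discover: Callable, defaults: dict) -> Decision:
    """Steps 1-5: hardwired <Route>, then DNS discovery, then DEFAULT, else drop.
    `discover(realm)` stands in for the <Resolver> lookup (assumed interface):
    it returns None or a dict with 'address', 'protocol' and any overrides."""
    realm = extract_realm(user_name)
    by_realm = {r.realm.lower(): r for r in routes}
    # Step 2: hardwired <Route> for this Realm. Defaults taken from the
    # enclosing <AuthBy DNSROAM> are overridden by the Route's own parameters.
    if realm and realm in by_realm:
        r = by_realm[realm]
        return Decision("route", realm, r.address, r.protocol, {**defaults, **r.params})
    # Step 3: DNS discovery; parameters learned from DNS override the defaults.
    found = discover(realm) if realm else None
    if found:
        overrides = {k: v for k, v in found.items() if k not in ("address", "protocol")}
        return Decision("dns", realm, found["address"], found["protocol"], {**defaults, **overrides})
    # Step 4: DEFAULT catch-all <Route>, if one is configured (a realm-less
    # User-Name also ends up here: an assumption, the page does not say).
    if "default" in by_realm:
        r = by_realm["default"]
        return Decision("default", realm, r.address, r.protocol, {**defaults, **r.params})
    # Step 5: no target server at all; log and drop the request.
    return Decision("drop", realm)
```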
AuthBy DNSROAM supports TLS. For more information about TLS parameters, see Section 3.11. TLS configuration.
AuthBy DNSROAM also understands the same parameters as <AuthBy xxxxxx>. For more information, see Section 3.28. <AuthBy xxxxxx>.