Dynamic Peer Discovery

Support for RFC 7585 "Dynamic Peer Discovery for RADIUS/TLS and RADIUS/DTLS Based on the Network Access Identifier (NAI)". Instead of statically forwarding RADIUS requests to one or more RADIUS servers, Dynamic Peer Discovery dynamically finds the correct RADIUS server based on the realm/NAI. When a request arrives, the correct server is found via DNS NAPTR/SRV records.





LANconfig: RADIUS > Dyn. Peer Discovery

Console: Setup > RADIUS > Dynamic-Peer-Discovery

DPD operating
Switches Dynamic Peer Discovery on or off. As soon as Dynamic Peer Discovery is enabled, the RADIUS server branches to dynamic resolution if a particular realm/NAI is not defined in its forwarding table. Local definitions for realms always have priority.
Services
Table with the services. The service is the value delivered in the service field of the NAPTR response. Only those NAPTR entries are extracted and resolved further whose service is the highest-priority one from this table among the services present in the response. With the default setting, for example, if NAPTR records for both service types are supplied, those for "x-eduroam:radius.tls" are ignored. LCOS automatically sorts the table so that higher-prioritized services are placed higher up. The protocol that must be used to reach such a server (RADIUS or RADSEC) is specified explicitly. If the NAPTR request does not return any usable records, this table still determines which prefix is put in front of the NAI for the fallback SRV request: the highest-priority entry for which a prefix is defined in an internally fixed table is taken. Currently the services radius.tls, radius.tls.tcp, radsec.tcp and radius.udp are defined, which correspond to the prefixes _radiustls._tcp., _radsec.tcp. and _radius._udp. respectively.




Priority
Priority of this service.
Service
The services themselves. The defaults are "aaa+auth:radius.tls.tcp" and "x-eduroam:radius.tls".
Protocol
The protocol (RADIUS or RADSEC) used for this service.
DNS timeout
The amount of time in seconds within which all DNS requests for an NAI must be handled. This also includes the two-step variant via NAPTR and subsequent SRV queries. Default: 3 seconds
Minimal eff. TTL
TTL values reported by the DNS server that are shorter than this time are raised to this value. Default: 60 seconds
Backoff time
If a resolution ends in an error (DNS response with error, timeout…), this is the time in seconds for which no new resolution attempts should be made for this realm. Default: 600 seconds
Attribute values
RADIUS attributes to be added or changed when forwarding to servers discovered by Dynamic Peer Discovery.
Routing tag
The routing tag that Dynamic Peer Discovery should use for its DNS queries. Default: 0
Source address (opt.)
The loopback address to use when forwarding to RADIUS servers determined by Dynamic Peer Discovery.
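The following is an added example (not LCOS code) that simulates the selection and caching rules described above on constructed NAPTR data, with no DNS traffic. The protocol assigned to each default service, the assignment of radius.tls to the _radiustls._tcp. prefix, and the record contents are assumptions made for the example.

```python
# Added example: RFC 7585 service selection, SRV fallback, minimal effective
# TTL and backoff as the DPD settings above describe them. Constructed data only.
from collections import namedtuple

Naptr = namedtuple("Naptr", "order pref flags service replacement")

# Service table as on the page, sorted with the highest priority first.
# Protocol RADSEC for both entries is an assumption.
SERVICES = [("aaa+auth:radius.tls.tcp", "RADSEC"), ("x-eduroam:radius.tls", "RADSEC")]
# Fallback SRV prefixes from the page; mapping radius.tls to _radiustls._tcp.
# is an assumption about how the four services map onto the three prefixes.
SRV_PREFIX = {"radius.tls": "_radiustls._tcp.", "radius.tls.tcp": "_radiustls._tcp.",
              "radsec.tcp": "_radsec.tcp.", "radius.udp": "_radius._udp."}

def select_targets(realm, naptrs):
    """Return (protocol, [names to resolve]) from a NAPTR answer or SRV fallback."""
    present = {r.service for r in naptrs}
    for service, proto in SERVICES:            # highest-priority service wins,
        if service in present:                 # lower-priority ones are ignored
            hits = sorted((r for r in naptrs if r.service == service),
                          key=lambda r: (r.order, r.pref))
            return proto, [r.replacement for r in hits]
    for service, proto in SERVICES:            # no usable NAPTR: build SRV name
        prefix = SRV_PREFIX.get(service.split(":", 1)[1])
        if prefix:
            return proto, [prefix + realm]
    return None, []

class DpdCache:
    """Per-realm result cache applying 'Minimal eff. TTL' and 'Backoff time'."""
    def __init__(self, min_ttl=60, backoff=600):
        self.min_ttl, self.backoff, self.entries, self.blocked = min_ttl, backoff, {}, {}
    def store(self, realm, targets, ttl, now):
        self.entries[realm] = (targets, now + max(ttl, self.min_ttl))  # raise short TTLs
    def fail(self, realm, now):
        self.blocked[realm] = now + self.backoff          # no new attempts until then
    def lookup(self, realm, now):
        targets, expires = self.entries.get(realm, (None, 0))
        if targets and now < expires:
            return "cached", targets
        if now < self.blocked.get(realm, 0):
            return "backoff", []
        return "resolve", []

# Constructed NAPTR answer for example.org: both service types are present, so
# only the aaa+auth:radius.tls.tcp records are used and the x-eduroam one is ignored.
ANSWER = [Naptr(100, 10, "S", "x-eduroam:radius.tls", "_radsec._tcp.example.org."),
          Naptr(50, 20, "S", "aaa+auth:radius.tls.tcp", "_radiustls._tcp.backup.example.org."),
          Naptr(50, 10, "S", "aaa+auth:radius.tls.tcp", "_radiustls._tcp.example.org.")]

if __name__ == "__main__":
    print(select_targets("example.org", ANSWER))
    print(select_targets("example.net", []))   # empty answer: SRV fallback name
```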

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
