proxied EAP and eduroam project

inverse inverse at ngi.it
Tue Feb 19 09:36:40 CET 2008


On Feb 18, 2008 12:32 PM,  <A.L.M.Buxey at lboro.ac.uk> wrote:
> Hi,
>

> cleartext?  not really.  the proxied traffic will be at least

This regards EAP-TLS:
I meant that at least the username is shown, and you can get
additional information by reading the attribute values.
Other than that, everything else seems useless, but I just say the
conversation is not completely encapsulated, if that's what you mean.
Anyway, I'm not worried.

> encapsulated via a shared secret between each RADIUS end point.

snip

> would give greater security.  however, EAP-TLS is the de facto
> top-level way of doing it. platinum service, as it were - but
> you've got to have a full PKI infrastructure for creation,
> deployment and revocation.

We have our PKI; we routinely revoke certificates and distribute the
CRL. This happens not without our share of anality, taken care of by
scripts (written with my blood, over human skin) that restart radiusd
and check that everything is still working fine, including the event
of an expired/invalid CRL or an out-of-service PKI.

So, if there is any configuration option to encapsulate the full UDP
payload without revealing anything, I'm more than glad to hear
something about it because I must admit ignorance regarding this
particular matter.
If there isn't one, never mind, just means I misunderstood.

> looking to the future, RADSEC will be involved in 'beefing up'
> the RADIUS to RADIUS communication channel. as well as the
> automatic assignment/discovery of AAA end point systems.

Seems interesting.

bye!
Inverse


-- 
"In a sea of glass shards, I hear you screaming"
--icchan
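To make concrete the "not completely encapsulated" point made in the reply above, here is an added example (my own code, not from this thread and not FreeRADIUS code) that builds a RADIUS Access-Request the way RFC 2865 and RFC 3579 describe it and then parses it the way an on-path proxy or passive observer would. The shared secret (`testing123`), the fixed Request Authenticator, the identities and the password are all constructed for the demonstration. The point it shows is that the shared secret does exactly two things in a proxied request: it obfuscates User-Password and it keys the Message-Authenticator HMAC. User-Name, the EAP Identity inside EAP-Message, and every other attribute value are readable by every hop in between.

```python
import hashlib
import hmac
import struct

# Attribute types (RFC 2865, RFC 3579) and the one packet code used here.
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80

# Constructed values for the demo: a stand-in shared secret and a fixed
# Request Authenticator (a real client picks it at random per request).
SECRET = b"testing123"
AUTH = bytes(range(16))

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password: anyone holding the shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    """Serialise [(type, value)] as RADIUS TLVs; the length byte covers its 2-byte header."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs

def eap_response_identity(eap_id, identity):
    """EAP Response (code 2) of type Identity (1), as carried inside EAP-Message."""
    data = identity.encode()
    return struct.pack("!BBHB", 2, eap_id, 5 + len(data), 1) + data

def build_access_request(ident, authenticator, secret, attrs):
    """Access-Request with Message-Authenticator (RFC 3579 3.2): HMAC-MD5 keyed with
    the shared secret over the whole packet, computed with the attribute zeroed."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return {"code": code, "id": ident, "authenticator": pkt[4:20],
            "attrs": parse_attrs(pkt[20:])}

def verify_message_authenticator(pkt, secret):
    """True only if the packet was produced by a party holding `secret`."""
    found, zeroed = None, b""
    for t, v in parse_packet(pkt)["attrs"]:
        if t == MESSAGE_AUTHENTICATOR:
            found, v = v, b"\x00" * 16
        zeroed += struct.pack("!BB", t, len(v) + 2) + v
    if found is None or len(found) != 16:
        return False
    expected = hmac.new(secret, pkt[:20] + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, found)

def observer_view(pkt):
    """Everything a passive observer (or an intermediate proxy) reads with no secret."""
    view = {"user_name": None, "eap_identity": None, "password_hidden": None, "types": []}
    for t, v in parse_packet(pkt)["attrs"]:
        view["types"].append(t)
        if t == USER_NAME:
            view["user_name"] = v.decode()
        elif t == USER_PASSWORD:
            view["password_hidden"] = v            # obfuscated, but only by the secret
        elif t == EAP_MESSAGE and len(v) >= 5 and v[0] == 2 and v[4] == 1:
            view["eap_identity"] = v[5:].decode()  # outer EAP identity, in the clear
    return view

def sample_eap_request():
    """Constructed first leg of an EAP-TLS exchange: only the outer identity so far."""
    return build_access_request(7, AUTH, SECRET, [
        (USER_NAME, b"anon@example.edu"),
        (EAP_MESSAGE, eap_response_identity(1, "anon@example.edu"))])

def sample_pap_request():
    """Constructed PAP request, for contrast: the password is hidden, the name is not."""
    return build_access_request(8, AUTH, SECRET, [
        (USER_NAME, b"alice@example.edu"),
        (USER_PASSWORD, hide_password(b"correct horse", SECRET, AUTH))])
```

Run `observer_view(sample_eap_request())` and `verify_message_authenticator(sample_eap_request(), SECRET)` side by side: the User-Name and the EAP Identity come out of the first call with no secret at all, while the second only tells a receiver that the packet came from someone holding the secret, not that its contents were private on the wire. The later EAP-Message attributes of the exchange carry the TLS records themselves, which a proxy forwards unchanged. There is no RADIUS attribute-level option to hide the rest of the UDP payload from an intermediate proxy; that is the transport-level gap that RadSec (RADIUS over TLS) is meant to close.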


