proxied EAP and eduroam project

Stefan Winter stefan.winter at restena.lu
Tue Feb 19 10:04:13 CET 2008


Hi,

> unless using very old method like EAP-MD5.

which is forbidden in the eduroam policy anyway. For the exact reason of not 
providing sufficient security (no mutual authentication).

> looking to the future, RADSEC will be involved in 'beefing up'
> the RADIUS to RADIUS communication channel. as well as the
> automatic assignment/discovery of AAA end point systems.

RadSec is RADIUS over TCP+TLS. This means that the attributes which are 
unencrypted in RADIUS (User-Name, Calling-Station-Id, ...) will be hidden 
inside a TLS tunnel and will only be visible to the RADIUS servers involved 
in proxying, not to any IP node along the way, as is currently the case with 
RADIUS alone.

Concerning RadSec, you might like to read the current Internet-Draft: 
http://www.ietf.org/internet-drafts/draft-winter-radsec-01.txt

Greetings,

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473
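
The following is an added example, not part of the original message or of any project's code. It parses a constructed RADIUS Access-Request the way a node on the IP path could with plain RADIUS over UDP, showing that User-Name and Calling-Station-Id are readable as-is; with RadSec the same bytes travel inside the TLS stream. The sample identity, MAC address and zeroed authenticator are constructed values.

```python
import struct

# Attribute numbers from RFC 2865 / RFC 3579.
USER_NAME, CALLING_STATION_ID, EAP_MESSAGE = 1, 31, 79
NAMES = {USER_NAME: "User-Name", CALLING_STATION_ID: "Calling-Station-Id"}

def build_access_request(identifier, attrs):
    """Encode an Access-Request (code 1) from (type, value-bytes) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    authenticator = bytes(16)  # constructed placeholder; real ones are random
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body

def parse_attributes(packet):
    """Return [(type, value)] from a RADIUS packet, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute overruns packet")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def observer_view(packet):
    """Identity attributes readable by any node that sees the UDP datagram."""
    return {NAMES[t]: v.decode("utf-8", "replace")
            for t, v in parse_attributes(packet) if t in NAMES}

# Constructed sample: outer identity, client MAC, EAP-Response/Identity.
IDENTITY = b"anonymous@example.org"
EAP = struct.pack("!BBHB", 2, 1, 5 + len(IDENTITY), 1) + IDENTITY
SAMPLE = build_access_request(7, [
    (USER_NAME, IDENTITY),
    (CALLING_STATION_ID, b"02-00-00-00-00-01"),
    (EAP_MESSAGE, EAP),
])

if __name__ == "__main__":
    print(observer_view(SAMPLE))
```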