Complex eduroam radius design

Olivier Beytrison olivier at heliosnet.org
Tue Nov 13 15:45:25 CET 2012


Hello,

We're planning to deploy eduroam centrally for all the University of
Applied Sciences of Western Switzerland (it consists of ~27 schools and
25'000 people).

On one side, we will have the central RADIUS servers, connected to the
central LDAP backend, which contains all the user accounts.

On the other side, we will have local RADIUS servers (about 7 pairs of
servers, because the schools are grouped regionally and under a central
management).

The idea is the following:
A user joins the WLAN (802.1X, eduroam). The WiFi controller (NAS) contacts
the local RADIUS for authentication, which in turn contacts the central
RADIUS to authenticate the user. Upon successful authentication, the
central RADIUS returns the Access-Accept along with some custom attributes
about the user.
The local RADIUS then performs admission control based on those
attributes (selecting the correct VLAN, subnet, etc.).

So I have two questions:
1. Is this implementation possible?
2. If it is possible, will the inner tunnel for EAP-PEAP and EAP-TTLS
end on the local or the central RADIUS, taking into account that the
authentication is performed by the central RADIUS? (I'll go for the
central one.)

Thanks in advance for your answers.
Best regards,
Olivier B.
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: olivier at heliosnet.org
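A sketch of the two-tier design described in the post, as an added example that is not part of the original message, of any HES-SO deployment, or of the FreeRADIUS project's shipped configuration. It assumes FreeRADIUS 3.x unlang syntax, a constructed realm name (hes-so.example), placeholder addresses and shared secrets, and a hypothetical convention that the central server returns the user's class in Filter-Id. In this layout the local server never loads the eap module with a TLS certificate: it forwards the whole EAP-Message exchange by realm, so the PEAP/TTLS inner tunnel terminates on the central server, and the local server only maps the returned attributes to a VLAN in post-proxy.

```conf
# ===== local (regional) server =====

# clients.conf: the WLAN controller of this region (placeholder values)
client wlan-controller {
    ipaddr = 198.51.100.5       # constructed address
    secret = CHANGE_ME_NAS      # placeholder; unique per controller
    nas_type = other
}

# proxy.conf: where proxied requests go
home_server central1 {
    type   = auth
    ipaddr = 192.0.2.10         # constructed address of a central RADIUS
    port   = 1812
    secret = CHANGE_ME_CENTRAL  # must match the local server's entry in
                                # the central server's clients.conf
    status_check = status-server
}

home_server_pool central_auth {
    type = fail-over
    home_server = central1
    # home_server = central2    # second central server for redundancy
}

# Users authenticate as user@hes-so.example (constructed realm);
# keep the full User-Name so the central server sees the realm too.
realm hes-so.example {
    auth_pool = central_auth
    nostrip
}

# sites-enabled/default (relevant sections only)
authorize {
    preprocess
    suffix          # sets Proxy-To-Realm from the User-Name suffix
    # no eap call here: the EAP conversation is forwarded untouched
}

post-proxy {
    # The central server has answered; map its class attribute
    # (assumed: Filter-Id) to the VLAN the controller should use.
    if (&proxy-reply:Filter-Id == "staff") {
        update reply {
            Tunnel-Type             := VLAN
            Tunnel-Medium-Type      := IEEE-802
            Tunnel-Private-Group-Id := "10"
        }
    }
    elsif (&proxy-reply:Filter-Id == "student") {
        update reply {
            Tunnel-Type             := VLAN
            Tunnel-Medium-Type      := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
    else {
        # unknown or missing class: restricted VLAN rather than open access
        update reply {
            Tunnel-Type             := VLAN
            Tunnel-Medium-Type      := IEEE-802
            Tunnel-Private-Group-Id := "99"
        }
    }
    # drop attributes the controller must not receive (e.g. raw Filter-Id)
    attr_filter.post-proxy
}

# ===== central server =====

# clients.conf: each local server pair is a client here
client local-fribourg {
    ipaddr = 203.0.113.20       # constructed address of a local server
    secret = CHANGE_ME_CENTRAL  # same secret as in the local proxy.conf
}

# sites-enabled/default: the outer EAP conversation ends here
authorize {
    preprocess
    suffix
    eap {                       # eap module holds the TLS certificate
        ok = return
    }
}

authenticate {
    eap
}

# sites-enabled/inner-tunnel: inner identity checked against LDAP
authorize {
    ldap
    eap {
        ok = return
    }
}

post-auth {
    # constructed: tag the user for the local server's admission control
    update reply {
        Filter-Id := "staff"
    }
}
```

Two operational points follow from this split. First, the local server proxies the request as a whole, so it can only act on what the central server puts in the Access-Accept; anything needed for admission control (class, group, site) has to be an explicit reply attribute such as the assumed Filter-Id. Second, the VLAN mapping lives in post-proxy on the local server and the default attribute filter still runs afterwards, so the controller sees only the Tunnel-* attributes and not the internal class value.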
