Complex eduroam radius design

Michael Schwartzkopff misch at schwartzkopff.org
Tue Nov 13 16:01:05 CET 2012


> Hello,
> 
> We're planning to deploy eduroam centrally for the whole University of
> Applied Sciences of Western Switzerland (consisting of ~27 schools and 25'000
> people).
> 
> On one side, we will have the central RADIUS servers, connected to the
> central LDAP backend which contains all the user accounts.
> 
> On the other side, we will have local RADIUS servers (about 7 pairs of
> servers, because the schools are grouped regionally and under a central
> management).
> 
> The idea is the following:
> A user joins the WLAN (802.1X, eduroam). The WiFi controller (NAS) contacts
> the local RADIUS for authentication, which in turn contacts the central
> RADIUS to authenticate the user. Upon successful authentication, the
> central RADIUS returns the Access-Accept along with some custom attributes
> about the user.
> The local RADIUS then performs admission control based on those
> attributes (selecting the correct VLAN, subnet, etc.).
> 
> So I have two questions:
> 1. Is this implementation possible?

Yes.

> 2. If it is possible, will the inner tunnel for EAP-PEAP and EAP-TTLS
> end on the local or the central RADIUS, taking into account that the
> authentication is performed by the central RADIUS? (I'd go for the
> central one.)

The EAP tunnel will end on the end system. Attributes from inside the tunnel can
be copied to the outside RADIUS protocol. These attributes can be seen by the
NAS, so it can react as configured.

Greetings,

-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München

Tel: (0163) 172 50 98
Fax: (089) 620 304 13
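The design discussed above, sketched as FreeRADIUS configuration fragments. This is an added example, not configuration from the thread or from the eduroam deployment; hostnames, the realm, the shared secret, the LDAP group DN and the VLAN ids are placeholders, and the central server is assumed to run the standard inner-tunnel virtual server.

```conf
# --- Central server: terminates the PEAP/TTLS tunnel, authenticates against LDAP ---

# raddb/eap.conf: copy reply attributes set inside the tunnel into the outer
# Access-Accept, so the proxying local server (and the NAS) can see them.
peap {
    use_tunneled_reply = yes
    virtual_server = inner-tunnel
}
ttls {
    use_tunneled_reply = yes
    virtual_server = inner-tunnel
}

# raddb/sites-enabled/inner-tunnel: after a successful inner authentication,
# attach VLAN attributes. Group DN and VLAN id are placeholders (assumption).
post-auth {
    if (LDAP-Group == "cn=staff,ou=groups,dc=example,dc=ch") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "100"
        }
    }
}

# --- Local (regional) server: proxies the EAP exchange to the central pair ---

# raddb/proxy.conf (hostname, secret and realm are placeholders)
home_server central1 {
    type = auth
    ipaddr = central1.example.ch
    port = 1812
    secret = CHANGE_ME
    status_check = status-server
}
home_server_pool central-pool {
    type = fail-over
    home_server = central1
}
realm example.ch {
    auth_pool = central-pool
}

# raddb/sites-enabled/default: admission control on the attributes the central
# server returned. Only VLANs this site actually serves are let through;
# anything else is rejected before the reply reaches the NAS.
post-proxy {
    if (!(proxy-reply:Tunnel-Private-Group-Id =~ /^(100|200)$/)) {
        reject
    }
}
```

The inner-tunnel post-auth block runs only on the central server, where the tunnel ends; the local server never sees the inner identity or credentials, only the outer reply attributes it filters in post-proxy.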