Complex eduroam radius design

Olivier Beytrison olivier at heliosnet.org
Tue Nov 13 17:38:19 CET 2012



On 13.11.2012 16:20, Phil Mayers wrote:
> On 13/11/12 14:45, Olivier Beytrison wrote:
>> Hello,
>>
>> [snip]
>>
>> So I have two questions :
>> 1. is this implementation possible ?
> 
> Yes. But I would argue it's not ideal (see below).
> 
>> 2. If it is possible, will the inner-tunnel for eap-peap and eap-ttls
>> end on the local or central radius, taking in account that the
>> authentication is performed by the central radius.
> 
> It depends what you configure. You can proxy the inner tunnel, or the
> outer tunnel.
> 
> If you proxy the outer tunnel, it's encrypted all the way, but the
> central servers have to do all the TLS. The local servers then do very
> little (what you refer to as "vlans, subnets, etc.")

Well, that's what I would like to do. We have 7 different IT services
running their own network the way they want. The local radius are there
to let them freely manage how users access their network.

> If you proxy the inner tunnel, the local servers do the TLS, but the
> traffic to the central servers is only lightly encrypted (by the RADIUS
> encryption scheme). Whether this matters will depend on your environment.

Not really a matter, as it will run either over a LAN-to-LAN IPsec VPN,
or with RadSec enabled. (Still deciding between using radsecproxy or
going with FreeRADIUS 3 [I know, you need guinea pigs ;)])

> Personally, I would think carefully if this model is right. The local
> servers don't seem to add much value, and are entirely dependent on the
> central servers.

It's not really about value, it's more about letting the local IT
services manage how and what the users can access. We're already
enforcing this central authentication; if we don't give them a minimum of
control, this will lead to an IT Riot :p

> Have you considered replicating the LDAP database to the local servers?

Well, not really a solution here. The central LDAP system is one of the
most complex Novell eDirectory deployments possible. Syncing 7 other LDAP
servers would just put more load on the actual cluster. The
authentication will be made against a dedicated cluster of LDAP servers
which contains only authentication-related information.

To summarize, if I proxy the outer tunnel, there will be more load on
the central server, and I'll add the custom attributes to the outer
reply in order for the local radius to analyse them and add the
nas-specific attribute.

If I proxy the inner tunnel, the TLS is handled by the local radius
(more certificates to buy), on the central server I add the attributes in the
normal reply, and the local radius keeps doing the authorization part.
I just have to take care of the encryption between the local and central
servers. Thankfully L2L VPNs are already established.

Thanks a lot for your answer, it gives me a good idea on how I'll do it.

Olivier B.


-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: olivier at heliosnet.org
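As an added example (not from the thread or from either poster), here is the inner-tunnel variant of the design sketched above in FreeRADIUS 2.x configuration: the central server returns a generic group marker, the local server proxies only the inner EAP request and maps that marker to NAS-specific VLAN attributes. The realm name, address, shared secret, LDAP group name and VLAN id are assumptions, and the standard Filter-Id attribute stands in for the "custom attributes" mentioned in the thread.

```unlang
# --- Central server: sites-enabled/default (authenticates against LDAP) ---
post-auth {
    # Return a generic group marker rather than VLAN attributes, so each local
    # server decides what it means on its own network. Filter-Id is an assumption.
    if (LDAP-Group == "staff") {
        update reply { Filter-Id := "staff" }
    }
}

# --- Local server: proxy.conf ---
home_server central1 {
    type   = auth
    ipaddr = 192.0.2.10          # constructed address
    port   = 1812
    secret = REPLACE_WITH_SHARED_SECRET   # placeholder; run over the L2L VPN or RadSec
    require_message_authenticator = yes
    status_check = status-server  # detect a dead central server instead of timing out
}
home_server_pool central_pool {
    type        = fail-over
    home_server = central1
}
realm central {
    auth_pool = central_pool
    nostrip
}

# --- Local server: sites-enabled/inner-tunnel ---
# Setting Proxy-To-Realm here proxies only the inner EAP request, so TLS is
# terminated locally. Putting the same update in sites-enabled/default instead
# proxies the whole outer tunnel (the other option discussed in the thread).
authorize {
    update control { Proxy-To-Realm := "central" }
}
post-proxy {
    # Map the central marker to NAS-specific attributes; the VLAN id is constructed.
    if ("%{proxy-reply:Filter-Id}" == "staff") {
        update reply {
            Tunnel-Type             := VLAN
            Tunnel-Medium-Type      := IEEE-802
            Tunnel-Private-Group-Id := "100"
        }
    }
}
# eap.conf: set use_tunneled_reply = yes under peap {} and ttls {} so these
# inner-tunnel reply attributes are copied into the outer Access-Accept.
```

Without use_tunneled_reply the VLAN attributes stay inside the tunnel and the NAS never sees them; with no Filter-Id in the proxy reply the user is accepted with no VLAN, so a default or reject branch should be added to match local policy.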

