Alan DeKok <aland@deployingradius.com> wrote:
Alexander Clouter wrote:
I got those :alpha:-n-chums actually working and tested them with a bunch of test cases; they definitely seem to be doing what I would expect...well unless the realm has a space in it :)
Odd...
Glad you do too, means I have not missed something.....hopefully :)
I never understood why eduroam just didn't use SRV records against the realm to find the RADIUS server and a DNS based whitelist to validate which realms were part of the community. :-/
It's hard. Once FreeRADIUS gets SRV support...
I decided, in an imaginary place where I am God and decider of all, it would be better to have a RADIUS-esque proxy brige thingy mcwhatsit. The RADIUS server's would proxy to the 'eduroam proxy' you would run locally, it would then 'eduroam-ise' the request (filter cruft, check the realm is routable etc etc) and then shift the packets themselves off to their destination.
The only complication I can see is the Message-Authenticator I think, however I would imagine the .ac.uk community can dig into the sofa for some loose change to hire some FreeRADIUS consultant...if he is not too busy lying with his feet kicked up in France with fresh food and good wine :)
I'm in Canada right now. Cold... wintry... good beer.
Hmmm, if it is anything like the New England beer I tried a while back, I am not so keen.
But RadSec and/or DTLS should solve much of the security issues.
EAP-TTLS wrapped in TLS eh, I already have the user validating the cert they are sending the credentials to...kinda redundant surely? I hear PKI is meant to 'solve' the realm whitelisting part too...'great' :-/ "This network monkey recommends people realise PKI is stupid", however if the eduroam world were maybe to think about a PGPesque key signing approach, that I would be interested in supporting. Cheers -- Alexander Clouter .sigmonster says: Try to divide your time evenly to keep others happy.