setup question : mschap + perl authentication
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Tue Jul 10 13:38:10 CEST 2007
> credentials in it. Authenticates
> user and relays the outcome as PAP reply. This solves the en-route problem,
> but cannot overcome the problem that still the visited inst *has* your
> password.
>
Ah yes, I can see that being a problem, damn this means we can't offer
any JRS authenticated services other than wireless and wired network access.
We were planning on a few kiosks dotted around campus... though in
theory if those Kiosks supported EAP Based login, the tunnel would be
between the Kiosk and the users Home RADIUS server... Would this be
acceptable, Or would the fact that we could still theoretically capture
the users credentials from the login screen be an issue ?
> Note also that your problems _can_ be solved quite cleanly,
Shibboleth is in no way clean ! It's an evil necessary... actually the
Idea is good ,Just the WAYF page is just so horribly cludgy.
I think the idea of a pre-login form on the authenticated service would
be a good idea.
You enter your username string user at domain, this sets a identification
cookie containing that string and redirects you to your home gateway
(using a central list of domain->gateway mappings) . You then provide
your password at your home gateway, which then directs you back to the
page where you were originally sent from.
No nasty WAYF pages.
Unfortunately this would mean you could be identified, and I know thats
a big feature of Shibboleth... that Service providers don't know who's
using their service, just that they've been authorised to do so.
*sigh* there must be a solution , just no ones figured it out yet .
> but without
> RADIUS. Put your captive portal behind a AAI infrastructure such as
> Shibboleth. Workflow is...
>
Were implementing shibboleth already, due to go live summer 2008...
> That way, the user only reveals his credentials to home, not the visited inst.
> There is a nice paper and prototype impl of this for Shibboleth, I can look
> up the source if you're interested.
>
I've read more shibboleth technical documentation than I would care to
already, but thanks for the offer .
> Why don't we do that then? The wireless link is still unencrypted with this
> ansatz. Again a violation of our security mimimums. And this problem is a lot
> harder to solve than authentication above. We would probably need to go to
> the IEEE asking for a "WPA2-Noauth-JustEncrypt" profile, where the AP just
> hands out a EAPoL-Key to the client, performing no prior authentication. This
> would just encrypt the link, and authentication could take palce with the
> above thing. *Then*, web-redirect is again a viable alternative. But going to
> the IEEE is not exactly a walk in the park.
>
>
No, quite. So this would be a kind of walled garden approach using
shibboleth for authentication ?
> Greetings,
>
> Stefan
>
>
Regards,
Arran
--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
More information about the Freeradius-Users
mailing list