proxied EAP and eduroam project

A.L.M.Buxey at lboro.ac.uk
Mon Feb 18 12:32:36 CET 2008


Hi,

> rather than a problem, this is a question.
> I assume you know what eduroam is, but just in case:
> What is eduroam

several members of this list are involved in eduroam at sites
worldwide.

> What happens is that the EAP conversation travels in cleartext across
> the public internet (really the inter-university networks).

cleartext?  not really.  the proxied traffic will be at least
encapsulated via a shared secret between each RADIUS end point.
and the inner method itself is sat in the EAP tunnel, unless
using a very old method like EAP-MD5.  ideally you wouldn't use a PAP
method either - MSCHAPv2 challenge response in PEAP or EAP-TTLS
would give greater security.  however, EAP-TLS is the de facto
top-level way of doing it. platinum service, as it were - but
you've got to have a full PKI infrastructure for creation,
deployment and revocation.

looking to the future, RADSEC will be involved in 'beefing up'
the RADIUS to RADIUS communication channel. as well as the
automatic assignment/discovery of AAA end point systems.

alan
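
Added example, not part of the original message: a sketch of what the per-hop shared secret does to a proxied Access-Request that carries EAP. RFC 3579 requires a Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret) alongside EAP-Message, and a receiving proxy should reject packets where it is missing or wrong. The secret, identity and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
# Constructed sample values (assumptions, not taken from the thread).
SECRET = b"constructed-hop-secret"
EAP_IDENTITY = struct.pack("!BBHB", 2, 1, 26, 1) + b"anonymous@example.org"

def attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (2-byte header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _hmac_zeroed(packet, offset, secret):
    """HMAC-MD5 over the packet with the 16-byte Message-Authenticator zeroed."""
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()

def build_access_request(ident, user, eap, secret):
    """Build an Access-Request carrying an EAP payload, signed with the hop secret."""
    attrs = attr(USER_NAME, user) + attr(EAP_MESSAGE, eap)
    offset = 20 + len(attrs) + 2  # start of the Message-Authenticator value
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = header + os.urandom(16) + attrs  # random Request Authenticator
    return packet[:offset] + _hmac_zeroed(packet, offset, secret) + packet[offset + 16:]

def verify_access_request(packet, secret):
    """True only if exactly one well-formed Message-Authenticator matches the secret."""
    if len(packet) < 20:
        return False
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        return False
    packet, pos, mac_offset = packet[:length], 20, None
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return False  # malformed attribute
        if a_type == MESSAGE_AUTHENTICATOR:
            if a_len != 18 or mac_offset is not None:
                return False
            mac_offset = pos + 2
        pos += a_len
    if pos != length or mac_offset is None:
        return False  # trailing garbage, or EAP packet without the attribute
    expected = _hmac_zeroed(packet, mac_offset, secret)
    return hmac.compare_digest(expected, packet[mac_offset:mac_offset + 16])
```

The EAP payload rides unchanged inside the EAP-Message attribute; the shared secret authenticates the packet on each hop, while the credentials rely on the EAP tunnel described in the message.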


