regex 'fun'
Alan Buxey
A.L.M.Buxey at lboro.ac.uk
Tue Nov 3 23:43:24 CET 2009
Hi,
> Eduroam should really be creating a routing protocol for RADIUS. I
> don't think it would be hard: git + ssh + text files. See Section 2.7 of:
>
> http://tools.ietf.org/id/draft-dekok-radext-nai-00.txt
firstly, it's 'eduroam', not 'Eduroam' - minor point but nonetheless.... :-)

secondly - the current system uses a proxy hierarchy because that was the lowest
common capable denominator when the federation was created and it's fairly
easy for sites/countries to get connected.

there are currently moves underway to investigate/implement moves to using
dynamic RADIUS/REALM lookups etc. however there are then fundamental changes
that need to be undertaken - such as having required 'membership' - e.g.
certificate extension to prove you are a valid eduroam site - couple that with
requirements to use e.g. RADSEC for secure transit (can't use shared secrets
with random other sites!) .... and then there's what to do about the countless
RADIUS servers in use that don't (and maybe won't) support such features...

sure, sure 'RADSecProxy' is a tech answer but I've already approached sites
big on Windows servers and IAS/NPS - the thought of running some non-MS
software on their server makes them very angry/angsty.... it looks like a proxy
system would need to be kept in place to keep those sites in (as well as
imagine telling them to open ports up on their MS server to the world......)

currently, the proxy system doesn't involve even more CA/PKI stuff and it
doesn't open the system to the world... a lot of sites like that..... :-|

...but anyway.. even when the new system becomes functional/proven it will take
quite some time for sites to migrate... and I've already proposed that sites
can publish the national proxy as their SRV (or whatever method is chosen) record
alan
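The migration idea at the end of the post (a legacy site publishes the national proxy as its own record, so a dynamic-lookup federation can still reach it through the proxy) is small enough to show in code. The block below is an added illustration, not code from the post, the draft or any eduroam component. It assumes an SRV owner-name convention of `_radsec._tcp.<realm>` (the post leaves the method open), replaces DNS with a constructed in-memory table so it runs offline, and uses made-up hostnames. It also shows the check a proxy operator would want before any dynamic lookup: the realm taken from the NAI is validated as a DNS name before it is used as a query key.

```python
"""
Added example (not from the mailing-list post): extract the realm from an NAI,
validate it, look up a constructed SRV table, and fall back to the national proxy.
The '_radsec._tcp.<realm>' naming and every hostname below are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

# Constructed stand-in for DNS so the demo runs offline (hostnames are invented).
FAKE_DNS = {
    # A site that runs its own RadSec endpoint.
    "_radsec._tcp.example.ac.uk": [SrvRecord(10, 0, 2083, "radsec.example.ac.uk")],
    # A legacy site that cannot run RadSec: it publishes the national proxy instead,
    # which is the migration path the post proposes.
    "_radsec._tcp.legacy.example.ac.uk": [SrvRecord(10, 0, 2083, "nrps.example.net")],
}

NATIONAL_PROXY = ("nrps.example.net", 2083)  # assumed national RADIUS proxy

_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")

def realm_of(nai: str) -> Optional[str]:
    """Return the realm (text after the last '@') or None if it is unusable.

    A realm is rejected when the user part is empty, the realm is empty, or
    any label is not a plain DNS label; an attacker-supplied NAI must never
    become an arbitrary DNS query string.
    """
    user, sep, realm = nai.rpartition("@")
    if not sep or not user or not realm:
        return None
    realm = realm.strip().lower().rstrip(".")
    labels = realm.split(".")
    if not realm or any(not _LABEL.match(label) for label in labels):
        return None
    return realm

def lookup_srv(realm: str) -> List[SrvRecord]:
    """SRV records for a realm, lowest priority (then highest weight) first."""
    records = FAKE_DNS.get(f"_radsec._tcp.{realm}", [])
    return sorted(records, key=lambda r: (r.priority, -r.weight))

def choose_peer(nai: str) -> Tuple[str, int, str]:
    """Decide where a request for `nai` is forwarded.

    Returns (host, port, reason). NAIs without a valid realm are not routed at
    all; a realm with no published record goes to the national proxy.
    """
    realm = realm_of(nai)
    if realm is None:
        raise ValueError("cannot route: NAI has no valid realm")
    records = lookup_srv(realm)
    if records:
        best = records[0]
        return best.target, best.port, "srv"
    host, port = NATIONAL_PROXY
    return host, port, "fallback-national-proxy"

if __name__ == "__main__":
    for nai in ("alice@example.ac.uk", "carol@legacy.example.ac.uk", "dave@other.example.org"):
        print(nai, "->", choose_peer(nai))
```

Both the legacy site and an unknown realm end up at the national proxy, but for different reasons: the first because the site chose to publish it, the second because nothing was published at all. Logging that reason separately makes it easy to see which sites have actually migrated.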