regex 'fun'
Alexander Clouter
alex at digriz.org.uk
Wed Nov 4 12:34:08 CET 2009
Alan DeKok <aland at deployingradius.com> wrote:
>
> Alexander Clouter wrote:
>
>> I got those :alpha:-n-chums actually working and tested them with a
>> bunch of test cases; they definitely seem to be doing what I would
>> expect...well unless the realm has a space in it :)
>
> Odd...
>
Glad you do too, means I have not missed something.....hopefully :)

>> I never understood why eduroam just didn't use SRV records against
>> the realm to find the RADIUS server and a DNS based whitelist to
>> validate which realms were part of the community. :-/
>
> It's hard. Once FreeRADIUS gets SRV support...
>
I decided, in an imaginary place where I am God and decider of all, it
would be better to have a RADIUS-esque proxy bridge thingy mcwhatsit.
The RADIUS servers would proxy to the 'eduroam proxy' you would run
locally, it would then 'eduroam-ise' the request (filter cruft, check
the realm is routable etc etc) and then shift the packets themselves off
to their destination.

>> The only complication I can see is the Message-Authenticator I think,
>> however I would imagine the .ac.uk community can dig into the sofa for
>> some loose change to hire some FreeRADIUS consultant...if he is not too
>> busy lying with his feet kicked up in France with fresh food and good
>> wine :)
>
> I'm in Canada right now. Cold... wintry... good beer.
>
Hmmm, if it is anything like the New England beer I tried a while back,
I am not so keen.

> But RadSec and/or DTLS should solve much of the security issues.
>
EAP-TTLS wrapped in TLS eh, I already have the user validating the cert
they are sending the credentials to...kinda redundant surely? I hear
PKI is meant to 'solve' the realm whitelisting part too...'great' :-/
"This network monkey recommends people realise PKI is stupid", however
if the eduroam world were maybe to think about a PGPesque key signing
approach, that I would be interested in supporting.
Cheers
--
Alexander Clouter
.sigmonster says: Try to divide your time evenly to keep others happy.