regex 'fun'

Alexander Clouter alex at digriz.org.uk
Wed Nov 4 12:45:45 CET 2009


Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> 
>>   Eduroam should really be creating a routing protocol for RADIUS.  I
>> don't think it would be hard: git + ssh + text files.  See Section 2.7 of:
>> 
>> http://tools.ietf.org/id/draft-dekok-radext-nai-00.txt
> 
> firstly, it's 'eduroam', not 'Eduroam' - minor point but nonetheless....  :-)
>
Says 'eduroam' in my SSID, maybe I'll go and check my 'E-mail' after 
this posting? ;)

> secondly - the current system uses a proxy hierarchy because that was the lowest
> common capable denominator when the federation was created and it's fairly
> easy for sites/countries to get connected.
>
This is great...it was *built* first then pinned down, as a result it 
was guaranteed to work.  Cheap, easy to join, and quick to discover how 
useful the whole system actually is.

For this, it gets my praise, and everyone else's; it is awesome.

It is awesome though as it is dead easy to join for anyone doing 
anything vaguely 802.1Xy locally (wifi, wired, whatever....).

> there are currently moves underway to investigate/implement moves to using
> dynamic RADIUS/REALM lookups etc however there are then fundamental changes
> that need to be undertaken - such as having required 'membership' - eg
> certificate extension to prove you are a valid eduroam site - couple that with
> requirements to use eg RADSEC for secure transit (can't use shared secrets
> with random other sites!) .... and then there's what to do to the countless
> RADIUS servers in use that don't (and maybe won't) support such features...
> sure, sure 'RADSecProxy' is a tech answer but I've already approached sites
> big on Windows servers and IAS/NPS - the thought of running some non-MS
> software on their server makes them very angry/angsty.... it looks like a proxy
> system would need to be kept in place to keep those sites in (as well as
> imagine telling them to open ports up to their MS server to the world......)
> 
They don't have to; they run it on a separate box and configure their box 
to blindly send all non-local realmed stuff to a separate nearby RADIUS 
proxy that does the talking to Eduroam. Okay, I am now touting the 
'separate' proxy...but Eduroam has some pretty unique requirements that 
*no-one* else does, and this is the key point.

We need something RADIUS like, you need something like a 'bridge', 
between RADIUS and Eduroam which could be 98% RADIUS.

> currently, the proxy system doesn't involve even more CA/PKI stuff and it
> doesn't open the system to the world...a lot of sites like that.....  :-|
> 
So the bar (including the administrative work both you and the 
end-sysadmin do) is set low.  If RADSEC raises that bar it has failed.  
It's 2009, it is meant to be *easier* for systems to communicate with 
one another...if you are implementing something that is more difficult 
it is the wrong solution.  That does not just apply to Eduroam either :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Does not include installation.
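The "separate box that forwards everything non-local to a nearby proxy" arrangement from the reply, as an added FreeRADIUS 2.x proxy.conf example (not from the post or the freeradius project; the realm name, the 192.0.2.10 address and the secret are placeholders):

```text
# proxy.conf: every realm that is not ours goes, unchanged, to one nearby
# proxy box that does the talking to the federation. This server never
# needs a port open to the world; only the proxy's address is reachable.

home_server eduroam_proxy {
    type      = auth
    ipaddr    = 192.0.2.10            # placeholder (RFC 5737 range)
    port      = 1812
    secret    = replace-with-a-long-random-secret   # placeholder
    # Notice a dead proxy instead of timing every roaming user out
    status_check    = status-server
    response_window = 20
    zombie_period   = 40
}

home_server_pool eduroam_pool {
    type        = fail-over
    home_server = eduroam_proxy
}

# Our own realm: no auth_pool, so it is authenticated on this server
realm example.ac.uk {
}

# Bare usernames with no '@realm': handled locally, never forwarded
realm NULL {
}

# Anything else is "not ours": forward it with the User-Name untouched
# (nostrip), because the home site needs the full outer identity
realm DEFAULT {
    auth_pool = eduroam_pool
    nostrip
}
```

The `suffix` module must still be listed in the `authorize` section so User-Name is split into user and realm before these realm blocks are consulted; only authentication leaves the box, accounting for visitors stays local because no acct_pool is set.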