regex 'fun'

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Wed Nov 4 13:43:34 CET 2009


Hi,

> proxy that does the talking to Eduroam; okay I am now touting the 
> 'separate' proxy...but Eduroam has some pretty unique requirements that 
> *no-one* else does and this is the key point.

'eduroam' not Eduroam please!  ;-)

> So the bar (including the administrative work both for you and the 
> end-sysadmin does) is set low.  If RADSEC raises that bar it has failed.  
> It's 2009, it is meant to be *easier* for systems to communicate with 
> one another...if you are implementing something that is more difficult 
> it is the wrong solution.  That does not just apply to Eduroam either :)

err, no. the current concept would be something like...

1) end site gets connected and asks eduroam for a cert for their server
2) NREN validates request
3) end site gets the cert and adds it to their server

that's all easy and requires no skills...agreed?

now, the 'technical part'

end site reconfigures their RADIUS server so it knows about that
cert .... oh, something like

radsec_cert = myservercert.der
radsec_ca   = eduroam-ca.der

then they enable the new functionality to do dynamic host lookups...oh,
maybe 

$INCLUDE dynamic-server-discovery.conf

or

ln -s sites-available/dynamic-server sites-enabled/dynamic-server


if that's raised the bar then it's a tiny tiny raise that even an ant couldn't
get under IMHO.

okay - some of this might be over-simplified for the initial beta-testers
of such new functionality but it's pretty much what people are visualising
as the real-life way of things working...... so, no need for weird external
programs and PERL code...no need for PGP or whitelists.  the only thing
missing would be

sites-enabled/throw-my-stats-to-eduroam-and-NREN    ;-)
sites-enabled/log-errors-to-NREN-or-eduroam         8-)

alan
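As an added illustration (not part of Alan's message, and not eduroam or NREN documentation), this is what the "technical part" sketched above looks like in FreeRADIUS 3.x configuration syntax: a RadSec (RADIUS over TLS, RFC 6614) listener on 2083/tcp that requires a client certificate chaining to the eduroam CA, the matching client entry for the national proxy, and an outbound home_server that presents the site's own certificate. The file names, the `eduroam-flr` name and the 192.0.2.10 address are constructed placeholders; `radsec_cert`/`radsec_ca` in the message are illustrative rather than actual directives, and the dynamic-discovery include the message mentions is not covered here.

```conf
# Added example: FreeRADIUS 3.x RadSec listener and home_server.
# File names under ${certdir}/${cadir} are assumed placeholders.

# Inbound: accept RadSec from eduroam peers on the standard port 2083/tcp.
listen {
	type    = auth
	ipaddr  = *
	port    = 2083
	proto   = tcp
	clients = radsec           # only peers in the 'clients radsec' section below

	tls {
		private_key_file = ${certdir}/myservercert.key   # assumed file name
		certificate_file = ${certdir}/myservercert.pem   # cert issued via the NREN (step 3 above)
		ca_file          = ${cadir}/eduroam-ca.pem       # assumed CA bundle name

		# A peer must present a certificate that chains to ca_file;
		# without this any TLS client could reach the RADIUS listener.
		require_client_cert = yes
	}
}

# Peers allowed on the RadSec listener. For proto = tls the shared secret is
# the fixed value "radsec" from RFC 6614; the real authentication is the
# client certificate validated against ca_file above.
clients radsec {
	client eduroam-flr {
		ipaddr = 192.0.2.10    # constructed address of the national proxy
		proto  = tls
		secret = radsec
	}
}

# Outbound: forward foreign realms to the national proxy over RadSec,
# presenting the same site certificate so the proxy can verify us.
home_server eduroam-flr-radsec {
	type         = auth
	ipaddr       = 192.0.2.10
	port         = 2083
	proto        = tcp
	secret       = radsec
	status_check = none

	tls {
		private_key_file = ${certdir}/myservercert.key
		certificate_file = ${certdir}/myservercert.pem
		ca_file          = ${cadir}/eduroam-ca.pem
	}
}
```

To actually route traffic, the home_server still has to sit in a home_server_pool referenced by the realm(s) you proxy (typically a catch-all realm for anything that is not your own). The point of `require_client_cert = yes` plus a CA-only `ca_file` is that trust is established purely by the NREN-issued certificate, which is exactly what lets the per-peer shared secrets and whitelists of plain RADIUS go away.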


