Complex eduroam radius design

Phil Mayers p.mayers at imperial.ac.uk
Tue Nov 13 16:20:44 CET 2012


On 13/11/12 14:45, Olivier Beytrison wrote:
> Hello,
>
> We're planning to deploy eduroam centrally for all the universities of
> applied sciences of western Switzerland (this consists of ~27 schools and
> 25'000 people).
>
> On one side, we will have the central radius servers, connected to the
> central ldap backend which contains all the user account.
>
> On the other side, we will have local radius servers (about 7 pairs of
> servers, because the schools are grouped regionally and under a central
> management).
>
> The idea is the following :
> The user joins the WLAN (802.1X, eduroam). The WiFi controller (NAS) contacts
> the local RADIUS for authentication, which in turn contacts the central
> RADIUS to authenticate the user. Upon successful authentication, the
> central RADIUS returns the Access-Accept along with some custom attributes
> about the user.
> The local RADIUS then performs admission control based on those
> attributes (selecting the correct VLAN, subnet, etc.).
>
> So I have two questions :
> 1. Is this implementation possible?

Yes. But I would argue it's not ideal (see below).

> 2. If it is possible, will the inner tunnel for EAP-PEAP and EAP-TTLS
> end on the local or the central RADIUS, taking into account that the
> authentication is performed by the central RADIUS?

It depends what you configure. You can proxy the inner tunnel, or the 
outer tunnel.

If you proxy the outer tunnel, it's encrypted all the way, but the 
central servers have to do all the TLS. The local servers then do very 
little (what you refer to as "vlans, subnets, etc.")

If you proxy the inner tunnel, the local servers do the TLS, but the 
traffic to the central servers is only lightly encrypted (by the RADIUS 
encryption scheme). Whether this matters will depend on your environment.

Personally, I would think carefully if this model is right. The local 
servers don't seem to add much value, and are entirely dependent on the 
central servers.

Have you considered replicating the LDAP database to the local servers?

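The two proxying models Phil describes, as an added FreeRADIUS 2.x configuration example that is not part of the original thread. Everything named here is an assumption: the central realm "hes-so.ch", the home servers "central1"/"central2" with documentation-range addresses, and Filter-Id as the attribute the central servers return to describe the user's group.

```unlang
# Added example, not from the original post. FreeRADIUS 2.x fragments for
# proxying either the outer or the inner EAP tunnel from a local pair to a
# central pair. Realm, server names, addresses, secrets and the Filter-Id
# values are all assumptions for illustration.

# --- proxy.conf: how the local pair reaches the central pair ---
home_server central1 {
    type         = auth
    ipaddr       = 192.0.2.10          # assumed address of central server 1
    port         = 1812
    secret       = "change-me-1"       # per-link shared secret (assumption)
    status_check = status-server       # detect a dead central server
}
home_server central2 {
    type         = auth
    ipaddr       = 192.0.2.11          # assumed address of central server 2
    port         = 1812
    secret       = "change-me-2"
    status_check = status-server
}
home_server_pool central_pool {
    type        = fail-over
    home_server = central1
    home_server = central2
}
realm hes-so.ch {
    auth_pool = central_pool
    nostrip                            # send user@realm unchanged to the central side
}

# --- Model A: proxy the OUTER tunnel ---
# sites-enabled/default, authorize section. "suffix" (the realm module)
# sets Proxy-To-Realm from the outer identity, e.g. anonymous@hes-so.ch,
# so the whole EAP conversation is forwarded and TLS terminates centrally.
# The local server only sees the final Access-Accept and its attributes.
authorize {
    preprocess
    suffix                             # realm hes-so.ch -> Proxy-To-Realm
    eap {
        ok = return
    }
}

# --- Model B: proxy the INNER tunnel ---
# sites-enabled/default: terminate TLS locally, do NOT set Proxy-To-Realm.
authorize {
    preprocess
    eap {
        ok = return
    }
}
# sites-enabled/inner-tunnel: the inner identity is the real user; the
# inner request (plain PAP for TTLS/PAP) is proxied to the central realm.
authorize {
    suffix                             # inner user@hes-so.ch -> Proxy-To-Realm
    eap {
        ok = return
    }
}
# The central Access-Accept arrives in the inner-tunnel post-proxy section;
# map its group attribute to VLAN attributes for the controller here.
post-proxy {
    if (Filter-Id == "staff") {        # assumed value returned centrally
        update reply {
            Tunnel-Type             := VLAN
            Tunnel-Medium-Type      := IEEE-802
            Tunnel-Private-Group-Id := "100"
        }
    }
    elsif (Filter-Id == "student") {
        update reply {
            Tunnel-Type             := VLAN
            Tunnel-Medium-Type      := IEEE-802
            Tunnel-Private-Group-Id := "200"
        }
    }
    else {
        reject                         # unknown group: fail closed
    }
}
# eap.conf: without this the inner reply attributes (the VLAN set above)
# are never copied into the outer Access-Accept sent to the WLAN controller.
ttls {
    use_tunneled_reply = yes
}
peap {
    use_tunneled_reply = yes
}
```

Two practical points follow from the fragments. In Model B the only protection for the inner credentials on the wire between local and central pairs is the RADIUS User-Password obfuscation under the shared secret, which is what the "lightly encrypted" remark above refers to; if that path crosses untrusted networks, tunnel it (for example over IPsec) or prefer Model A. Also, with PEAP the inner method is EAP-MSCHAPv2 rather than PAP, so proxying the inner tunnel means the central servers must run EAP themselves and keep the inner EAP state across the proxied round trips; TTLS/PAP is the simpler case to proxy.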
