Complex eduroam radius design

Olivier Beytrison olivier at heliosnet.org
Tue Nov 13 18:23:32 CET 2012


On 13.11.2012 18:03, Phil Mayers wrote:
> On 13/11/12 16:38, Olivier Beytrison wrote:
>>
>> Well not really a solution here. The central LDAP system is one of the
> 
> Fair enough.
> 
>> To summarize, if I proxy the outer tunnel, there will be more load on
>> the central server, and I'll add the custom attributes to the outer
>> reply in order for the local radius to analyse them and add the
>> nas-specific attribute.
> 
> Yes.
> 
>>
>> If I proxy the inner tunnel, the TLS is handled by the local radius
>> (more certs to buy), on the central server I add the attributes in the
>> normal reply, and the local radius keeps doing the authorization part.
>> I just have to take care of the encryption between the local and central
>> servers. Thankfully L2L VPNs are already established.
> 
> Yes. However, buying separate certs might not be a good idea as it will
> complicate the client setup - they'll all have to come from the same CA
> and share the same CN (or you'll have to rely on wildcard CN matching on
> the clients).
> 
> For this reason, it might be easier to do all the TLS on the central
> servers, and have the same cert on both of them.

Another good point indeed. Well, this will make the local radius setup
fairly easy: proxy everything to the central one, just do the
post-auth/post-proxy section, and manage the accounting.

This will also make things easier when people outside our local realm
log in on eduroam: the outer tunnel is proxied to the central radius,
which in turn proxies it to the NRO radius ...


-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: olivier at heliosnet.org
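The design settled on above (the site server proxies every Access-Request, including the outer EAP tunnel, to the central server; the central server's Access-Accept carries a custom attribute; the site server's post-proxy section turns that into a NAS-specific reply and keeps accounting local) can be sketched in FreeRADIUS configuration. The fragment below is an added example, not configuration from this thread or from any of the sites involved; the home server address, shared secret, realm name, vendor id, attribute name and VLAN ids are all constructed placeholders.

```freeradius
# --- dictionary (same entry on central and site servers) ---------------
# A custom attribute has to be vendor-specific to travel on the wire between
# the two servers. PEN 99999 and the attribute name are placeholders.
VENDOR          Example-Site    99999
BEGIN-VENDOR    Example-Site
ATTRIBUTE       Example-Site-Role   1   string
END-VENDOR      Example-Site

# --- proxy.conf on the site server ----------------------------------------
home_server central_radius {
    type                 = auth          # auth only: accounting is never proxied
    ipaddr               = 10.0.0.1      # placeholder, reachable over the site-to-site VPN
    port                 = 1812
    secret               = CHANGE_ME_LONG_RANDOM_SECRET
    status_check         = status-server # detect a dead central server, not just a slow one
    check_interval       = 30
    num_answers_to_alive = 3
}

home_server_pool central_pool {
    type        = fail-over
    home_server = central_radius
}

# Our own users: the outer tunnel goes to central, which terminates TLS.
realm example.edu {
    auth_pool = central_pool
    nostrip                      # central needs the full user at realm name
}

# Visitors from other eduroam realms: also to central, which forwards to the NRO.
# No acct_pool on either realm, so Accounting-Request packets stay local.
realm DEFAULT {
    auth_pool = central_pool
    nostrip
}

# --- sites-enabled/default on the site server: post-proxy section ---------
post-proxy {
    # Runs when central answers. Map the site-wide role it returned to the
    # VLAN this particular NAS understands.
    if (proxy-reply:Example-Site-Role == "staff") {
        update reply {
            Tunnel-Type             := VLAN
            Tunnel-Medium-Type      := IEEE-802
            Tunnel-Private-Group-Id := "20"        # placeholder staff VLAN
        }
    }
    elsif (proxy-reply:Example-Site-Role == "student") {
        update reply {
            Tunnel-Type             := VLAN
            Tunnel-Medium-Type      := IEEE-802
            Tunnel-Private-Group-Id := "30"        # placeholder student VLAN
        }
    }

    # One NAS (placeholder address) uses a different numbering scheme.
    if (NAS-IP-Address == 192.0.2.10 && reply:Tunnel-Private-Group-Id == "20") {
        update reply {
            Tunnel-Private-Group-Id := "120"
        }
    }

    # Never let the internal marker attribute reach the access point.
    update proxy-reply {
        Example-Site-Role !* ANY
    }
}
```

Two points worth checking when deploying something like this. First, the Access-Accept from the central server carries the MS-MPPE-Send-Key/MS-MPPE-Recv-Key material for the wireless session, and RADIUS protects those only by obfuscation under the shared secret, so the site-to-site VPN mentioned above is doing real work and the shared secret should be long and random. Second, the `!* ANY` removal matters because anything left in the proxied reply is merged into what the NAS receives; a visible role attribute leaks site structure to every access point vendor and, on some NAS firmware, to the client.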

