FreeRadius, Eduroam, and me...
Tim Young
Tim.Young at LightSys.org
Mon Jun 22 21:37:08 CEST 2020
Sorry for not giving all the details...
This comes from "eduvpn" (app.eduvpn.org). Apparently it is an OpenVPN
based system. When I start the VPN and select "KNET", it takes me to a
sign-in webpage that "authenticates off of eduroam" and creates some form
of token:
https://controller.eduroam.ke/vpn-user-portal/_form/auth/verify
When I type my credentials into the above webpage, I do get the
plaintext username / password.
I do not know what else they are doing, but I know they have other sites
that successfully authenticate against a MySQL database. They do not
have a config that successfully authenticates off of Active Directory
(which is what the school I am helping with is trying to set up).
We can probably assume it is not running "proper eduroam." My question
is, then: can I get something that passes in the depressingly insecure
username/password combo to authenticate off Active Directory, or is it a
lost cause? Do I need to complain loudly that they need to change the
auth type to something else? (But whatever they use will need to
authenticate off of a MySQL back-end also.)
- Tim
On 6/22/2020 2:05 PM, Alan Buxey wrote:
> hi,
>
>> but still have some issues. I am now testing through an eduroam
>> web-sign-in, where the actual main requests will come from. It appears
>
> There is no such thing as eduroam web sign-in. Captive portal eduroam
> was killed off back in the early days - pre 2012.
>
> Are you talking about a site you have access to that allows some sort
> of testing functionality in your NRO (is that SAFIRE per chance?) - if
> so, it should not be using PAP; it should be using at least a PEAP
> mechanism (ideally it would support any EAP type supported by the home
> organisation, to ensure the home org can test its users' behaviour
> remotely).
> (As said in previous reply, your RADIUS server should be configured to
> drop incoming requests if they are not EAP.)
>
>> require_message_authenticator = no
> and set those to 'yes' in your clients.conf
>
>> (1) User-Name = "mytextusername at my.domain.edu"
>> (1) User-Password = "mypassinplaintext"
> Not an EAP request - so it won't get to your inner-server config
> (which, being from outside world, should be a rather plain inner-server
> that doesn't do things like VLAN assignment based on groups etc etc).
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
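The two settings recommended in the reply above, written out as an added FreeRADIUS 3 configuration example (editor's example, not from the original thread and not the FreeRADIUS project's own files): a client definition in clients.conf with Message-Authenticator required, and an outer virtual server whose authorize section rejects any request that carries no EAP-Message, so a plain PAP request like the one in the log excerpt never reaches the inner server. The client name, IP address, shared secret and virtual-server name are placeholders; eduroam realm and proxy handling is deliberately left out.

```unlang
# clients.conf (added example; placeholder client name, address and secret)
client eduroam_flr {
        ipaddr = 192.0.2.10
        secret = CHANGE_ME

        # Weak setting quoted in the thread: a request without a
        # Message-Authenticator is accepted, so the packet's attributes
        # are not integrity-protected by the shared secret.
        # require_message_authenticator = no

        # Corrected: every Access-Request from this peer must carry a
        # valid Message-Authenticator or it is silently discarded.
        require_message_authenticator = yes
}

# sites-enabled/eduroam_outer (added example; outer server is EAP-only)
server eduroam_outer {
        authorize {
                # A request with only User-Name + User-Password (PAP) has
                # no EAP-Message, so it is rejected here and never reaches
                # the inner-tunnel server where the real backend is checked.
                if (!&EAP-Message) {
                        reject
                }

                # Hand EAP requests to the eap module; "ok = return" stops
                # further authorize processing once eap has claimed it.
                eap {
                        ok = return
                }
        }

        authenticate {
                eap
        }
}
```

Authentication against Active Directory (or MySQL) then belongs only in the inner-tunnel server that the EAP module tunnels into, which is the "rather plain inner-server" the reply describes; nothing in the outer server sees a plaintext password.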