FreeRadius, Eduroam, and me...

Alan DeKok aland at deployingradius.com
Mon Jun 22 21:45:23 CEST 2020


On Jun 22, 2020, at 3:37 PM, Tim Young <Tim.Young at LightSys.org> wrote:
> 
> Sorry for not giving all the details...
> 
> This comes from "eduvpn" (app.eduvpn.org). Apparently it is an OpenVPN-based system.  When I start the VPN and select "KNET", it takes me to a sign-in webpage that "authenticates off of eduroam" and creates some form of token:
> 
> https://controller.eduroam.ke/vpn-user-portal/_form/auth/verify
> 
> When I type my credentials into the above webpage, I do get the plaintext username / password.

  I would suggest not trusting random portals on the internet.

> I do not know what else they are doing, but I know they have other sites that successfully authenticate against a mysql database.  They do not have a config that successfully authenticates off of Active Directory (which is what the school I am helping with is trying to set up).

  Ignore whatever broken configurations other people have.  The FreeRADIUS documentation and my web page are correct.

> We can probably assume it is not running "proper eduroam."  My question is, then, can I get something that passes in the depressingly insecure username/password combo to authenticate off Active Directory, or is it a lost cause?

  The guide on my web page goes through this in great detail.  Please... just read it.

>  Do I need to complain loudly that they need to change the auth type to something else? (but whatever they use will need to authenticate off of a mysql back-end also)

  As Alan Buxey said, you need to block all packets from Eduroam which don't contain EAP.  Tell them that their system is wrong and broken.

 Alan DeKok.
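
Added example, not part of the original message and not FreeRADIUS code or configuration: a minimal Python check that parses a raw RADIUS packet (RFC 2865 layout) and rejects any Access-Request that carries no EAP-Message attribute, which is the filtering rule stated above. The function names, sample identity and sample packets are constructed for illustration; the Message-Authenticator check follows RFC 3579 and goes one step beyond what the thread states.

```python
import struct

ACCESS_REQUEST = 1                      # RADIUS packet code (RFC 2865)
USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80

def parse(packet):
    """Return (code, {attribute type: [values]}) for a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def verdict(packet):
    """Classify one packet: only EAP Access-Requests are let through."""
    try:
        code, attrs = parse(packet)
    except ValueError as exc:
        return "drop: malformed (%s)" % exc
    if code != ACCESS_REQUEST:
        return "ignore: not an Access-Request"
    if EAP_MESSAGE not in attrs:
        kind = ("PAP" if USER_PASSWORD in attrs
                else "CHAP" if CHAP_PASSWORD in attrs else "no credentials")
        return "reject: no EAP-Message (%s)" % kind
    if MESSAGE_AUTHENTICATOR not in attrs:   # RFC 3579 requires it with EAP
        return "drop: EAP-Message without Message-Authenticator"
    return "accept: EAP"

def build(code, attrs):  # constructed sample packet with a zero authenticator
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

NAME = b"user@example.org"               # constructed identity
EAP_ID = bytes([2, 1]) + struct.pack("!H", 5 + len(NAME)) + b"\x01" + NAME
PAP_REQ = build(1, [(USER_NAME, NAME), (USER_PASSWORD, bytes(16))])
EAP_REQ = build(1, [(USER_NAME, NAME), (EAP_MESSAGE, EAP_ID),
                    (MESSAGE_AUTHENTICATOR, bytes(16))])
```

Here verdict(PAP_REQ) returns a reject and verdict(EAP_REQ) returns an accept; the zeroed Message-Authenticator in the sample is a placeholder and is not validated.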



