FreeRadius, Eduroam, and me...

[Alan DeKok]

On Jun 22, 2020, at 3:37 PM, Tim Young <Tim.Young at LightSys.org> wrote:
> 
> Sorry for not giving all the details...
> 
> This comes from "eduvpn."  (app.eduvpn.org) Apparently it is an openvpn based system.  When I start the VPN, and select "KNET" it takes me to a sign-in webpage that "authenticates off of eduroam" creates some form of token:
> 
> https://controller.eduroam.ke/vpn-user-portal/_form/auth/verify
> 
> When I type my credentials into the above webpage, I do get the plaintext username / password.

  I would suggest not trusting random portals on the internet.

> I do not know what else they are doing, but I know they have other sites that successfully authenticate against a mysql database.  They do not have a config that successfully authenticates off of Active Directory (which is what the school I am helping with is trying to set up).

  Ignore whatever broken configurations other people have.  The FreeRADIUS documentation and my web page is correct.

> We can probably assume it is not running "proper eduroam."  My question is, then, can I get something that passes in the depressingly insecure username/password combo to authenticate off Active Directory, or is it a lost cause?

  The guide on my web page goes through this in great detail.  Please... just read it.

>  Do I need to complain loudly that they need to change the auth type to something else? (but whatever they use will need to authenticate off of a mysql back-end also)

  As Alan Buxey said, you need to block all packets from Eduroam which don't contain EAP.  Tell them that their system is wrong and broken.

 Alan DeKok.