[RADIATOR] Fwd: Monash eduroam experience using Radiator

Hugh Irvine hugh at open.com.au
Fri Jun 4 04:18:04 CDT 2010


Hello Everyone -

Here is a copy of a recent posting from Myles Fenton at Monash University regarding a project I did for them towards the end of last year.

It was a very interesting project that may be of interest to some of you.

regards

Hugh


Begin forwarded message:

> From: Myles Fenton <Myles.Fenton at monash.edu>
> Date: 2 June 2010 01:33:56 EDT
> 
> Hi Folks, 
> 
> At Monash we have converged all our network authentication onto one RADIUS platform. This includes Wireless, VPN, Dial-up and internet authentication. The internet authentication is transparent in the wireless, VPN and Dial-up authentication process and we redirect users to a web internet authentication portal on the wired network. The portal is in-house developed and uses the PHP RADIUS library. 
> 
> Staff, students and guests are placed in different internet profiles and VLANs based on RADIUS attributes sent back to the wireless controllers. All users get a public IP address and direct (on-net + off-net) access to the internet. Staff and students have more granular access over guests to finance, HR and student systems. 
> 
> Monash broadcasts 4 SSIDs: eduroam, Monash-Connect, guest-wireless and install-wireless. eduroam and Monash-Connect are technically and functionally exactly the same, i.e. staff, students and guests can use either and are placed on their correct staff, student or guest VLAN based on their username, not the SSID. We have differing opinions within Monash on whether to keep the Monash-Connect brand or remove it and just use eduroam. We have given users an informed choice (see installation page below) to use either and, as you can see from the graph below, Monash-Connect (daily peak ~3,000) is many times more popular than eduroam (peak 300). We are not sure if users are just drawn to the SSID with 'Monash' in the title or what other factors may be at play.
> 
> install-wireless is an open wireless network which does not require any pre-configuration to join. When a user opens a web browser on this SSID they are redirected to a guided set of instructions which starts with "what type of user are you?", i.e. staff, student, guest from another uni, conference delegate etc. The URL is http://www.its.monash.edu.au/wireless/. By all means have a look over the Monash wireless instructions for any inspiration or feedback. 
> 
> guest-wireless is the wireless network of choice for short-term visitors/conference delegates or staff, students and guests who cannot get connected to eduroam or Monash-Connect. guest-wireless is an open (insecure data layer) network with users redirected to an https weblogin. While most users are set up and running after 5 minutes on the install-wireless website or at the ITS service desk, a very small percentage of others cannot get connected to eduroam or Monash-Connect even with assistance. These users tend to need a Windows reinstall to 'fix' the problem or are using a mobile phone/PDA that is not supported. guest-wireless provides only guest-level internet and basic intranet access irrespective of whether the username is staff, student or guest, i.e. SAP and Callista users need to use Monash-Connect or eduroam to get secure access to finance and student admin systems. That all said, guest-wireless has become our second most popular SSID, which would tend to indicate that any installation process required is a significant deterrent to use. 
> 
> Our centralised RADIUS infrastructure is using RADIATOR (www.open.com.au/radiator/) software under Linux, backing onto both our Netscape LDAP and Active Directory authentication stores. Usernames are accepted in 'all formats' and are rewritten as required: 
> 'username' on its own is rewritten to username@monash.edu.au and forwarded to the Monash authentication servers 
> 'username@*monash.edu*', i.e. with or without subdomain or .au, is forwarded to the Monash authentication servers 
> domain\username is rewritten as username@domain and forwarded as appropriate 
> username@anyotherdomain is forwarded to the AARNet eduroam RADIUS servers 
> 
> Regarding inner versus outer identities: the outer identity requires the correct domain to be specified to steer the request off to the AARNet eduroam server. Otherwise the request will be treated as a Monash authentication request. That said, we don't 'trust' the outer identity. When a user has successfully authenticated with their inner request we send the inner-request username back to the wireless controller (NAS) and the accounting server to ensure all billing and auditing is tracked via the inner username and not any bogus outer username. 
> 
> The eduroam and Monash-Connect supplicants on the install-wireless website are always configured with domain monash.edu.au to ensure users become familiar with the domain concept and to ensure that the supplicant will work when users go off-campus to another institution. Both the eduroam and Monash-Connect supplicants install both profiles; the only difference is that the Monash-Connect labelled supplicant auto-joins Monash-Connect when in range, and similarly the eduroam SSID for the eduroam installer. This 'double profile install' is designed to help users who normally use Monash-Connect switch to eduroam if they end up at another university. 
> 
> When can we stop installing supplicants? Well, the reason Monash has recently installed Active Directory-RADIUS integration is that Windows 7, Windows Vista, Mac OS X, iPhones, iPads and even many versions of Linux will automatically configure WPA1/2 PEAP-MSCHAPv2 authentication, i.e. the user just connects the first time to eduroam, enters their username@domain and password, accepts the certificate and bingo, they are connected in a matter of seconds. Unfortunately this zero-touch install only works with PEAP-MSCHAPv2, i.e. via Active Directory (and not EAP-TTLS via LDAP), and secondly this does not work under Windows XP. A fresh version of Windows XP will always attempt to do certificate authentication and not PEAP-MSCHAPv2. XP will therefore always require configuring/installing of a supplicant (even the native one) before connection to eduroam/Monash-Connect will be possible. Monash is about to start rolling out a Windows 7 staff SOE and we are expecting most students to start bringing laptops running Win7 later this year/next, so we are not too concerned about the clunky nature of XP wireless installations going forward. 
> 
> Open System Consultants (www.open.com.au/radiator/) have been very capable in assisting Monash to get a scalable, high-performance RADIUS platform up and running. I am happy to have further conversation with any of you regarding our setup and/or by all means get in contact with Hugh Irvine (hugh at open.com.au) from Open System Consultants / Radiator. 
> 
> regards, 
> 
> Myles Fenton 
> Project Manager 
> Network Infrastructure Services 
> Infrastructure Services 
> Information Technology Services 
> Monash University
> 
> 
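The username rewriting rules and the inner/outer identity handling described in the forwarded message, as an added example in Python that is not part of the original post and not Monash's or Radiator's configuration; the function names, the `Route` type and the target labels "monash" and "eduroam" are assumptions for illustration:

```python
import re
from dataclasses import dataclass

LOCAL_REALM = "monash.edu.au"
# Matches monash.edu, monash.edu.au and any subdomain of either (e.g. eng.monash.edu).
# Anchored on both ends so "monash.edu.au.evil.example" or "notmonash.edu" never match.
LOCAL_REALM_RE = re.compile(r"^(?:[\w-]+\.)*monash\.edu(?:\.au)?$", re.IGNORECASE)


@dataclass
class Route:
    username: str  # User-Name after rewriting
    target: str    # "monash" (local LDAP/AD) or "eduroam" (AARNet proxy)


def route_username(name: str) -> Route:
    """Normalise a User-Name in any accepted format and decide where it goes."""
    name = name.strip()
    # domain\username -> username@domain, then apply the remaining rules.
    # Assumption: the domain part is a DNS-style realm; a bare NetBIOS name
    # would need a mapping table the post does not describe.
    if "\\" in name:
        domain, _, user = name.partition("\\")
        return route_username(f"{user}@{domain}")
    user, sep, realm = name.rpartition("@")
    if not sep:
        # Bare username -> username@monash.edu.au, authenticated locally.
        return Route(f"{name}@{LOCAL_REALM}", "monash")
    if LOCAL_REALM_RE.match(realm):
        # username@*monash.edu* with or without subdomain or .au stays local.
        return Route(name, "monash")
    # Any other realm is proxied to the national eduroam servers.
    return Route(name, "eduroam")


def session_identity(outer_identity: str, inner_identity: str) -> Route:
    """Route on the outer identity, but once the tunnelled (inner) authentication
    has succeeded, report the inner identity to the NAS and to accounting.
    The outer identity is never trusted for billing or auditing."""
    outer = route_username(outer_identity)
    inner = route_username(inner_identity)
    return Route(username=inner.username, target=outer.target)


if __name__ == "__main__":
    for raw in ["jsmith", "jsmith@eng.monash.edu", "monash.edu.au\\jsmith",
                "alice@otheruni.edu.au", "mallory@monash.edu.au.evil.example"]:
        print(f"{raw!r:45} -> {route_username(raw)}")
    print(session_identity("anonymous@monash.edu.au", "jsmith"))
```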


NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


