[RADIATOR] Shibboleth authentication for wifi
Heikki Vatiainen
hvn at open.com.au
Mon Jan 16 09:25:24 CST 2012
On 01/13/2012 03:43 PM, Denis Pavani wrote:
> My company plans to have a wireless network where authentication
> credentials come from a federation using shibboleth.
> We have in production a cisco wireless controller, and really I was
> trying not to bypass it for a different captive portal.
> Is it possible to use "authby URL" redirecting credentials to a cgi
> which provides shibboleth authentication?
> Does anyone have experience with this?
I think this model is too straightforward to work. You need to allow
passthrough for every organisation that participates in the federation.
The users need to access the authentication web page of their home
organisation.
After the authentication the user is redirected back to your login web
page and the web server sets the environment variables to reflect the
outcome of the user's authentication. That is, you do not get any access to
credentials you could use to do the login. To actually use this
information, you would most likely need to bypass the controller to utilise
information from shibboleth.
One method to make shibboleth based WLAN login is this:
1. Create a captive portal that lets the users select their home
organisation. When they select it, they get redirected to their home
login page. This portal most likely cannot be in the controller but
needs a web server with shibboleth authentication modules. The
shibboleth authentication starts here.
2. The success URL users get from their home shibboleth login directs
them back to your web server.
3. The resource pointed to by the success URL (e.g., a CGI script) creates a
temporary username/password in, e.g., an SQL database.
4. The user is redirected to the controller's login page with a GET or POST
request. The request parameters specify the temporary username/password.
5. Controller does RADIUS authentication against the SQL database
6. If the authentication is successful, as it always should be at this
point, the controller opens the captive portal. The user has now logged in.
Something like the above should make it possible to use shibboleth for
WLAN authentication. Note that it does not enable encrypted radio, so
even if authentication is strong, users are still susceptible to
eavesdropping.
Have you considered eduroam for federated authentication?
Thanks!
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
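The steps 3 and 5 of the scheme above (the success-URL CGI minting a temporary credential, and the RADIUS side checking it against the SQL store) are the two places where the bridge can go wrong if the temporary credential is long-lived, reusable or guessable. The example below, written for this page and not code from the list post or from the Radiator project, shows both halves with a short TTL, single use, random values and a salted hash. It assumes the Shibboleth SP exposes the user identity in an `eppn` (or `REMOTE_USER`) environment variable, uses an in-memory SQLite table in place of the real SQL database, and takes the environment as a plain dict so it runs offline.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# How long a minted credential stays valid. Only the redirect to the
# controller login page has to fit inside this window (assumed value).
TTL_SECONDS = 120


def open_store():
    """Create the temporary-credential table (stand-in for the real SQL DB)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE temp_creds ("
        " username TEXT PRIMARY KEY, pw_hash TEXT, salt TEXT,"
        " eppn TEXT, expires REAL, used INTEGER)"
    )
    return conn


def _hash(password, salt):
    """Salted PBKDF2 so a dump of the table does not yield usable passwords."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.encode(), 100_000
    ).hex()


def issue_temp_credential(conn, environ, now=None):
    """Step 3: run by the success-URL CGI after the SP has set its variables.

    Refuses to mint anything unless the Shibboleth attributes are present,
    so the script cannot be used as an open credential generator.
    """
    eppn = environ.get("eppn") or environ.get("REMOTE_USER")  # assumed var names
    if not eppn:
        raise PermissionError("no Shibboleth identity in environment")
    now = time.time() if now is None else now
    username = "tmp-" + secrets.token_hex(8)      # unguessable, not user-chosen
    password = secrets.token_urlsafe(24)
    salt = secrets.token_hex(8)
    conn.execute(
        "INSERT INTO temp_creds VALUES (?, ?, ?, ?, ?, 0)",
        (username, _hash(password, salt), salt, eppn, now + TTL_SECONDS),
    )
    conn.commit()
    return username, password


def check_temp_credential(conn, username, password, now=None):
    """Step 5: the check the RADIUS SQL lookup must enforce.

    Returns the federated identity (eppn) on success, None otherwise.
    A credential is accepted at most once and only before it expires.
    """
    now = time.time() if now is None else now
    row = conn.execute(
        "SELECT pw_hash, salt, eppn, expires, used FROM temp_creds"
        " WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    pw_hash, salt, eppn, expires, used = row
    if used or now > expires:
        return None
    if not hmac.compare_digest(pw_hash, _hash(password, salt)):
        return None
    # Burn the credential so a captured redirect cannot be replayed.
    conn.execute("UPDATE temp_creds SET used = 1 WHERE username = ?", (username,))
    conn.commit()
    return eppn


if __name__ == "__main__":
    store = open_store()
    # Constructed environment, as the Shibboleth SP would populate it.
    user, pw = issue_temp_credential(store, {"eppn": "alice@example.edu"})
    print("controller login OK for:", check_temp_credential(store, user, pw))
    print("replay accepted?", check_temp_credential(store, user, pw) is not None)
```

Storing only a hash assumes the controller authenticates the portal login with PAP, which is the usual case for a web login; with CHAP or MS-CHAP the RADIUS server needs the plaintext, so the column would instead have to hold the password itself and the short TTL and single-use flag become the only protection for it.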