[RADIATOR] Shibboleth authentication for wifi

Denis Pavani d.pavani at cineca.it
Wed Jan 18 08:03:57 CST 2012


Thanks for your feedback Heikki.
We are eduroam users. We also need to implement this new kind of
authentication.
I know this new network would be without encryption, but politics wins 
over technology once again.
Best regards.

On 16/01/2012 16.25, Heikki Vatiainen wrote:
> On 01/13/2012 03:43 PM, Denis Pavani wrote:
>
>> My company plans to have a wireless network where authentication
>> credentials come from a federation using shibboleth.
>> We have in production a cisco wireless controller, and really I was
>> trying not to bypass it for a different captive portal.
>> Is it possible to use "authby URL" redirecting credentials to a cgi
>> which provides shibboleth authentication?
>> Does anyone have experience with this?
> I think this model is too straightforward to work. You need to allow
> passthrough for every organisation that participates in the federation.
> The users need to access the authentication web page of their home
> organisation.
>
> After the authentication the user is redirected back to your login web
> page and the web server sets the environment variables to reflect the
> outcome of the user's authentication. That is, you do not get any access
> to credentials you could use to do the login. To actually use this
> information, you would most likely need to bypass the controller to
> utilise information from shibboleth.
>
> One method to make shibboleth based WLAN login is this:
>
> 1. Create a captive portal that lets the users select their home
> organisation. When they select it, they get redirected to their home
> login page. This portal most likely can not be in the controller but
> needs a web server with shibboleth authentication modules. The
> shibboleth authentication starts here.
>
> 2. The success URL users get from their home shibboleth login directs
> them back to your web server.
>
> 3. The resource pointed to by the success URL (e.g., CGI script) creates a
> temporary username/password into e.g. SQL database.
>
> 4. The user is redirected to the controller's login page with a GET or POST
> request type. The request parameters specify the temporary username/password.
>
> 5. The controller does RADIUS authentication against the SQL database.
>
> 6. If the authentication is successful, as it always should be at this
> point, the controller opens the captive portal. The user has now logged in.
>
> Something like the above should make it possible to use shibboleth for
> WLAN authentication. Note that it does not enable encrypted radio, so
> even if authentication is strong, users are still susceptible to
> eavesdropping.
>
> Have you considered eduroam for federated authentication?
>
> Thanks!
> Heikki
>


-- 
************************************************************************
Ing. Denis Pavani

CINECA - Dipartimento Sistemi e Tecnologie
NOC - Network Operations Center

phone:+39 0516171648 / fax:+39 0512130212
http://www.cineca.it
************************************************************************
  "We are paid to adapt, improvise and achieve the objective"
   -- Gunny Highway
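The temporary-credential part of Heikki's outline (steps 3 to 5: the CGI script mints a short-lived username/password into an SQL table, the user is bounced to the controller's login page with it, and the RADIUS server checks it against the table), as an added worked example. This is not code from the thread, from Radiator or from any controller vendor. It assumes an SQLite table that a RADIUS server's SQL lookup could be pointed at; `verify_temp_credential` stands in for that lookup, and the `username`/`password` parameter names in `controller_login_url` are an assumption, since the real names depend on the controller. The point it makes beyond the prose: the credential is random, expires quickly and can be consumed exactly once, so a leaked copy (the radio is unencrypted) is only useful for one login inside a short window.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time
from urllib.parse import urlencode

# Table the RADIUS server's SQL lookup would be pointed at (assumed schema).
SCHEMA = """
CREATE TABLE IF NOT EXISTS temp_credentials (
    username      TEXT PRIMARY KEY,
    password_hash TEXT NOT NULL,
    shib_subject  TEXT NOT NULL,   -- who Shibboleth said the user is
    expires_at    INTEGER NOT NULL,-- unix time after which the record is dead
    used          INTEGER NOT NULL DEFAULT 0
);
"""


def open_store(path=":memory:"):
    """Open (or create) the credential store. In-memory by default for the demo."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def _hash(password):
    # The password is 24+ bytes from secrets, so an unsalted SHA-256 is
    # acceptable here; it keeps the clear-text value out of the database.
    return hashlib.sha256(password.encode()).hexdigest()


def provision_temp_credential(conn, shib_subject, ttl_seconds=120, now=None):
    """Step 3: mint a random, short-lived, single-use username/password for the
    Shibboleth-authenticated subject and store it for the RADIUS lookup."""
    now = int(time.time()) if now is None else now
    username = "shib-" + secrets.token_hex(8)
    password = secrets.token_urlsafe(24)
    conn.execute(
        "INSERT INTO temp_credentials (username, password_hash, shib_subject, expires_at) "
        "VALUES (?, ?, ?, ?)",
        (username, _hash(password), shib_subject, now + ttl_seconds),
    )
    conn.commit()
    return username, password


def controller_login_url(base_url, username, password):
    """Step 4: build the redirect to the controller's login page. Parameter
    names are assumed. Prefer a POST in practice so the one-time password does
    not end up in proxy and web-server logs via the query string."""
    return base_url + "?" + urlencode({"username": username, "password": password})


def verify_temp_credential(conn, username, password, now=None):
    """Step 5: the check the RADIUS server's SQL lookup has to make. The record
    must exist, be unexpired and unused, and the password must match; on
    success the record is consumed so the same pair cannot log in twice."""
    now = int(time.time()) if now is None else now
    row = conn.execute(
        "SELECT password_hash, expires_at, used FROM temp_credentials WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return False
    password_hash, expires_at, used = row
    if used or now > expires_at:
        return False
    if not hmac.compare_digest(password_hash, _hash(password)):
        return False
    conn.execute("UPDATE temp_credentials SET used = 1 WHERE username = ?", (username,))
    conn.commit()
    return True


def purge_expired(conn, now=None):
    """Housekeeping: drop consumed and expired records. Returns the row count."""
    now = int(time.time()) if now is None else now
    cur = conn.execute(
        "DELETE FROM temp_credentials WHERE used = 1 OR expires_at < ?", (now,)
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    # Constructed walk-through of one login.
    store = open_store()
    user, pw = provision_temp_credential(store, "alice@example.org")
    print("redirect to:", controller_login_url("https://controller.example.org/login", user, pw))
    print("first RADIUS check :", verify_temp_credential(store, user, pw))
    print("second RADIUS check:", verify_temp_credential(store, user, pw))
```

The expiry is checked with an explicit `now` so the behaviour is testable; a real deployment would run `purge_expired` from cron and keep `ttl_seconds` just long enough to cover the redirect and the RADIUS round trip.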
