[RADIATOR] Enhancement for AuthDNSROAM/EduRoam and goodies suggestion

[Jethro R Binks]

On Thu, 29 Mar 2012, Bjoern A. Zeeb wrote:

> Not sure if we should pass down all section 5.7.18 ref.pdf options
> down from the AuthDNSROAM patch below, but these two seem essential
> as having them in and not working might lead to unexpected results.
> 
> My somehow excessive attribute filter list fuer Eduroam currently is
>  	AllowInReply            User-Name, \
>  				Class, \
>  				Framed-Protocol, \
>  				Service-Type, \
>  				EAP-Message, \
>  				Message-Authenticator, \
>  				MS-MPPE-Send-Key, \
>  				MS-MPPE-Recv-Key, \
>  				MS-CHAP-Domain, \
>  				MS-CHAP2-Success, \
>  				Proxy-State
> 
> with Framed-Protocol at least being excessive and should
> probably be static and Service-Type probably be restricted.
> 
> I wonder if others have a comment on that list; I have been told
> another (open source) radius software comes with a pre-defined
> list but have not checked, so I think putting that into goodies,
> if not there yet, for AuthDNSRoam/Eduraom samples would be an
> excellent idea:)

The UK eduroam partner, JANET, provide this list:

"The following is the minimum set of attributes required to support 
eduroam. These must not be filtered out:

RADIUS Access-Request or Access-Challenge message attributes:
1.   User-Name
18. Reply-Message
24. State
25. Class 
80. Message-Authenticator
31. Calling-Station-ID 
33. Proxy-State
79. EAP-Message 
     MS-MPPE-Send-Key
     MS-MPPE-Recv-Key
RADIUS Accounting messages:
1.   User-Name
40. Acct-Status-Type
44. Acct-Session-ID
25. Class
33. Proxy-State
"

from:

  http://www.ja.net/services/authentication-and-authorisation/janet-roaming/technology.html#RADIUS

Jethro.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.