[RADIATOR] Enhancement for AuthDNSROAM/EduRoam and goodies suggestion

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Sat Mar 31 11:07:34 CDT 2012


On Fri, 30 Mar 2012, Jethro R Binks wrote:

Hey,

thanks for the reply.

> On Thu, 29 Mar 2012, Bjoern A. Zeeb wrote:
>
>> Not sure if we should pass down all section 5.7.18 ref.pdf options
>> down from the AuthDNSROAM patch below, but these two seem essential
>> as having them in and not working might lead to unexpected results.
>>
>> My somewhat excessive attribute filter list for Eduroam currently is
>>  	AllowInReply            User-Name, \
>>  				Class, \
>>  				Framed-Protocol, \
>>  				Service-Type, \
>>  				EAP-Message, \
>>  				Message-Authenticator, \
>>  				MS-MPPE-Send-Key, \
>>  				MS-MPPE-Recv-Key, \
>>  				MS-CHAP-Domain, \
>>  				MS-CHAP2-Success, \
>>  				Proxy-State
>>
>> with Framed-Protocol at least being excessive and should
>> probably be static and Service-Type probably be restricted.
>>
>> I wonder if others have a comment on that list; I have been told
>> another (open source) radius software comes with a pre-defined
>> list but have not checked, so I think putting that into goodies,
>> if not there yet, for AuthDNSRoam/Eduroam samples would be an
>> excellent idea:)
>
> The UK eduroam partner, JANET, provide this list:
>
> "The following is the minimum set of attributes required to support
> eduroam. These must not be filtered out:
>
> RADIUS Access-Request or Access-Challenge message attributes:

Right, but Access-Requests are the other direction; well, it may depend on
whether you are an IdP, an SP or a FLR.  The above is for an SP.

The reason I do not forward the Reply-Message to the AP btw is that
.1x has no way to carry it to the user - it might still be useful
for debugging directly on the APs though, so I should probably add it.

Leaves me with these two:

> 24. State

Needed in case of Access-Challenge; should definitely be added.

> 31. Calling-Station-ID

No need to go back to the AP, only in the Request direction as far as
I can see.

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
          Stop bit received. Insert coin for new address family.
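Pulling the conclusions of this mail together into one Radiator fragment, as an added illustration (not Bjoern's production config and not a goodies file; the AuthBy DNSROAM wrapping and the other clause parameters are assumed and omitted):

```conf
# SP-side reply filter for an eduroam AuthBy DNSROAM clause.
# Only attributes listed in AllowInReply are passed from the remote
# IdP's Access-Accept/Challenge/Reject back toward the local APs.
<AuthBy DNSROAM>
	# ... DNSROAM/RadSec parameters omitted (assumed) ...
	AllowInReply	User-Name, \
			Class, \
			Service-Type, \
			EAP-Message, \
			Message-Authenticator, \
			MS-MPPE-Send-Key, \
			MS-MPPE-Recv-Key, \
			MS-CHAP-Domain, \
			MS-CHAP2-Success, \
			Proxy-State, \
			State, \
			Reply-Message
	# State:          required so a multi-round Access-Challenge
	#                 (EAP) can be matched by the AP on the next request.
	# Reply-Message:  802.1X cannot show it to the user, but it helps
	#                 when debugging on the AP itself.
	# Framed-Protocol: dropped from the allow list; if needed it is
	#                 better set statically on the SP side.
	# Calling-Station-Id: intentionally absent; it only travels in
	#                 the Access-Request direction.
</AuthBy>
```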

