[RADIATOR] eduroam and radius servers

A.L.M.Buxey at lboro.ac.uk
Wed Mar 27 11:29:18 CDT 2013


Hi,

> I'm trying to understand the traffic flow between an eduroam user and their home institution radius server. I've been googling for a while but still don't fully understand the flow between the user and the radius server. Please shed some light on my understanding:
> 
> 1. The user enters the username and password to access eduroam.
> 2. The credentials pass to the wireless access point and on to the visitor home institution radius server - on this step, the log on the radius server shows 'Access-Request'.
> 3. The visitor institution radius server then passes the credentials to the user's home radius server for authentication.
> 4. If the credentials are correct, then the home radius server replies with an Access-Accept code.
> 5. If the user enters the wrong credentials, then the home radius server responds with either Access-Challenge or Access-Reject messages.

there are sites and courses that explain this... but, basically,

EAPOL from the AP; the client sends an identity (OuterID, so e.g. anonymous@realm). If @realm
isn't local, the request will be forwarded to the national proxies... and on to the
home site. Via a few more exchanges (of RADIUS cert/CA) an EAP tunnel is established between
the AP and the home RADIUS server - using the proxied route. The client's real username
(InnerID), e.g. 'username', is then passed through that tunnel... now, depending on mechanism,
various things could happen... but if it's PEAP/MSCHAPv2, an MSCHAPv2 challenge/response
is then passed through the EAP tunnel. Finally the Access-Accept packet (if all is okay)
is passed back to the AP - along with keying material for the local WPA2/AES etc. cipher
mechanism... and other things can be added to this accept by the local RADIUS server,
such as VLAN/bandwidth etc.

the client NEVER needs to trust the visited site RADIUS server (so their home server can be,
e.g., self-signed and trusted, and the visited site can have a self-signed cert trusted by THEIR users);
the credentials are never passed in such fashion to the AP or the visited RADIUS server.

that's a quick/brief summary - and due to the brevity there are a few oversights and vast assumptions

alan
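One way to picture the two points in the reply above, realm-based proxy routing on the OuterID and an EAP tunnel that only the home server can open, as an added model (not Radiator's code and not part of the original message); the realm names, the proxy name, the VLAN value and the reply labels are constructed assumptions:

```python
# Added example: a small model of the eduroam proxy path, not Radiator code.
# Realm names, proxy name and attribute labels below are constructed assumptions.
from dataclasses import dataclass

LOCAL_REALMS = {"visited.example"}      # realms the visited server authenticates itself
NATIONAL_PROXY = "ntp.example"          # constructed name for the national top-level proxy

def split_nai(identity: str):
    """Split a Network Access Identifier into (user, realm); realm is None if absent."""
    if "@" not in identity:
        return identity, None
    user, realm = identity.rsplit("@", 1)
    return user, (realm.lower() or None)

def route(outer_identity: str):
    """RADIUS hops an Access-Request takes, decided only from the outer (anonymous) realm."""
    _, realm = split_nai(outer_identity)
    if realm is None or realm in LOCAL_REALMS:
        return ["visited"]              # handled locally, nothing is proxied
    return ["visited", NATIONAL_PROXY, f"home:{realm}"]

@dataclass
class Tunnel:
    """Opaque EAP tunnel payload: only its endpoint (the home server) may open it."""
    endpoint: str
    inner_identity: str                 # the InnerID, e.g. 'username'
    mschapv2_ok: bool                   # outcome of the MSCHAPv2 challenge/response inside
    def open_as(self, hop: str):
        if hop != self.endpoint:
            raise PermissionError(f"{hop} cannot read the EAP tunnel")
        return self.inner_identity, self.mschapv2_ok

def authenticate(outer_identity: str, tunnel: Tunnel, visited_vlan: str = "eduroam-guest"):
    """Walk the proxy chain and return the final reply as the AP would see it."""
    hops = route(outer_identity)
    seen_inner = {}                     # hops that learned the InnerID; should be the home only
    for hop in hops:
        try:
            seen_inner[hop] = tunnel.open_as(hop)[0]
        except PermissionError:
            continue                    # proxies forward the tunnel without reading it
    if hops[-1] not in seen_inner:
        return {"code": "Access-Reject", "reason": "no home server could open the tunnel"}
    if not tunnel.mschapv2_ok:
        return {"code": "Access-Reject", "hops": hops, "inner_seen_by": list(seen_inner)}
    return {"code": "Access-Accept", "hops": hops, "inner_seen_by": list(seen_inner),
            "keying_material": "MS-MPPE keys from home server",   # label only, no real keys
            "Tunnel-Private-Group-ID": visited_vlan}              # added by the visited server
```

The visited server and the national proxy never appear in `inner_seen_by`; they only decide where to forward based on the outer realm.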

