Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] installers for use on eduroam-test (local non-production SSID)

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] installers for use on eduroam-test (local non-production SSID)


Chronological Thread 
  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: IAM David Bantz <db AT alaska.edu>
  • Cc: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] installers for use on eduroam-test (local non-production SSID)
  • Date: Fri, 19 Oct 2018 08:48:38 +0200
  • Autocrypt: addr=stefan.winter AT restena.lu; prefer-encrypt=mutual; keydata= xsFNBFIplEwBEADTSz+DS8nio+RSvfSLLfaOnCGi1nqpn8Pb1laVUyEvnAAzZ5jemiS88Gxf iDH6hUGlWzcaW0hCfUHGiohr485adbjxRksPngWgAt/1bRxpifsW3zObFjgog01WWQV5Sihl wc4zr8zvYbFA5BJZ6YdkR9C5J015riv5OS30WTjA65SSXgYrb7zJWPwmegTFwE093uBFvC39 waz3xYpVu5j87nO6w2MVQt/8sY2/2BFPEq+xfOajl18UEwc7w8SCgnZdlVNcmEK4UBvJuwS/ 1lsR2JeQa8Gu1EDxC7PRgMgNXsDSWnnBe9aVmfG54+6ILe1QH2dwk9sPBQT5w2+vjijrb3Dv 9ur+1kN+TNU2XE436jVpnnY/3OsLdix30STQn4Q/XOm7YoVMeDwwviefilRxzK0dXA+wKj92 T68Od82CFxuZqPAgBCVmWfQM91iK9piqFK+QP+R3vF6+NGDBdwbe68iVKs0v5L8XmbxBQndj pmo+lo2asmBR2TAIfZHaKdgtBw13u3GPVVKlg/Mpko8ki9JOSem2aFyi3kQEVKptWgXT3POl 97DWJzsR5VyKz6GOx9kJAEISRyLZwm0wqh8+9LCza5oeIKW381lzq1b9x30vOh8CBSQQJ+cG 9ko0yPHAj7Suw2TmPXx1qMctmE6Ahq82ZW30SljdZby8WQuR2wARAQABzTxTdGVmYW4gV2lu dGVyIChSRVNURU5BIGtleSAyMDEzKykgPHN0ZWZhbi53aW50ZXJAcmVzdGVuYS5sdT7CwXkE EwECACMFAlIplEwCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRDA3mo1ijncZj7/ D/99hVS+mJr8dSPCaDaUFFxBiT2eI1LoR8VKEerTCRw5BsdL6pN2eRJZ9NmsqWo1ynWVHEzO 91bNZ+oZGgyoNohcBAI7p+r0qUTzkyqwdZO4kMm0pqKoM9xkP3tf2mjGujKjOz4Y7S7wnz2Z FokeUsecoRVJF/++/qHnmeWLn44J1HUKLHYCjMu+QXGOgGXgz024jQ5eUrnPwzNp0Z90AFVH lWC+bymty/ToIUUCQqS5Ff0jzdWLd8U695OG9iGvjBQT1LdEjsfbAwuKV5UcnpxNqUpUwKa5 9hdX5/2cMZP07FI1UXwnBlxa8rJfdb13FLjSKX4vUUHedYUZMjMPgcwl1a+zGE22lHiSQWgP 8QLA/W3BLsi22ERCEPZBfexOeOtaWIItDIz18fIaQoMDoRPshzar0JI2CzLYsyeKySAtYJEH FVoLmMvhkwzBmgqA/BEswUA67CfCr1jFHRXdpmWM7YkyAmMa9q6LwquWKS5+MXlUXe/3oZUc gpw/T9Uuy3Jo3RdS7B3jFcWaVr6KsO/A9u1gr/aYn5M+iJTQSj4vzqtkQaJTpSspRZoKa66H Zt3IwSYiDiYZqtM83ynuj9kjnZzGfnuTaNIi996q6Mptr33mOzIE1wmMqnJYwTr3EcNtf483 q/qrJwh5ES8Q9xY7aat/ZcSl8fKubW4TlfVr8c7BTQRSKZRMARAAvBPpn7FQq7LQ5glohtbL 6XIEo1U4X67S0TzUYieENSWSVYuWYIhCBldmWdmH8Bpj/qHeqdon7v+SLtR4WngzMR9toupK cFfHnbP9kpazTSB2ySHxXWGX1gJOpPXdCcg9iveKBHEsDn00ThTcPsvtXpnnzET16pXIvOXO 0bxTmVZ4INIF1SWgvYma/g8kBbgXLpkj8tOywBqFiiYPEZlDeCxDHiMgUDh6olda9K/0TZFT dMPUgjKuubfAeaDNCOrVt4RjmFOaRLikcZocmgJhm3z/j25x7/mnNu+0di1H/S67YGQJ+pqC FInzIXDx7aRW2+JCiqsY2X3xOPWZZzjyis5SNnfOcPH3gt2hYz1fy+thsBGf4NgCN01JRqIJ 2/MOQCgUdwh+9l8xqaJvCkUHM4hVh4W62MAe1u7UEqQbvvNEqxM5034vcvlE+/LRkrDCspw+ 2YJ9QyroLerVRwW5DVleP8Ifi8VB3yD80nqXYs9aqRy0BkDNIQ43ERhESMt8dJqrNkxgC6pe mZrhNwyDh+hy2kPNGQh/iBpdKuH1o3E24TIZoV2v3YHvzob7aAYHddE/PofAXhJW7I9mAs+H dWDmnI8ckuPDFpFH+Y/BFGvEXgcnJAJ1wEvf+4LuiIi0MHjR4EWFn9vvoFDAIqD10h3FSd3D 59HGtdSsNn4XaCsAEQEAAcLBXwQYAQIACQUCUimUTAIbDAAKCRDA3mo1ijncZhBtEACL036d djc5pFoYIdoUY1vT8SMXJNquewCnL1quDADzqDZFU5GNlQEy10krSfBwlTb9ahTtE0JFrOdZ wUZtoa1Pgfr8nU6KOgrXPHbNjS/9dyc5CwGVVIpOavIm2CsMVDJ9LCF/NT+u/t1k6eGfHhPV l3dUQyDa/lzc1chKUIVQYQkFmr0A/iXP+29lFCaI+IeyU0bSdZhezDwUROn5vEx+fiPZyHDS hCb+BxJv/o2LQp9JHenCiSbO+ioRZdxgbWfoKBuXOfmSStqMWXas/gZ5vS3xq72LNtKPRxgp jX3P8Zml1XDqpcBau7eK75VKE0Yd06YxnUIsbcEzInUc3uzW/u0DFpXYkMJb0XIvJyUt5yYP KfV13N8kSkPi5pLxm8yuftXMzfgeFMR7nafY3glTVj/TxElzg6xeZNqfC2ZjIbBtZg9ylHU8 u8wwB+dX282crs0R3N9A064C71/cXlBqcjzjlKH2NUIWGxr+od3TXFIFjszSU3NgMPKrWNhF LLwS81MpbkOe73s6aDhS8RDyNucoxtKXriLR+4Xiu4+pyj5ukYP1JqpB3ZobY/XZgCnJMye+ 7xeTpIDJ1LPORxM3NNAElyb26lxAK2P+km+EpI0Zzz6rNSCfg5jYQ474+e/GBgaSG4MlaPoZ +XAfN46u1Xjjv1/AkkA4IA6m5zP5og==
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello,

> Arguably we're changing more than two things at once, alas. However the
> WiFi / authN backend is independently tested independent of
> device-specific installers; (1) the CAT tools simulating login from
> remote sites were enormously helpful in verifying and tuning set-up for
> receiving and processing eduroam requests from the eduroam federation
> (using a secondary domain we also control so as not to disrupt
> production); (2) simple manual configuration of supplicants verify
> on-site connections.

Ah, I'm happy to hear that the toolset is already of use.

> I'd suggest to first test CAT on the production SSID. If that works, you
> can be rather confident that the only changes you'll have to do CAT-side
> are the adaptation to the new server certificate and server name; after
> all these are the only two properties of your auth backend which are
> visible to the outside world, and thus the only thing CAT cares about.
>
>
> I don't think that's true; as user authentication is changing from
> EAP-TLS to EAP-PEAP,

Ah. That's indeed a big change. I might have taken my mouth too full
when I wrote our installers can handle two simulateneously :-)

You could however do something on the server-side maybe. See at the end
of the mail.

> there's a fundamental difference in the
> configurations for current and new 802.1X configuration. Unless I am
> badly mistaken, the CAT installers have in themselves no way to fully
> configure our existing eduroam requiring on-demand creation and
> insertion of a user certificate from our current unsupported certificate
> factory. But even supposing such near-magic, installers that create and
> install user certificates consumed by freeRADIUS hardly provide
> confidence in a different set of installers for password authentication
> brokered by Cisco ISE.

FWIW, creating and handing out individual user certificates on demand is
a feature of our new product "eduroam Managed IdP". That one is using
our own CA though, and it is meant to be used by small institutions
without professional on-site user identity management systems. It ,
somewhat intentionally, does not scale to large deployments.

> Such an installer would have to generate a user certificate on the fly
> for the current production on-site eduroam configuration for use with
> EAP-TLS as well as supporting EAP-PEAP for new infrastructure. Perhaps
> all that can be crammed into one installer, but then what's the flow? -
> how does the wireless controller determine which RADIUS server to query?
> if determined by the supplicant, what triggers one or the other request?
> And once a RADIUS server is selected, how does the supplicant know
> whether to use TLS or PEAP for the inner identity? 

Since your old setup is a FreeRADIUS: it can proxy requests :-) So, if a
PEAP user from the new deployment variant authenticates at your current
production SSID (leading to the EAP-TLS server), FreeRADIUS can be
configured with a rule of sorts

"if user is from @newdeploymentrealm && EAP-Type == PEAP => proxy to the
new server"

Even if the realm of old and new deployment is identical - with the EAP
type being part of the condition, you make sure that genuinely old
accounts with EAP-TLS are authenticated on the old server, while new
accounts are sent onwards to your new server. All when incoming from the
same legacy deployment.

The only complication with this is when the old and new realms are
indeed identical - it can still work, but then EAP type negotiation
happens on the old server, and you will have to enable "support" for
PEAP in the first place to allow the client to actually select the EAP type.

You're basically implementing roaming with that, just not necessarily
based on realm but on EAP-Type.

That way, CAT installers for the new PEAP deployment can be used on both
the old and the new deployment; the installers themselves only contain
the new EAP details because the final RADIUS server that authenticates
users is always the new one.

It all depends on whether you're confident enough to change the
FreeRADIUS configuration in this way. It would be a ...fairly advanced
... configuration task.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0xC0DE6A358A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature




Archive powered by MHonArc 2.6.19.

Top of Page