On Thu, Dec 08, 2005 at 12:55:53PM +0000, Jon Warbrick wrote:
> On Thu, 8 Dec 2005, Jon Warbrick wrote:
>
> >Are people who are working on Shibboleth in the UK aware of the current
> >'Janet Roaming Consultation Exercise'...
>
> Sorry, intended to say: "... details at
>
> http://www.ja.net/development/aa/lin/consult.html

The use of Shib for roaming was (and is) being looked at by at least some
people involved in LIN. The fundamental problem is dynamically enabling
web-redirect gateways to pass the shib exchanges. The scalability problem
is similar to that of the 'restricted VPN' model of roaming support (which
was being used by RUGIT, but which I think has been dropped in favour of
the scalable LIN approach).

It was also indirectly the subject of a talk I gave at the recent Edinburgh
JISC middleware event and I believe that Josh gave at the JISC event in
the Lake District, i.e. where do LIN and Shibboleth meet?

There is some possible interoperability, but my own view at the moment
is that the network layer access control via LIN is likely to target
802.1x/WPA for the foreseeable future.

A beauty of LIN is that it uses an established standardised authentication
transport mechanism (RADIUS); its 'weakness' is that while web-redirect
works very simply (most commercial hotspots use the same technology) that
approach is not as secure as 802.1x, where vendor support is 'emerging'.
There is some pushback in LIN allowing web-redirect in the production
service.

It seems most LIN sites see web-redirect as a stepping stone to 802.1x/WPA,
and that for a number that technology can/will also be used to secure wired,
static systems as well as providing local and remote wireless access.

As an aside, we've also been looking at methods that allow the LIN to be
applied to application layer authentication (beyond plain web authentication).
--
Tim/::1