JiscMail Logo
Email discussion lists for the UK Education and Research communities

Help for MOONSHOT-COMMUNITY Archives


MOONSHOT-COMMUNITY Archives

MOONSHOT-COMMUNITY Archives


MOONSHOT-COMMUNITY@JISCMAIL.AC.UK


View:

Message:

[

First

|

Previous

|

Next

|

Last

]

By Topic:

[

First

|

Previous

|

Next

|

Last

]

By Author:

[

First

|

Previous

|

Next

|

Last

]

Font:

Proportional Font

LISTSERV Archives

LISTSERV Archives

MOONSHOT-COMMUNITY Home

MOONSHOT-COMMUNITY Home

MOONSHOT-COMMUNITY  July 2012

MOONSHOT-COMMUNITY July 2012

Options

Subscribe or Unsubscribe

Subscribe or Unsubscribe

Log In

Log In

Get Password

Get Password

Subject:

Re: [input requested] Channel Binding: TTLS vs Interoperability

From:

Alan DeKok <[log in to unmask]>

Reply-To:

Alan DeKok <[log in to unmask]>

Date:

Fri, 20 Jul 2012 20:19:23 -0400

Content-Type:

text/plain

Parts/Attachments:

Parts/Attachments

text/plain (57 lines)

Sam Hartman wrote:
> Unfortunately, when FreeRADIUS is a RADIUS server. So internally it
> converts the incoming message from Diameter to RADIUS. When it does
> that, it fails the entire authentication if it finds Diameter attributes
> that cannot be mapped to RADIUS attributes.
> 
> This is bad. It means that if you try to perform Moonshot authentication
> against an unmodified FreeRADIUS  server, it will completely fail.

  It's pretty bad.  I'm not even sure why I did that in the first place.
 It's easy enough to fix.  I've put a fix into git (v2.1.x) which will
make it into the next release.

  The solution is to allow all well-formed Diameter attributes.
However, only ones which can be converted to RADIUS attributes are
converted.  All others are silently ignored.

> Unfortunately, FreeRADIUS also fails the EAP-TTLS authentication  if
> there is an unknown RADIUS attribute in an EAP-TTLS message.

  Now that's just stupid.  Who was the idiot who wrote that code?

  Um...

> Also, note that we have no reason to believe things are better with
> other EAP servers. We just happen to know the behavior for FreeRADIUS.

  Ah, the benefits of Open Source.  You *know* how bad it is. :)

> There's another option we've thought of. We can squat on some attribute
> that's guaranteed to already be in the FReeRADIUS dictionary but that
> has no place in an EAP-TTLS tunnel.  The architectural impurity of this
> solution should be obvious.
> However at least with FreeRADIUS it provides backwards compatibility.

  A horrid solution would be to use attribute 26 (Vendor-Specific).
IIRC, it's forbidden in Diameter proper.  However, RFC 5281 (TTLS) says:

      RADIUS vendor-specific attributes use RADIUS
      attribute 26 and include Vendor-ID, vendor-specific attribute
      code, and length; see [RFC2865] for details.

  So you could just packet a JANET VSA into it, and it would work.  The
FreeRADIUS diameter decoding does *not* look for RADIUS VSAs.  In this
case, it would just create an attribute of type 26, type "octets".

  I could go poke the code to look for VSAs in the TTLS diameter
decoding, and create them.  In the 3.0 "master" branch, this is actually
pretty easy.

> Secondly, we could use input on the tradeoffs between architectural
> impurity and working  with backward compatibility.

  My guess is that using attribute 26 would work everywhere.  But I'd
want to get information from the other RADIUS vendors to be sure.

  Alan DeKok.

Top of Message | Previous Page | Permalink

JiscMail Tools


RSS Feeds and Sharing


Advanced Options


Archives

June 2018
April 2018
November 2017
October 2017
September 2017
August 2017
July 2017
May 2017
April 2017
March 2017
February 2017
December 2016
November 2016
October 2016
August 2016
July 2016
June 2016
May 2016
March 2016
February 2016
January 2016
November 2015
October 2015
September 2015
August 2015
July 2015
June 2015
May 2015
April 2015
March 2015
February 2015
January 2015
December 2014
November 2014
October 2014
September 2014
August 2014
July 2014
June 2014
May 2014
April 2014
March 2014
February 2014
January 2014
December 2013
November 2013
October 2013
September 2013
August 2013
July 2013
June 2013
May 2013
April 2013
March 2013
February 2013
January 2013
December 2012
November 2012
October 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010


JiscMail is a Jisc service.

View our service policies at https://www.jiscmail.ac.uk/policyandsecurity/ and Jisc's privacy policy at https://www.jisc.ac.uk/website/privacy-notice

Secured by F-Secure Anti-Virus CataList Email List Search Powered by the LISTSERV Email List Manager