On 13.11.2012 16:20, Phil Mayers wrote:
> On 13/11/12 14:45, Olivier Beytrison wrote:
>> Hello,
>>
>> [snip]
>>
>> So I have two questions:
>> 1. is this implementation possible?
>
> Yes. But I would argue it's not ideal (see below).
>
>> 2. If it is possible, will the inner tunnel for EAP-PEAP and EAP-TTLS
>> end on the local or central RADIUS, taking into account that the
>> authentication is performed by the central RADIUS?
>
> It depends what you configure. You can proxy the inner tunnel, or the
> outer tunnel.
>
> If you proxy the outer tunnel, it's encrypted all the way, but the
> central servers have to do all the TLS. The local servers then do very
> little (what you refer to as "vlans, subnets, etc.")

Well, that's what I would like to do. We have 7 different IT services running their own network the way they want. The local RADIUS servers are there to let them freely manage how users access their network.

> If you proxy the inner tunnel, the local servers do the TLS, but the
> traffic to the central servers is only lightly encrypted (by the RADIUS
> encryption scheme). Whether this matters will depend on your environment.

Not really a matter, as it will run either over a LAN-to-LAN IPsec VPN, or with RadSec enabled. (Still thinking between using radsecproxy or going with FreeRADIUS 3 [I know, you need guinea pigs ;)])

> Personally, I would think carefully if this model is right. The local
> servers don't seem to add much value, and are entirely dependent on the
> central servers.

It's not really about value, it's more about letting the local IT services manage how and what the users can access. We're already enforcing this central authentication; if we don't give them a minimum of control, this will lead to an IT riot :p

> Have you considered replicating the LDAP database to the local servers?

Well, not really a solution here. The central LDAP system is one of the most complex Novell eDirectory deployments possible. Syncing 7 other LDAP servers would just put more load on the actual cluster. The authentication will be made against a dedicated cluster of LDAP servers which contains only authentication-related information.

To summarize: if I proxy the outer tunnel, there will be more load on the central server, and I'll add the custom attributes to the outer reply in order for the local RADIUS to analyse them and add the NAS-specific attributes. If I proxy the inner tunnel, the TLS is handled by the local RADIUS (more certs to buy), on the central server I add the attributes in the normal reply, and the local RADIUS keeps doing the authorization part. I just have to take care of the encryption between the local and central servers; thankfully L2L VPNs are already established.

Thanks a lot for your answer, it gives me a good idea of how I'll do it.

Olivier B.

> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

--
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mobile: +41 (0)78 619 73 53
Mail: [email protected]
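An added configuration sketch, not from this thread and not the poster's setup, of the "proxy the inner tunnel" choice discussed above in FreeRADIUS 3 syntax: the local server terminates TLS, forwards the decrypted inner identity to the central server over RadSec, and maps the central reply to NAS-specific attributes. The hostname, certificate paths and the Filter-Id value are assumed for illustration.

```conf
# proxy.conf -- the central authentication server, reached over RadSec.
# FreeRADIUS uses the fixed secret "radsec" for TLS-transported RADIUS.
home_server central_auth {
    type   = auth
    ipaddr = radius-central.example.org      # constructed hostname
    port   = 2083
    proto  = tcp
    secret = radsec
    tls {
        private_key_file = ${certdir}/local-radius.key   # assumed paths
        certificate_file = ${certdir}/local-radius.pem
        ca_file          = ${cadir}/central-ca.pem
    }
}
home_server_pool central_pool {
    type        = fail-over
    home_server = central_auth
}
realm example.org {
    auth_pool = central_pool
}

# sites-enabled/default, authorize section: keep the outer EAP conversation
# local so this server terminates TLS.  For the "proxy the outer tunnel"
# variant, drop the update block: "suffix" then proxies the whole exchange.
authorize {
    suffix
    update control {
        Proxy-To-Realm := LOCAL
    }
    eap
}

# sites-enabled/inner-tunnel: once TLS is terminated here, the inner
# identity is proxied to the central server via the realm above.
authorize {
    suffix      # user@example.org -> Proxy-To-Realm = example.org
}
post-proxy {
    # Local authorization: turn the central reply into NAS-specific attributes
    # (use_tunneled_reply = yes in eap.conf copies them to the outer reply).
    if (&reply:Filter-Id == "staff") {
        update reply {
            Tunnel-Type             := VLAN
            Tunnel-Medium-Type      := IEEE-802
            Tunnel-Private-Group-Id := "42"
        }
    }
}
```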

