Does anyone have any answers? Mark

---------------------------------------------------------------

I was asked to add radius support to the Authentication server. This made sense as it's a well-known authentication protocol and would allow for all sorts of nice things. This is the first time I've used radius; I'm hoping there is some expertise out there to help me solve some design issues.

Radius appears to assume trust between the client and the server; at least, this is only protected with a shared key, which for this purpose is the same as having no key at all because it has to be known to all parties. At the moment, each node is getting authentication from a central server. I'm not sure if this will work for the WISP model, because the gateway needs to be handling the accounting, not the node, otherwise you could hack into your local node and stop it recording when you'd signed on etc. Even in a non-paid model, you need this to prevent the same account being used from multiple locations at the same time, otherwise net abuse can be blamed on account hijacking.

This potentially means that I'd have to have a proxy radius server with accounting on the gateway (radius appears distributed by nature) and this proxy would handle downstream accounting. It is also reasonably safe to assume that an internet gateway will remain online more than a mesh node which could move out of coverage in a mobile environment.

Either this, or I run a central radius server and then have a custom app on the gateway node to handle accounting data exchange with downstream nodes using a custom protocol, simplified to make management easier. The downside of this is that if the software includes a radius proxy, then the nodes could also be radius proxies, meaning you could connect *to* them via radius, which could facilitate cool things like attaching entire downstream networks through a single mesh link.

I'm only on page 20 of the radius book (by O'Reilly) which arrived this morning, so maybe I'll find more answers as I continue reading. I wondered if anyone had any radius environments in which they would find features of the authentication desirable.

Back to the security. I can ensure the security inside the mesh network using ipsec based security, but if the radius key is shared on the internet, then I'm assuming you could potentially spoof packets back to the node and cause authentication based attacks (e.g. hijacking an account etc.).

On top of this, radius uses UDP, which, although great, means that in some cases firewalls or NAT systems are blocking the authentication packets, making gateways difficult to run behind certain kinds of routers/firewalls. At the moment, an internet gateway should have full IP access, but it is possible to run the whole "WirelessBox" even if you only have TCP abilities on the remote network. The use of radius currently breaks this functionality. Is there any kind of TCP transport (http proxy?) for radius which we could use?
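As an added illustration (not part of the thread), this builds a RADIUS Access-Request and the matching Access-Accept as RFC 2865 specifies and checks the Response Authenticator, which is the only thing that ties a reply to the request and to a holder of the shared secret: a reply produced without the secret fails the check. The secret, username, password and fixed Request Authenticator are constructed values.

```python
import hashlib
import struct

def radius_attr(type_code: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (RFC 2865, section 5)."""
    return struct.pack("!BB", type_code, len(value) + 2) + value

def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """User-Password hiding: each 16-byte chunk is XORed with
    MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(secret, ident, request_auth, username, password):
    """Access-Request (code 1); the 16-byte Request Authenticator must be random."""
    attrs = (radius_attr(1, username.encode())
             + radius_attr(2, hide_password(secret, request_auth, password.encode())))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs

def response_authenticator(secret, code, ident, attrs, request_auth):
    """MD5(Code|ID|Length|RequestAuth|Attributes|Secret): the only thing that binds
    a reply to its request and to a party holding the shared secret (RFC 2865, 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_accept(secret, request, attrs=b""):
    """Server side: answer an Access-Request with an Access-Accept (code 2)."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(secret, 2, ident, attrs, request_auth)
    return struct.pack("!BBH", 2, ident, 20 + len(attrs)) + auth + attrs

def verify_response(secret, response, request_auth):
    """Client side: accept a reply only if its authenticator matches our request."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(secret, code, ident, response[20:length], request_auth)
    return response[4:20] == expected

def demo():
    """Constructed exchange: a genuine Accept verifies; a reply built without the secret does not."""
    secret, req_auth = b"mesh-shared-secret", bytes(range(16))  # constructed; use os.urandom(16) in practice
    request = build_access_request(secret, 7, req_auth, "alice", "s3cret")
    genuine = build_access_accept(secret, request)
    forged = build_access_accept(b"wrong-guess", request)  # what a sender without the secret can produce
    return verify_response(secret, genuine, req_auth), verify_response(secret, forged, req_auth)
```

Note that the check only rejects replies from parties that lack the secret; anyone the secret has been shared with can produce a valid one, which is the trust issue raised above.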
