
Eduroam: make authentication source more flexible

Open nqb opened this issue 2 years ago • 7 comments

Is your feature request related to a problem? Please describe.

On PF 11.2, when you create an Eduroam source, you can't:

  • configure three Eduroam servers. Web admin lets you configure only two servers
  • configure each Eduroam server with a different secret. Web admin lets you configure only one shared secret for all servers

I'm working with a UK university and the configuration is generated automatically from the Eduroam platform. They can't change the secrets to use the same one with all Eduroam servers.

I don't think creating additional Eduroam sources as a workaround will work because Eduroam sources are exclusive.

Describe the solution you'd like

  • Be able to configure more than two servers on Eduroam sources. It would be nice to use the same mechanism as for AD sources, where you can add several "hosts"
  • Be able to specify a different secret for each Eduroam server

nqb • Mar 23 '22 07:03

As the technical specialist for the UK national eduroam operator I would like to 👍 this request.

I would also suggest that this should not just be limited to 3 servers, but rather a list of 'n'. I would also like to add to this the ability to load-balance between the hosts in that list of n, as using only one (or the first in the list of n) server as a primary is not helpful in the general scheme of things. Exposing the underlying FreeRADIUS server_pool's 'type' capability (fail-over, load balancing, client-balance, client-port-balance and keyed-balance) to the UI makes a lot more sense.

spaetow • May 19 '22 15:05
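
The FreeRADIUS mechanism referred to in the comment above, as an added example that is not part of the original thread and is not PacketFence's generated configuration: a `proxy.conf` fragment (FreeRADIUS 3.x syntax) with three home servers, each with its own shared secret, grouped in one pool whose `type` selects the balancing mode. The server names, the realm name, the 192.0.2.x addresses and the secrets are constructed placeholders.

```conf
# Added illustration; every name, address and secret below is a placeholder.

home_server eduroam_1 {
    type   = auth
    ipaddr = 192.0.2.11            # documentation address range (RFC 5737)
    port   = 1812
    secret = REPLACE_WITH_SECRET_1 # secret issued for this server only
}

home_server eduroam_2 {
    type   = auth
    ipaddr = 192.0.2.12
    port   = 1812
    secret = REPLACE_WITH_SECRET_2 # differs from eduroam_1
}

home_server eduroam_3 {
    type   = auth
    ipaddr = 192.0.2.13
    port   = 1812
    secret = REPLACE_WITH_SECRET_3 # differs from eduroam_1 and eduroam_2
}

home_server_pool eduroam_pool {
    # One of: fail-over, load-balance, client-balance,
    # client-port-balance, keyed-balance
    type = load-balance

    # The list is not limited to two entries.
    home_server = eduroam_1
    home_server = eduroam_2
    home_server = eduroam_3
}

# Hypothetical realm that sends outbound requests to the pool.
realm eduroam_upstream {
    auth_pool = eduroam_pool
    nostrip                        # forward the User-Name unchanged
}
```

Because the secret is set per `home_server` block, each upstream server keeps the secret it was issued, which is the case the issue description says the web admin form cannot express.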

Hello @spaetow,

Thanks for your comment. Regarding the number of servers to configure, I agree that we should support a list of 'n' servers. This is what I mentioned in the issue description: we already use this mechanism for AD sources.

Regarding load-balancing requests to Eduroam servers, all options you mentioned are already available in the Realms menu: [image]

but it's not part of the Eduroam source settings, so I'm not sure in which context exactly this is used. @fdurand, could you tell us more on that topic?

nqb • May 20 '22 07:05

Hi @nqb, does the 'Freeradius Eduroam Proxy' setting refer to the ones in this link also, or is the below being configured incorrectly?

[image]

spaetow • May 24 '22 23:05

Hi @spaetow, it's in another section called Realms. I will look into the code and get back to you later.

nqb • May 25 '22 06:05

@fdurand's proposal is to rework the Eduroam source form to use the same options available in the FreeRADIUS proxy form (in the Realms menu).

With this approach, we don't define Eduroam servers anymore in the Eduroam source but in RADIUS sources. It will let us define 'n' Eduroam servers.

Important: a RADIUS server can be configured only one time in FreeRADIUS.

nqb • May 30 '22 14:05

@spaetow, when our code is ready, would it be possible to have a test account to perform inbound/outbound tests against Eduroam UK servers?

Thanks.

nqb • Jun 03 '22 11:06

@nqb Absolutely. Will be happy to test. Shoot an email to eduroamuk @ jisc dot ac dot uk for my attention and we'll be able to do something :-)

spaetow • Jun 20 '22 15:06