Thanks for your feedback Heikki. We are eduroam users. We also need to implement this new kind of authentication. I know this new network would be without encryption, but politics wins over technology once again. Best regards.
On 16/01/2012 16.25, Heikki Vatiainen wrote:
> On 01/13/2012 03:43 PM, Denis Pavani wrote:
>
>> My company plans to have a wireless network where authentication
>> credentials come from a federation using shibboleth.
>> We have in production a cisco wireless controller, and really I was
>> trying not to bypass it for a different captive portal.
>> Is it possible to use "authby URL" redirecting credentials to a cgi
>> which provides shibboleth authentication?
>> Does anyone have experience with this?
>
> I think this model is too straightforward to work. You need to allow
> passthrough for every organisation that participates in the federation.
> The users need to access the authentication web page of their home
> organisation.
>
> After the authentication the user is redirected back to your login web
> page and the web server sets the environment variables to reflect the
> outcome of the user's authentication. That is, you do not get any access to
> credentials you could use to do the login. To actually use this
> information, you would most likely have to bypass the controller to utilise
> information from shibboleth.
>
> One method to make shibboleth based WLAN login is this:
>
> 1. Create a captive portal that lets the users select their home
> organisation. When they select it, they get redirected to their home
> login page. This portal most likely can not be in the controller but
> needs a web server with shibboleth authentication modules. The
> shibboleth authentication starts here.
>
> 2. The success URL users get from their home shibboleth login directs
> them back to your web server.
>
> 3. The resource pointed to by the success URL (e.g., CGI script) creates a
> temporary username/password in e.g. an SQL database.
>
> 4. The user is redirected to the controller's login page with a GET or POST
> request. The request parameters specify the temporary username/password.
>
> 5. The controller does RADIUS authentication against the SQL database.
>
> 6. If the authentication is successful, as it always should be at this
> point, the controller opens the captive portal. The user has now logged in.
>
> Something like the above should make it possible to use shibboleth for
> WLAN authentication. Note that it does not enable encrypted radio, so
> even if authentication is strong, users are still susceptible to
> eavesdropping.
>
> Have you considered eduroam for federated authentication?
>
> Thanks!
> Heikki
>

-- 
************************************************************************
Ing. Denis Pavani
CINECA - Dipartimento Sistemi e Tecnologie
NOC - Network Operations Center
phone: +39 0516171648 / fax: +39 0512130212
http://www.cineca.it
************************************************************************
"We are paid to adapt, improvise and achieve the goal" -- Gunny Highway

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
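The six-step flow Heikki sketches above, as an added example that is not from the original thread or from the Radiator project: a Python sketch of the success-URL handler (step 3), the controller redirect (step 4) and the check the RADIUS side would perform against the SQL table (step 5), with the temporary credential made short-lived and single-use so a captured redirect cannot be replayed. The table layout, the TTL, the `eppn` attribute name and the controller's query parameter names are assumptions.

```python
import secrets
import sqlite3
import time
import urllib.parse

TTL = 120  # seconds a temporary credential stays valid (assumed value)

# Constructed schema; a RADIUS server's SQL auth module would be pointed at this table.
SCHEMA = ("CREATE TABLE IF NOT EXISTS temp_creds (username TEXT PRIMARY KEY, "
          "password TEXT NOT NULL, expires INTEGER NOT NULL, eppn TEXT NOT NULL)")


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db


def issue_temp_credential(db, shib_env, now=None):
    """Step 3: run by the success-URL CGI. The Shibboleth SP module has already
    populated the environment; refuse to mint anything without an authenticated session."""
    eppn = shib_env.get("eppn") or shib_env.get("REMOTE_USER")
    if not eppn:
        raise PermissionError("no Shibboleth session in environment")
    now = int(time.time() if now is None else now)
    username = "tmp-" + secrets.token_hex(6)       # random, unguessable account name
    password = secrets.token_urlsafe(18)            # random one-time password
    db.execute("INSERT INTO temp_creds VALUES (?, ?, ?, ?)",
               (username, password, now + TTL, eppn))
    db.commit()
    return username, password


def controller_redirect(login_url, username, password):
    """Step 4: build the redirect to the controller login page (parameter names assumed).
    A POST form is preferable in practice: a GET puts the password into proxy and browser logs."""
    return login_url + "?" + urllib.parse.urlencode({"username": username, "password": password})


def check_temp_credential(db, username, password, now=None):
    """Step 5 as the RADIUS-side lookup would see it. Returns the federated identity (eppn)
    on success, None otherwise. The row is consumed on first use, valid or not."""
    now = int(time.time() if now is None else now)
    row = db.execute("SELECT password, expires, eppn FROM temp_creds WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return None
    stored_pw, expires, eppn = row
    db.execute("DELETE FROM temp_creds WHERE username = ?", (username,))  # single use
    db.commit()
    if now > expires or not secrets.compare_digest(stored_pw, password):
        return None
    return eppn
```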