Hi,

> I'm trying to understand the traffic flow between an eduroam user and their
> home institution RADIUS server. I've been googling for a while but still don't
> fully understand the flow between the user and the RADIUS server. Please shed
> some light on my understanding:
>
> 1. The user enters the username and password to access eduroam.
> 2. The credentials are passed to the wireless access point and on to the visitor
>    home institution RADIUS server. On this step, the log on the RADIUS server
>    shows 'Access-Request'.
> 3. The visitor institution RADIUS server then passes the credentials to the
>    user's home RADIUS server for authentication.
> 4. If the credentials are correct, then the home RADIUS server replies with an
>    Access-Accept code.
> 5. If the user enters the wrong credentials, then the home RADIUS server
>    responds with either Access-Challenge or Access-Reject messages.
There are sites and courses that explain this... but, basically: EAPOL from the AP, the client sends an identity (outer ID, so e.g. anonymous@realm); if @realm isn't local, the request will be forwarded to the national proxies... and on to the home site. Via a few more exchanges (of RADIUS cert/CA) an EAP tunnel is established between the AP and the home RADIUS server, using the proxied route. The client's real username (inner ID), e.g. 'username', is then passed through that tunnel.

Now, depending on the mechanism, various things could happen... but if it's PEAP/MSCHAPv2, an MSCHAPv2 challenge response is then passed through the EAP tunnel. Finally the Access-Accept packet (if all is okay) is passed back to the AP, along with keying material for the local WPA2/AES etc. cipher mechanism... and other things can be added to this Accept by the local RADIUS server, such as VLAN/bandwidth etc. etc.

The client NEVER needs to trust the visited site RADIUS server (so their home server can be e.g. self-signed and trusted, and the visited site can have self-signed and trusted by THEIR users); the credentials are never passed in such fashion to the AP or the visited RADIUS server.

That's a quick/brief summary, and due to the brevity there are a few oversights and vast assumptions.

alan

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
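The hop sequence in the reply above, written out as a runnable model. This is an added example, not Radiator code and not anything from the thread: the realm names, the proxy hostname, the per-realm user database and the VLAN number are assumptions, and the inner password comparison stands in for the MSCHAPv2 challenge/response, which is not implemented here. What it shows is the routing decision on the outer identity at the visited site, the inner identity and credential check only at the home site, the keying material coming back in the Accept, and the local server adding its own VLAN attributes before the packet reaches the AP.

```python
"""Model of the eduroam authentication hops described in the reply above.

Added example, not Radiator code. The realm names, proxy hostname, user
database and VLAN number are assumptions, and the inner password comparison
stands in for the MSCHAPv2 challenge/response, which is not implemented here.
"""
import hmac
import os
from dataclasses import dataclass, field

LOCAL_REALMS = {"visited.example.ac.uk"}          # assumed: realm served by the visited site
NATIONAL_PROXY = "roaming-proxy.example.net"      # assumed: next hop for any foreign realm
USERS = {                                         # assumed: per-realm user databases
    "home.example.edu": {"alice": "correct horse"},
    "visited.example.ac.uk": {"bob": "battery staple"},
}


def split_nai(identity: str) -> tuple[str, str]:
    """Split a Network Access Identifier at its last '@' (RFC 7542 form)."""
    if "@" not in identity:
        raise ValueError("identity carries no realm")
    user, realm = identity.rsplit("@", 1)
    if not user or not realm or any(c.isspace() for c in realm):
        raise ValueError("malformed identity")
    return user, realm.lower()


@dataclass
class Packet:
    code: str                      # Access-Request, Access-Accept or Access-Reject
    attrs: dict = field(default_factory=dict)


def visited_site_route(outer_identity: str) -> tuple[str, str]:
    """Visited RADIUS server decides on the outer identity alone; it never sees
    the inner identity. Returns (action, next_hop), action in local/proxy/reject."""
    try:
        _, realm = split_nai(outer_identity)
    except ValueError:
        return "reject", ""
    if realm in LOCAL_REALMS:
        return "local", ""
    return "proxy", NATIONAL_PROXY


def home_site_authenticate(outer_identity: str, inner_identity: str, password: str) -> Packet:
    """Home RADIUS server at the end of the EAP tunnel: the inner identity must
    sit in a realm this server owns and agree with the outer realm; then the
    credential is checked. The MPPE keys are random stand-ins for the
    MS-MPPE-Recv-Key / MS-MPPE-Send-Key material the real tunnel derives."""
    _, outer_realm = split_nai(outer_identity)
    try:
        user, inner_realm = split_nai(inner_identity)
    except ValueError:
        user, inner_realm = inner_identity, outer_realm   # bare inner name: take outer realm
    if inner_realm != outer_realm or inner_realm not in USERS:
        return Packet("Access-Reject", {"Reply-Message": "realm mismatch"})
    stored = USERS[inner_realm].get(user, "")
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return Packet("Access-Reject", {"Reply-Message": "bad credentials"})
    return Packet("Access-Accept", {
        "User-Name": outer_identity,              # inner name stays at the home site
        "MS-MPPE-Recv-Key": os.urandom(32),
        "MS-MPPE-Send-Key": os.urandom(32),
    })


def visited_site_finalize(pkt: Packet, vlan_id: int) -> Packet:
    """Visited RADIUS server appends local policy (a VLAN assignment) to the
    Accept before relaying it, keys included, to the AP."""
    if pkt.code == "Access-Accept":
        pkt.attrs.update({"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                          "Tunnel-Private-Group-ID": str(vlan_id)})
    return pkt


def authenticate(outer_identity: str, inner_identity: str, password: str,
                 vlan_id: int = 100) -> tuple[Packet, list]:
    """Run the hop sequence and return (packet handed to the AP, trace of what
    each hop saw). The EAP-Message at the visited hop is opaque TLS."""
    trace = [("visited", "Access-Request",
              {"User-Name": outer_identity, "EAP-Message": "<TLS records>"})]
    action, next_hop = visited_site_route(outer_identity)
    if action == "reject":
        return Packet("Access-Reject", {"Reply-Message": "unroutable realm"}), trace
    if action == "proxy":
        trace.append((next_hop, "Access-Request", {"User-Name": outer_identity}))
    result = home_site_authenticate(outer_identity, inner_identity, password)
    trace.append(("home", result.code, dict(result.attrs)))
    return visited_site_finalize(result, vlan_id), trace


def inner_identity_seen_outside_home(trace: list, inner_identity: str) -> bool:
    """True if any hop other than the home server ever saw the inner identity."""
    return any(inner_identity in repr(attrs)
               for hop, _, attrs in trace if hop != "home")


if __name__ == "__main__":
    pkt, trace = authenticate("anonymous@home.example.edu",
                              "alice@home.example.edu", "correct horse")
    for hop, code, attrs in trace:
        print(f"{hop:>28}  {code:<15} {sorted(attrs)}")
    print(pkt.code, "VLAN", pkt.attrs.get("Tunnel-Private-Group-ID"))
```

The trace is the point: the visited server and the national proxy only ever hold `User-Name = anonymous@realm` plus opaque TLS, the home server is the first hop that sees `alice`, and the Accept that reaches the AP carries both the MPPE keys from the home site and the VLAN attributes the visited site added. The realm-agreement check at the home site (inner realm must equal outer realm) is the kind of extra rule a home server is expected to apply and is an assumption of this model, not something the reply states.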
