[Battlemesh] Extending Eduroam over the community network

Mitar mitar at tnode.com
Fri Jun 3 12:19:16 UTC 2016


Hi!

Getting back to this old thread. :-)

> Had been talking to a few people a while ago and they said
> transparent bridging like Mitar suggested should be possible. If I
> understood Mitar correctly, you mean bridging everything,
> including EAPOL, so shifting the authenticator away from the
> untrusted community node to the trusted Eduroam-AP, right?

I would just like to extend Eduroam network further with equipment we
have. I have two goals:

- this could allow those who have Eduroam to use it in more locations
- we offload load on our network exit to Eduroam network for those who
will then use our equipment with Eduroam accounts

But we can also imagine that I just want to extend Eduroam network with
one more AP: so it should provide that SSID network, you can connect to
it, it asks you for username/password to authenticate against Eduroam,
and then traffic goes over the existing Eduroam AP out.

What I imagine is that one could really simply pass all packets further.
That this new AP would really simply be a direct bridge.


Mitar

> I was actually looking for a means to allow a more flexible, generic
> RADIUS solution a while ago. Without cluttering the user interface
> with ESSIDs for every new network to support: Basically
> I was thinking about one generic "sec.freifunk.net",
> "radius.freifunk.net" or even just "anyroam" ESSID for instance (while
> still keeping <community>.freifunk.net for open, unauthenticated,
> "best-effort-volunteers-can-provide" access). And then the untrusted
> community AP should forward EAPOL and any other packet by the domain
> field or username a user entered. Afaik there are RADIUS options to
> send the username in plaintext in EAPOL or to have a third domain
> field next to username/password.
> 
> It would be great if people were then able to use valid internet
> domains in their username, like:
> 
> * student1337 at eduroam.org
> * customer123 at telekom.de
> * customer0815 at hotspot-provider.net
> * unit123 at fire-brigade.gov
> * you at your-home.net
> * linus.luessing at c0d3.blue
> 
> And the community node then tunnels to the network of their
> choice.
> 
> I can already use the identifier linus.luessing at c0d3.blue to get
> access to my emails, SIP- or XMPP-account - why not make it
> usable for entering my private network at home via any access
> point in a universal, standardized way, too?
> 
> 
> Freeradius as is of course does not allow this yet. But in theory,
> I think RADIUS/802.1x side should be capable, shouldn't it? Just
> some glue-code for encapsulating everything in IP and then routing
> it to the right host needed?
> 
> 
> Would love to have a chat about this with other people interested
> in this and/or more experienced with RADIUS/802.1x than me at the
> next Battlemesh.
> 
> Regards, Linus
> 
> 
> PS: My enquiry via the contact form on the Eduroam webpage
> regarding Eduroam on Freifunk nodes was left unanswered back then.
> Anyone knowing someone @Eduroam?
> 
> PPS: Not sure whether they might be relevant, but RFC6613 (RADIUS
> over TCP) and RFC6614 (Transport Layer Security (TLS) Encryption
> for RADIUS) sound interesting, too.
> 
> 
>>
>> We will have 1 eduroam access point at the Battlemesh room. It would be
>> great if we could set up some solution with it.
>>
>> Best Regards,
>> Filipe Teixeira
>>
>> 2016-02-23 11:36 GMT+00:00 Huub Schuurmans <huubsch at xs4all.nl>:
>>
>>> On 21/02/16 at 09:55, Mitar wrote:
>>>> Hi!
>>>>
>>>> Eduroam has some interesting usefulness as a global network and I
>>>> started wondering if it would be possible to add to our nodes Eduroam
>>>> SSID as a parallel SSID. One thing is to do it officially, but could
>>>> this be done unofficially by connecting to an existing AP somehow and
>>>> just bridge everything over? Can this work with 802.1x in place? So that
>>>> you would bridge the whole AP network over, including the 802.1x on the
>>>> SSID?
>>>>
>>>
>>> Yes, Eduroam service can be run in parallel over a community network. We
>>> have done a research project a couple of years ago and run a 'proof of
>>> concept'.
>>> In our hardware setup we have multiple ap's at each network node, so we
>>> installed a dedicated Eduroam-ap with WPA2 and a VPN-tunnel to a Radius
>>> server/proxy at the internet gateway.
>>>
>>> Details are at
>>> https://www.wirelessleiden.nl/projects/eduroam
>>> Unfortunately this documentation is in Dutch.
>>>
>>> Huub
>>>
>>>
>>> _______________________________________________
>>> Battlemesh mailing list
>>> Battlemesh at ml.ninux.org
>>> http://ml.ninux.org/mailman/listinfo/battlemesh
>>>
>>
>>
>>
>> -- 
>>
>> *Filipe Borges Teixeira*
>> Centro de Telecomunicações e Multimédia
>> Centre for Telecommunications and Multimedia
>>
>> *INESC TEC*
>> Campus da FEUP
>> Rua Dr Roberto Frias
>> 4200-465 Porto
>> Portugal
>>
>> T +351 22 209 4299
>> M +351 91 247 8025
>> F +351 22 209 4050
>> filipe.b.teixeira at inesctec.pt
>> www.inesctec.pt
> 

-- 
http://mitar.tnode.com/
https://twitter.com/mitar_m
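
The realm-based forwarding proposed in the quoted message from Linus, sketched as an added example that is not part of the original thread: the community node reads the plaintext identity from the EAPOL EAP-Response/Identity frame and forwards only to an allow-listed endpoint. The realm names, addresses in `UPSTREAMS` and all function names are assumptions made for illustration.

```python
import struct

# Hypothetical realm -> tunnel endpoint allow-list (constructed documentation values).
UPSTREAMS = {"eduroam.example": "192.0.2.10", "home.example": "198.51.100.7"}

EAPOL_EAP_PACKET = 0   # IEEE 802.1X packet type carrying an EAP packet
EAP_RESPONSE = 2       # RFC 3748 code
EAP_TYPE_IDENTITY = 1  # RFC 3748 type


def outer_identity(eapol: bytes):
    """Return the identity from an EAPOL EAP-Response/Identity frame, else None."""
    if len(eapol) < 9:  # 4-byte EAPOL header + 5-byte EAP header
        return None
    _ver, ptype, body_len = struct.unpack("!BBH", eapol[:4])
    code, _id, eap_len, eap_type = struct.unpack("!BBHB", eapol[4:9])
    if ptype != EAPOL_EAP_PACKET or body_len > len(eapol) - 4:
        return None  # not EAP, or truncated frame
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        return None
    if not 5 <= eap_len <= body_len:
        return None  # EAP length disagrees with the EAPOL length
    try:
        return eapol[9:4 + eap_len].decode("utf-8")
    except UnicodeDecodeError:
        return None


def realm_of(identity: str):
    """Realm is the text after the last '@' (user@realm), normalised to lower case."""
    _user, sep, realm = identity.rpartition("@")
    if not sep or not realm or any(c.isspace() or not c.isprintable() for c in realm):
        return None
    return realm.lower().rstrip(".")


def select_upstream(eapol: bytes):
    """Map a frame to an allow-listed tunnel endpoint; None means do not forward."""
    identity = outer_identity(eapol)
    realm = realm_of(identity) if identity else None
    return UPSTREAMS.get(realm) if realm else None


def build_identity_response(identity: str, ident: int = 1) -> bytes:
    """Build a sample EAPOL frame (constructed input for the demonstration)."""
    data = identity.encode("utf-8")
    eap = struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), EAP_TYPE_IDENTITY) + data
    return struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap
```

The node only ever sees this outer identity; with tunnelled EAP methods a client can send an anonymous user part with the real realm, so the routing decision rests on the realm alone and the credentials stay end-to-end with the home server.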

