[Battlemesh] Extending Eduroam over the community network

Linus Lüssing linus.luessing at c0d3.blue
Mon Mar 21 01:58:02 CET 2016


Hi,

On Tue, Feb 23, 2016 at 02:33:47PM +0000, Filipe Borges Teixeira wrote:
> Hi!
> 
> That is for sure an interesting scenario, but may raise security issues.

I had been talking to a few people a while ago and they said
transparent bridging like Mitar suggested should be possible. If I
understood Mitar correctly, you mean bridging everything,
including EAPOL, so shifting the authenticator away from the
untrusted community node to the trusted Eduroam-AP, right?

I was actually looking for a means to allow a more flexible, generic
RADIUS solution a while ago, without cluttering the user interface
with ESSIDs for every new network to support. Basically
I was thinking about one generic "sec.freifunk.net",
"radius.freifunk.net" or even just "anyroam" ESSID for instance (while
still keeping <community>.freifunk.net for open, unauthenticated,
"best-effort-volunteers-can-provide" access). And then the untrusted
community AP should forward EAPOL and any other packet by the domain
field or username a user entered. Afaik there are RADIUS options to
send the username in plaintext in EAPOL or to have a third domain
field next to username/password.

It would be great if people were then able to use valid internet
domains in their username, like:

* student1337 at eduroam.org
* customer123 at telekom.de
* customer0815 at hotspot-provider.net
* unit123 at fire-brigade.gov
* you at your-home.net
* linus.luessing at c0d3.blue

And the community node then tunnels to the network of their
choice.

I can already use the identifier linus.luessing at c0d3.blue to get
access to my emails, SIP- or XMPP-account - why not make it
usable for entering my private network at home via any access
point in a universal, standardized way, too?


Freeradius as is of course does not allow this yet. But in theory,
I think the RADIUS/802.1x side should be capable, shouldn't it? Just
some glue code for encapsulating everything in IP and then routing
it to the right host would be needed?


Would love to have a chat about this with other people interested
in this and/or more experienced with RADIUS/802.1x than me at the
next Battlemesh.

Regards, Linus


PS: My enquiry via the contact form on the Eduroam webpage
regarding Eduroam on Freifunk nodes was left unanswered back then.
Anyone knowing someone @Eduroam?

PPS: Not sure whether they might be relevant, but RFC6613 (RADIUS
over TCP) and RFC6614 (Transport Layer Security (TLS) Encryption
for RADIUS) sound interesting, too.


> 
> We will have 1 eduroam access point at the Battlemesh room. It would be
> great if we could set up some solution with it.
> 
> Best Regards,
> Filipe Teixeira
> 
> 2016-02-23 11:36 GMT+00:00 Huub Schuurmans <huubsch at xs4all.nl>:
> 
> > Op 21/02/16 om 09:55 schreef Mitar:
> > > Hi!
> > >
> > > Eduroam has some interesting usefulness as a global network and I
> > > started wondering if it would be possible to add to our nodes Eduroam
> > > SSID as a parallel SSID. One thing is to do it officially, but could
> > > this be done unofficially by connecting to an existing AP somehow and
> > > just bridge everything over? Can this work with 802.1X in place? So that
> > > you would bridge the whole AP network over, including the 802.1X on the
> > > SSID?
> > >
> >
> > Yes, Eduroam service can be run in parallel over a community network. We
> > did a research project a couple of years ago and ran a 'proof of
> > concept'.
> > In our hardware setup we have multiple APs at each network node, so we
> > installed a dedicated Eduroam-AP with WPA2 and a VPN-tunnel to a Radius
> > server/proxy at the internet gateway.
> >
> > Details are at
> > https://www.wirelessleiden.nl/projects/eduroam
> > Unfortunately this documentation is in Dutch.
> >
> > Huub
> >
> >
> > _______________________________________________
> > Battlemesh mailing list
> > Battlemesh at ml.ninux.org
> > http://ml.ninux.org/mailman/listinfo/battlemesh
> >
> 
> 
> 
> -- 
> 
> *Filipe Borges Teixeira*
> Centro de Telecomunicações e Multimédia
> Centre for Telecommunications and Multimedia
> 
> *INESC TEC*
> Campus da FEUP
> Rua Dr Roberto Frias
> 4200-465 Porto
> Portugal
> 
> T +351 22 209 4299
> M +351 91 247 8025
> F +351 22 209 4050
> filipe.b.teixeira at inesctec.pt
> www.inesctec.pt



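The realm-based forwarding Linus sketches above (the community AP deciding where to tunnel a client's EAPOL traffic from the domain part of the username) can be illustrated with a small parser. The following is an added example, not code from this thread or from Freeradius, Eduroam or any Freifunk project: it decodes an EAPOL-encapsulated EAP-Response/Identity frame as the untrusted node would see it, takes the realm after the last '@' as RFC 7542 defines the NAI, and looks that realm up in a constructed routing table (the endpoint hostnames in it are hypothetical). The identity visible at this point is the outer EAP identity, which a client may send as anonymous@realm; the real username travels inside the TLS tunnel of EAP-TTLS or PEAP and never reaches the community AP. Identities without a realm and realms not in the table get no route, so the node only tunnels to endpoints an operator configured, never to a host derived from client input.

```python
"""Realm-based routing decision for 802.1X identity frames (added example).

Parses an EAPOL frame carrying an EAP-Response/Identity, extracts the NAI
realm (RFC 7542: everything after the LAST '@') and maps it to the trusted
authenticator/RADIUS proxy the session should be tunnelled to.  Unknown
realms are refused rather than forwarded somewhere guessed.  The routing
table and the test frame builder below are constructed for this example.
"""
import struct

ETHERTYPE_EAPOL = 0x888E        # IEEE 802.1X EtherType
EAPOL_TYPE_EAP_PACKET = 0       # EAPOL body carries an EAP packet
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# Constructed routing table: realm -> tunnel endpoint (hypothetical names).
REALM_ROUTES = {
    "eduroam.org": "eduroam-proxy.example.net",
    "c0d3.blue": "radius.c0d3.blue",
}


def parse_eapol_identity(frame: bytes) -> str:
    """Return the identity string from an EAPOL/EAP-Response/Identity frame.

    Raises ValueError for anything that is not exactly that frame type.
    """
    if len(frame) < 14 + 4:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("EAPOL type %d is not EAP-Packet" % eapol_type)
    body = frame[18:18 + body_len]
    if len(body) < 5:
        raise ValueError("EAP packet too short")
    code, _eap_id, eap_len, eap_type = struct.unpack("!BBHB", body[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    if eap_len > len(body):
        raise ValueError("EAP length field exceeds EAPOL body")
    return body[5:eap_len].decode("utf-8")


def nai_realm(identity: str):
    """Realm of an NAI: the part after the LAST '@', lower-cased; None if absent."""
    if "@" not in identity:
        return None
    _user, realm = identity.rsplit("@", 1)
    return realm.lower() or None


def route_for(frame: bytes):
    """Tunnel endpoint for this client's session, or None if it must be refused."""
    try:
        identity = parse_eapol_identity(frame)
    except ValueError:
        return None
    realm = nai_realm(identity)
    if realm is None:
        return None                   # bare username: no home network to forward to
    return REALM_ROUTES.get(realm)    # unknown realm -> None, never a guessed host


def build_identity_frame(identity: str, eap_id: int = 1) -> bytes:
    """Construct a test EAPOL/EAP-Response/Identity frame (helper for this example)."""
    ident = identity.encode("utf-8")
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id,
                      5 + len(ident), EAP_TYPE_IDENTITY) + ident
    eapol = struct.pack("!BBH", 2, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
    dst = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
    src = bytes.fromhex("021122334455")   # constructed client MAC
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


if __name__ == "__main__":
    for who in ("anonymous@eduroam.org", "linus.luessing@c0d3.blue",
                "guest@unknown.example", "nobody"):
        print(who, "->", route_for(build_identity_frame(who)))
```

Note that the decision is made on the outer identity only; a client that lies about its realm merely gets tunnelled to that realm's authenticator, which then fails the inner authentication, so the community node needs no knowledge of any credentials.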