On 01/13/2012 03:43 PM, Denis Pavani wrote:
> My company plans to have a wireless network where authentication
> credentials come from a federation using shibboleth.
> We have in production a cisco wireless controller, and really I was
> trying not to bypass it for a different captive portal.
> Is it possible to use "authby URL" redirecting credentials to a cgi
> which provides shibboleth authentication?
> Does anyone have experience with this?
I think this model is too straightforward to work. You need to allow passthrough for every organisation that participates in the federation. The users need to access the authentication web page of their home organisation. After the authentication the user is redirected back to your login web page and the web server sets the environment variables to reflect the outcome of the user's authentication. That is, you do not get any access to credentials you could use to do the login. To actually use this information, you would most likely have to bypass the controller to utilise information from shibboleth.

One method to make shibboleth based WLAN login is this:

1. Create a captive portal that lets the users select their home organisation. When they select it, they get redirected to their home login page. This portal most likely can not be in the controller but needs a web server with shibboleth authentication modules. The shibboleth authentication starts here.
2. The success URL users get from their home shibboleth login directs them back to your web server.
3. The resource pointed to by the success URL (e.g., CGI script) creates a temporary username/password in e.g. an SQL database.
4. The user is redirected to the controller's login page with a GET or POST request. The request parameters specify the temporary username/password.
5. The controller does RADIUS authentication against the SQL database.
6. If the authentication is successful, as it always should be at this point, the controller opens the captive portal. The user has now logged in.

Something like the above should make it possible to use shibboleth for WLAN authentication. Note that it does not enable encrypted radio, so even if authentication is strong, users are still susceptible to eavesdropping.

Have you considered eduroam for federated authentication?

Thanks!
Heikki

-- 
Heikki Vatiainen <h...@open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server anywhere.
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
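Steps 3 to 5 of the procedure in Heikki's reply, written out as an added example that is not part of the thread or of Radiator: the success-URL handler reads the identity that mod_shib exports to the CGI environment, mints a short-lived temporary credential in an SQL table, and builds the redirect to the controller; the second function is the check the RADIUS server's SQL lookup should enforce (not expired, correct password, consumed on first use). The controller URL, the table layout and the 120-second lifetime are assumptions; sqlite is used in memory so the example runs offline.

```python
import secrets
import sqlite3
import time
from urllib.parse import urlencode

# Assumed values: the controller's login page and how long a temporary
# credential must survive (only the redirect from step 4 to step 5).
CONTROLLER_LOGIN_URL = "https://wlc.example.org/login.html"  # placeholder
TEMP_CREDENTIAL_TTL = 120  # seconds

def open_db(path=":memory:"):
    """Open the SQL store shared by the CGI script and the RADIUS server."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS tempcred ("
               "username TEXT PRIMARY KEY, password TEXT NOT NULL, "
               "eppn TEXT NOT NULL, idp TEXT NOT NULL, expires INTEGER NOT NULL)")
    return db

def shib_success_handler(db, environ, now=None):
    """Step 3: runs at the Shibboleth success URL. Takes the CGI environment,
    mints a temporary credential and returns the step-4 redirect URL."""
    eppn = environ.get("REMOTE_USER")                 # set by mod_shib after login
    idp = environ.get("Shib-Identity-Provider", "")   # which home IdP vouched
    if not eppn:
        raise PermissionError("no Shibboleth session, nothing to vouch for")
    now = int(time.time()) if now is None else now
    username = "shib-" + secrets.token_hex(8)        # random, unguessable
    password = secrets.token_urlsafe(24)
    db.execute("INSERT INTO tempcred VALUES (?, ?, ?, ?, ?)",
               (username, password, eppn, idp, now + TEMP_CREDENTIAL_TTL))
    db.commit()
    # GET form shown for brevity; a self-submitting POST form keeps the
    # credential out of proxy and web server logs.
    return CONTROLLER_LOGIN_URL + "?" + urlencode({"username": username,
                                                   "password": password})

def radius_check(db, username, password, now=None):
    """Step 5: the lookup behind the controller's RADIUS request. Returns the
    federated identity to account against, or None to reject."""
    now = int(time.time()) if now is None else now
    row = db.execute("SELECT password, expires, eppn FROM tempcred "
                     "WHERE username = ?", (username,)).fetchone()
    if row is None or now > row[1] or not secrets.compare_digest(row[0], password):
        return None
    db.execute("DELETE FROM tempcred WHERE username = ?", (username,))  # single use
    db.commit()
    return row[2]
```

Because the credential is deleted on first successful check, a replay of the same redirect URL is rejected, and expired rows never authenticate even if they are not purged.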