2007 © SWITCH TNC2007
Extending SWITCH Public Wireless LAN with EAP-SIM
Kurt Baumann
SWITCHmobile
Project Leader
kurt.baumann@switch.ch
Agenda
Introduction
• SWITCH Public Wireless LAN: a brief history
• Current Architecture: Symmetric Approach
EAP(-SIM) Introduction
• EAP / EAP-SIM
Extension of the Current Architecture with EAP-SIM
• Pilot ETHZ: Architecture Layout
• Implementation of EAP-SIM at ETHZ
• Rollout plan
Progression of PWLAN
• Statistics
• Outlook: Multi Provider Capable Infrastructure
Conclusions
PWLAN History, Goals and Requirements
Project goals
• Extend footprint
• Increase mobility for students, staff and researchers
• Create a platform that offers more flexibility for other future SWITCH services
Project requirements
• The traditional SWITCHmobile concept must be retained (VPN solution)
• Costs for universities shall be minimized as much as possible: symmetrical approach
• Solution should be combinable with eduroam
• Solution should support other SWITCH activities that depend on roaming access (triple play services)
• Solution must be flexible, modular and state of the art
History
• 2004: Concept SWITCH PWLAN. Universities: ETHZ, UNINE, ZHW and SWITCH; WISPs: tpn, Monzoon, TheNet
• 2005: Trial phases and institutional extension (EPFL, UniBE, BFH, HSR), including a new WISP, Swisscom
• 06/2006: Productive phase and technical extension with EAP-SIM
PWLAN Symmetric Approach
Figure: University A and University B each have a Docking Network, a Campus Network, a University VPN GW and a SWITCHmobile ACL, connected over the Internet; a Commercial User reaches the WISP through the Landing Page of the MPP. Users shown: Student_A@University_B and Student_A@PWLAN.
Legend: VPN Tunnel; User Traffic
1: User opens browser and lands on landing page
2: User clicks PWLAN provider logo
3: All corresponding user traffic is forwarded to landing page of PWLAN provider
4: Customer is redirected to landing page of PWLAN provider
5: Customer gets internet access after authentication (NAT)
MPP = Multi Provider Portal; WISP = Wireless Internet SP
EAP Definition
EAP (RFC 3748)
EAP stands for Extensible Authentication Protocol. It defines an authentication framework which supports multiple authentication methods. EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP.
EAP Method: How it works
Parties: Supplicant (Client), Authenticator (AP), Authentication Server (RADIUS/AAA). EAP runs over IEEE 802 between Client and AP.
[0] EAP starts: establish data link.
[1] Identity exchange. Request-response paradigm: a message is sent and the sender waits for a response before sending another message (a "lock step" protocol).
[2] Authentication, process-specific message exchange. All exchanges between Client, Authenticator and authentication systems are defined in a variety of specific RFCs; there are multiple message sequences depending on the authentication process. Systems for authentication (RADIUS, corporate identity servers, etc.) use various protocols and methods.
[3] Authentication messages: Success or Failure. The Authenticator determines whether the authentication is a success (EAP-Success) or a failure (EAP-Failure).
EAP-SIM Definition
EAP-SIM (RFC 4186)
EAP-SIM is a mechanism for mutual authentication and session key agreement using the Global System for Mobile Communications (GSM) and the Subscriber Identity Module (SIM).
EAP-SIM Method: How it works
GSM authentication flow between Client/SIM card, AP, AAA/RADIUS, ITP MAP-Proxy (SS7 network) and the GSM AuC:
1. AAA -> AP: RADIUS/EAP-Req/SIM/Start; AP -> Client: EAP-Req/SIM/Start
2. SIM calculates RAND. Client -> AP: EAP-Resp/SIM/Start (IMSI@realm, RAND); AP -> AAA: RADIUS/EAP-Resp/SIM/Start (IMSI@realm, RAND)
3. AAA -> MAP-Proxy -> AuC (SS7): GSM-Triplet-Request (GetAuthInfo)
4. AuC -> MAP-Proxy -> AAA: GSM-Triplet(s) (RAND, SRES, Kc)
5. AAA -> AP: RADIUS/EAP-Req/SIM/Challenge (RAND, MAC_RAND); AP -> Client: EAP-Req/SIM/Challenge (RAND, MAC_RAND)
6. Server authentication at the client: MAC_RAND(AAA) = MAC_RAND(SIM)
7. Client -> AP: EAP-Resp/SIM/Challenge (MAC_SRES); AP -> AAA: RADIUS/EAP-Resp/SIM/Challenge (MAC_SRES)
8. Client authentication at the AAA: MAC_SRES(SIM) = MAC_SRES(AAA)
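The mutual-authentication checks of the challenge phase, as an added Python model that is not part of the slides or of the SWITCH/Swisscom implementation: the AAA proves it holds the Kc values from the AuC through MAC_RAND before the client answers, and the client proves SRES through MAC_SRES without ever sending SRES. The triplets, identity and nonce are constructed values; the key derivation is a simplified stand-in for the RFC 4186 PRF, while the MACs are HMAC-SHA1-128 as in the RFC.

```python
import hashlib
import hmac

# Constructed GSM triplets (RAND, SRES, Kc), as the AuC would return them to the AAA. Not real values.
TRIPLETS = [
    (bytes.fromhex("00112233445566778899aabbccddeeff"), bytes.fromhex("01020304"), bytes.fromhex("a1a2a3a4a5a6a7a8")),
    (bytes.fromhex("ffeeddccbbaa99887766554433221100"), bytes.fromhex("0a0b0c0d"), bytes.fromhex("b1b2b3b4b5b6b7b8")),
]
IDENTITY = b"228011234567890@wlan.example"  # constructed IMSI@realm
NONCE_MT = bytes(range(16))                  # the client's nonce carried in EAP-Resp/SIM/Start

def k_aut(identity, kcs, nonce_mt):
    # Simplified stand-in for RFC 4186 section 7 (MK = SHA1(Identity|n*Kc|NONCE_MT|...), then the FIPS 186-2 PRF).
    return hashlib.sha1(identity + b"".join(kcs) + nonce_mt).digest()

def at_mac(key, data):
    # AT_MAC is HMAC-SHA1-128: the first 16 bytes of HMAC-SHA1 (RFC 4186 section 10.14)
    return hmac.new(key, data, hashlib.sha1).digest()[:16]

def aaa_build_challenge(identity, nonce_mt, triplets):
    """AAA side: EAP-Req/SIM/Challenge carries the RANDs and MAC_RAND, computed from the AuC's Kc values."""
    rands = [t[0] for t in triplets]
    key = k_aut(identity, [t[2] for t in triplets], nonce_mt)
    return rands, at_mac(key, b"".join(rands) + nonce_mt)  # simplified: MAC over RANDs and the client nonce

def sim_answer_challenge(identity, nonce_mt, rands, mac_rand, sim_triplets):
    """Client side: verify MAC_RAND (server authentication) first; only then answer with MAC_SRES."""
    known = {r: (sres, kc) for r, sres, kc in sim_triplets}  # stand-in for running A3/A8 on the SIM
    if any(r not in known for r in rands):
        return None  # a RAND this SIM cannot answer
    key = k_aut(identity, [known[r][1] for r in rands], nonce_mt)
    if not hmac.compare_digest(mac_rand, at_mac(key, b"".join(rands) + nonce_mt)):
        return None  # the network could not prove it holds Kc: abort and reveal nothing
    return at_mac(key, b"".join(known[r][0] for r in rands))  # MAC_SRES: SRES itself is never sent

def aaa_verify_response(identity, nonce_mt, triplets, mac_sres):
    """AAA side: client authentication, MAC_SRES(SIM) == MAC_SRES(AAA)."""
    key = k_aut(identity, [t[2] for t in triplets], nonce_mt)
    return hmac.compare_digest(at_mac(key, b"".join(t[1] for t in triplets)), mac_sres)

def run_exchange(aaa_triplets, sim_triplets=TRIPLETS):
    """Steps 5 to 8 of the flow; returns the EAP result the AAA would send."""
    rands, mac_rand = aaa_build_challenge(IDENTITY, NONCE_MT, aaa_triplets)
    mac_sres = sim_answer_challenge(IDENTITY, NONCE_MT, rands, mac_rand, sim_triplets)
    if mac_sres is None:
        return "EAP-Failure: client rejected MAC_RAND"
    if aaa_verify_response(IDENTITY, NONCE_MT, aaa_triplets, mac_sres):
        return "EAP-Success"
    return "EAP-Failure: MAC_SRES mismatch"
```

Feeding the AAA side triplets with the right RANDs but wrong Kc values shows the server-authentication check failing on the client, and a SIM with different SRES values shows the client-authentication check failing on the AAA.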
EAP-SIM Architecture
Extension of the current PWLAN architecture with EAP-SIM:
- Project-Organization
- Architecture
- Proof of Concept: EAP-SIM@ETHZ
- Roll-out Concept
EAP-SIM Architecture: Project Organization
Pilot: Organization
• Educational Association: ETHZ and SWITCH
• WISP: Swisscom
Pilot: Implementation
• ETHZ
  - Reconfiguration of WLAN
  - Implementation of Swisscom components
Roll-out:
SWITCH leads the Roll-out
  - Definition of Roll-out plan
  - Repository: FAQ on EAP-SIM implementation
EAP-SIM Architecture: High-level concept
EAP-SIM requirements:
- Implementation on top of an 802.1X-enabled network
- Separate VLAN, SSID: MOBILE-EAPSIM
- Swisscom-like implementation:
  VLAN is a half C-class IP address range
  Source and destination NAT (SCM-router)
  DHCP requests handled by the SCM-router
EAP-SIM Architecture: Pilot@ETHZ with Swisscom
Figure: SSID MOBILE-EAPSIM (RADIUS: Radiusx@swisscom) and SSID public (-> MPP); separate VLANs for 'Public' client data, for EAP-SIM data and for AP management; MPLS core; GRE tunnel between the MPP and the Swisscom router; router from Swisscom Mobile attached over an ADSL connection from Swisscom.
Tasks of the Router:
1. NAT of the RADIUS request to the Swisscom RADIUS
2. DHCP server for the EAP-SIM VLAN
3. NAT of the MPP clients going to Swisscom
Functions of the router:
1. Forward DHCP requests to the MPP
2. Forward DHCP requests to the router from Swisscom
Swisscom EAP-SIM Mobile setup
- New SSID "MOBILE-EAPSIM"
- Authentication 802.1X with WEP
- ETHZ reserved an official IP for their RADIUS
- Swisscom router performs source and destination NAT
- Clients are in a separate VLAN (VRF)
- Swisscom provides the subnets and DHCP
Problems
- System does not scale (more WISPs)
- The implementation solves most problems on the Swisscom router
- Channel 13 support of the Swisscom cards?
- Swapping between wireless domains?
EAP-SIM Architecture: Roll-out
Service Deployment - PWLAN, timeline from Q2 2006 to Q4 2007:
- Brainstorming, info to PWLAN members
- Definition of architecture, technical solution
- "Proof of concept": build up a test bed SWITCH/ETHZ/Swisscom
- Service: tests, test results and documentation
- Rollout: step by step to further PWLAN members, marketing
Pilot and Roll-out EAP-SIM
• Up and running: ETHZ, BFH, EPFL, HSR and SWITCH
Statistics Overview: Members
Figure: the partner hotspot networks (~330, ~175, ~265 and ~1600 hotspots) connected over the Internet to the PWLAN Academic Association, represented by ~97'700 people.
Statistics Monitoring
Figure: Monzoon, TheNet and TPN are each connected to the Academic Association by GRE and VPN; Swisscom (GRE, VPN) starting April 2007.
Commercial WISP market in Switzerland
Market shares (pie chart): 23%, 8%, 17%, 50%, 2%; legend: Monzoon, TPN, TheNet, Swisscom, Others
Conclusions
SWITCH PWLAN extends the footprint for the Academic Association and for the WISPs.
SWITCH PWLAN corresponds technologically to the most current standards: IEEE 802.1X, EAP/EAP-SIM.
SWITCH PWLAN makes a further enlargement of the user population possible through a "Multi Provider Capable Infrastructure".