Authentication and Authorisation in eduroam, Klaas Wierenga, AA Workshop TNC, Lyngby, 20th May 2007

Post on 08-Jan-2018


Authentication and Authorisation in eduroam

Klaas Wierenga, AA Workshop TNC

Lyngby, 20th May 2007

Contents

- Intro eduroam
- AA requirements
- AA implementation
- Authorisation
- Summary

eduroam

The goal of eduroam

“open your laptop and be online”

or

• To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world enabling seamless sharing of network resources

eduroam

[Figure: University A (access point) and University B (user DB), linked through SURFnet as trusted third party; guest piet@university_b.nl connecting at University A]

• eduroam enables (federated) network access
• A trusted third party exists that guarantees that both peers are ‘trustworthy’, allowing for scalability

AA requirements

AA Requirements

- “Reasonable security”
  - Not trying to solve every problem of the universe
  - Uniquely identifying users at the edge of the network
  - Local choice of authentication method
- Data integrity
  - Good identity management
  - No tampering with data
- Compliance with privacy regulations
  - No data “leakage”
- Verifiability
  - Monitoring
  - Logging

Source: JRA5 and TF-Mobility roaming requirements

AA implementation

Secure network access with 802.1X

[Figure: supplicant jan@university_a.nl, authenticator (AP or switch), RADIUS server and user DB of University A; data and signalling paths; Student, Guest and Employee VLANs towards the Internet]

• 802.1X
• (VLAN assignment)

eduroam

[Figure: the 802.1X picture extended with the RADIUS server and user DB of University B and the central RADIUS proxy server at SURFnet; guest piet@university_b.nl authenticating at University A; Student, Guest and Employee VLANs; data and signalling paths]

• Trust based on RADIUS plus policy documents
• 802.1X
• (VLAN assignment)

Tunneled authentication (PEAP/TTLS)

- Uses a TLS/SSL tunnel to protect data
- The TLS tunnel is set up using the server certificate, thus authenticating the server and preventing man-in-the-middle attacks (this holds only when the supplicant is configured to verify the certificate against the expected CA and server name; a supplicant that skips this check will happily build its tunnel to a rogue access point and hand over the inner credentials)
- The user sends his credentials through the secure tunnel to the server, thus authenticating the user
- Can use dynamic session keys for ‘in the air’ encryption

[Figure (© Alfa&Ariss): 802.1X client, EAP, RADIUS server; server authentication sets up the TLS tunnel; user authentication runs inside the tunnel and is protected by it]

eduroam architecture

- Security based on 802.1X (WEP/WPA/WPA2)
  - Identity-based networking
  - Using the Extensible Authentication Protocol (EAP) to allow for multiple authentication mechanisms
  - Mutual authentication (PEAP, TTLS, TLS)
  - Protection of credentials (tunneled authentication)
  - Layer 2
- Roaming based on RADIUS proxying
  - Remote Authentication Dial In User Service
  - Transport protocol for authentication information
  - Using shared secrets between peers
- Trust fabric based on:
  - RADIUS hierarchy
  - Policy
- Authentication ≈ Authorisation
  - RADIUS attribute filtering
  - VLAN assignment
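The two slides above (tunneled authentication, and roaming by RADIUS proxying with attribute filtering and VLAN assignment) in working form, as an added example. This is not code from the slides, from eduroam or from any RADIUS server; it models the behaviour described: the visited site routes on the realm of the outer User-Name, walks the national/EU proxy hierarchy, and filters what comes back from a remote home server before the authenticator sees it. Every hostname, realm, user, password and VLAN number is constructed for the example.

```python
"""Realm-based RADIUS proxying with reply-attribute filtering (added
example, not eduroam's or any RADIUS server's code).

Proxies only ever see the outer User-Name (e.g. anonymous@university_b.nl);
the inner identity and password travel inside the PEAP/TTLS tunnel and are
visible only to the home server that terminates it.
"""

HOME = "HOME"  # marker: this node is the home server for the realm

# Constructed proxy hierarchy. Each node maps exact realms (or dotted
# suffixes, used by the EU root) to the next hop; anything else goes to
# the node's default hop, or is rejected when there is none.
HIERARCHY = {
    "radius.university_a.nl": ({"university_a.nl": HOME}, "nl-proxy.example"),
    "radius.university_b.nl": ({"university_b.nl": HOME}, "nl-proxy.example"),
    "radius.dtu.dk":          ({"dtu.dk": HOME}, "dk-proxy.example"),
    "nl-proxy.example": ({"university_a.nl": "radius.university_a.nl",
                          "university_b.nl": "radius.university_b.nl"},
                         "eu-root.example"),
    "dk-proxy.example": ({"dtu.dk": "radius.dtu.dk"}, "eu-root.example"),
    "eu-root.example":  ({".nl": "nl-proxy.example", ".dk": "dk-proxy.example"}, None),
}

# Constructed user databases: inner identity -> (password, VLAN id the
# user would get on the home network). Real deployments store hashes.
USER_DB = {
    "radius.university_a.nl": {"jan@university_a.nl": ("jan-pw", "20")},
    "radius.university_b.nl": {"piet@university_b.nl": ("piet-pw", "12")},
    "radius.dtu.dk":          {"anne@dtu.dk": ("anne-pw", "5")},
}

GUEST_VLAN = "30"  # the visited site's guest VLAN

# Reply attributes a visited site is willing to take from a *remote* home
# server. Tunnel-* (VLAN) attributes are deliberately absent: a VLAN id
# only has meaning on the network that issued it.
REMOTE_REPLY_ALLOWLIST = {"Class", "Session-Timeout", "Chargeable-User-Identity"}


def split_realm(user_name):
    """'piet@university_b.nl' -> ('piet', 'university_b.nl'); no realm -> (None, None)."""
    if "@" not in user_name:
        return None, None
    user, _, realm = user_name.rpartition("@")
    return user, realm.lower()


def next_hop(node, realm):
    table, default = HIERARCHY[node]
    if realm in table:
        return table[realm]
    for suffix, hop in table.items():
        if suffix.startswith(".") and realm.endswith(suffix):
            return hop
    return default


def route(start, realm, max_hops=8):
    """Walk the hierarchy; return (path, home_node), home_node None if unroutable."""
    path, node = [start], start
    while len(path) <= max_hops:
        hop = next_hop(node, realm)
        if hop == HOME:
            return path, node
        if hop is None or hop in path:   # unknown realm, or a routing loop
            return path, None
        path.append(hop)
        node = hop
    return path, None


def home_authenticate(home, outer_realm, inner_identity, password):
    """The home server at the end of the tunnel checks the inner identity."""
    _, inner_realm = split_realm(inner_identity)
    # Policy choice for this example: the inner realm must equal the realm
    # the request was routed on, so an outer identity cannot steer someone
    # else's credentials to a server that is not their home.
    if inner_realm != outer_realm:
        return None
    entry = USER_DB[home].get(inner_identity)
    if entry is None or entry[0] != password:
        return None
    home_vlan = entry[1]
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": home_vlan, "Class": f"{home}/sess-1"}


def access_request(visited, outer_identity, inner_identity, password):
    """One Access-Request as seen by the visited site's RADIUS server."""
    _, realm = split_realm(outer_identity)
    if realm is None:
        return {"result": "Access-Reject", "reason": "no realm in User-Name", "path": [visited]}
    path, home = route(visited, realm)
    if home is None:
        return {"result": "Access-Reject", "reason": "unroutable realm", "path": path}
    reply = home_authenticate(home, realm, inner_identity, password)
    if reply is None:
        return {"result": "Access-Reject", "reason": "rejected by home server", "path": path}
    if home == visited:
        attrs = dict(reply)        # own server: its VLAN assignment is trusted as-is
    else:
        attrs = {k: v for k, v in reply.items() if k in REMOTE_REPLY_ALLOWLIST}
        attrs.update({"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                      "Tunnel-Private-Group-Id": GUEST_VLAN})
    return {"result": "Access-Accept", "path": path, "attributes": attrs}


if __name__ == "__main__":
    r = access_request("radius.university_a.nl", "anonymous@university_b.nl",
                       "piet@university_b.nl", "piet-pw")
    print(" -> ".join(r["path"]), r["result"], r["attributes"])
```

The guest from University B is routed A → national proxy → B on the outer identity alone; B's reply carries B's VLAN 12, which the visited site strips and replaces with its own guest VLAN, keeping only the opaque Class for accounting. A realm nobody is responsible for bounces between the EU root and a country proxy, which the hop-path check turns into a reject instead of a loop.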

RadSec/DNSROAM

- RADIUS packet format
- Transport: TCP (or SCTP)
- Encryption: TLS (optional)
  - TLS => PKI
- DNSROAM combines RadSec with DNS for dynamically locating the peer
- RadSec RFC is being worked on

Fully hierarchical

[Figure: EU hierarchy root, country-level servers and institutions; links within the hierarchy labelled RadSec, with one still plain RADIUS (mixed mode)]

• First mixed mode
• Later DNSROAM?

‘Real’ Authorisation?

DAMe - Deploying Authorization Mechanisms for Federated Services in eduroam

- DAMe is a project that builds upon:
  - eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard
  - Shibboleth and eduGAIN
  - NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) standards

[Figure: the eduroam picture (RADIUS servers and user DBs of University A and B, central RADIUS proxy server, authenticator, supplicant of guest piet@university_b.nl) extended with a Policy Decision Point (XACML) and a Source Attribute Authority (SAML); data and signalling paths]

• User mobility controlled by assertions and policies expressed in SAML and XACML

1st: Extension of eduroam with authR

2nd: eduGAIN AuthN+AuthR backend

- Link between the AAA servers (now acting as Service Providers) and eduGAIN

3rd: Universal Single Sign On

- Users will be authenticated once, during the network access control phase
- The eduGAIN authentication would be bootstrapped from the NAS-SAML
- New method for delivering authentication credentials and new security middleware

4th goal: integrating applications, focusing on grids.
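The “user mobility controlled by assertions and policies expressed in SAML and XACML” idea of the DAMe slides, as an added example. This is not code from DAMe, NAS-SAML, eduGAIN or the slides: the home institution’s attribute authority is modelled as a dict standing in for a SAML attribute statement (signature verification is assumed to have happened already), and the visited institution’s Policy Decision Point evaluates a small XACML-like rule set over it with deny-overrides combining. Issuer names, affiliations, VLAN numbers, the validity window and the policy itself are all constructed.

```python
"""Attribute-based network-access decision in the DAMe/NAS-SAML style
(added example; not the project's code). A SAML assertion is modelled as
a dict, an XACML policy as a list of (target, effect, obligations) rules.
"""
from datetime import datetime, timedelta, timezone

LOCAL_IDP = "idp.university_a.nl"                      # the visited site's own IdP (assumed name)
TRUSTED_ISSUERS = {LOCAL_IDP, "idp.university_b.nl"}   # federation members (assumed)

# Rules: (target, effect, obligations). Every predicate in a target must
# hold for the rule to apply; obligations are what the enforcement point
# (the RADIUS server / NAS) has to apply when the decision is Permit.
POLICY = [
    ({"affiliation": {"affiliate"}}, "Deny", {}),
    ({"issuer": {LOCAL_IDP}, "affiliation": {"employee"}}, "Permit", {"vlan": "20"}),
    ({"issuer": {LOCAL_IDP}, "affiliation": {"student"}}, "Permit", {"vlan": "10"}),
    # Any member of a federation institution gets the guest VLAN.
    ({"affiliation": {"student", "employee", "faculty"}}, "Permit",
     {"vlan": "30", "session_timeout": 3600}),
]

T0 = datetime(2007, 5, 20, 10, 0, tzinfo=timezone.utc)   # constructed reference time


def later(minutes):
    """T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


def make_assertion(issuer, subject, affiliation, issued_at, lifetime_s=300):
    """Constructed stand-in for a SAML assertion with a validity window."""
    return {"issuer": issuer, "subject": subject,
            "not_before": issued_at,
            "not_on_or_after": issued_at + timedelta(seconds=lifetime_s),
            "attributes": {"affiliation": affiliation}}


def validate_assertion(assertion, now):
    """Return None if the assertion may be trusted, otherwise the reason not to."""
    if assertion["issuer"] not in TRUSTED_ISSUERS:
        return "issuer is not a federation member"
    if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
        return "assertion outside its validity window"
    return None


def matches(target, attrs):
    return all(attrs.get(name) in allowed for name, allowed in target.items())


def decide(assertion, now):
    """Deny-overrides combining: any applicable Deny wins, otherwise the
    first applicable Permit (with its obligations), otherwise NotApplicable.
    A deny-biased enforcement point treats anything but Permit as no access."""
    reason = validate_assertion(assertion, now)
    if reason:
        return {"decision": "Indeterminate", "reason": reason}
    attrs = dict(assertion["attributes"], issuer=assertion["issuer"])
    applicable = [(effect, obl) for target, effect, obl in POLICY if matches(target, attrs)]
    if any(effect == "Deny" for effect, _ in applicable):
        return {"decision": "Deny"}
    for effect, obl in applicable:
        if effect == "Permit":
            return {"decision": "Permit", "obligations": obl}
    return {"decision": "NotApplicable"}


if __name__ == "__main__":
    guest = make_assertion("idp.university_b.nl", "piet@university_b.nl", "student", T0)
    print(decide(guest, T0))
```

The point the slides make is that authorisation then no longer collapses into “authenticated, therefore guest VLAN”: the same policy engine hands a local employee VLAN 20, a visiting student the guest VLAN with a session limit, refuses an affiliate outright, and gives no access at all on an expired or foreign-issued assertion.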

Summary

- eduroam provides reasonable security
- AuthN is reasonable and is slowly being improved
- AuthR is relatively weak but is being worked upon (that is, we hope that the eduGAIN guys and girls will give it to us)
- Currently the main inhibitor is politics

Thank you!

More info: Klaas.Wierenga@surfnet.nl
