Post on 15-Jan-2016
![Page 1: High-quality Internet for higher education and research eduroam EuroCAMP, Porto, November 9, 2005 Klaas.Wierenga@surfnet.nl](https://reader034.vdocuments.mx/reader034/viewer/2022051401/56649d2a5503460f949fe36d/html5/thumbnails/1.jpg)
High-quality Internet for higher education and research
eduroam
EuroCAMP, Porto, November 9, 2005
Klaas.Wierenga@surfnet.nl
Contents
• Why 802.1X and eduroam?
• Implementation
  – Requirements
  – Technology
  – Policy
• Status eduroam
• Future of eduroam
• Conclusions
But first…
• What is a federation?
• Is eduroam a federation?
• Is it a service?
• Is it a brand?
• Or…
Why 802.1X and eduroam?
Wireless LAN is unsafe
root@ibook:~# tcpdump -n -i eth1
19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:08.997961 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:09.000581 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply ^C
Users are mobile
[Diagram: the SURFnet backbone with international connectivity, connecting University A and University B (WLAN) and access providers reached over cable, ADSL, WLAN and GPRS/UMTS]
Requirements
• Identify users uniquely at the edge of the network
  – No session hijacking
• Enable guest usage
• Scalable
  – Local user administration and authentication
  – No exponential administrative load
• Easy to install and use
  – At most a one-time installation by the user
• Open
  – Support for all common operating systems
  – Non-proprietary
• Secure
Possible solutions
• Open access: scalable, unsafe
• MAC address: not scalable, unsafe
• WEP: not scalable, unsafe
European research networks:
• Web-gateway+RADIUS: scalable, unsafe
• VPN-gateway: not scalable, safe
• 802.1X+RADIUS: scalable, safe, the future (WPA, WPA2)
Implementation
eduroam architecture
• Security based on 802.1X (or web-based redirect)
  – Different authentication mechanisms possible
  – Identity-based networking
  – Mutual authentication possible (by using the right EAP types: PEAP, TTLS, TLS)
  – Protection of credentials
  – Integration with VLAN assignment
  – Provides the basis for the new wireless security standards WPA and 802.11i
• Roaming based on RADIUS proxying
  – Remote Authentication Dial In User Service
  – Transport protocol for authentication information
• Trust fabric based on:
  – Technical: RADIUS hierarchy
  – Policy: documents/contracts that define the responsibilities of user, institution, NREN and the eduroam federation
Secure access to the network with 802.1X
[Diagram: a supplicant with a university_a.nl identity connects to the authenticator (AP or switch) at University A; signaling goes to University A's RADIUS server and user DB, data goes to the Internet through the assigned Student, Commercial or Employee VLAN]
• 802.1X
• (VLAN assignment)
eduroam
[Diagram: guest piet@university_b.nl connects to the authenticator (AP or switch) at University A; University A's RADIUS server proxies the signaling via SURFnet's central RADIUS proxy server to University B's RADIUS server and user DB; data flows at University A through the assigned Student, Commercial or Employee VLAN]
• Trust based on RADIUS plus policy documents
• 802.1X
• (VLAN assignment)
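The roaming flow on this slide and the "Roaming based on RADIUS proxying / Trust fabric: RADIUS hierarchy" bullets of the architecture slide, as an added example that is not code from the slides or from eduroam/SURFnet: an in-memory Python model of the proxy hierarchy. Server names, realms, users, passwords, VLAN names and the hop limit are assumptions constructed for the example; real deployments exchange RADIUS packets over UDP or RadSec, which the model replaces with direct method calls so it runs offline. It shows what each party sees: every proxy routes on the realm of the outer identity, only the home server checks the inner user name and password, and the visited site decides which VLAN a roaming guest lands in.

```python
# In-memory model of eduroam's RADIUS proxy hierarchy (added example, not project code).
# Server names, realms, users, passwords, VLAN names and MAX_HOPS are constructed; real
# deployments exchange RADIUS packets (UDP or RadSec), which direct handle() calls replace here.
from dataclasses import dataclass, field
from typing import List, Optional

MAX_HOPS = 8  # assumed loop guard; real proxies rely on Proxy-State and per-hop timeouts

def parse_realm(identity: str) -> Optional[str]:
    """Realm of 'user@realm' (local part may be empty, as in '@realm'); None if malformed."""
    if identity.count("@") != 1:
        return None
    realm = identity.split("@")[1].lower()
    if not realm or realm.startswith(".") or realm.endswith(".") or ".." in realm:
        return None
    return realm

@dataclass
class AccessRequest:
    outer_identity: str  # EAP outer identity: every proxy sees it and routes on its realm
    inner_identity: str  # real user name: only the home server sees it, inside the TLS tunnel
    password: str        # likewise only reaches the home server
    path: List[str] = field(default_factory=list)  # servers traversed: the audit trail

@dataclass
class AccessResponse:
    accepted: bool
    vlan: Optional[str] = None
    reason: str = ""

class RadiusServer:
    """Authoritative for some realms; proxies everything else by realm suffix."""
    def __init__(self, name, realms=(), users=None, default=None):
        self.name = name
        self.realms = set(realms)  # realms authenticated locally
        self.users = users or {}   # inner identity -> (password, VLAN)
        self.routes = {}           # realm suffix -> next-hop RadiusServer
        self.default = default     # upstream for realms with no explicit route

    def handle(self, req: AccessRequest) -> AccessResponse:
        req.path.append(self.name)
        if len(req.path) > MAX_HOPS:
            return AccessResponse(False, reason="hop limit exceeded (proxy loop?)")
        realm = parse_realm(req.outer_identity)
        if realm is None:
            return AccessResponse(False, reason="malformed outer identity")
        if realm in self.realms:
            return self._authenticate(req)
        next_hop = self._next_hop(realm)
        if next_hop is None:
            return AccessResponse(False, reason=f"{self.name}: no route for realm {realm}")
        return next_hop.handle(req)

    def _next_hop(self, realm):
        for suffix in sorted(self.routes, key=len, reverse=True):  # longest suffix wins
            if realm == suffix or realm.endswith("." + suffix):
                return self.routes[suffix]
        return self.default

    def _authenticate(self, req):
        entry = self.users.get(req.inner_identity)
        if entry is None or entry[0] != req.password:
            return AccessResponse(False, reason="bad credentials")
        return AccessResponse(True, vlan=entry[1])

class Authenticator:
    """The visited site's AP or switch: consults its RADIUS server, then picks the VLAN."""
    def __init__(self, local_realms, radius, guest_vlan="GuestVLAN"):
        self.local_realms, self.radius, self.guest_vlan = set(local_realms), radius, guest_vlan

    def connect(self, req: AccessRequest) -> AccessResponse:
        resp = self.radius.handle(req)
        if not resp.accepted:
            return resp
        if parse_realm(req.outer_identity) in self.local_realms:
            return resp  # local user: honour the VLAN returned by the home server
        return AccessResponse(True, vlan=self.guest_vlan, reason="roaming guest")  # visited site decides

def build_hierarchy() -> RadiusServer:
    """Institutions -> national proxies -> European proxy; returns University A's server."""
    eu = RadiusServer("radius.eduroam.org")
    nl = RadiusServer("radius.surfnet.nl", default=eu)
    pt = RadiusServer("radius.eduroam.pt", default=eu)
    uni_a = RadiusServer("radius.university_a.nl", {"university_a.nl"}, {"jan": ("jan-secret", "EmployeeVLAN")}, nl)
    uni_b = RadiusServer("radius.university_b.nl", {"university_b.nl"}, {"piet": ("piet-secret", "StudentVLAN")}, nl)
    fccn = RadiusServer("radius.fccn.pt", {"fccn.pt"}, {"ana": ("ana-secret", "EmployeeVLAN")}, pt)
    nl.routes = {"university_a.nl": uni_a, "university_b.nl": uni_b}
    pt.routes = {"fccn.pt": fccn}
    eu.routes = {"nl": nl, "pt": pt}
    return uni_a

def visit_university_a(outer, inner, password):
    """A device joins University A's eduroam SSID; returns (response, servers traversed)."""
    req = AccessRequest(outer, inner, password)
    return Authenticator({"university_a.nl"}, build_hierarchy()).connect(req), req.path

def proxy_loop_demo() -> AccessResponse:
    """Two misconfigured proxies defaulting to each other: the hop guard ends the loop."""
    x = RadiusServer("proxy-x")
    x.default = RadiusServer("proxy-y", default=x)
    return x.handle(AccessRequest("someone@nowhere.example", "someone", "pw"))

if __name__ == "__main__":
    resp, path = visit_university_a("anonymous@university_b.nl", "piet", "piet-secret")
    print(resp, " -> ".join(path))
```

The `path` list is the point of the model: a guest from university_b.nl visiting University A is seen by three servers (University A, the national proxy, University B), a guest from fccn.pt by five, and each of them learns only the outer identity and the accept/reject result. The `proxy_loop_demo` case shows why a hop guard matters once routes are static peer-to-peer agreements: one wrong default route sends a request round in circles.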
Tunneled authentication (PEAP/TTLS)
• Uses a TLS/SSL tunnel to protect data
  – The TLS tunnel is set up using the server certificate, thus authenticating the server and preventing man-in-the-middle attacks
  – The user sends his credentials through the secure tunnel to the server, thus authenticating the user
• Can use dynamic session keys for ‘in the air’ encryption
© Alfa&Ariss
[Diagram: 802.1X client, EAP, RADIUS server; the TLS tunnel provides server authentication, and the user authentication carried inside it is protected by the tunnel]
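The client side of this slide (and the "Protection of credentials" bullet of the architecture slide), as an added example that is not code from the slides or from wpa_supplicant: a Python lint over a wpa_supplicant eduroam profile that flags the settings under which a client would send its credentials before the server has been authenticated. The two profiles are constructed; the option names (`ca_cert`, `domain_suffix_match`, `anonymous_identity`, ...) are real wpa_supplicant keys, while the CA file path, realm, user name and password are placeholders; the rule set is this example's own reading of the slide, not an official eduroam or wpa_supplicant checklist.

```python
# Lint a wpa_supplicant eduroam profile for the settings that make PEAP/TTLS safe.
# Added example, not code from the slides or from wpa_supplicant. Profiles are constructed;
# option names are real wpa_supplicant keys, the CA path, realm and password are placeholders.
import re
from typing import Dict, List

WEAK_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="piet@university_b.nl"
    password="piet-secret"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@university_b.nl"
    identity="piet@university_b.nl"
    password="piet-secret"
    ca_cert="/etc/ssl/certs/university_b-radius-ca.pem"  # placeholder path
    domain_suffix_match="radius.university_b.nl"
    phase2="auth=MSCHAPV2"
}
"""

_KV = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
TUNNELLED = {"PEAP", "TTLS"}
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_network_block(text: str) -> Dict[str, str]:
    """Key/value pairs of the first network={...} block, quotes and '#' comments stripped.
    Simplification: a '#' inside a quoted value would be taken as a comment."""
    opts: Dict[str, str] = {}
    inside = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.replace(" ", "") == "network={":
            inside = True
        elif line == "}" and inside:
            break
        elif inside and (m := _KV.match(line)):
            key, value = m.group(1), m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            opts[key] = value
    return opts


def realm_of(identity: str) -> str:
    return identity.rsplit("@", 1)[1].lower() if "@" in identity else ""


def lint(profile: str) -> List[str]:
    """Rule ids for each weakness found; an empty list means the profile passes."""
    o = parse_network_block(profile)
    findings: List[str] = []
    if o.get("key_mgmt") != "WPA-EAP":
        findings.append("not-802.1x")  # open or PSK network: no per-user authentication
    eap = o.get("eap", "").upper()
    if eap not in TUNNELLED | {"TLS"}:
        findings.append("unknown-eap-method")
    if eap in TUNNELLED:
        if "ca_cert" not in o:
            # Without a trust anchor the client accepts any server certificate, so the
            # server is never really authenticated before the credentials enter the tunnel.
            findings.append("no-ca-cert")
        if not any(k in o for k in SERVER_NAME_KEYS):
            # With only ca_cert, any certificate that CA issued would be accepted,
            # not just the home institution's RADIUS server.
            findings.append("no-server-name-check")
        outer = o.get("anonymous_identity", "")
        if not outer:
            findings.append("no-anonymous-identity")  # real user name travels outside the tunnel via every proxy
        elif realm_of(outer) != realm_of(o.get("identity", "")):
            findings.append("outer-inner-realm-mismatch")  # proxies would route to the wrong home server
    if not realm_of(o.get("identity", "")):
        findings.append("identity-without-realm")  # cannot be routed when roaming
    return findings


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, lint(profile) or "OK")
```

The weak profile authenticates the user but never the server: the slide's "mutual authentication" only holds once the supplicant pins the CA and the expected server name, which is what the two extra keys in the hardened profile do. The `anonymous_identity` rule ties this slide to the roaming slide: the outer identity is what the proxies route on, so it must carry the home realm, and it need not carry the user name.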
Status
Status of eduroam
• Over 400 institutions in Europe, Australia and Taiwan
• USA, Belgium, Sweden will follow shortly
Members
FCCN was among the first eduroam participants
Future
Monitoring: usertracking & weathermap
But what to do with the info?
Technology: bypassing the hierarchy overhead?
[Diagram: the European server above the national servers .nl, .ac.uk, .pl, …; the institutions uva.nl and uni.torun.pl below them; access points and the user database at the bottom]
• AA traffic goes through all intermediate entries
• All links are peer-to-peer agreements / static routes / p2p secure
• DIAMETER? DNSsec? Radsec
Roaming policy
• Minimal security level
• Levels of assertion
• Who can
• SLAs
• Incident response
• Policy board
Usability: standardisation, localisation, expansion
• Standardisation
  – Limited set of encryption and SSID choices
    • Encryption: 802.1X+WEP, WPA+TKIP, WPA2
    • SSID: eduroam
• Localisation
  – eduroam-around-the-corner
  – Maps
  – Local pages
• Expansion
  – Integration with commercial roaming services
AAI Integration: offload AuthZ?
[Diagram: the European server above .nl (SURFnet.nl) and .pt (FCCN.pt); an access point, A-Select and Shibboleth; a roaming user identity and the FCCN user database]
• How do all these applications communicate? (SAML!)
Conclusions
Conclusions
• 802.1X plus RADIUS provide a secure and future proof solution for access to the network for local users
• Joining eduroam gives the benefit of instant access for (academic) guest users
• Infrastructure not perfect but…
  – It works ™
  – It is ready for the future
• Joining eduroam is a small step for administrator-kind but a giant leap for the users, so…..
Time to join…..
Coming back…
• What is a federation?
• Is eduroam a federation?
• Is it a service?
• Is it a brand?
Federations
• Federations enable the sharing of resources
• A federation is constituted by a set of agreements between peers
• In a federation agreement there should be a common language
• Federations can be part of bigger federations
• Federations can cooperate with other federations: confederations
eduroam currently IS a (single-resource) federation, but may in the near future become a service OF the federation
Slightly less authoritative source
• Merriam-Webster: an association of persons, parties, or states for mutual assistance and protection
More information
• eduroam in SURFnet– http://www.eduroam.nl
• eduroam in Europe– http://www.eduroam.org
• TERENA TF-Mobility– http://www.terena.nl/mobility
• Géant2 Joint Research Activity 5 (authorisation and roaming)– http://www.geant2.net/server/show/nav.758
• The unofficial IEEE802.11 security page– http://www.drizzle.com/~aboba/IEEE