Authentication and Authorisation in eduroam
Klaas Wierenga, AA Workshop TNC
Lyngby, 20th May 2007
Contents
- Intro eduroam
- AA requirements
- AA implementation
- Authorisation
- Summary
eduroam
The goal of eduroam
“open your laptop and be online”
or
• To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world enabling seamless sharing of network resources
eduroam
[Diagram: University A and University B connected through SURFnet acting as trusted 3rd party; access point, user DB; guest piet@university_b.nl]
• eduroam enables (federated) network access
• A trusted 3rd party exists that guarantees that both peers are ‘trustworthy’, allowing for scalability
AA requirements
AA Requirements
- “Reasonable security”
  - Not trying to solve every problem of the universe
  - Uniquely identifying users at the edge of the network
  - Local choice of authentication method
- Data integrity
  - Good identity management
  - No tampering with data
- Compliance with privacy regulations
  - No data “leakage”
- Verifiability
  - Monitoring
  - Logging
Source: JRA5 and TF-Mobility roaming requirements
AA implementation
Secure network access with 802.1X
[Diagram: supplicant (jan@university_a.nl) connects to an authenticator (AP or switch), which talks RADIUS to the University A RADIUS server and its user DB; data and signalling paths; Student, Guest and Employee VLANs; Internet]
• 802.1X
• (VLAN assignment)
eduroam
[Diagram: guest piet@university_b.nl at University A; supplicant, authenticator (AP or switch), University A RADIUS server and user DB; SURFnet central RADIUS proxy server forwards to the University B RADIUS server and its user DB; data and signalling paths; Student, Guest and Employee VLANs]
• Trust based on RADIUS plus policy documents
• 802.1X
• (VLAN assignment)
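The slide states that trust between the authenticator, the proxy and the home RADIUS server rests on RADIUS with shared secrets. The following Python block is an added example, not code from the slides or from eduroam, showing what that trust looks like on the wire: an Access-Request carrying an EAP-Message is protected by a Message-Authenticator (HMAC-MD5 keyed with the shared secret, RFC 2869), and the reply is bound to the request through the Response Authenticator (RFC 2865). The shared secret, identifiers and identities are constructed; a proxy that verifies both before acting on a packet is the check a practitioner would want to see.

```python
# Added example (not from the slides): RADIUS peers authenticating packets
# with their shared secret. Secret and identities below are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed secret; in practice agreed out of band between each pair of peers.
SHARED_SECRET = b"constructed-shared-secret"


def encode_attr(attr_type, value):
    """RADIUS attribute TLV: Type (1 octet), Length (1 octet, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(blob):
    """Return (type, value, offset) triples; reject malformed lengths instead of guessing."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", blob[pos:pos + 2])
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[pos + 2:pos + length], pos))
        pos += length
    return attrs


def eap_identity_response(eap_id, identity):
    """EAP Response/Identity (RFC 3748): Code 2, Identifier, Length, Type 1, identity."""
    data = identity.encode()
    return struct.pack("!BBHB", 2, eap_id, 5 + len(data), 1) + data


def build_access_request(ident, user_name, eap_payload, secret, request_auth=None):
    """Access-Request with EAP-Message; Message-Authenticator (RFC 2869) is then mandatory.
    It is HMAC-MD5, keyed with the shared secret, over the whole packet with the
    Message-Authenticator value set to 16 zero octets."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attr(ATTR_USER_NAME, user_name.encode()) + encode_attr(ATTR_EAP_MESSAGE, eap_payload)
    length = 20 + len(body) + 18
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + request_auth
    zeroed = header + body + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + body + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_access_request(packet, secret):
    """A proxy or server checks the Message-Authenticator before trusting the EAP payload."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    try:
        attrs = decode_attrs(packet[20:])
    except ValueError:
        return False
    macs = [(off, val) for t, val, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][1]) != 16:
        return False  # exactly one well-formed Message-Authenticator is required
    off, received = macs[0]
    start = 20 + off + 2
    zeroed = packet[:start] + bytes(16) + packet[start + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def build_response(code, ident, request_auth, attrs, secret):
    """Accept/Reject: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    (A reply that itself carries EAP-Message also needs a Message-Authenticator; omitted here.)"""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """The requesting peer binds the reply to the Request Authenticator it sent, so a reply
    built without the shared secret, or replayed from another request, is dropped."""
    if len(packet) < 20:
        return False
    head, received = packet[:4], packet[4:20]
    _code, _ident, length = struct.unpack("!BBH", head)
    if length != len(packet):
        return False
    expected = hashlib.md5(head + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    ra = os.urandom(16)
    eap = eap_identity_response(1, "piet@university_b.nl")
    req = build_access_request(7, "piet@university_b.nl", eap, SHARED_SECRET, ra)
    print("request verifies:", verify_access_request(req, SHARED_SECRET))
    print("request with other secret:", verify_access_request(req, b"other"))
    acc = build_response(ACCESS_ACCEPT, 7, ra, b"", SHARED_SECRET)
    print("accept verifies:", verify_response(acc, ra, SHARED_SECRET))
```

Both checks use the shared secret only; the proxy never sees the user's password, which travels inside the EAP tunnel described on the next slide. A proxy that skips the Message-Authenticator check would accept an EAP payload from anyone who can reach its UDP port, which is why it is required whenever EAP-Message is present.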
Tunneled authentication (PEAP/TTLS)
- Uses a TLS/SSL tunnel to protect data
- The TLS tunnel is set up using the server certificate, thus authenticating the server and preventing man-in-the-middle attacks
- The user sends his credentials through the secure tunnel to the server, thus authenticating the user
- Can use dynamic session keys for ‘in the air’ encryption
[Diagram © Alfa&Ariss: 802.1X client, EAP, RADIUS server; TLS tunnel; server authentication first, then user authentication protected by the tunnel]
eduroam architecture
- Security based on 802.1X (WEP/WPA/WPA2)
  - Identity-based networking
  - Using the Extensible Authentication Protocol (EAP) to allow for multiple authentication mechanisms
  - Mutual authentication (PEAP, TTLS, TLS)
  - Protection of credentials (tunneled authentication)
  - Layer 2
- Roaming based on RADIUS proxying
  - Remote Authentication Dial In User Service
  - Transport protocol for authentication information
  - Using shared secrets between peers
- Trust fabric based on:
  - RADIUS hierarchy
  - Policy
- Authentication ≈ Authorisation
  - RADIUS-attribute filtering
  - VLAN assignment
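The last bullet is where the slide says authorisation actually happens in eduroam today: the visited institution routes the request by realm and decides which attributes of the home server's reply it is willing to honour. The Python block below is an added example, not code from the slides or from any eduroam proxy software, of that policy. The realm names, the proxy host name and the attribute allow-list are constructed; the RFC 2868 tunnel attributes are the standard ones used for VLAN assignment.

```python
# Added example (not from the slides): realm-based routing and attribute
# filtering at a visited institution's RADIUS server. Names are constructed.
import re

LOCAL_REALM = "university_a.nl"                # constructed: the visited site's own realm
FEDERATION_PROXY = "central-proxy.example"     # placeholder for the national proxy

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
# One DNS-style label; underscore allowed because the slides use realms like university_b.nl
LABEL = re.compile(r"^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?$")

# RFC 2868 tunnel attributes used for VLAN assignment (Tunnel-Type 13 = VLAN, Medium 6 = 802)
GUEST_VLAN = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "guest"}

# Constructed allow-list: what a reply from a *remote* home server may carry through.
# The MS-MPPE keys must pass; they carry the session keys for 'in the air' encryption.
REMOTE_ALLOWED = frozenset({"MS-MPPE-Recv-Key", "MS-MPPE-Send-Key", "EAP-Message",
                            "Message-Authenticator", "Session-Timeout", "Class"})


def parse_realm(user_name):
    """Return the realm of an outer identity, or None when it cannot be routed."""
    if user_name.count("@") != 1:
        return None
    _user, realm = user_name.split("@")
    realm = realm.lower().rstrip(".")
    labels = realm.split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        return None
    return realm


def route(user_name):
    """Next hop for an Access-Request: ('local', realm), ('proxy', host) or ('reject', reason)."""
    realm = parse_realm(user_name)
    if realm is None:
        return ("reject", "unroutable identity")
    if realm == LOCAL_REALM or realm.endswith("." + LOCAL_REALM):
        return ("local", realm)
    return ("proxy", FEDERATION_PROXY)


def filter_reply(code, reply_attrs, origin):
    """Apply the visited site's policy to a reply before it reaches the authenticator.
    origin is 'local' (own server) or 'proxy' (came back via the federation)."""
    if code != ACCESS_ACCEPT:
        return code, {}                      # never forward attributes on a reject
    attrs = dict(reply_attrs)
    if origin == "proxy":
        # The visited site owns its VLANs: drop everything not on the allow-list,
        # which removes any VLAN or IP assignment the home site may have sent.
        attrs = {k: v for k, v in attrs.items() if k in REMOTE_ALLOWED}
        attrs.update(GUEST_VLAN)             # guests always land in the local guest VLAN
    return code, attrs


def handle(user_name, code, reply_attrs):
    """Route, then filter the reply according to where it came from."""
    hop, target = route(user_name)
    if hop == "reject":
        return ACCESS_REJECT, {}, target
    final_code, attrs = filter_reply(code, reply_attrs, hop)
    return final_code, attrs, target


if __name__ == "__main__":
    home_reply = {"Tunnel-Private-Group-ID": "employee", "Framed-IP-Address": "10.0.0.5",
                  "MS-MPPE-Recv-Key": b"k1", "MS-MPPE-Send-Key": b"k2", "Session-Timeout": 3600}
    print(handle("piet@university_b.nl", ACCESS_ACCEPT, home_reply))
    print(handle("jan@university_a.nl", ACCESS_ACCEPT, home_reply))
    print(handle("piet", ACCESS_ACCEPT, home_reply))
```

The policy is deliberately asymmetric: a local user keeps whatever VLAN the local server assigned, while a guest's home server can say yes or no but cannot choose a VLAN or address at the visited site. That is the concrete form of "Authentication ≈ Authorisation" on the slide.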
RadSec/DNSROAM
- RADIUS packet format
- Transport: TCP (or SCTP)
- Encryption: TLS (optional)
- TLS => PKI
- DNSROAM combines RadSec with DNS for dynamically locating the peer
- RadSec RFC is being worked on
Fully hierarchical
[Diagram: EU hierarchy root at EU level, country-level servers below; RadSec links between the levels, RADIUS at the edges]
• First mixed mode
• Later DNSROAM?
‘Real’ Authorisation?
DAMe
- Deploying Authorization Mechanisms for Federated Services in eduroam
- DAMe is a project that builds upon:
  - eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard,
  - Shibboleth and eduGAIN
  - NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) standards.
[Diagram: guest piet@university_b.nl; supplicant, authenticator (AP or switch), University A RADIUS server and user DB, eduroam central RADIUS proxy server, University B RADIUS server and user DB; XACML Policy Decision Point and SAML Source Attribute Authority; data and signalling paths]
• User mobility controlled by assertions and policies expressed in SAML and XACML
1st: Extension of eduroam with authR
2nd: eduGAIN AuthN+AuthR backend
- Link between the AAA servers (now acting as Service Providers) and eduGAIN
3rd: Universal Single Sign On
- Users will be authenticated once, during the network access control phase
- The eduGAIN authentication would be bootstrapped from the NAS-SAML
- New method for delivering authentication credentials and new security middleware
- 4th goal: integrating applications, focusing on grids.
Summary
Summary
- Eduroam provides reasonable security
- AuthZ is reasonable and is slowly being improved
- AuthR is relatively weak but being worked upon (that is, we hope that the eduGAIN guys and girls will give it to us)
- Currently the main inhibitor is politics
Thank you!
More info: [email protected]