High-quality Internet for higher education and research
Paul Dekkers, April 4th, Turkey
Contents: From 802.1x to eduroam
• Freshening up
• Background
• Considerations
• Solutions: 802.1x
• eduroam
Freshening up…
• WLAN
– Every wireless network has a name: an (in)visible SSID (Service Set Identifier)
– Access / encryption with “keys”
– WEP, Wired Equivalent Privacy
– WPA (with pre-shared key)
• 802.11 (“wireless Ethernet”, MAC)
– 802.11b, 802.11g, 802.11a (radio layer, channels)
Background
• Traditional WLAN is not safe
– Who uses the network? (abuse, limiting the user group)
– Are people eavesdropping? (no physical boundaries)
• How do we provide access to guests?
– Distribution of “secrets” (WEP key)?
Traditional WLANs are unsafe
Even with:
• Non-broadcast SSID
• MAC-address restrictions
• WEP, Wired Equivalent Privacy
Users are mobile
[Figure: mobile users reach the Internet backbone from a student dormitory, from the WLANs of University A and University B, and from commercial access providers (ADSL, WLAN, GPRS/UMTS), including international connectivity]
Requirements
• Identify users uniquely at the edge of the network
– No session hijacking
• Enable guest usage
• Scalable
– Local user administration and authentication
• Easy to install and use
– At most a one-time installation by the user
• Open
• Secure
Solutions
… for guest usage:
• Web-based captive portal: scalable, not safe (no encryption, hijacking)
• VPN/PPPoE: not scalable, safe path
• 802.1x: scalable, safe – security at the edge of the network
802.1x is the basis for the next-generation standards (WPA-Enterprise, 802.11i)
Secure access to the network with 802.1X
[Figure: a supplicant authenticates with 802.1X to the authenticator (AP or switch) at University A; the signaling path goes to the RADIUS server, which checks the user DB and can assign a VLAN (student, commercial or employee VLAN); the data path then goes to the Internet]
• 802.1X
• (VLAN assignment)
802.1x and EAP (Extensible Authentication Protocol)
• Different EAP types
• The (home) organization decides which type
• EAP types with SSL/TLS
– “Mutual authentication”
– Encryption keys are derived from the SSL/TLS session
• EAP is transported and proxied in RADIUS
Common EAP types
• EAP-TLS: strong authentication with a client certificate
• EAP-TTLS: DIAMETER/RADIUS (e.g. u/p in PAP) in a TLS tunnel; usable with all u/p backends
• EAP-PEAP: Microsoft implementation with u/p via MSCHAPv2; easily deployable with AD
• EAP-FAST: username/password authentication the Cisco way; roll-out more complex, uses no SSL/TLS
• EAP-SIM: strong authentication using the SIM of your phone
• ...
LEAP and EAP-MD5 are old and weak
802.1x
[Figure: a supplicant at institution A authenticates through the authenticator (AP or switch) to institution A's RADIUS server and user DB; a guest's request is proxied over a secured tunnel via a central RADIUS proxy server to institution B's RADIUS server and user DB; local users land in the regular VLAN, guests in the guest VLAN]
Guest usage: eduroam!
Trust based on RADIUS plus policy documents
eduroam: (inter)national roaming
[Figure: RADIUS hierarchy with a top-level server above national servers (.nl, .ac.uk, .no, .au; e.g. surfnet.nl and uninett.no) and institutional servers with their access points (e.g. uva.nl, unis.no); a user@uninett.no connecting at another institution is proxied up the hierarchy and back down to the home server]
eduroam architecture
• Security based on 802.1X
– Protection of credentials: EAP
– New technologies (WPA, 802.11i) based on 802.1x
– Different authentication mechanisms possible by using EAP (Extensible Authentication Protocol): username/password, X.509 certificates, SIM cards
– Dynamic VLAN assignment
• Roaming based on RADIUS proxying
– Remote Authentication Dial In User Service
– Transport protocol for authentication information
• Trust fabric based on:
– Technical: RADIUS hierarchy
– Policy: documents/contracts that define the responsibilities of user, institution, NREN and the eduroam federation
National policy (federation)
• Mutual access
• Members are connected institutions
• Home institution is/remains responsible for its users' behaviour
• Home institution is responsible for proper user management
• Home and visited institution must keep sufficient log data
• Appropriate security levels
The European eduroam policy (confederation)
• Mutual access
• Home institutions are/remain responsible for their users abroad
• Members are NRENs (national federations)
• Members guarantee required security levels by their participants
• Members promote eduroam in their countries
• European eduroam may peer with other regions
Status of eduroam
Over 500 institutions in Europe, Australia and Taiwan
New members:
• Lithuania
• Romania
• Hungary
• China
• Hong Kong
• Cyprus
USA, Japan, Korea will follow shortly
eduroam
• Provides global network roaming
• Strong technical foundation:
– RADIUS
– 802.1X
– Lingua franca: EAP
• Needs ubiquity
Joining eduroam for an NREN
• Set up a server that proxies:
– Accept requests for *.cc-tld and forward them to the right institution
– Accept requests for non-*.cc-tld and forward them to the European servers
• Send an (encrypted) e-mail to [email protected] with:
– FQDN of the top-level RADIUS server(s)
– IP addresses of the top-level RADIUS servers
– Shared secret to use between the European servers and the national server(s)
– URL of the national eduroam website
– Information about a test account
– Contact details of the admin
• Sign the policy agreement
Joining eduroam for an institution
• Set up your local 802.1X infrastructure
– Accept requests for your-domain.cc-tld and process them
– Proxy requests for non-local users to the national server
• Send an (encrypted) e-mail to your NREN with:
– FQDN of your top-level RADIUS server(s)
– IP addresses of your top-level RADIUS servers
– Shared secret to use between your and their server(s)
– URL of your eduroam website
– Information about a test account
– Contact details of the admin
• Sign the policy document
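The two “Joining eduroam” slides above, together with the 802.1x roaming diagram, describe one routing rule set: an institution handles its own realm and proxies everything else to the national server; the national server forwards *.cc-tld realms to the right institution and anything else to the European top level, which hands the request to the national server for that ccTLD. The model below is an added example (not code from the slides, SURFnet or eduroam) that walks a request through that hierarchy and records the proxy path, which is also what the “sufficient log data” policy item asks each hop to keep. Server names (eu-toplevel, surfnet.nl, uninett.no, uva.nl, unis.no), VLAN names, test accounts and passwords are constructed for illustration; the credential is carried as an opaque payload that only the home institution opens, standing in for the TLS-protected EAP conversation, and the visited site places accepted roaming users in its guest VLAN as the diagram shows.

```python
"""Added example: eduroam-style realm-based RADIUS proxying (constructed names and accounts)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAX_HOPS = 8  # crude loop guard; real proxies rely on Proxy-State and hop limits


@dataclass
class RadiusServer:
    name: str
    level: str                 # "institution", "national" or "toplevel"
    realm: str = ""            # "uva.nl" for an institution, "nl" for a national server
    guest_vlan: str = "guest"  # VLAN handed to roaming (non-local) users at this site
    parent: Optional["RadiusServer"] = None
    children: Dict[str, "RadiusServer"] = field(default_factory=dict)
    users: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # user -> (password, vlan)

    def add_child(self, child: "RadiusServer") -> "RadiusServer":
        child.parent = self
        self.children[child.realm] = child
        return child


def split_identity(identity: str):
    """The outer identity user@realm decides the routing; the realm is case-insensitive."""
    if "@" not in identity:
        return None, None
    user, realm = identity.rsplit("@", 1)
    return user, realm.lower()


def _reject(path):
    return {"code": "Access-Reject", "path": path}


def handle(server: Optional[RadiusServer], identity: str, eap_payload: dict,
           path=None, hops: int = 0) -> dict:
    """Route one request through the hierarchy. Proxies look only at the realm;
    eap_payload is forwarded opaquely and opened only by the home institution."""
    path = [] if path is None else path
    if server is None or hops > MAX_HOPS:
        return _reject(path)
    path.append(server.name)
    user, realm = split_identity(identity)
    if realm is None:
        return _reject(path)

    if server.level == "institution":
        if realm == server.realm:
            # Home institution: check the local user DB and assign the user's own VLAN
            record = server.users.get(user)
            if record and record[0] == eap_payload.get("password"):
                return {"code": "Access-Accept", "vlan": record[1], "path": path}
            return _reject(path)
        # Visited institution: proxy to the national server; an accepted roaming
        # user is placed in the local guest VLAN, never in a local staff/student VLAN
        reply = handle(server.parent, identity, eap_payload, path, hops + 1)
        if reply["code"] == "Access-Accept":
            reply["vlan"] = server.guest_vlan
        return reply

    if server.level == "national":
        if realm == server.realm or realm.endswith("." + server.realm):
            # *.cc-tld: forward to the right institution, reject unknown ones
            for inst_realm, child in server.children.items():
                if realm == inst_realm or realm.endswith("." + inst_realm):
                    return handle(child, identity, eap_payload, path, hops + 1)
            return _reject(path)
        # non-*.cc-tld: forward to the European top-level server
        return handle(server.parent, identity, eap_payload, path, hops + 1)

    # Top level: pick the national server for the realm's ccTLD (None -> reject)
    tld = realm.rsplit(".", 1)[-1]
    return handle(server.children.get(tld), identity, eap_payload, path, hops + 1)


def build_hierarchy():
    """Constructed hierarchy: one European top level, two NRENs, two institutions."""
    top = RadiusServer("eu-toplevel", "toplevel")
    nl = top.add_child(RadiusServer("surfnet.nl", "national", "nl"))
    no = top.add_child(RadiusServer("uninett.no", "national", "no"))
    uva = nl.add_child(RadiusServer("uva.nl", "institution", "uva.nl"))
    unis = no.add_child(RadiusServer("unis.no", "institution", "unis.no"))
    uva.users["alice"] = ("alice-test-pw", "student")  # constructed test accounts
    unis.users["bob"] = ("bob-test-pw", "employee")
    return top, uva, unis


if __name__ == "__main__":
    _, uva, unis = build_hierarchy()
    # bob from unis.no connects at uva.nl: proxied up to the top level and back down
    print(handle(uva, "bob@unis.no", {"password": "bob-test-pw"}))
    # alice at her home institution: handled locally, gets the student VLAN
    print(handle(uva, "alice@uva.nl", {"password": "alice-test-pw"}))
```

The returned path is the audit trail each hop should log: for a roaming user it shows the visited institution, both national servers and the top level, which is exactly the set of parties the policy documents make jointly responsible. Requests without a realm, for an unknown ccTLD, or for an unknown institution inside a country are rejected at the first hop that cannot route them rather than being passed around.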
Conclusions
• 802.1X provides secure, future-ready, scalable access to the campus network
• Enabling eduroam is easy once 802.1X is in place
• Handbook and (other) easy configuration examples are available
• Many have already joined, so