TF Mobility Group
22nd September 2003
• A comparison of each national solution was made against Del C – “requirements”. The following solutions were assessed:
• 802.1x based authentication solution.
• VPN based authentication solution.
• Variation to VPN based authentication solution with client certificates.
• Web-based redirect authentication solution.
• Roamnode (PPPoE) authentication solution.
Deliverable G
802.1x based authentication solution
– Layer 2 solution; the standard is still maturing, and cheaper APs that support 802.1x are appearing on the market.
– Uses EAP, carried over EAPOL between the client and the access point.
– Uses RADIUS for authentication, authorisation and accounting.
– Can be scaled using a RADIUS proxy hierarchy, so that a visitor authenticates at their home institution.
– Admin overhead involves loading an 802.1x client (supplicant) on mobile devices, RADIUS configuration and VLAN assignment.
– Clients without 802.1x support are handled via a web-based fallback; a general web-redirect authentication system may be investigated.
– Security via EAP-TLS and EAP-TTLS, with WPA, TKIP and 802.11i extensions.
– Accountability via RADIUS logging and user reports to helpdesk (e.g. stolen mobile device).
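How the 802.1x pieces listed above fit together on the wire, as an added example that is not part of the slides: the client's EAP Identity response is carried in an EAPOL frame to the access point, which strips the EAPOL header and re-encapsulates the EAP packet into RADIUS EAP-Message attributes protected by a Message-Authenticator (HMAC-MD5 over the whole Access-Request, keyed with the secret shared between AP and RADIUS server). The identity, shared secret and RADIUS identifier are constructed sample values; the byte layouts follow IEEE 802.1X (EAPOL), RFC 3748 (EAP), RFC 2865 (RADIUS) and RFC 3579 (EAP-Message / Message-Authenticator).

```python
"""Added example, not from the TF Mobility slides: EAP inside EAPOL on the
wireless link, then EAP inside RADIUS between access point and server.
Identity, shared secret and RADIUS identifier below are constructed values."""
import hashlib
import hmac
import os
import struct

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAPOL_VERSION = 1
EAPOL_TYPE_EAP_PACKET = 0
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def eap_identity_response(eap_id: int, identity: str) -> bytes:
    """EAP header: Code(1) Identifier(1) Length(2), then Type(1) and the identity."""
    type_data = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(type_data)) + type_data


def eapol_frame(eap_packet: bytes) -> bytes:
    """EAPOL header: Version(1) Type(1) Length(2); 802.1X carries EAP inside this."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap_packet)) + eap_packet


def eap_from_eapol(frame: bytes) -> bytes:
    """Access point side: strip the EAPOL header and return the EAP packet."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET or len(frame) < 4 + length:
        raise ValueError("not a complete EAPOL EAP-Packet frame")
    return frame[4:4 + length]


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV; Length includes the 2-byte header, value <= 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long; split it across attributes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def radius_access_request(identifier: int, authenticator: bytes, user_name: str,
                          eap_packet: bytes, secret: bytes) -> bytes:
    """Wrap the EAP packet into EAP-Message attribute(s) and sign with Message-Authenticator."""
    attrs = radius_attr(ATTR_USER_NAME, user_name.encode())
    for i in range(0, len(eap_packet), 253):            # long EAP packets are fragmented
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap_packet[i:i + 253])
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed while signing
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac   # Message-Authenticator is the last attribute, so its value is the tail


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute HMAC-MD5 with the attribute zeroed and compare in constant time."""
    attrs, pos = packet[20:], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            start = 20 + pos + 2
            zeroed = packet[:start] + bytes(16) + packet[start + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[start:start + 16])
        pos += alen
    return False   # an Access-Request carrying EAP without Message-Authenticator must be rejected


def eap_from_radius(packet: bytes) -> bytes:
    """Server side: reassemble the EAP packet from EAP-Message attributes."""
    out, attrs, pos = b"", packet[20:], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            break
        if atype == ATTR_EAP_MESSAGE:
            out += attrs[pos + 2:pos + alen]
        pos += alen
    return out


def demo() -> dict:
    """Walk one Identity response from client to RADIUS server and check the protections."""
    secret = b"constructed-shared-secret"            # constructed AP/server secret
    identity = "visitor@home.example"                 # constructed identity
    eap = eap_identity_response(1, identity)
    frame = eapol_frame(eap)                          # client -> access point (EAPOL)
    req = radius_access_request(7, os.urandom(16), identity, eap_from_eapol(frame), secret)
    tampered = bytearray(req)
    tampered[22] ^= 0x01                              # flip one byte of User-Name
    return {
        "eapol_len": len(frame),
        "eap_roundtrip": eap_from_radius(req) == eap,
        "mac_ok": verify_message_authenticator(req, secret),
        "mac_bad_secret": verify_message_authenticator(req, b"wrong-secret"),
        "mac_tampered": verify_message_authenticator(bytes(tampered), secret),
    }


if __name__ == "__main__":
    print(demo())
```

Each proxy in a RADIUS hierarchy shares a different secret with each neighbour, so a proxy that forwards this request must recompute the Message-Authenticator with the secret it shares with the next hop; a hop that skips that step, or a server that accepts EAP without checking the attribute, lets a forged Access-Request through.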
VPN based authentication solution
– Layer 3 solution, mature standard.
– Can be scaled using an overlay network of assigned address space for VPN gateways, or control lists of VPN gateways.
– Admin overhead in loading a VPN client on mobile devices and configuring VPN gateways, access lists and VLANs.
– Strong security via an encrypted tunnel for each connection.
– Accountability via the user’s home institution, as the user authenticates and obtains their IP address there; also user reports to the helpdesk (e.g. stolen mobile device).
VPN based authentication solution with client certificates
– Admin overhead required to install client certificates on mobile devices and maintain / manage a PKI.
Web based redirect authentication solution
– Requires an HTTP- or HTTPS-capable web browser; no additional client software is likely to be required.
– Uses RADIUS for authentication, authorisation and accounting.
– Can be scaled using a RADIUS proxy hierarchy, with authentication at the visiting user’s home institution.
– Minimum admin overhead, as unknown authentication requests are forwarded back across the RADIUS proxy hierarchy.
– Less secure than the other authentication solutions: authentication is via a web-based login page, and there is no provision to prevent authorised users in the same VLAN from seeing each other’s traffic.
– Accountability via RADIUS logging and user reports to helpdesk (e.g. stolen mobile device).
Roamnode (PPPoE) authentication solution
– Uses PPPoE.
– Decouples the process of establishing a physical network connection from establishing a logical network connection.
– Uses RADIUS back end for AAA service.
– Uses an overlay network for visitor users.
– Uses a VPN gateway via an IP-in-IP tunnel.
– Requires proprietary equipment at the home and visited institution and client operating systems with PPPoE support.
– Accountability via RADIUS logging and user reports to helpdesk (e.g. stolen mobile device).
Conclusion
– A European AAA based on one solution is not practical.
– A solution that supports the various national solutions is needed.
Recommendations: a phased development / testing approach
– Resolve scaling and interoperability issues for all AAA solutions (802.1x, VPN, VPN + PKI, web-based redirect, PPPoE)
– Consolidate findings into a trial report
– Build and scale a RADIUS proxy hierarchy for non-VPN AAA
– Conduct feasibility tests on creating a scalable VPN solution
– Subject to feasibility, build the proposed VPN solution
– Extend the solution to agree mechanisms for exchange of credentials (e.g. PKI)
– Could extend to VPN if possible?
Revised Recommendations (as a result of discussions in Berlin): a phased development / testing approach
– Resolve scaling and interoperability issues for 802.1x, VPN, web-based redirect and PPPoE
– Consolidate findings into a trial report
– Build and scale a RADIUS proxy hierarchy for non-VPN AAA
– Conduct feasibility tests on creating a scalable VPN solution
– Subject to feasibility, build the proposed CASG solution
– Extend to VPN in parallel
– Work on software changes to PPPoE to facilitate roaming
Update on inter-NREN tests
[Diagram: the inter-NREN RADIUS proxy hierarchy under test. Organizational RADIUS servers (A–G) forward requests for unknown realms to their national RADIUS proxy server; the national proxies forward to the top-level proxy.]
– Top-level RADIUS proxy server: etlr1.radius.terena.nl (192.87.36.6)
– Backup top-level RADIUS proxy server: etlr2.radius.terena.nl (195.169.131.2)
– Several national RADIUS proxy servers, with organizational RADIUS servers A–G beneath them
– Status notes on the diagram: “Currently directly linked to the University of Southampton”; “Currently hosted at SURFnet”; “Currently linked to FCCN, Portugal”; “Currently linked to CARNET, Croatia”; “Currently linked to SURFnet, Netherlands”
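The realm-based forwarding that the 802.1x and web-redirect slides rely on, and that the hierarchy above tests, as an added example that is not part of the slides: each server authenticates its own realms locally and forwards everything else by realm suffix towards its parent, so a visitor's request travels organizational → national → top-level → national → home. The topology, realms, user names and the hop-count loop guard are constructed for the example; only the host name etlr1.radius.terena.nl comes from the slide. Production proxies bound forwarding by configured limits on the proxying chain rather than a counter carried in the request, and the example's misconfigured national proxy ("nat-xx") shows why some limit is needed.

```python
"""Added example, not from the TF Mobility slides: realm-based routing of an
Access-Request through an organizational -> national -> top-level RADIUS proxy
hierarchy.  Topology, realms and users are constructed; the hop limit is a
modelling convenience standing in for a real proxy's loop protection."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_HOPS = 8   # assumed loop guard for this model


@dataclass
class RadiusServer:
    name: str
    local_realms: Set[str] = field(default_factory=set)   # realms this server authenticates itself
    users: Set[str] = field(default_factory=set)          # constructed local user database
    routes: Dict[str, str] = field(default_factory=dict)  # exact realm or ".suffix" -> next hop
    default: Optional[str] = None                         # parent proxy for anything else

    def next_hop(self, realm: str) -> Optional[str]:
        """Exact realm match first, then the longest matching suffix, then the default route."""
        if realm in self.routes:
            return self.routes[realm]
        suffixes = [s for s in self.routes if s.startswith(".") and realm.endswith(s)]
        if suffixes:
            return self.routes[max(suffixes, key=len)]
        return self.default


def split_nai(user_name: str) -> Tuple[str, Optional[str]]:
    """user@realm (NAI style); the realm is lower-cased, None if absent."""
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    return user, realm.lower() or None


def forward(servers: Dict[str, RadiusServer], start: str,
            user_name: str) -> Tuple[str, List[str], str]:
    """Walk an Access-Request from the visited server through the hierarchy.

    Returns (RADIUS code, list of servers visited, human-readable reason)."""
    user, realm = split_nai(user_name)
    path = [start]
    current = servers[start]
    while True:
        # A realm-less name is treated as local to the server that received it, so a
        # roaming visitor who omits the realm is simply unknown at the visited site.
        if realm is None or realm in current.local_realms:
            if user in current.users:
                return "Access-Accept", path, f"authenticated by {current.name}"
            return "Access-Reject", path, f"{current.name} does not know user {user!r}"
        hop = current.next_hop(realm)
        if hop is None:
            return "Access-Reject", path, f"{current.name}: no route for realm {realm!r}"
        if len(path) >= MAX_HOPS:
            return "Drop", path, "hop limit exceeded (routing loop?)"
        path.append(hop)
        current = servers[hop]


def build_hierarchy() -> Dict[str, RadiusServer]:
    """Constructed topology in the shape of the diagram: org -> national -> top-level."""
    top = "etlr1.radius.terena.nl"
    servers = [
        RadiusServer("org-A", {"a.ac.uk"}, {"alice"}, default="nat-uk"),
        RadiusServer("org-B", {"b.nl"}, {"bob"}, default="nat-nl"),
        RadiusServer("nat-uk", routes={"a.ac.uk": "org-A"}, default=top),
        RadiusServer("nat-nl", routes={"b.nl": "org-B"}, default=top),
        # Misconfigured national proxy: knows no organizational servers, so every
        # request for its country bounces straight back up to the top-level proxy.
        RadiusServer("nat-xx", default=top),
        RadiusServer(top, routes={".uk": "nat-uk", ".nl": "nat-nl", ".xx": "nat-xx"}),
    ]
    return {s.name: s for s in servers}


if __name__ == "__main__":
    h = build_hierarchy()
    for name in ("alice@a.ac.uk", "bob@b.nl", "mallory@b.nl", "carol@c.de", "dave@c.xx"):
        print(name, "from org-B ->", forward(h, "org-B", name))
```

The top-level proxy deliberately has no default route: a realm no national proxy claims is rejected there with a clear reason instead of being bounced around, which is also where accounting and helpdesk follow-up (the "accountability" bullets above) get their audit trail, since every server on the path can log the realm it forwarded and the answer that came back.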