Michal Procházka, Jan Oppolzer (michalp@ics.muni.cz, jan.oppolzer@cesnet.cz)

Post on 12-Jan-2016


Michal Procházka, Jan Oppolzer
michalp@ics.muni.cz, jan.oppolzer@cesnet.cz
CESNET

Michal Procházka

• Senior researcher at Masaryk University
• Member of AAI department at CESNET
• Member of AAI TF: ELIXIR, EGI
• Participating in GEANT GN4p1 projects
• More than 8 years of experience in IT security and AAI

Jan Oppolzer

• Head of eduID.cz federation operator
• Deputy of AAI department at CESNET
• eduGAIN steering group delegate
• Shibboleth v3 expert

Goal of the training

At the end of the day:
• Understand how eduroam works
• What are the benefits
• How to set up eduroam in your country and institutions

Ask questions

Outline

• Survey
• What is it?
• How it works?
• eduroam and NREN
• eduroam and organization
• Requirements
• Production

Survey

• How many NRENs?
• How many organizations?
• How many Linux administrators?

What is it?

• Global identity federation
• Provides network access
   – Mainly over the WiFi

Benefits

• Easy roaming
• Every user is identified
   – Useful for auditing and logging
   – Helps in case of a security incident
• Communication is encrypted
   – eduroam requires encrypted communication between client and AP

Video

https://www.youtube.com/watch?v=0VYp8wZG43k

How it works?

[Diagram, labels recovered from the slide: RADIUS servers at University ABC and University 123, each with its User DB; the Roaming Operator's central RADIUS proxy server; a WiFi Access Point; Visitor, Student and Employee VLANs; the roaming user user@uniabc.aq; separate data and signaling paths.]

From the "eduroam: The Value of WLAN measurements for the R&E Community" presentation

Terms

• RO – Roaming Operator
• ETLRS – European Top-level RADIUS Servers
• FLRS – Federation Level RADIUS Server
• IdP – eduroam Identity Provider
• SP – eduroam Service Provider
• NAS – Network Access Element
• F-Ticks – Federated Ticker System

Infrastructure

• Top level RADIUS server (ETLRS)
• National RADIUS Proxy (FLRS)
• Institutional RADIUS (IdP and/or SP)
• Identity management system (IdM)
• Access Points, switches (NAS)
• Clients (Supplicant)
• Monitoring (F-Ticks)

Protocols and security

• 802.1x
   – Supplicant to AP communication
• RADIUS protocol
   – NAS to IdP communication
• EAP protocol
   – Supplicant to IdP communication
   – PAP, CHAP, TLS, TTLS, MS-CHAPv2, …
• TLS protocol
   – Securing FLRS to ETLRS as well as IdP to FLRS communication

Diagram from http://mrncciew.com

Authentication Protocols

• PAP – Password Authentication Protocol
• CHAP – Challenge-response Authentication Protocol
• TLS – Transport Layer Security – X.509 authN
• TTLS – Tunneled TLS with e.g. PAP

eduroam and NREN

• National point to the global eduroam
• Running FLRS
• Proxying requests from SPs to IdPs and ETLRS
• Monitoring infrastructure for IdPs

Requirements

• Digital certificate accepted by eduroam PMA
• Host with public IP address
   – Ideally two for HA or failover configuration
• Web server
• Optionally mailing list system

Software for FLRS

• radsecproxy
   – Proxying RADIUS requests
   – Supports TLS
• (r)syslog
   – Logging
• Monitoring
   – eduroam monitoring

Process

• Incoming request is routed to
   – a national IdP, or
   – up to the ETLRS
• FLRS does not modify RADIUS packets
   – Only filtering is applied (e.g. remove VLANs)
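The two steps above, routing by realm and filtering the reply, as an added example that is not part of the slides and is not radsecproxy's own logic. The realm list, server names and attribute values are constructed; the VLAN attributes removed are the RFC 2868 tunnel attributes, which is one reading of "remove VLANs".

```python
"""Added example, not from the slides or from radsecproxy: a toy model of the
two things an FLRS does with a request, route it by realm and filter the
reply.  Server names, realms and attribute values are constructed."""
import re

# Constructed: realms of IdPs in this national federation and their servers.
NATIONAL_IDPS = {
    "uni-abc.example": "radius.uni-abc.example",
    "uni-123.example": "radius.uni-123.example",
}
# Constructed: the European top-level servers; everything not national goes here.
ETLRS = "etlrs.example"

# RFC 2868 tunnel attributes that carry a VLAN assignment.  A home IdP may
# send them for its own network, but they mean nothing on the visited
# network, so the FLRS drops them (the slides: "filtering, e.g. remove VLANs").
VLAN_ATTRIBUTES = {"Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id"}

# user@realm where the realm is a DNS-style name; anything else is unroutable.
REALM_RE = re.compile(r"^[^@]+@([A-Za-z0-9.-]+)$")


def realm_of(user_name):
    """Return the lower-cased realm part of a User-Name, or None if it has none."""
    m = REALM_RE.match(user_name)
    return m.group(1).lower() if m else None


def route(user_name):
    """Next hop for a RADIUS request, or None when the FLRS must reject it.

    eduroam routes purely on the realm; a request with no usable realm cannot
    be delivered to any IdP and is rejected at the FLRS rather than forwarded.
    """
    realm = realm_of(user_name)
    if realm is None:
        return None
    for national, server in NATIONAL_IDPS.items():
        # Exact match or a sub-realm (e.g. staff.uni-abc.example).
        if realm == national or realm.endswith("." + national):
            return server
    return ETLRS


def filter_reply(attributes):
    """The only change the FLRS makes to a proxied reply: strip VLAN attributes.

    Every other attribute passes through untouched, so the home IdP keeps
    control over e.g. Session-Timeout.
    """
    return {k: v for k, v in attributes.items() if k not in VLAN_ATTRIBUTES}


if __name__ == "__main__":
    # Constructed sample requests: national, national sub-realm, foreign, no realm.
    for name in ("alice@uni-abc.example", "bob@staff.uni-123.example",
                 "carol@uni-xyz.aq", "dave"):
        print(f"{name:30} -> {route(name)}")
    reply = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
             "Tunnel-Private-Group-Id": "42", "Session-Timeout": "3600"}
    print(filter_reply(reply))
```

The sub-realm check compares against "." plus the national realm, so a look-alike realm such as evil-uni-abc.example is not treated as national and goes to the ETLRS like any other foreign realm.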

F-ticks

• Federated Ticker System
• Used to monitor FLRS RADIUS servers
• Leverages syslog
• Example of the message:
   F-TICKS/eduroam/1.0#REALM=%R#VISCOUNTRY=LU#CSI=%{Calling-Station-Id}#RESULT=OK#
• Solves also privacy issues
   – REALM can be exchanged with undisclosed
   – Second part of the MAC can be hashed
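Building F-Ticks lines in the format quoted above, applying the two privacy options the slide names, and reading such lines back out of syslog, as an added example that is not part of the slides and is not any F-Ticks implementation. The keyed-hash construction for the MAC and the 16-hex-digit truncation are this example's own choices; the realm, country and MAC values are constructed.

```python
"""Added example, not from the slides or from any F-Ticks implementation:
build F-Ticks lines in the format quoted on the slide, apply the two privacy
options (realm replaced by 'undisclosed', second half of the MAC hashed), and
parse such lines out of syslog.  Hash construction and sample values are this
example's own."""
import hashlib
import hmac
import re

FTICKS_PREFIX = "F-TICKS/eduroam/1.0"
_OCTET = re.compile(r"[0-9a-f]{2}")


def anonymise_mac(csi, key):
    """Keep the vendor half (OUI) of the MAC and replace the device half by a
    keyed hash: the line still supports per-vendor statistics but no longer
    identifies the device.  The key matters, because an unkeyed hash of a
    24-bit value could be reversed by trying all 2^24 candidates."""
    octets = csi.lower().replace("-", ":").split(":")
    if len(octets) != 6 or not all(_OCTET.fullmatch(o) for o in octets):
        raise ValueError(f"not a MAC address: {csi!r}")
    oui = ":".join(octets[:3])
    device = ":".join(octets[3:])
    digest = hmac.new(key.encode(), device.encode(), hashlib.sha256).hexdigest()
    return f"{oui}:{digest[:16]}"  # truncation is a readability choice here


def build_fticks(realm, visited_country, csi, result,
                 disclose_realm=True, mac_key=None):
    """Compose one F-Ticks message.  disclose_realm=False replaces the realm
    by 'undisclosed'; mac_key, when given, hashes the second half of the MAC."""
    fields = [
        FTICKS_PREFIX,
        "REALM=" + (realm if disclose_realm else "undisclosed"),
        "VISCOUNTRY=" + visited_country,
        "CSI=" + (anonymise_mac(csi, mac_key) if mac_key else csi),
        "RESULT=" + result,
    ]
    return "#".join(fields) + "#"


def parse_fticks(line):
    """Extract the F-Ticks fields from a syslog line; None if it is not one.
    The syslog prefix (timestamp, host, program) is skipped."""
    start = line.find(FTICKS_PREFIX + "#")
    if start < 0:
        return None
    body = line[start + len(FTICKS_PREFIX) + 1:].strip()
    if not body.endswith("#"):
        return None
    fields = {}
    for field in body[:-1].split("#"):
        key, _, value = field.partition("=")
        fields[key] = value
    return fields


def summarise(lines):
    """Count results per realm, the basic view a monitoring system derives."""
    counts = {}
    for line in lines:
        rec = parse_fticks(line)
        if rec is None:
            continue
        per_realm = counts.setdefault(rec.get("REALM", "?"), {})
        result = rec.get("RESULT", "?")
        per_realm[result] = per_realm.get(result, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: one disclosed line, one with both privacy options.
    plain = build_fticks("uni-abc.example", "LU", "aa:bb:cc:dd:ee:ff", "OK")
    private = build_fticks("uni-abc.example", "LU", "aa:bb:cc:dd:ee:ff", "OK",
                           disclose_realm=False, mac_key="constructed-key")
    print(plain)
    print(private)
    print(summarise(["Jan 12 10:00:00 flrs radsecproxy: " + plain, private]))
```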

Communication channels

• Web pages
   – Provide information for users and SPs
   – Must be on eduroam.TLD domain
• Mailing list
   – Global eduroam mailing list
   – Mailing list for national SPs

eduroam and institution

• Processing user authentication
• Connection to the local IdM
• User support
• Usually operates as a SP

Technical Terms

• IdP – eduroam identity provider
• Supplicant
• NAS – Network Access Service
   – AP – Access Point
   – switch

Identity provider

• Providing user authentication
• IdP selects authentication method
• Proper user registration
   – Ideally connected to the organization IdM
   – IdP must be able to identify the user in person

Supplicant

• Software initiating user authentication (EAP)
• Creating secured tunnel to the IdP
• Transferring user credentials to the IdP via selected authN method
• Securing data transfer from machine to AP
• Included in Windows, Mac OS, Linux, Android, iOS, …

NAS

• WiFi Access Point/switch
• Must support 802.1x
• Communicating with home IdP using RADIUS protocol
• Shares secret with home IdP
• WiFi security: WPA2/AES
• Open ports
   – see 6.3.3 in eduroam Service Definition

Requirements

• Digital certificate accepted by FLRS
• Access to the IdM system (user authN)
• Host with public IP address
   – Ideally two hosts for HA or failover
• Optionally have the access points

Communication channels

• Web pages and contact mail for users
   – Linked from eduroam.TLD
   – Containing information on how to join eduroam
   – Provides information about local restrictions: filtered ports, NAT/IP ranges

Sources

https://www.eduroam.org
