high-quality internet for higher education and research eduroam eurocamp, porto, november 9, 2005...

High-quality Internet for higher education and research

eduroam

EuroCAMP, Porto, November 9, [email protected]


Contents

• Why 802.1X and eduroam?• Implementation

– Requirements– Technology– Policy

• Status eduroam• Future of eduroam• Conclusions


But first…

• What is a federation?• Is eduroam a federation?• Is it a service?• Is it a brand?

• Or…


Why 802.1X and eduroam?


Wireless LAN is unsafe

root@ibook:~# tcpdump -n -i eth1

19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request

19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply


19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply


19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply ^C


Users are mobile

AccessProvider

Cable

University A

WLAN

University B

WLAN

AccessProvider

ADSL

International connectivity

AccessProviderWLAN

AccessProviderGPRS/UMTS

SURFnet backbone


Requirements

• Identify users uniquely at the edge of the network– No session hijacking

• Enable guest usage• Scalable

– Local user administration and authentication– No exponential administrative load

• Easy to install and use– At the most one-time installation by the user

• Open– Support for all common operating systems– Non-proprietary

• Secure


Possible solutions

• Open access: scalable, unsafe• MAC-addres: not scalable, unsafe• WEP: not scalable, unsafe

European research networks:

• Web-gateway+RADIUS: scalable, unsafe • VPN-gateway: not scalable, safe

• 802.1X+RADIUS: scalable, safe, the future (WPA, WPA2)


Implementation


eduroam architecture

• Security based on 802.1X (or web-based redirect)– Different authentication mechanisms possible– Identity-based networking– Mutual authentication possible (by using the right EAP-

types: PEAP, TTLS, TLS)– Protection of credentials– Integration with VLAN assignment– Provides basis for new wireless security standards WPA

and 802.11i

• Roaming based on RADIUS proxying– Remote Authentication Dial In User Service– Transport-protocol for authentication information

• Trust fabric based on:– Technical: RADIUS hierarchy– Policy: Documents/contracts that define the

responsibilities of user, institution, NREN and the EduRoam federation


Secure access to the network with 802.1X

data

signaling

RADIUS server

University A

Internet

Authenticator

(AP or switch) User DB

[email protected]_a.nl

StudentVLAN

CommercialVLAN

EmployeeVLAN

Supplicant

• 802.1X

• (VLAN assigment)


eduroam

RADIUS server

University B

RADIUS server

University A

SURFnet

Central RADIUS

Proxy server

Authenticator

(AP or switch) User DB

User DB

Supplicant

Gast

piet@university_b.nl

StudentVLAN

CommercialVLAN

EmployeeVLAN

data

signalerling

• Trust based on RADIUS plus policy documents

• 802.1X

• (VLAN assigment)


Tunneled authentication (PEAP/TTLS)

• Uses TLS/SSL tunnel to protect data– The TLS tunnel is set up using the server certificate, thus

authenticating the server and preventing man-in-the-middle attacks

– The user sends his credentials through the secure tunnel to the server, thus authenticating the user

• Can use dynamic session keys for ‘in the air’ encryption

© Alfa&Ariss

`

802.1X Client EAP RADIUS Server

TLS tunnel

User authentication

Protected by TunnelServer authentication


Status


Status of eduroam

• Over 400 institutions in Europe, Australia and Taiwan

• USA, Belgium, Sweden will follow shortly


Members

FCCN was among the first eduroam participants


Future


Monitoring: usertracking & weathermap

But what to do with the info?


Technology: bypassing the hierarchy overhead?

European Server

.nl .ac.uk …

uva.nl

.pl

Uni.torun.pl

Access Point Access Point User database

[email protected]

• AA traffic goes through all intermediate entries

• All links are peer-to-peer agreements / static routes / p2p secure

• DIAMETER? DNSsec? Radsec


Roaming policy

• Minimal security level• Levels of assertion• Who can• SLA’s• Incident response• Policy board


Usability: standardisation, localisation, expansion

• Standardisation– Limited set of encryption and SSID choices

• Encryption: 802.1X+WEP, WPA+TKIP, WPA2• SSID: eduroam

• Localisation– Eduroam-around-the-corner– Maps– Local pages

• Expansion– Integration with commercial roaming services


AAI Integration: offload AuthZ?

European Server

.nl .ac.uk …

SURFnet.nl

.pt

FCCN.pt

Access Point A-Select Shibboleth

[email protected] FCCN user database

• How do all these applications communicate? (SAML!)


Conclusions


Conclusions

• 802.1X plus RADIUS provide a secure and future proof solution for access to the network for local users

• Joining eduroam gives the benefit of instant access for (academic) guest users

• Infra stucture not perfect but…– It works ™– It is ready for the future

• Joining eduroam is a small step for administrator-kind but a giant leap for the users, so…..


Time to join…..


Coming back…

• What is a federation?• Is eduroam a federation?• Is it a service?• Is it a brand?


Federations

• Federations enable the sharing of resources• A federation is constituted by a set of agreements between

peers• In a federation agreement there should be a common language• Federations can be part of bigger federations• Federations can cooperate with other federations:

confederations

eduroam currently IS a (single-resource) federation, but may in the near future become a service OF the federation


Slightly less authorative source

• Merriam-Webster: an association of persons, parties, or states for mutual assistance and protection


More information

• eduroam in SURFnet– http://www.eduroam.nl

• eduroam in Europe– http://www.eduroam.org

• TERENA TF-Mobility– http://www.terena.nl/mobility

• Géant2 Joint Research Activity 5 (authorisation and roaming)– http://www.geant2.net/server/show/nav.758

• The unofficial IEEE802.11 security page– http://www.drizzle.com/~aboba/IEEE