Supporting Wireless Mobility Through Flexible Architecture
John Douglass, Sr. Systems Architect, John.douglass@oit.gatech.edu
Steven McDaniel, ResNet Manager
ASK QUESTIONS!!
Overview
• Why is mobility important?
• What were our guiding principles?
• LAWN Version 1.0
• The evolution of the wireless systems
• Adding 802.1x (WPA-Enterprise)
• The Foo of VLAN steering
• Future opportunities and challenges
Why is Mobility Important?
• Laptops are a requirement at Georgia Tech.
• Cellular phones with wi-fi capabilities are more prolific now than ever.
• More and more devices (such as iPads, gaming devices, robots, lab devices, etc.) are getting into the hands of our users.
Guiding Principles
• User based authentication
• Centralized deployment across campus
• Layer 2 mobility that allows for campus roaming
• No client agent – support as much as we can that runs the protocols required
• Keep requirements for access reasonable
(2001-2005) LAWN Version 1.0
How Wireless Grew into a Monster
(2001-2005) LAWN Version 1.0
Evolution of the Beast (Pre 802.1x)
• 2006
  – Added Wired Network
  – Added 2nd Wireless Network
  – Device Login and Cookie Based Sessions to support mobile and other
  – http based API (GTLogin AP)
• 2007
  – Consolidated vendors to reduce the mix of radio types (compatibility issues)
  – Moved to a controller based system and converted APs to LWAPP
(2006-2007) LAWN Version 2.0
2008 Default VLAN (2 networks)
LAWN Login Page
…and then…
And then…
How Wireless Grew into a Monster
2008 Evolution of the Beast (Pre 802.1x)
• 2008
  – LAWN bomb 1 (connection tracking)
  – LAWN bomb 2 (iptables routines)
  – Multiple software firewalls
(2008) LAWN Version 3.0
2009 Evolution of the Beast (Pre 802.1x)
• 2009
  – Bonded etherchannel for uplinks
  – Added a 3rd wireless network
  – Isolation of services (web, DHCP, DB)
  – Process redistribution
  – WPA (802.1x) pilot begins (using software firewall)
2009 Default VLAN (3 networks)
Why 802.1x? What's the big deal?
• Improved usability on mobile devices
• Allowed us an advanced level of flexibility on VLAN assignment
• Able to use hardware based firewalls
• Removed the impact of web based attacks on wireless authentication
• Improved service availability and recovery
• Simplified our architecture and planning
Design Decisions for 802.1x
• Had an existing AD backend and found an EAP method every major client supported (EAP-PEAP with MSCHAPv2)
• Need to support network blocking
• Need to support user authorization
• Need to support user feedback
• User, MAC, and/or source AP based VLAN steering
Number of Devices per Freshman (chart data)

| Devices | Fall 2007 | Fall 2010 |
|---------|-----------|-----------|
| 1       | 77.8%     | 32.8%     |
| 2       | 17.8%     | 40.6%     |
| 3       | 4.4%      | 26.6%     |
(2009) LAWN Version 4.0
Moving Complexity to MySQL
• FreeRADIUS has a great base language (unlang) but did not have complex functions and is somewhat difficult to understand
• MySQL is widely supported on campus
• FreeRADIUS is HIGHLY configurable (you can specify MySQL queries in the configuration)
• Required data easily obtainable
Radius Based VLAN Assignment
MySQL Foo for VLAN Steering

```sql
DELIMITER |
-- Arguments are the RADIUS attributes FreeRADIUS hands over: Calling-Station-Id
-- (client MAC), SQL-User-Name and Called-Station-Id (AP MAC plus SSID).
CREATE FUNCTION determineGroup(client_mac VARCHAR(17), client_username VARCHAR(64), client_ap VARCHAR(64))
RETURNS VARCHAR(64)
READS SQL DATA
BEGIN
  DECLARE returngroup VARCHAR(64);
  DECLARE clean_mac VARCHAR(17);
  DECLARE clean_ap VARCHAR(17);

  -- Normalise the NAS-supplied identifiers: lower-case, '-' separators to ':'.
  -- Called-Station-Id is "<AP MAC>:<SSID>", so keep only the first 17 characters.
  SET clean_mac = REPLACE(LOWER(client_mac), '-', ':');
  SET clean_ap  = REPLACE(LOWER(SUBSTR(client_ap, 1, 17)), '-', ':');

  IF EXISTS(SELECT groupname FROM radusergroup
            WHERE (mac_address = clean_mac OR username = client_username)
            ORDER BY priority ASC LIMIT 1) THEN
    -- Explicit rules, lowest priority wins: 100 block (user or MAC), 150 user+MAC+AP,
    -- 200 MAC, 300 user+MAC, 400 user, then a DEFAULT row if one exists.
    SELECT groupname INTO returngroup FROM radusergroup
     WHERE ((username = client_username OR mac_address = clean_mac) AND priority = 100)
        OR (username = client_username AND mac_address = clean_mac AND source_ap = clean_ap AND priority = 150)
        OR (mac_address = clean_mac AND priority = 200)  -- was client_mac on the slide; use the normalised value
        OR (username = client_username AND mac_address = clean_mac AND priority = 300)
        OR (username = client_username AND priority = 400)
        OR (username = 'DEFAULT')
     ORDER BY priority ASC LIMIT 1;
  END IF;

  -- No explicit rule: hash enabled accounts (mage.login > 0) onto an active VLAN,
  -- everyone else lands in NOTAUTHORIZED.
  IF returngroup IS NULL THEN
    IF EXISTS(SELECT uid FROM mage WHERE (uid = client_username AND login > 0) LIMIT 1) THEN
      SELECT determineGroupByHash(clean_mac, client_username) INTO returngroup;
    ELSE
      SET returngroup = 'NOTAUTHORIZED';
    END IF;
  END IF;
  RETURN returngroup;
END|
DELIMITER ;
```
MySQL Foo for VLAN Steering

```sql
DELIMITER |
CREATE FUNCTION simpleHash(hashthis VARCHAR(30), hashsize INT)
RETURNS INT DETERMINISTIC
BEGIN
  DECLARE hashval INT;
  DECLARE hashme VARCHAR(30);
  -- Bucket on the low 32 bits of MD5(upper-cased input). MD5 is only a spreading
  -- function here, not a security control. hashsize = 0 yields NULL (x % 0 is NULL).
  SET hashme = UPPER(hashthis);
  SET hashval = CONV(SUBSTR(MD5(hashme), -8), 16, 10) % hashsize;
  RETURN hashval;
END|
DELIMITER ;

DELIMITER |
-- Reads tables, so declared READS SQL DATA rather than DETERMINISTIC.
CREATE FUNCTION determineGroupByHash(client_mac VARCHAR(17), client_username VARCHAR(64))
RETURNS VARCHAR(64)
READS SQL DATA
BEGIN
  DECLARE hashval INT;
  DECLARE hashsize INT;
  DECLARE chain_pref VARCHAR(32);
  DECLARE returngroup VARCHAR(64);

  SET @rownum = -1;
  SET chain_pref = determinePreferredChain(client_mac, client_username);
  -- Spread clients over the ACTIVE groups of the preferred chain: bucket = hash(MAC) mod N,
  -- then take the bucket-th group in groupname order (rows numbered via the @rownum
  -- session variable inside the subquery).
  SELECT COUNT(*) INTO hashsize FROM radhashgroup WHERE status = 'ACTIVE' AND chain = chain_pref;
  SET hashval = simpleHash(client_mac, hashsize);
  SELECT r1.groupname INTO returngroup
    FROM (SELECT @rownum := @rownum + 1 AS hash_value, groupname
            FROM radhashgroup
           WHERE status = 'ACTIVE' AND chain = chain_pref
           ORDER BY groupname ASC) AS r1
   WHERE hash_value = hashval;
  RETURN returngroup;  -- NULL when the chain has no ACTIVE group (hashsize = 0)
END|
DELIMITER ;
```
MySQL Foo for VLAN Steering

```sql
DELIMITER |
CREATE FUNCTION determinePreferredChain(client_mac VARCHAR(17), client_username VARCHAR(64))
RETURNS VARCHAR(64)
READS SQL DATA
BEGIN
  DECLARE returnchain VARCHAR(64);
  -- A per-user, per-device preference in user_prefs overrides the default chain.
  IF EXISTS(SELECT chain FROM user_prefs
            WHERE (mac_address = client_mac AND username = client_username) LIMIT 1) THEN
    SELECT chain INTO returnchain FROM user_prefs
     WHERE (mac_address = client_mac AND username = client_username) LIMIT 1;
  ELSE
    SET returnchain = 'stateful';
  END IF;
  RETURN returnchain;
END|
DELIMITER ;
```

In $RADIUS/etc/raddb/sql/mysql/dialup.conf:

```
# rlm_sql escapes the %{...} expansions according to the module's safe-characters
# list before they are substituted into the query; keep that in place, since
# User-Name (and so SQL-User-Name) is supplied by the supplicant.
group_membership_query = "SELECT determineGroup('%{Calling-Station-Id}','%{SQL-User-Name}','%{Called-Station-Id}') AS groupname"
```
MySQL Foo for VLAN Steering

```
mysql> select * from mage;
+---------------+-----------+-------+
| account_index | uid       | login |
+---------------+-----------+-------+
|        313171 | blinkie3  |     1 |
|            12 | twx63     |     1 |
|            23 | mandy     |     0 |
+---------------+-----------+-------+

mysql> select * from radhashgroup;
+----+-----------+---------------+---------+
| id | groupname | chain         | status  |
+----+-----------+---------------+---------+
|  1 | vlan1296  | authenticated | STANDBY |
|  2 | vlan1296  | stateful      | STANDBY |
|  4 | vlan0316  | stateful      | ACTIVE  |
|  8 | vlan1332  | authenticated | ACTIVE  |
|  6 | vlan0808  | stateful      | ACTIVE  |
|  7 | vlan1312  | stateful      | ACTIVE  |
+----+-----------+---------------+---------+

mysql> select * from user_prefs;
+----+----------+-------------------+---------------+
| id | username | mac_address       | chain         |
+----+----------+-------------------+---------------+
|  3 | mandy    | 55:b0:3a:67:55:9b | authenticated |
+----+----------+-------------------+---------------+

mysql> select * from radusergroup order by priority;
+-----+--------------+-------------------+-----------+-----------+----------+------------------------+
| id  | username     | mac_address       | source_ap | groupname | priority | comment                |
+-----+--------------+-------------------+-----------+-----------+----------+------------------------+
| 375 | blinkie3     |                   |           | vlan1296  |      100 | block_id:3423          |
| 393 | mango678     |                   |           | vlan1296  |      100 | block_id:3768          |
| 506 | smcdaniel12  | 00:21:6a:78:8b:74 |           | vlan1296  |      300 | testing for Steven McD |
| 516 | jdouglass187 |                   |           | vlan0316  |      400 | testing for johnd      |
+-----+--------------+-------------------+-----------+-----------+----------+------------------------+
```
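To see what the steering functions actually decide for the sample rows above, here is a Python model of determineGroup, determineGroupByHash, determinePreferredChain and simpleHash run over in-memory copies of the four tables. This is an added example, not code from the slides or from LAWN; the client MACs used for twx63, the test Called-Station-Id values, and the radius_reply() mapping from a group name to RFC 3580 VLAN attributes (the slides do not show the radgroupreply table) are assumptions.

```python
"""Added example, not code from the slides: a Python model of the MySQL steering
functions determineGroup / determineGroupByHash / determinePreferredChain / simpleHash,
run over in-memory copies of the sample tables from the mysql> listings. The client
MACs used for twx63 below and the radius_reply() VLAN mapping are assumptions."""
import hashlib

# Constructed copies of the four tables shown on the slides (same rows, same values).
SAMPLE_DB = {
    "mage": [{"uid": "blinkie3", "login": 1}, {"uid": "twx63", "login": 1},
             {"uid": "mandy", "login": 0}],
    "radhashgroup": [
        {"groupname": "vlan1296", "chain": "authenticated", "status": "STANDBY"},
        {"groupname": "vlan1296", "chain": "stateful", "status": "STANDBY"},
        {"groupname": "vlan0316", "chain": "stateful", "status": "ACTIVE"},
        {"groupname": "vlan1332", "chain": "authenticated", "status": "ACTIVE"},
        {"groupname": "vlan0808", "chain": "stateful", "status": "ACTIVE"},
        {"groupname": "vlan1312", "chain": "stateful", "status": "ACTIVE"},
    ],
    "user_prefs": [{"username": "mandy", "mac_address": "55:b0:3a:67:55:9b",
                    "chain": "authenticated"}],
    # A blank mac_address / source_ap means that column is not part of the row's rule.
    "radusergroup": [
        {"username": "blinkie3", "mac_address": "", "source_ap": "", "groupname": "vlan1296", "priority": 100},
        {"username": "mango678", "mac_address": "", "source_ap": "", "groupname": "vlan1296", "priority": 100},
        {"username": "smcdaniel12", "mac_address": "00:21:6a:78:8b:74", "source_ap": "", "groupname": "vlan1296", "priority": 300},
        {"username": "jdouglass187", "mac_address": "", "source_ap": "", "groupname": "vlan0316", "priority": 400},
    ],
}

def clean_mac(mac):
    """Same normalisation as the SQL: lower-case, '-' separators become ':'."""
    return mac.lower().replace("-", ":")

def clean_ap(called_station_id):
    """Called-Station-Id is '<AP MAC>:<SSID>'; like the SQL, keep only the first 17 chars."""
    return clean_mac(called_station_id[:17])

def simple_hash(value, hashsize):
    """CONV(SUBSTR(MD5(UPPER(x)), -8), 16, 10) % hashsize. None for hashsize 0, as
    MySQL's x % 0 is NULL. MD5 is only a bucketing function here."""
    if hashsize == 0:
        return None
    return int(hashlib.md5(value.upper().encode()).hexdigest()[-8:], 16) % hashsize

def preferred_chain(mac, username, db):
    """determinePreferredChain: per-user, per-device override, else 'stateful'."""
    for row in db["user_prefs"]:
        if row["mac_address"] == mac and row["username"] == username:
            return row["chain"]
    return "stateful"

def group_by_hash(mac, username, db):
    """determineGroupByHash: bucket the MAC over the chain's ACTIVE groups in groupname order."""
    chain = preferred_chain(mac, username, db)
    active = sorted(r["groupname"] for r in db["radhashgroup"]
                    if r["status"] == "ACTIVE" and r["chain"] == chain)
    idx = simple_hash(mac, len(active))
    return None if idx is None else active[idx]  # None: the chain has no ACTIVE group

def determine_group(calling_station_id, username, called_station_id, db):
    """determineGroup: explicit radusergroup rule (lowest priority wins); otherwise hash
    accounts with login > 0 onto a VLAN; everyone else is NOTAUTHORIZED."""
    mac, ap = clean_mac(calling_station_id), clean_ap(called_station_id)
    rows = db["radusergroup"]

    def rule_matches(r):
        u, m, p = r["username"] == username, r["mac_address"] == mac, r["priority"]
        return (((u or m) and p == 100)
                or (u and m and r["source_ap"] == ap and p == 150)
                or (m and p == 200) or (u and m and p == 300) or (u and p == 400)
                or r["username"] == "DEFAULT")

    if any(r["username"] == username or r["mac_address"] == mac for r in rows):
        hits = sorted((r for r in rows if rule_matches(r)), key=lambda r: r["priority"])
        if hits:
            return hits[0]["groupname"]
    if any(r["uid"] == username and r["login"] > 0 for r in db["mage"]):
        return group_by_hash(mac, username, db)
    return "NOTAUTHORIZED"

def radius_reply(groupname):
    """RFC 3580 VLAN attributes for the chosen group. Assumption (the slides do not show
    radgroupreply): group 'vlanNNNN' maps to VLAN NNNN, and NOTAUTHORIZED or no group
    yields no VLAN attributes at all."""
    if not groupname or groupname == "NOTAUTHORIZED":
        return None
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(int(groupname[4:]))}
```

Two properties of the algorithm are worth keeping in mind when operating it. First, the hash is a plain modulus over the ACTIVE set in groupname order, not a consistent hash: flipping one group between ACTIVE and STANDBY changes N and re-buckets every hashed client on that chain, so the VLAN a device lands on can change overnight even though the device and user did not. Second, the block rows carry a blank mac_address; if that column holds an empty string rather than NULL, a request whose Calling-Station-Id is empty matches those priority-100 rows and is steered to the block group, which fails closed.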
(2011) LAWN Version 4.4
User Distribution on 802.1x (charts: VLAN Distribution; WEP vs 802.1x)
Significant Challenges for 802.1x
• Not all clients support it (fallback = captive portal)
• Configuration gotchas on all platforms
• Difficult to put together an accurate timeline of activity when debugging
• AD integration (this adds a new dependency)
Future Opportunities and Challenges
• Many consumer grade devices do not (and will not) support 802.1x (WPA-Enterprise)
• Centralized steering with radius is not as dependent upon controller based or single vendor architecture
• Acts as a new jumping off point for an 802.1x wired solution using similar/identical technologies
For More Information
• http://www.lawn.gatech.edu
• http://www.freeradius.org
• [email protected]
• [email protected]

Evaluation (Be Kind but Honest!!)
http://www.resnetsymposium.org/rspm/evaluation/