
Paul Dekkers April 4th, Turkey


Presentation Transcript


  1. Paul Dekkers April 4th, Turkey

  2. Contents: From 802.1x to eduroam
     • Freshing up
     • Background
     • Considerations
     • Solutions: 802.1x, eduroam

  3. Freshing up…
     • WLAN: every wireless network has a name, an (in)visible SSID (Service Set Identity); access / encryption with “keys”
     • WEP, Wired Equivalent Privacy
     • WPA (with pre-shared key)
     • 802.11 (“wireless Ethernet”, MAC): 802.11b, 802.11g, 802.11a (radio layer, channels)

  4. Background
     • Traditional WLAN not safe
     • Who uses the network? (abuse, limiting the user group)
     • Are people eavesdropping? (no physical boundaries)
     • How do we provide access to guests?
     • Distribution of “secrets” (WEP key)?

  5. Traditional WLANs are unsafe, even with:
     • Non-broadcasted SSID
     • MAC-address restrictions
     • WEP, Wired-Equivalent-Privacy

  6. Users are mobile
     [diagram: University A, University B and a student dormitory, each behind its own access provider (WLAN, GPRS/UMTS, ADSL), connected through the Internet backbone and international connectivity]

  7. Requirements
     • Identify users uniquely at the edge of the network
     • No session hijacking
     • Enable guest usage
     • Scalable
     • Local user administration and authentication
     • Easy to install and use: at most a one-time installation by the user
     • Open
     • Secure

  8. Solutions … for guest usage:
     • Web-based captive portal: scalable, not safe (no encryption, hijacking)
     • VPN/PPPoE: not scalable, safe path
     • 802.1x: scalable, safe; security at the edge of the network
     802.1x is the basis for the next-generation standards (WPA-Enterprise, 802.11i)

  9. Secure access to the network with 802.1X
     [diagram: supplicant, authenticator (AP or switch) and RADIUS server of University A with its user DB; user jan@student.university_a.nl; Commercial, Employee and Student VLANs; Internet; legend distinguishes signaling from data]
     • 802.1X
     • (VLAN assignment)

  10. 802.1x and EAP (Extensible Authentication Protocol)
     • Different EAP types
     • The (home) organization decides which type
     • EAP types with SSL/TLS: “mutual authentication”
     • Encryption keys are derived from the SSL session
     • EAP is transported and proxied in RADIUS

  11. Common EAP types
     • EAP-TLS: strong authentication with a client certificate
     • EAP-TTLS: DIAMETER/RADIUS (e.g. username/password in PAP) in a TLS tunnel; usable with all username/password backends
     • EAP-PEAP: Microsoft implementation with username/password via MSCHAPv2; easily deployable with AD
     • EAP-FAST: username/password authentication the Cisco way; roll-out more complex, uses no SSL/TLS
     • EAP-SIM: strong authentication using the SIM of your phone
     • ... LEAP, EAP-MD5 are old and weak

  12. 802.1x guest usage: eduroam!
     [diagram: secured tunnel from the supplicant through the authenticator (AP or switch) and the RADIUS server of institution A, via a central RADIUS proxy server, to the RADIUS server of institution B, each institution with its own user DB; guest user@institution-B.nl lands in the guest VLAN, regular users in the regular VLAN; Internet]
     Trust based on RADIUS plus policy documents

  13. eduroam: (inter)national roaming

  14. eduroam architecture
     • Security based on 802.1X
     • Protection of credentials: EAP
     • New technologies (WPA, 802.11i) based on 802.1x
     • Different authentication mechanisms possible by using EAP (Extensible Authentication Protocol): username/password, X.509 certificates, SIM cards
     • Dynamic VLAN assignment
     • Roaming based on RADIUS proxying (Remote Authentication Dial In User Service): the transport protocol for authentication information
     • Trust fabric based on:
       • Technical: RADIUS hierarchy
       • Policy: documents/contracts that define the responsibilities of user, institution, NREN and the eduroam federation
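The technical half of the trust fabric is hop by hop: every link in the RADIUS hierarchy (institution to national proxy, national proxy to European servers) has its own shared secret, and each reply on a link is authenticated with that link's secret. The Python example below is added here and is not part of the original presentation or of any eduroam software; it builds and verifies the RFC 2865 Response Authenticator (MD5 over code, identifier, length, the Request Authenticator, the reply attributes and the shared secret) and carries a dynamic VLAN assignment in the RFC 2868 tunnel attributes. The secret, identifier, request authenticator and VLAN number are constructed values for the example.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

# Tunnel attributes (RFC 2868) used to carry a dynamic VLAN assignment
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6 = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN id as text


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    out = b""
    for attr_type, value in attrs:
        if not 0 < len(value) + 2 <= 255:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def vlan_attrs(vlan_id):
    """Attributes a home server sends to place the user in a VLAN."""
    return [
        (TUNNEL_TYPE, b"\x00\x00\x00\x0d"),         # VLAN (13)
        (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),  # IEEE 802 (6)
        (TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()),
    ]


def build_response(code, ident, request_auth, attrs, secret):
    """Build an Access-Accept/Reject whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """True only if the Response Authenticator matches the Request
    Authenticator this hop sent and the shared secret of this hop."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_vlan(packet):
    """Extract the Tunnel-Private-Group-Id (VLAN) from a verified reply."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return None  # malformed attribute list
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            return packet[pos + 2:pos + attr_len].decode()
        pos += attr_len
    return None


def demo():
    """Constructed exchange: the home server answers over a proxy link
    protected by link_secret; the proxy accepts that reply but refuses one
    signed with another secret or altered in transit."""
    request_auth = bytes(range(16))  # constructed; normally 16 random bytes
    link_secret = b"constructed-link-secret"
    reply = build_response(ACCESS_ACCEPT, 42, request_auth, vlan_attrs(101), link_secret)
    genuine = verify_response(reply, request_auth, link_secret)
    forged = verify_response(
        build_response(ACCESS_ACCEPT, 42, request_auth, vlan_attrs(101), b"other-secret"),
        request_auth, link_secret)
    tampered = bytearray(reply)
    tampered[-1] ^= 0x01  # flip one bit of the VLAN id after signing
    altered = verify_response(bytes(tampered), request_auth, link_secret)
    return genuine, forged, altered, parse_vlan(reply)


if __name__ == "__main__":
    print(demo())  # (True, False, False, '101')
```

The check covers replies only; for EAP traffic RFC 3579 additionally requires the Message-Authenticator attribute (an HMAC-MD5 over the whole packet with the same secret) on requests and replies, which is what stops an Access-Request from being altered on a link. Because each hop verifies with its own secret, a national proxy never needs to know the secret between an institution and its access points, and a compromised secret exposes only that one link, which is why the join procedure on later slides exchanges a separate secret per pair of servers.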

  15. The eduroam policy

  16. National policy (federation)
     • Mutual access
     • Members are connected institutions
     • The home institution is/remains responsible for its users' behaviour
     • The home institution is responsible for proper user management
     • Home and visited institution must keep sufficient log data
     • Appropriate security levels

  17. The European eduroam policy (confederation)
     • Mutual access
     • Home institutions are/remain responsible for their users abroad
     • Members are NRENs (national federations)
     • Members guarantee the required security levels by their participants
     • Members promote eduroam in their countries
     • European eduroam may peer with other regions

  18. The status of eduroam

  19. Status of eduroam
     Over 500 institutions in Europe, Australia and Taiwan
     • New members: Lithuania, Romania, Hungary, China, Hong Kong, Cyprus
     • USA, Japan, Korea will follow shortly

  20. eduroam
     • Provides global network roaming
     • Strong technical foundation: RADIUS, 802.1X
     • Lingua franca: EAP
     • Needs ubiquity

  21. Joining eduroam

  22. Joining eduroam for an NREN
     • Set up a proxy server that:
       • Accepts requests for *.cc-tld and forwards them to the right institution
       • Accepts requests for non-*.cc-tld and forwards them to the European servers
     • Send an (encrypted) e-mail to join@eduroam.org with:
       • FQDN of the top-level RADIUS server(s)
       • IP addresses of the top-level RADIUS servers
       • Shared secret to use between the European servers and the national server(s)
       • URL of the national eduroam website
       • Information about a test account
       • Contact details of the admin
     • Sign the policy agreement

  23. Joining eduroam for an institution
     • Set up your local 802.1X infrastructure
     • Accept requests for your-domain.cc-tld and process them
     • Proxy requests for non-local users to the national server
     • Send an (encrypted) e-mail to your NREN with:
       • FQDN of your top-level RADIUS server(s)
       • IP addresses of your top-level RADIUS servers
       • Shared secret to use between your server(s) and theirs
       • URL of your eduroam website
       • Information about a test account
       • Contact details of the admin
     • Sign the policy document
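Both join procedures come down to one routing decision on the realm of the outer User-Name: an institution server handles its own realms and proxies the rest to the national server, and the national server sends *.cc-tld realms to the member that owns them and everything else to the European servers. The Python example below, added here and not taken from the presentation or from any eduroam proxy software, implements both decisions for the two slides above; the member table, server names and user names are constructed, and the choice to reject a domestic realm that no member owns (rather than forward it) is the author's own design decision, made so that a mistyped realm cannot bounce between the national and European servers.

```python
def split_realm(user_name):
    """Return the lower-cased realm of an outer User-Name such as
    jan@student.university-a.nl, or None if there is no usable realm."""
    local_part, sep, realm = user_name.rpartition("@")
    realm = realm.strip().lower()
    if not sep or not local_part or not realm:
        return None
    return realm


def institution_route(user_name, local_realms):
    """Decision of an institution's RADIUS server: authenticate its own
    realms locally, proxy every other realm to the national server."""
    realm = split_realm(user_name)
    if realm is None:
        return ("reject", "no realm in User-Name")
    if realm in local_realms:
        return ("local", realm)
    return ("national", realm)


def nren_route(user_name, cc_tld, members):
    """Decision of the national top-level proxy: realms under the
    country's TLD go to the member institution owning them (longest
    suffix match, so student.university-a.nl is served by the entry for
    university-a.nl); other realms go to the European servers; a domestic
    realm no member owns is rejected here instead of being forwarded."""
    realm = split_realm(user_name)
    if realm is None:
        return ("reject", "no realm in User-Name")
    if realm == cc_tld or realm.endswith("." + cc_tld):
        for member_realm in sorted(members, key=len, reverse=True):
            if realm == member_realm or realm.endswith("." + member_realm):
                return ("institution", members[member_realm])
        return ("reject", "no member institution for realm " + realm)
    return ("european", realm)


# Constructed member table of a fictitious national federation for ".nl"
MEMBERS = {
    "university-a.nl": "radius.university-a.nl",
    "institution-b.nl": "radius.institution-b.nl",
}

if __name__ == "__main__":
    for name in ("jan@student.university-a.nl", "guest@institution-b.nl",
                 "someone@uni.de", "typo@unknwon.nl", "nobody"):
        print(name, "->", nren_route(name, "nl", MEMBERS))
```

A local realm that is also a suffix of another member's realm is handled by the longest-suffix rule; the institution side keeps an explicit set of its own realms so that a visitor whose realm merely resembles a local one is still proxied outward rather than looked up in the local user database.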

  24. Conclusions

  25. Conclusions
     • 802.1X provides secure, future-ready, scalable access to the campus network
     • Enabling eduroam is easy once 802.1X is in place
     • Handbook and (other) easy configuration examples available
     • Many have already joined, so

  26. Join….

  27. More information
     • eduroam in SURFnet: http://www.eduroam.nl
     • eduroam in Europe: http://www.eduroam.org
     • TERENA TF-Mobility: http://www.terena.nl/mobility
     • The unofficial IEEE 802.11 security page: http://www.drizzle.com/~aboba/IEEE
