Setting up eduroam. Issue 2.0.

Presentation Transcript
COURSE OBJECTIVES
  • By the end of the training, you will be able to:
    • Describe eduroam services and technology.
    • Implement a Service Provider and an Identity Provider in accordance with eduroam policy.
    • Deliver eduroam training to other organisations within your country.
  • The training will also give you the opportunity to provide feedback about eduroam and the eduroam service.
COURSE OUTLINE
  • Module 1 – eduroam Overview.
  • Module 2 – The eduroam Service.
  • Module 3 – Setting up an eduroam Service Provider.
  • Module 4 – Configuring an eduroam Identity Provider.
  • Module 5 – Log Files, Statistics and Incidents.
  • Module 6 – Participant Feedback about eduroam Technology and Services.
WHAT IS eduroam?

eduroam:

Stands for EDUcation ROAMing.

Provides secure internet access for academic roamers.

User experience - “Open your laptop and be online.”

WHY eduroam?

Researchers:

Travel with WLAN-enabled notebooks.

Want transparent, secure network access.

Want similar experience at visited institution as home.

Experience facilitated by seamless sharing of network resources.

Better for roamers, easier for administrators.

A BRIEF HISTORY OF eduroam

Initially developed out of the TERENA Mobility Task Force.

Now part of the GÉANT2 project:

Joint Research Activity 5 (JRA5).

Service Activity 5 (SA5).

“Open Your laptop and be online”.

HIGH-LEVEL REQUIREMENTS

The eduroam design:

Enables guest usage of visited networks.

Guarantees reasonable security and data integrity.

Identifies users uniquely at the network’s edge.

Complies with privacy regulations.

Is verifiable.

Is open.

Is scalable, robust, easy to install and use.

Keeps user administration and authentication local to the home institution.

eduroam: AUTHENTICATION AND AUTHORISATION

Authentication:

Is the user who they say they are?

Carried out by user’s home institution.

Authorisation:

What network access should the user be granted?

Determined by visited institution.

TERMINOLOGY AND CONCEPTS

Home institution = Identity Provider.

Provides identity management database.

Responsible for user authentication.

Visited institution = Service Provider.

Provides network infrastructure (e.g. Access points, VLANS, internet access, RADIUS servers).

Responsible for user authorisation.

AUTHENTICATION AND 802.1x (1)

eduroam uses IEEE 802.1x.

Layer 2 port-based Network Access Control standard.

Detects user at network’s edge.

Network’s edge = a port on Network Access Server (NAS).

NAS could be:

A Wireless Access Point.

An 802.1x compatible wired switch.

AUTHENTICATION AND 802.1x (2)

Until identity is proven:

Allows only 802.1x EAP over LAN (EAPOL) frames, i.e. the Extensible Authentication Protocol (EAP) exchange, to enter the network.

All other traffic (e.g. DHCP, HTTP) is blocked at the data link layer.

AUTHENTICATION AND 802.1x (3)

Advantages of 802.1x:

Uses EAP, which allows several authentication methods.

Therefore compatible with a range of EAP authentication methods, e.g.:

EAP-TLS, EAP-TTLS, PEAP.

Secure:

The EAP exchange yields per-session keying material, so the WLAN link is encrypted with dynamic per-user keys instead of a shared static key.

Easy to integrate with dynamic VLAN assignment (802.1q).

Scalable:

RADIUS back-end re-uses existing trust relationships.

802.1x supplicants (clients) easy to find and configure:

Mac OS X, Windows XP, 2000, Vista: built-in supplicants.

UNIX and Linux: supplicants readily available.

AUTHENTICATION AND 802.1x (4)

[Diagram: at Institution A the Supplicant (user jan@student.institution_a.nl) talks EAPOL to the Authenticator (AP or switch); the Authenticator carries EAP over RADIUS to Institution A's RADIUS server, which checks the User DB (f.i. LDAP). After success the client is placed on the Guest, Employee or Student VLAN with access to the Internet. Signalling and data paths are drawn separately.]

THE AUTHENTICATION PROCESS (1)

Steps:

User opens laptop in range of Network Access Server (NAS).

Attempts to connect to SSID ‘eduroam’.

NAS detects new supplicant.

Port enabled and set to ‘unauthorised’.

Only 802.1x traffic allowed; other traffic blocked.

THE AUTHENTICATION PROCESS (2)
  • Steps (Continued):
    • NAS sends out an Extensible Authentication Protocol (EAP) request.
    • Supplicant answers with an EAP response carrying its (outer) identity; the EAP method then runs end-to-end between supplicant and home server.
      • The user logs on with the "eduroam" credentials of the home institution, regardless of the location.
    • NAS forwards the EAP messages, encapsulated in RADIUS, towards the user’s Identity Provider.
    • Identity Provider validates the credentials against its local user database.
    • The result (Access-Accept or Access-Reject) is returned to the Service Provider.
    • Port set to ‘authorized’.
      • Normal traffic is allowed.
FORWARDING THE USER’S CREDENTIALS (1)
  • The user’s credentials are forwarded via a hierarchy of RADIUS servers: institution, federation, confederation top level.
FORWARDING THE USER’S CREDENTIALS (2)

Realm-based proxying:

User names are in the format user@realm, where the realm is a DNS-like domain name.

The realm is used to choose the next hop in the hierarchy.

An institution’s RADIUS server only communicates with:

Its federation’s RADIUS server.

Its own institution’s NASs.

Shared secrets (one per peer) authenticate the neighbouring servers in the hierarchy.

FORWARDING THE USER’S CREDENTIALS (3)

European confederation has Top-Level RADIUS servers (ETLRs):

In the Netherlands, and

In Denmark.

Each has a list of connected country domains.

.nl, .dk, .hr, .de etc.

Each ETLR:

Accepts requests for its connected countries.

Forwards them to appropriate Federation Level RADIUS server.

Forwards requests for other countries to other TLRs (e.g. Asia-Pacific).

FORWARDING THE USER’S CREDENTIALS (4)

Federation Top Level RADIUS servers (FLRs):

One for each National Roaming Operator (NRO).

Hold lists of connected institution servers and associated realms.

Forwards requests to appropriate institution’s server,

or

Forwards requests to its ETLRs.

FORWARDING THE USER’S CREDENTIALS (5)

Institutional RADIUS Servers:

Handle their own realm locally and forward requests from roamers (foreign realms) to their FLR.
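To make the realm-based routing of the last five slides concrete, here is an added Python example (not part of the course and not eduroam software) that parses the outer User-Name as an RFC 4282 NAI and walks a small constructed hierarchy. The node names (uni-a, uni-b, flr-aq, flr-hr, etlr), the realms and the rejection rules for realm-less or unroutable names are assumptions chosen to match the course's .aq exercise.

```python
"""Realm-based RADIUS request routing, as in the eduroam hierarchy.

Added example for the course material; not eduroam software. The hierarchy
(institutions uni-a and uni-b, federations flr-aq and flr-hr, one ETLR) and
all realms are assumptions chosen to match the course's .aq exercise.
"""
import re

# RFC 4282 NAI: user@realm. Realm labels are DNS-like and compared
# case-insensitively. Underscore is accepted only because the course's own
# example realm (university_b.hr) uses it.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9_-]*[a-z0-9])?$")


def split_nai(user_name):
    """Return (user, realm) for an outer User-Name, or None if it cannot be routed.

    Only the realm drives routing; the user part may be 'anonymous' when a
    TLS-based EAP method carries the real identity inside the tunnel.
    """
    if user_name.count("@") != 1:
        return None                     # no realm, or several '@' signs
    user, realm = user_name.split("@")
    realm = realm.lower()
    labels = realm.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lab) for lab in labels):
        return None                     # e.g. 'joe@localhost': never forward these upstream
    return user, realm


class RadiusNode:
    """One proxy in the hierarchy: its own realms, the realms it routes down, and its uplink."""

    def __init__(self, name, local_realms=(), children=None, uplink=None):
        self.name = name
        self.local_realms = {r.lower() for r in local_realms}
        self.children = {k.lower(): v for k, v in (children or {}).items()}  # realm suffix -> node
        self.uplink = uplink            # None at the top of the hierarchy

    @staticmethod
    def _under(realm, suffix):
        return realm == suffix or realm.endswith("." + suffix)

    def next_hop(self, realm):
        if any(self._under(realm, r) for r in self.local_realms):
            return "LOCAL"
        # longest suffix first, so a sub-realm reaches the server that owns its parent
        for suffix in sorted(self.children, key=len, reverse=True):
            if self._under(realm, suffix):
                return self.children[suffix]
        return self.uplink or "REJECT"  # top-level server with no owner for this realm


def route(nodes, start, user_name):
    """Walk the hierarchy from 'start'; the returned list ends in LOCAL, REJECT or LOOP."""
    parsed = split_nai(user_name)
    if parsed is None:
        return [start, "REJECT"]
    _, realm = parsed
    path, seen = [start], {start}
    while True:
        hop = nodes[path[-1]].next_hop(realm)
        if hop in ("LOCAL", "REJECT"):
            return path + [hop]
        if hop in seen:
            return path + [hop, "LOOP"]  # nobody owns the realm and the tables bounce it around
        seen.add(hop)
        path.append(hop)


# Constructed topology: two countries below one ETLR (names are assumptions).
NODES = {n.name: n for n in [
    RadiusNode("etlr", children={"aq": "flr-aq", "hr": "flr-hr"}),
    RadiusNode("flr-aq", children={"uni-a.aq": "uni-a"}, uplink="etlr"),
    RadiusNode("flr-hr", children={"university_b.hr": "uni-b"}, uplink="etlr"),
    RadiusNode("uni-a", local_realms=["uni-a.aq"], uplink="flr-aq"),
    RadiusNode("uni-b", local_realms=["university_b.hr"], uplink="flr-hr"),
]}

if __name__ == "__main__":
    for name in ("jan@uni-a.aq", "anonymous@university_b.hr", "joe@unknown.de", "x@other.aq", "joe"):
        print(f"{name:28} {' > '.join(route(NODES, 'uni-a', name))}")
```

The LOOP outcome for x@other.aq shows the case a practitioner has to guard against: a national realm that no institution has registered gets bounced between the ETLR and the FLR until something drops it. The fix belongs at the FLR, which should reject realms under its own country suffix that it does not know rather than passing them upwards.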

ENSURING USER CREDENTIAL SECURITY

Users’ credentials are tunnelled through the RADIUS hierarchy.

User credential security is a necessity in eduroam.

Recommended approach:

An EAP method that wraps the exchange in TLS (EAP-TLS, EAP-TTLS, PEAP).

Mutual authentication: the client verifies the IdP’s server certificate, the IdP verifies the user.

Credentials are encrypted end-to-end between supplicant and IdP, so the intermediate RADIUS proxies never see them.

Sending unencrypted credentials is prohibited.

THE AUTHORISATION PROCESS
  • VLANs in Service Provider each have different permissions.
  • Each VLAN connected to different parts of campus.
  • When authentication is successful:
    • Service Provider’s RADIUS server sends configuration options to NAS.
    • NAS assigns client to a VLAN.
MAIN COMPONENTS OF eduroam

Network Access Server (NAS):

Wireless Access Point or

802.1x compatible wired switch.

Client with configured supplicant.

Hierarchy of RADIUS Authentication Servers (AS).

IEEE 802.1x.

IEEE 802.1q.

Standard for VLAN assignment.

HOW DO THE PIECES FIT TOGETHER? AN EXAMPLE

[Diagram: user joe@university_b.hr connects at University A. The Supplicant runs 802.1X + EAP with the Authenticator (AP or switch); University A’s RADIUS server proxies the request via the Central RADIUS Proxy server to University B’s RADIUS server, which checks its own User DB (University A’s users are checked against University A’s User DB). On success the client is placed in the Commercial (XYZnet), Employee or Student VLAN. Signalling and data paths are drawn separately.]

  • Trust: RADIUS & policy documents
  • 802.1X + EAP
  • (VLAN assignment)

KEY eduroam TECHNOLOGIES (1)

Security based on IEEE 802.1x:

Standard for port-based network access control.

Carries EAP, which with a TLS-based method protects the credentials in transit.

Integrates with VLAN assignment through IEEE 802.1q:

Standard for VLAN assignment.

Authentication based on Extensible Authentication Protocol (EAP):

Facilitates a variety of authentication mechanisms at users’ Identity Providers.

KEY eduroam TECHNOLOGIES (2)

Roaming based on RADIUS proxying.

RADIUS = Remote Authentication Dial In User Service.

A transport protocol for authentication information.

Trust fabric based on:

Hierarchy of RADIUS servers.

The eduroam policy.

eduroam OVERVIEW: RECAP
  • Secure, robust, stable service.
  • Easy to set up and install.
  • Allows European scientific community to roam.
    • ‘Open your laptop and be online’.
  • Authentication at home, authorisation at Service Provider.
THE eduroam CONFEDERATION POLICY
  • What is the eduroam policy?
    • Documents and contracts that define the responsibilities of:
      • The European confederation.
      • Federations / NRENs (NROs).
      • Institutions.
      • Users.
    • A contract between the NRO and DANTE.
LOCAL eduroam POLICIES
  • In addition to the confederation’s policy,
  • NROs may also have their own local eduroam policy.
    • Allows for regional variations.
THE EUROPEAN eduroam CONFEDERATION
  • Hierarchical structure:
    • Institutions with eduroam service points
      • Belong to
    • Federations – one for each country / NREN,
      • Which belong to
    • The European eduroam confederation,
      • Which covers the whole of Europe.
  • Provides the experience: “Open your laptop and be online”.
    • Users given secure network access within the confederation.
WHAT IS THE EUROPEAN eduroam CONFEDERATION?
  • Members:
    • Are European NRENs / NROs (National Roaming Operators).
    • Must sign the European eduroam policy.
      • Commits them to technological and organisational requirements.
PRINCIPLES OF THE EUROPEAN eduroam CONFEDERATION
  • Mutual network access without fees.
  • Authentication at home; authorisation at Service Provider.
  • Identity Providers remain responsible for roamers.
  • Member NRENs promote eduroam in their countries.
  • European confederation may peer with other international confederations.
MAKING THE EUROPEAN SERVICE WORK
  • The GÉANT2 Service Activity, SA5:
    • Encompasses everything necessary to make the eduroam service work:
      • (Confederation) technical infrastructure.
      • Establishing trust between the member federations.
      • Supporting infrastructure
        • Monitoring and diagnostic facilities.
        • The eduroam database, a central data repository.
        • The eduroam web site (www.eduroam.org).
        • Confederation level user support.
        • Trouble Ticketing System (TTS).
        • Mailing Lists.
THE eduroam SERVICE MODEL

European eduroam service (governed by SA5)
  eduroam confederation service (provided by the Operational Team, the OT)
    national eduroam service (provided by NREN/NRO)
    ...
    national eduroam service (provided by NREN/NRO)

USER TYPES AND SERVICE ELEMENTS

Service element                                    | End user | Inst. level personnel                        | Federation-level personnel
---------------------------------------------------|----------|----------------------------------------------|---------------------------
Basic monitoring facilities                        | Yes      | Yes                                          | Yes
Full monitoring and diagnostics facilities         | No       | Yes (limited to information about own inst.) | Yes
Public access to the eduroam web site              | Yes      | Yes                                          | Yes
Access to the internal eduroam web site            | No       | Yes (limited to information about own inst.) | Yes
Public access to the eduroam database              | Yes      | Yes                                          | Yes
Access to all information in the eduroam database  | No       | Yes (limited to information about own inst.) | Yes
TTS                                                | No       | Yes                                          | Yes
SA5/OT mailing lists                               | No       | No                                           | Yes
Support from OT                                    | No       | No                                           | Yes

MONITORING eduroam
  • What must be monitored?
    • Servers.
      • Are they accessible?
    • Infrastructure.
      • Is it working?
    • User experience.
      • Is it satisfactory?
MONITORING CONCEPT: OVERVIEW

[Diagram: the Monitoring Client sends RADIUS requests (PAP, EAP etc.) to the monitored RADIUS Proxy Server, which forwards them to an IdP RADIUS Server run for this purpose (a loopback server) and passes the RADIUS response back to the client.]

THE MONITORING PROCESS (1)
  • Monitoring is a two step process:
    • Reject test.
    • Accept test.
THE MONITORING PROCESS (2)
  • For both steps:
    • Client creates RADIUS attributes.
    • Client creates RADIUS request for selected AuthN type.
    • Client sends RADIUS request. Starts measuring response time.
    • Monitored RADIUS proxy handles request and returns response.
    • Client evaluates response and updates database.
  • Monitored server marked okay if it passes both tests.
MONITORING SERVERS

[Diagram: the monitoring client tests the ETLRs and the FTLRs directly and records the results in the monitoring database.]

MONITORING INFRASTRUCTURE

[Diagram: the monitoring client sends requests through one FTLR, via the ETLR(s)/TLR(s), to another FTLR, so the whole proxy path is exercised; results go to the monitoring database.]

TESTING ON DEMAND

[Diagram: on request, the monitoring client runs a test between realm A and realm B through their FTLRs and the ETLR(s)/TLR(s), and stores the outcome in the monitoring database.]

THE eduroam DATABASE
  • Database includes:
    • National Roaming Operator (NRO) representatives and contact details.
    • Local institutions official contacts.
      • Both Service Provider (SP) and Identity Provider (IdP).
    • Information about eduroam hot spots.
      • SP location, technical information.
    • Monitoring information.
    • Information about the usage of the service.
NROs AND THE eduroam DATABASE
  • NROs:
    • Should provide the necessary data (general and usage data).
      • Data must be provided in the agreed XML format.
      • Data will only be accessible from the eduroam database server.
THE eduroam WEB SITE
  • www.eduroam.org will include private areas to support eduroam operations.
    • E.g. Information from NROs:
      • Contact details.
      • Service coverage.
      • Usage statistics.
      • Number of eligible / active users.
    • Infrastructure monitoring information.
USER SUPPORT: PROBLEM ESCALATION SCENARIO 1

[Diagram: actors are the user, the local institution admin and the fed.-level admin of the visited federation, the OT, and the fed.-level admin and local institution admin of the home federation. Steps 1 and 2 run between the user and the visited institution’s admin, step 3 goes up to the visited federation’s admin, and step 4 crosses to the home federation.]

USER SUPPORT: PROBLEM ESCALATION SCENARIO 2

[Diagram: same actors. Steps 1 to 3 as in scenario 1; step 4 reaches the home federation via the OT (4a, 4b); step 5 reaches the home institution’s admin and step 6 returns to the user.]

CURRENT eduroam STATUS (1)
  • 33 countries (NROs/NRENs) connected to the two European Top Level RADIUS Servers (ETLRs)
  • Policy:
    • 28 signed
    • 1 LoI (UK)
    • we still wait for: Cyprus, Israel, Lithuania, Malta
    • in addition JSCC (Russia) signed but is not connected
CURRENT eduroam STATUS (2)
  • The Monitoring Service is up and running (monitor.eduroam.org).
  • It covers ETLRs and Federation Top Level RADIUS Servers (FTLRs).
  • Monitoring servers
  • Monitoring infrastructure
  • 29/33 NROs included
  • Testing on demand to be added (access via web)
  • Further development is planned.
CURRENT eduroam STATUS (3)
  • eduroam database
  • Status: http://monitor.eduroam.org/database
  • Demographics and user maps.
    • Number of SPs.
    • Number of IdPs.
    • Location of SPs.
    • Usage.
    • Coverage.
    • Contacts.
    • ...
  • User-oriented map, based on eduroam database(http://monitor.eduroam.org/gmap.php)
  • TTS: https://monitor.eduroam.org/simplesaml/otrs/
  • Further development is planned.
EACH SITE CAN BE UNIQUE

Each eduroam-enabled institution may use different:

Equipment.

Software.

Topology.

Details of eduroam configuration depend upon factors above…

…But broad principles are the same on any platform.

A WORD OF WARNING

First things first:

“An eduroam wireless network is a wireless network.”

Sounds trivial, but:

you need to know your stuff regarding Wireless LAN.

if you have a bad layer 2 WLAN, putting the SSID “eduroam” on it won't magically make it better.

if the SSID “eduroam” doesn't perform, it hurts the global brand, even if it is a local problem.

REFERENCE eduroam SETUP (1)

This module describes a reference set-up.

Based on frequently-used equipment:

An 802.11g “Enterprise-level” Access Point.

We have a few LANCOM L-54g in the exercise.

Radiator OR FreeRADIUS RADIUS server.

We will use FreeRADIUS 2.0.4 in the exercise.

Reference model assumes ETLRs and FLRs already set-up.

SETTING UP YOUR SERVICE PROVIDER: STEPS

Connect your workstation to the Ethernet switch.

Set up the RADIUS server:

Define the clients (NASs).

Configure the proxy server(s).

Configure the access point for eduroam.

Configure the supplicants.

SETTING UP THE RADIUS SERVER (1)

EAP authentication (at the IdP) requires a server certificate, i.e. a PKI.

But an SP-only setup just proxies and does not need one.

Compile and install FreeRADIUS:

  ./configure --prefix=... --sysconfdir=...
  make
  make install

Then edit the configuration in $SYSCONFDIR/raddb/* with vi or another text editor.

SETTING UP THE RADIUS SERVER (2)

Defining the clients:

NAS devices act as clients to the RADIUS server.

Other RADIUS servers in the hierarchy also act as clients.

Each client must be defined using a <Client> clause (Radiator) or a client { ... } clause (FreeRADIUS).

The definition must include a shared secret.

It may include a lot more.

SETTING UP THE RADIUS SERVER: CLIENT EXAMPLE

Radiator (abcdefgh is a placeholder shared secret; use a long random one):

  <Client 192.168.10.200/28>
      Secret abcdefgh
      Identifier antarctica-ap-v4
  </Client>

FreeRADIUS 2.x (clients.conf):

  client antarctica-access-points {
      ipaddr = 192.168.10.200
      secret = abcdefgh
      netmask = 28                        # whole /28 of access points shares this secret
      # 'no' accepts requests without a Message-Authenticator; EAP requests must
      # carry one anyway (RFC 3579), so 'yes' is the safer setting for NASs
      require_message_authenticator = no
      shortname = antarctica-ap-v4
      nastype = other
      virtual_server = eduroam            # requests from these clients use the eduroam virtual server
  }

SETTING UP THE RADIUS SERVER (3)

Forwarding of requests to FLRs:

eduroam routing is based on @suffix realms (RFC 4282, Network Access Identifier).

Radiator: the <Handler> clause is the recommended method, more flexible than the <Realm> clause. <Handler> ...(forward to FLR)... </Handler>.

FreeRADIUS: home_server, home_server_pool and realm DEFAULT (see proxy.conf) plus the suffix module, which splits the realm off the User-Name.

SETTING UP THE RADIUS SERVER (4)

FreeRADIUS, proxy.conf:

  home_server tld1-antarctica-v4 {
      type = auth+acct
      ipaddr = 192.168.10.253
      port = 1812
      secret = abcdefgh                   # placeholder; agreed with the FLR operator
      response_window = 20
      zombie_period = 40
      revive_interval = 60
      status_check = status-server        # probe the FLR with Status-Server packets
      check_interval = 30
      num_answers_to_alive = 3
  }

  # tld2-antarctica-v4 is declared the same way for the second FLR.

  home_server_pool EDUROAM {
      type = fail-over
      home_server = tld1-antarctica-v4
      home_server = tld2-antarctica-v4
  }

  realm DEFAULT {                         # every realm not defined elsewhere goes to the FLRs
      pool = EDUROAM
      nostrip                             # keep user@realm intact, the next hop needs the realm
  }

Radiator equivalent:

  <Handler>
      <AuthBy RADIUS>
          Host 192.168.10.253
          Secret abcdefgh
          AuthPort 1812
          AcctPort 1813
          StripFromReply \
              Tunnel-Type, \
              Tunnel-Medium-Type, \
              Tunnel-Private-Group-ID
      </AuthBy>
  </Handler>
REQUEST FORWARDING: CAVEAT

Don’t blindly accept all RADIUS attributes: filtering is in order!

The IdP might send VLAN assignments (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID).

If you pass the assignment on unchanged, the (remote) IdP decides in which VLAN your visitors end up!

Use StripFromReply (Radiator) or the attr_filter module (FreeRADIUS) to drop them, and assign the VLAN locally.
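What StripFromReply and attr_filter achieve, written out as an added Python example (not course material, and not how FreeRADIUS or Radiator implement it internally): the reply from a remote IdP is reduced to an allow-list, the Tunnel-* attributes are always dropped, and the SP then decides the VLAN from the realm alone. The allow-list, the VLAN numbers (10 and 909), the local realm group1.aq and the sample Access-Accept are assumptions constructed for the example.

```python
"""Filter the reply attributes a remote IdP sends back through the proxy chain.

Added example, not course material and not how FreeRADIUS (attr_filter) or
Radiator (StripFromReply) are implemented; it shows the same policy in
plain Python. Attribute names are the standard RADIUS ones (Tunnel-* from
RFC 2868, MS-MPPE-* from RFC 2548); the allow-list, the VLAN numbers and
the sample Access-Accept are constructed for the example.
"""

# Attributes an SP is willing to relay from a foreign IdP's Access-Accept to
# its own NAS. Assumption modelled on eduroam's post-proxy filtering; check
# the attrs file shipped with your server for the authoritative list.
SP_ACCEPTED_REPLY_ATTRS = {
    "EAP-Message",            # completes the EAP conversation
    "Message-Authenticator",
    "MS-MPPE-Recv-Key",       # WLAN session keys derived at the IdP
    "MS-MPPE-Send-Key",
    "Session-Timeout",
    "State",
    "User-Name",
    "Proxy-State",
}

# The attributes that decide which VLAN the NAS puts the client in.
VLAN_ATTRS = {"Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID"}


def filter_proxied_reply(reply):
    """Return (kept, dropped): only allow-listed attributes survive, Tunnel-* never do."""
    kept, dropped = {}, []
    for attr, value in reply.items():
        if attr in VLAN_ATTRS or attr not in SP_ACCEPTED_REPLY_ATTRS:
            dropped.append(attr)
        else:
            kept[attr] = value
    return kept, dropped


def assign_vlan(reply, realm, local_realm, vlan_map):
    """Filter the IdP reply, then let the SP decide the VLAN from the realm alone.

    vlan_map = {"local": vlan for own users, "guest": vlan for roamers}.
    """
    kept, dropped = filter_proxied_reply(reply)
    vlan = vlan_map["local"] if realm == local_realm else vlan_map["guest"]
    kept["Tunnel-Type"] = "VLAN"                # 13 on the wire
    kept["Tunnel-Medium-Type"] = "IEEE-802"     # 6 on the wire
    kept["Tunnel-Private-Group-ID"] = str(vlan)
    return kept, dropped


# Constructed Access-Accept from a careless or hostile remote IdP: it tries to
# drop the roaming user into VLAN 10, which at this SP is the staff VLAN.
IDP_REPLY = {
    "User-Name": "joe@university_b.hr",
    "EAP-Message": b"\x03\x05\x00\x04",         # EAP-Success
    "Message-Authenticator": b"\x00" * 16,
    "MS-MPPE-Recv-Key": b"\x11" * 32,
    "MS-MPPE-Send-Key": b"\x22" * 32,
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "IEEE-802",
    "Tunnel-Private-Group-ID": "10",
    "Reply-Message": "welcome home",            # harmless, but not in our allow-list
}

SP_VLANS = {"local": 10, "guest": 909}         # assumption: staff VLAN 10, guest VLAN 909
LOCAL_REALM = "group1.aq"                      # assumption: this SP's own realm

if __name__ == "__main__":
    print("unfiltered: client would land in VLAN", IDP_REPLY["Tunnel-Private-Group-ID"])
    kept, dropped = assign_vlan(IDP_REPLY, "university_b.hr", LOCAL_REALM, SP_VLANS)
    print("dropped from IdP reply:", sorted(dropped))
    print("filtered: client lands in VLAN", kept["Tunnel-Private-Group-ID"])
```

The allow-list rather than a block-list is the point: a block-list of known-dangerous attributes has to be maintained every time a NAS learns a new vendor attribute, whereas an allow-list of what the SP actually needs from a foreign IdP (EAP state and session keys) stays short and stable.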

FreeRADIUS: SERVER CORE CONFIGURATION
  • radiusd.conf is the main configuration file.
  • can reference “virtual servers”.
  • virtual server defines which modules to execute for a given request.
  • We will define the virtual server “eduroam”.
FreeRADIUS: VIRTUAL SERVER ‘eduroam’ FOR SPs

  server eduroam {
      authorize {
          auth_log
          suffix
      }
      authenticate { }
      post-auth {
          reply_log
          Post-Auth-Type REJECT {
              reply_log
          }
      }
      preacct {
          suffix
      }
      accounting { }
      pre-proxy {
          pre_proxy_log
          if (Packet-Type != Accounting-Request) {
              attr_filter.pre-proxy
          }
      }
      post-proxy {
          attr_filter.post-proxy
          post_proxy_log
      }
  }

ACTIVITY

Exercise:

Welcome to Antarctica!

.aq is one of the few top-level domains on the planet without an eduroam hotspot.

You are here to change this today.

There is already a FLR for .aq on 192.168.10.253, port 1812 and 1813.

Compile, install and configure FreeRADIUS 2.0.5 in your home directory. Connect it as a client to the .aq server.

Test the connection with a plaintext login attempt and the test account tld@aq, password “testpass” (use the radtest utility for that).

SOME HINTS...
  • Use ./configure --prefix=yourdir to install into your home directory on the server.
  • An almost-ready configuration accompanies the course and is expected by the server in yourdir/etc/raddb.
  • When starting for the first time, use yourdir/sbin/radiusd -X for verbose debug output.
  • Line 1 in radiusd.conf (prefix) and the link to the RADIUS dictionary need to be adapted.
OPTIONAL: USING RADSEC INSTEAD OF RADIUS

Radiator already has (and FreeRADIUS will soon have) support for RADIUS over TCP and TLS (RadSec). The peers then authenticate each other with certificates instead of relying on a shared secret alone.

  <Handler>
      <AuthBy RADSEC>
          Host etlr1.eduroam.org
          Host etlr2.eduroam.org
          Secret mysecret
          UseTLS
          TLS_CAPath /.../certs/CAs/
          TLS_CertificateFile /.../certs/tld1.eduroam.lu.pem
          TLS_CertificateType PEM
          TLS_PrivateKeyFile /.../certs/tld1.eduroam.lu.key
      </AuthBy>
  </Handler>
  ...

(The equivalent on the server side is a <ServerRADSEC> clause.)

CONFIGURING THE ACCESS POINTS (1)

The access point setup uses a set of LANCOM L-54g Series Access Points.

It’s alright if you’ve never seen this brand before :-).

Setup (as per appendix B.2 of Cookbook v2):

SSID.

Encryption.

NTP.

RADIUS uplink.

IP address.

ACTIVITY

Exercise:

Configuring an access point.

Use Cookbook v3 (on CD) for a walk-through on LANCOM APs.

CONFIGURING THE ACCESS POINTS (2)

RADIUS / AAA Section:

Must define at least one RADIUS server group. Example for a Cisco Aironet 1200 (IOS); <secret> is the shared secret that is also configured in the RADIUS server’s client definition. In production the AP points at your own institution’s RADIUS server, never directly at the FLR.

  ap1200(config)#aaa new-model
  ap1200(config)#radius-server host 192.168.10.253 auth-port 1812 acct-port 1813 key <secret>
  ap1200(config)#aaa group server radius radsrv
  ap1200(config-sg-radius)#server 192.168.10.253 auth-port 1812 acct-port 1813
  ap1200(config-sg-radius)#exit
  ap1200(config)#aaa authentication login eap_methods group radsrv
  ap1200(config)#aaa authorization network default group radsrv
  ap1200(config)#aaa accounting send stop-record authentication failure
  ap1200(config)#aaa accounting session-duration ntp-adjusted
  ap1200(config)#aaa accounting update newinfo periodic 15
  ap1200(config)#aaa accounting network default start-stop group radsrv
  ap1200(config)#aaa accounting network acct_methods start-stop group radsrv

CONFIGURING THE ACCESS POINTS (3)

SSID Configuration:

One dot11 ssid must be configured for each SSID.

Also configured:

Default VLAN for the SSID.

Authentication framework.

Accounting.

SSID to be broadcast (guest mode).

  ap1200(config)#dot11 ssid eduroam
  ap1200(config-ssid)#vlan 909
  ap1200(config-ssid)#authentication open eap eap_methods
  ap1200(config-ssid)#authentication network-eap eap_methods
  ap1200(config-ssid)#authentication key-management wpa optional
  ap1200(config-ssid)#accounting acct_methods
  ap1200(config-ssid)#guest-mode

Note that “wpa optional” lets clients without WPA associate; make WPA mandatory where the client base allows it.

CONFIGURING THE ACCESS POINTS (4)

Configuring the Radio Interface:

Map SSIDs to the radio interface.

Specify ciphers for each VLAN.

  ap1200(config)#interface Dot11Radio 0
  ap1200(config-if)#encryption vlan 906 mode ciphers aes-ccm tkip wep128
  ap1200(config-if)#encryption vlan 909 mode ciphers aes-ccm tkip wep128
  ap1200(config-if)#ssid eduroam

Listing tkip and wep128 keeps legacy clients working, but every cipher enabled here is available to any client on that VLAN; prefer aes-ccm alone where possible.

CONFIGURING THE ACCESS POINTS (5)

Configuring VLAN interfaces:

For each VLAN used for wireless clients, define:

One ‘on the air’ (Dot11Radio) virtual interface.

One ‘on the wire’ (FastEthernet) virtual interface.

Bridge the two virtual interfaces together with a bridge group.

Configure an administrative VLAN:

For maintenance / management and authentication / accounting traffic.

THE SUPPLICANT (1)

The reference setup assumes use of EAP-TTLS.

Easiest way to implement eduroam in a large community.

MS Windows has no built-in support for EAP-TTLS…

…But you can use SecureW2.

Application from Alfa & Ariss Network Security Solutions.

There can be security issues around installation, since the user has to get the server certificate settings right…

…You can overcome these using a preconfigured distribution.

THE SUPPLICANT (2)

To prepare a preconfigured SecureW2 exe file:

Prepare SecureW2.INF file.

Prepare NSIS configuration file.

Create the exe file with NSIS.

Digitally sign the exe file.

THE SUPPLICANT (3)

User Installation of SecureW2:

Download the preconfigured exe file.

Confirm the signature of the exe file.

Start the exe file and enter credentials when prompted.

Reboot computer.

Choose SecureW2 as the authentication method for the eduroam network.

Connect to eduroam.

ACTIVITY

Exercise:

Working with a supplicant.

FROM SP TO IdP
  • We assume you are a Service Provider already.
  • What more do you need to become an Identity Provider (IdP)?
    • Your own realm (group1.aq, …).
    • A TLS server certificate.
    • A user database.
    • A few config changes in the server.
FreeRADIUS: CHANGES FOR IdP CONFIG
  • proxy.conf: declare your realm to be handled locally

  realm groupX.aq {
  }

  • virtual server eduroam: enable EAP handling

  authorize {
      <other stuff>
      eap
  }

  authenticate {
      eap
  }

  • inner authentication: new virtual server inner-tunnel.
VIRTUAL SERVER FOR INNER AUTHENTICATION

(Called inner-tunnel here and eduroam_inner_tunnel in the supplied exercise configuration.)

  server inner-tunnel {
      authorize {
          auth_log
          eap
          files
          mschap
          pap
      }
      authenticate {
          Auth-Type PAP {
              pap
          }
          Auth-Type MS-CHAP {
              mschap
          }
          eap
      }
      post-auth {
          reply_log
          Post-Auth-Type REJECT {
              reply_log
          }
      }
  }
LDAP, ActiveDirectory, ...
  • The files module in the previous slide reads users from a plain-text file (the users file).
  • There are plenty of other modules, like:
    • ldap – authenticate against LDAP or ActiveDirectory.
    • sql – authenticate against (My|Postgre|MS-)SQL.
  • Please read the server documentation for further details.
EAP CONFIGURATION
  • eap.conf specifies:
    • which EAP methods are allowed.
    • the certificate for the server.

(For new installations: execute the script bootstrap in raddb/certs to generate self-signed certificates. Supplicants can only validate a self-signed certificate if its CA is distributed to them, so use a certificate your users’ supplicants can check for production.)

EXERCISE: IdP CONFIGURATION
  • Modify the existing configuration to add your own realm.
  • Add the virtual server eduroam_inner_tunnel (in the supplied config directory under sites-available).
  • Modify the example user in the users file.
  • Start the server and authenticate with this user account (since the certificate is new and self-signed, server certificate validation needs to be off [for this exercise only!]).
WHY KEEP LOG FILES?

Log files are used to track malicious users and to debug possible problems.

Aim: provide evidence to government agencies:

Offender’s realm and login time.

Why not provide the User-Name?

The User-Name attribute could be obfuscated.

The outer identity could be anonymous or forged: only the realm part has to be genuine, because it drives the routing.

TRACING THE USER’S REALM (1)

You should keep:

A DHCP or ARP sniffing log.

The RADIUS authentication (Auth) log.

A clock synchronised with Network Time Protocol (NTP).

TRACING THE USER’S REALM (2)

Steps:

Identify IP address of malicious user.

Find MAC address in DHCP or ARP sniffing log.

Find authentication session in Auth log.

Take realm and timestamp from Auth log.

NEXT STEPS

Approach eduroam Operations Team (OT).

OT can link realm to a home federation.

Home federation can find user’s identity provider.

Identity provider can find the user name.

Cross-reference timestamp from service provider’s auth log with own logs.

A CLOSER LOOK AT LOGGING REQUIREMENTS

Let’s look more closely at logging requirements:

Network addressing.

Auth logs.

Reliable time source.

Technical contact.

NETWORK ADDRESSING

Service Providers:

Should provide visitors with publicly routable IPv4 addresses using DHCP.

Side-thought: why is NAT considered bad? Because an outside observer only sees the NAT address, so the SP must also log the translation table with timestamps to get back to a single client.

Must be able to find a MAC address from the IP address.

Must log:

Time client’s DHCP lease was issued.

MAC address of client.

IP address allocated to client.

AUTH LOGS

Identity Providers must log all authentication attempts, recording:

Authentication result returned by authentication database.

Reason for denial or failure of authentication.

AUTH LOGS (2)

At what point should logs be kept?

After packet reception from client.

Before handing off to proxy.

After getting reply from proxy.

Before sending reply back to client.

Pre-configured modules exist in FreeRADIUS:

auth_detail, pre_proxy_detail, post_proxy_detail, reply_detail

RELIABLE TIME SOURCE

All logs must be synchronised to a reliable time source.

E.g. using Network Time Protocol (NTP).

SNTP also okay.

TECHNICAL CONTACT

Each federation must designate a technical contact:

Must be available via email and telephone during office hours.

May be a named individual or an organisational unit.

Cover during absence from work must be provided.

STATISTICS: WHO CAN DELIVER WHAT INFO?

Your NRO runs the FLR server, so it:

can count international roaming usage (for now).

can count national roaming usage (for now).

can not count local usage.

IdPs can’t count usage, only the number of authentications! SPs can always count local usage.

How to do this depends on the server in use.

STATISTICS: FreeRADIUS

Use a script to parse the log files and generate statistics from them,

like http://www.eduroam.lu/files/eduroam-daily-stats-03.sh

It generates output like the line below, which can be sent to an SSH dropbox at the NRO:

  # Order of fields: successful-own successful-national successful-intl failed-own failed-national failed-intl
  6 1 0 0 0 0
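An added Python example (neither the course’s material nor the eduroam.lu script) that covers both the tracing procedure from “Tracing the user’s realm (2)” and the six-field statistics of this slide, over constructed log lines. The line formats are modelled on ISC dhcpd syslog output and FreeRADIUS 2.x radius.log; the two regexes are the part to adapt to your own logs. The realm group1.aq, the country suffix aq, and every address, name and timestamp are assumptions.

```python
"""Trace a roamer's realm from an IP address, and count daily usage.

Added example; it is neither course material nor the eduroam.lu script. It
implements the slide's four tracing steps (IP -> MAC -> auth session ->
realm and time) and the six-field statistics line, over constructed log
lines. Line formats are modelled on ISC dhcpd syslog output and FreeRADIUS
2.x radius.log; adapt the two regexes to your own logs.
"""
import re
from datetime import datetime

OWN_REALM = "group1.aq"      # assumption: this site's own realm
NATIONAL_TLD = "aq"          # assumption: the federation's country suffix

# Constructed dhcpd log. 192.0.2.77 changes hands three times during the day,
# so the lease current at the incident time is the one that matters.
DHCP_LOG = """\
Jun  2 09:00:01 dhcp dhcpd: DHCPACK on 192.0.2.77 to aa:bb:cc:dd:ee:01 via eth1
Jun  2 10:15:02 dhcp dhcpd: DHCPACK on 192.0.2.77 to 00:11:22:33:44:55 via eth1
Jun  2 10:16:40 dhcp dhcpd: DHCPACK on 192.0.2.78 to 00:11:22:33:44:77 via eth1
Jun  2 11:30:00 dhcp dhcpd: DHCPACK on 192.0.2.77 to aa:bb:cc:dd:ee:02 via eth1
"""

# Constructed radius.log. Only outer identities are visible here, which is
# why roamers from TTLS/PEAP sites show up as 'anonymous@realm'.
AUTH_LOG = """\
Mon Jun  2 08:58:40 2008 : Auth: Login OK: [student1@group1.aq] (from client ap1 port 1 cli AA-BB-CC-DD-EE-01)
Mon Jun  2 09:40:12 2008 : Auth: Login incorrect: [jan@group1.aq] (from client ap1 port 1 cli 00-11-22-33-44-99)
Mon Jun  2 10:14:55 2008 : Auth: Login OK: [anonymous@university_b.hr] (from client ap1 port 1 cli 00-11-22-33-44-55)
Mon Jun  2 10:20:13 2008 : Auth: Login incorrect: [bob@uni-x.aq] (from client ap2 port 1 cli 00-11-22-33-44-66)
Mon Jun  2 10:30:00 2008 : Auth: Login OK: [alice@group1.aq] (from client ap2 port 1 cli 00-11-22-33-44-77)
Mon Jun  2 10:35:00 2008 : Auth: Login OK: [anonymous@uni-c.de] (from client ap1 port 1 cli 00-11-22-33-44-88)
Mon Jun  2 10:50:00 2008 : Auth: Login incorrect: [x@uni-c.de] (from client ap1 port 1 cli 00-11-22-33-44-88)
Mon Jun  2 11:10:00 2008 : Auth: Login OK: [zoe@uni-x.aq] (from client ap2 port 1 cli 00-11-22-33-44-aa)
Mon Jun  2 11:29:50 2008 : Auth: Login OK: [carl@group1.aq] (from client ap1 port 1 cli AA-BB-CC-DD-EE-02)
"""

DHCP_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) "
                     r"to (?P<mac>[0-9a-fA-F:]{17})")
AUTH_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: Login (?P<res>OK|incorrect): "
                     r"\[(?P<user>[^\]]*)\] \(from client \S+ port \d+ cli (?P<mac>[0-9a-fA-F-]{17})\)")


def norm_mac(mac):
    """dhcpd writes 00:11:.., FreeRADIUS 00-11-..; compare them in one form."""
    return mac.lower().replace("-", ":")


def parse_dhcp(text, year):
    """dhcpd syslog lines carry no year, so the caller supplies it (clocks NTP-synced)."""
    out = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
            out.append((ts, m["ip"], norm_mac(m["mac"])))
    return out


def parse_auth(text):
    out = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ident = m["user"]
        user, realm = (ident.rsplit("@", 1) if "@" in ident else (ident, ""))  # '' = no realm
        out.append({"ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
                    "ok": m["res"] == "OK", "user": user,
                    "realm": realm.lower(), "mac": norm_mac(m["mac"])})
    return out


def trace_realm(ip, when, dhcp_text, auth_text, year):
    """IP -> MAC holding it at 'when' (YYYY-MM-DD HH:MM:SS) -> that MAC's last successful auth."""
    when = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    leases = [l for l in parse_dhcp(dhcp_text, year) if l[1] == ip and l[0] <= when]
    if not leases:
        return None
    mac = max(leases)[2]                               # latest DHCPACK not after the incident
    auths = [a for a in parse_auth(auth_text)
             if a["mac"] == mac and a["ok"] and a["ts"] <= when]
    if not auths:
        return {"mac": mac, "realm": None, "auth_time": None, "outer_user": None}
    last = max(auths, key=lambda a: a["ts"])
    return {"mac": mac, "realm": last["realm"],
            "auth_time": last["ts"].isoformat(), "outer_user": last["user"]}


def classify(realm):
    """own / national / intl by realm; realm-less requests are handled locally, so 'own'."""
    if realm in ("", OWN_REALM) or realm.endswith("." + OWN_REALM):
        return "own"
    if realm == NATIONAL_TLD or realm.endswith("." + NATIONAL_TLD):
        return "national"
    return "intl"


def daily_stats(auth_text):
    """(successful-own, successful-national, successful-intl, failed-own, failed-national, failed-intl)"""
    kinds = ("own", "national", "intl")
    counts = {(ok, k): 0 for ok in (True, False) for k in kinds}
    for a in parse_auth(auth_text):
        counts[(a["ok"], classify(a["realm"]))] += 1
    return tuple(counts[(ok, k)] for ok in (True, False) for k in kinds)


if __name__ == "__main__":
    print(trace_realm("192.0.2.77", "2008-06-02 10:40:00", DHCP_LOG, AUTH_LOG, 2008))
    print("# Order of fields: successful-own successful-national successful-intl failed-own failed-national failed-intl")
    print(" ".join(str(n) for n in daily_stats(AUTH_LOG)))
```

The tracing function deliberately takes the latest lease not after the incident time rather than any lease for that IP: the same address is handed out again later in the day, and without the time bound the trace would blame the wrong visitor. For the same reason both logs must come from NTP-synchronised clocks.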

ACTIVITY

Exercise:

Log files and statistics.

OTHER INCIDENTS

Other attacks you might find interesting (not directly related to eduroam).

Authentication spamming: someone without a proper user account starts as many authentication processes as they can.

Disassociation of connected clients.

poisoning MAC tables.

All of these are generic WLAN attacks.

ACTIVITY

Exercise:

Dealing with incidents.

ACTIVITY

Feedback:

Please give your feedback about eduroam technology and the eduroam service.

FOR MORE INFORMATION

www.eduroam.org

www.geant2.net

www.dante.net

For information about GÉANT2 training: www.geant2.net/training

RECAP OF COURSE OBJECTIVES
  • By the end of the training, you will be able to:
    • Describe eduroam services and technology.
    • Implement a Service Provider and an Identity Provider in accordance with eduroam policy.
    • Deliver eduroam training to other organisations within your country.
  • The training will also give you the opportunity to provide feedback about eduroam and the eduroam service.