PPT - Terena

eduroam, security and authentication
Paul Dekkers
5th of April, Eurocamp, Ljubljana
High-quality Internet for higher education and research
Contents
• 802.1x and wireless innovations
• Authentication protocols
– Types
– Authentication servers
– Examples
• Eduroam Infrastructure
• Conclusion
Entities in 802.1x setup
(figure: Supplicant -> Authenticator (AP or switch) -> RADIUS server at the institution, backed by the institution's User DB; the authenticator places the user in a VLAN or on the Guest LAN)
Authentication before (W)LAN access…
Wireless technologies
• Encryption with 802.11
  – WEP (RC4 keys)
  – WPA (RC4 + TKIP)
  – WPA2 (AES encryption)
  – 802.11i (crème de la crème)
Changes with low impact
• 802.1x is the basis for future standards
  In time: as common as DHCP
• With 802.1x we can make a 64-bit WEP-key safe
EAP
Extensible Authentication Protocol
• Different EAP-types
• EAP-types with SSL/TLS
– “Mutual authentication”
– Provide the encryption-keys
• EAP is transported and proxied within RADIUS
• The home institution decides which EAP type is used
Common EAP types
• EAP-TLS
  Strong authentication with client certificates
• EAP-TTLS
  DIAMETER/RADIUS (e.g. username/password in PAP) in a TLS tunnel;
  can be deployed with most username/password backends
• EAP-PEAP
  Microsoft implementation with username/password via MSCHAPv2;
  usable in MS environments. Cisco has a different implementation
• EAP-FAST
  Username/password authentication the Cisco way;
  installation more complex, uses no SSL/TLS
• EAP-SIM
  Strong authentication with the SIM card from phones
• ...
LEAP and EAP-MD5 are old and weak
EAP transport
(figure: Supplicant -> Authenticator (AP or switch) -> RADIUS server at institution A -> Central RADIUS proxy server, over the Internet, -> RADIUS server at institution B with its User DB. A guest logging in as user@institution-B.nl is placed in the guest VLAN, local users in the regular VLAN; the EAP conversation runs inside a secured tunnel across the proxies)
End-users
Is the biggest security risk the end-user itself?
End-users
Security considerations
• In many cases username/password is good enough
Compare with POP3, IMAP, webmail, …
• SSL client certificates are sometimes easier for users
• Mutual authentication can be confusing: installers help!
RADIUS servers
Well-known servers:
• Radiator
• FreeRADIUS
• IAS 2003
– Only advised with Microsoft clients and backend
• Cisco ACS
– Barely used, bad EAP compatibility
Radiator example
Understandable monolithic linear configuration (saves time/mistakes!)

LogDir /var/log/radius
AuthPort 1812
AcctPort 1813
Trace 4

<Client 192.87.110.54>
  Secret …
  IdenticalClients 192.87.110.4
</Client>

<AuthBy FILE>
  Identifier GiveItAName
  Filename %D/users
</AuthBy>

<Handler>
  AuthBy GiveItAName
</Handler>

or (the same AuthBy defined inline; the type FILE is still required):

<Handler>
  <AuthBy FILE>
    #Identifier GiveItAName
    Filename %D/users
  </AuthBy>
</Handler>
Radiator example
Proxy non-local requests to the eduroam infrastructure:

<Client obelix.a3.surf.net>
  Secret …
  Identifier SURFnet-proxy
  IdenticalClients idefix.a3.surf.net
</Client>

# Requests coming from the SURFnet proxy itself never match this Handler,
# so they cannot be forwarded back to it (no proxy loop).
<Handler Client-Identifier=/^(?!SURFnet-proxy$)/>
  <AuthBy RADIUS>
    Host obelix.a3.surf.net
    Host idefix.a3.surf.net
    Secret …
    AuthPort 1812
    AcctPort 1813
    # Do not honour VLAN assignments sent by the home institution:
    # strip them and put the guest in the local guest VLAN.
    StripFromReply Tunnel-Type,Tunnel-Medium-Type,\
      Tunnel-Private-Group-ID,TRPZ-VLAN-Name
    AddToReply TRPZ-VLAN-Name=GuestVLAN
  </AuthBy>
  AcctLogFileName %L/proxied-accounting
</Handler>
Radiator example: EAP-TTLS

<Handler Realm=surfnet.nl, TunnelledByTTLS=1>
  …
</Handler>

<Handler Realm=surfnet.nl, EAP-Message=/.+/>
  <AuthBy FILE>
    Filename %D/dummy
    EAPType TTLS # you can add: TLS, PEAP
    EAPTLS_CAFile %D/ca.pem
    EAPTLS_CertificateFile %D/server.crt
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile %D/server.key
    EAPTLS_PrivateKeyPassword secret
    EAPTLS_MaxFragmentSize 1024
    AutoMPPEKeys
    SSLeayTrace 2
  </AuthBy>
</Handler>

<Handler Realm=surfnet.nl, Request-Type=Accounting-Request>
  …
</Handler>
Radiator example: tunneled PAP
Using POP3…

<Handler Realm=surfnet.nl, TunnelledByTTLS=1>
  # strip the @realm: the mail server only knows the bare username
  RewriteUsername s/^([^@]+).*/$1/
  <AuthBy POP3>
    Host mail.institution.nl
    NoDefault
    AuthMode APOP # or BEST, PASS
    UseSSL
  </AuthBy>
</Handler>
Radiator example: tunneled PAP
Using a (LDAP) directory server…

<Handler Realm=surfnet.nl, TunnelledByTTLS=1>
  RewriteUsername s/^([^@]+).*/$1/
  <AuthBy LDAP2>
    Host directory.surfnet.nl
    Version 3
    BaseDN %0=%1,ou=Accounts,ou=Office,dc=surfnet,dc=nl
    Scope base
    UsernameAttr uid
    AuthAttrDef uid,X-UserID,request
    ServerChecksPassword
  </AuthBy>
</Handler>
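To show how the Handler blocks from the proxy slide and the tunneled-PAP slides fit together at request time, here is an added Python model. It is not Radiator code and not from the presentation; it assumes a simplified matching rule (plain check values match exactly, /…/ values are regular expressions, the first matching Handler in configuration order wins), and the handler names, client identifiers and the sample upstream reply are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of Radiator-style <Handler> selection, username rewriting
# and reply-attribute filtering. Not Radiator's implementation.


@dataclass
class Request:
    user_name: str
    client_identifier: str            # Identifier of the <Client> that sent it
    request_type: str = "Access-Request"
    tunnelled_by_ttls: bool = False   # inner request unpacked from a TTLS tunnel
    eap_message: bool = False         # outer request carrying EAP-Message


@dataclass
class Handler:
    name: str
    checks: dict                      # attribute -> "exact value" or "/regex/"
    rewrite_username: Optional[tuple] = None   # (pattern, replacement)
    proxied: bool = False             # AuthBy RADIUS towards the eduroam proxies
    strip_from_reply: set = field(default_factory=set)
    add_to_reply: dict = field(default_factory=dict)


def attribute(req: Request, name: str) -> str:
    """Check-item values as the model exposes them (the subset used on the slides)."""
    realm = req.user_name.split("@", 1)[1] if "@" in req.user_name else ""
    return {
        "Realm": realm,
        "Client-Identifier": req.client_identifier,
        "Request-Type": req.request_type,
        "TunnelledByTTLS": "1" if req.tunnelled_by_ttls else "0",
        "EAP-Message": "present" if req.eap_message else "",
    }[name]


def matches(handler: Handler, req: Request) -> bool:
    """Plain values must match exactly; /.../ values are regular expressions."""
    for name, want in handler.checks.items():
        have = attribute(req, name)
        if want.startswith("/") and want.endswith("/"):
            if not re.search(want[1:-1], have):
                return False
        elif have != want:
            return False
    return True


# Constructed sample of what a home institution might send back for its own
# user: VLAN attributes that only make sense on the home network.
UPSTREAM_REPLY = {
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "IEEE-802",
    "Tunnel-Private-Group-ID": "42",
    "TRPZ-VLAN-Name": "StaffVLAN",
}


def dispatch(handlers, req: Request):
    """Return (handler name, username the backend sees, reply attributes),
    or None when no Handler matches (the request would be rejected)."""
    for h in handlers:
        if not matches(h, req):
            continue
        user = req.user_name
        if h.rewrite_username:
            pattern, replacement = h.rewrite_username
            user = re.sub(pattern, replacement, user)
        reply = dict(UPSTREAM_REPLY) if h.proxied else {}
        for name in h.strip_from_reply:
            reply.pop(name, None)
        reply.update(h.add_to_reply)
        return h.name, user, reply
    return None


HANDLERS = [
    # inner (tunnelled) request: strip the realm before POP3/LDAP sees the name
    Handler("local-ttls-inner", {"Realm": "surfnet.nl", "TunnelledByTTLS": "1"},
            rewrite_username=(r"^([^@]+).*", r"\1")),
    Handler("local-accounting", {"Realm": "surfnet.nl", "Request-Type": "Accounting-Request"}),
    Handler("local-eap-outer", {"Realm": "surfnet.nl", "EAP-Message": "/.+/"}),
    # anything not sent by the SURFnet proxy itself is forwarded to it; the
    # negative lookahead keeps the proxy's own requests from looping back
    Handler("proxy-to-eduroam", {"Client-Identifier": "/^(?!SURFnet-proxy$)/"},
            proxied=True,
            strip_from_reply={"Tunnel-Type", "Tunnel-Medium-Type",
                              "Tunnel-Private-Group-ID", "TRPZ-VLAN-Name"},
            add_to_reply={"TRPZ-VLAN-Name": "GuestVLAN"}),
]

if __name__ == "__main__":
    print(dispatch(HANDLERS, Request("guest@institution-b.nl", "ap-1")))
    print(dispatch(HANDLERS, Request("guest@institution-b.nl", "SURFnet-proxy")))
    print(dispatch(HANDLERS, Request("alice@surfnet.nl", "ap-1", tunnelled_by_ttls=True)))
```

Two things the model makes visible: a request for a foreign realm that arrives from the proxy itself matches nothing and is dropped instead of bouncing, and a plain (non-EAP, non-tunnelled) request for the local realm matches none of the local Handlers in this ordering and would be forwarded to the proxy, so a catch-all local Handler is worth adding in a real configuration.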
Radiator example: TTLS and PEAP
Using a Windows backend (domain/AD)…

<Handler Realm=surfnet.nl, TunnelledByPEAP=1>
  <AuthBy LSA>
    EAPType MSCHAPv2
  </AuthBy>
</Handler>

<Handler Realm=surfnet.nl, TunnelledByTTLS=1>
  <AuthBy LSA>
    #Domain SURFNET
    #DefaultDomain SURFNET
    #Group Administrators
    #DomainController dc.surfnet.nl
  </AuthBy>
</Handler>

For AuthBy LSA, Radiator requires ActivePerl 5.6 and must run on a Windows platform.
Radiator under Windows
AuthBy LSA requires Radiator under Windows.
Running Radiator under Windows is not hard!
1. Get ActivePerl (from www.activeperl.com)
2. ppm install http://www.open.com.au/radiator/free-downloads/Win32-Lsa.ppd
3. ppm install http://theoryx5.uwinnipeg.ca/ppmpackages/Net_SSLeay.pm.ppd
4. Get Radiator
5. Run perl Makefile.PL install
Run LSA as a service or change the “Act as part of the operating system” policy.
Microsoft IAS 2003 – Clients & proxies
Microsoft IAS 2003 – Create policy
Microsoft IAS 2003 – Configure EAP
eduroam infrastructure
eduroam infrastructure
flexibility of RADIUS works!
(figure: European top-level server above national servers .nl, .ac.uk, .lu, .no, ...; below them the institution servers surfnet.nl, uva.nl, unis.no, uninett.no and their access points; a user@uninett.no logging in at an access point of another institution is proxied up the hierarchy and back down to uninett.no)
eduroam infrastructure
grows rapidly!
(figure: the European top-level server is peered with an Asian/Pacific top-level server, which serves national servers .tw, .edu.au, ... and institution servers aarnet.edu.au and newcastle.edu.au; a user@newcastle.edu.au at a European access point is routed through both top-level servers)
current infrastructure
RADIUS has its drawbacks
• RADIUS packet is “visible” on every hop
  this is not bad with EAP…
• Traffic between hops is poor
  this is not bad with EAP…
• Static routing (based on a @realm)
  requires configuration at the institution and at the research network
• Scalable, but:
  more connections =
  – more configuration
  – more load on the top-level servers
  more…
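Why the RADIUS packet is "visible" on every hop, and why that matters less with EAP, as an added Python example that is not part of the presentation: the User-Password hiding follows RFC 2865 section 5.2, and the packets, link secrets and the toy proxy are constructed for illustration, not a RADIUS implementation.

```python
import hashlib
import os

# Added illustration (constructed): a credential carried as RADIUS User-Password
# must be decoded and re-encoded by every proxy with the shared secret of each
# link, so every hop holds the cleartext; an EAP-Message attribute is relayed
# untouched, and the inner credential stays inside the TLS tunnel it carries.


def _pad16(data: bytes) -> bytes:
    """Null-pad to a multiple of 16 octets, at least one block (RFC 2865)."""
    padded = data + b"\x00" * ((-len(data)) % 16)
    return padded or b"\x00" * 16


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block is keyed
    by the Request Authenticator."""
    padded = _pad16(password)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; any hop that knows the link secret can do this.
    Trailing nulls are treated as padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def make_request(attrs: dict, secret: bytes, password=None) -> dict:
    """Build a toy Access-Request; a PAP password is hidden under the first link's secret."""
    auth = os.urandom(16)                      # Request Authenticator
    attrs = dict(attrs)
    if password is not None:
        attrs["User-Password"] = hide_password(password, secret, auth)
    return {"authenticator": auth, "attrs": attrs}


def proxy_hop(packet: dict, secret_in: bytes, secret_out: bytes):
    """Forward one hop. Returns (packet for the next hop, credential this hop could read)."""
    attrs = dict(packet["attrs"])
    if "User-Password" in attrs:
        # PAP: decode under the incoming secret, re-encode under the outgoing one.
        # The cleartext is necessarily in this hop's memory (and in its logs, if careless).
        cleartext = reveal_password(attrs["User-Password"], secret_in, packet["authenticator"])
        new_auth = os.urandom(16)
        attrs["User-Password"] = hide_password(cleartext, secret_out, new_auth)
        return {"authenticator": new_auth, "attrs": attrs}, cleartext
    # EAP-TTLS/PEAP: the inner credential is inside TLS records carried in
    # EAP-Message; the hop relays them and sees only the outer User-Name.
    return {"authenticator": os.urandom(16), "attrs": attrs}, None


def proxy_chain(packet: dict, link_secrets: list):
    """Push a request through a chain of proxies (secret i protects link i -> i+1).
    Returns (packet delivered to the home server, what each hop could read)."""
    observed = []
    for secret_in, secret_out in zip(link_secrets, link_secrets[1:]):
        packet, seen = proxy_hop(packet, secret_in, secret_out)
        observed.append(seen)
    return packet, observed


if __name__ == "__main__":
    # constructed sample: AP -> institution proxy -> national proxy -> home server
    secrets = [b"ap-secret", b"nl-secret", b"home-secret"]
    pap = make_request({"User-Name": b"alice@home.example"}, secrets[0], b"correct horse")
    delivered, seen = proxy_chain(pap, secrets)
    print("PAP, readable at each hop:", seen)
    print("home server reads:", reveal_password(delivered["attrs"]["User-Password"],
                                                secrets[-1], delivered["authenticator"]))
    eap = make_request({"User-Name": b"anonymous@home.example",
                        "EAP-Message": b"\x02\x01\x00\x06\x15\x20"}, secrets[0])  # constructed bytes
    _, seen = proxy_chain(eap, secrets)
    print("EAP, readable at each hop:", seen)
```

The same property is what RadSec addresses from the other side: TLS on each link protects the packet between hops, but only an EAP tunnel keeps the credential away from the hops themselves.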
current infrastructure
UDP RADIUS transport: “dead server” detection is hard
(figure: the same European hierarchy (.nl, surfnet.nl, uva.nl, .ac.uk, .lu, .no, unis.no, uninett.no, access points) with a user@uninett.no logging in remotely; one server on the path is marked with the note “if not properly configured…”)
Something better…
• Disabling redundant hierarchy
  – Faster
  – More secure (few places that see the data)
  – More reliable (fewer “points of failure”)
• Better security on the transport layer (tcp/ssl?)
• Flexible configuration (lookup-service?)
Options
• Diameter
RADIUS successor
(Been around for quite some time…)
• RadSec
Part of Radiator
• DNSROAM & RadSec
Experimental part of Radiator
RadSec and DNSROAM
• RADIUS packet in TCP or SCTP
  more reliable, dead peer detection
• Secured with TLS/PKI (optional)
  offers options for limiting participation/federation:
  – by certificates signed by a specific CA
  – validated by attributes in the certificate (not yet)
• DNSROAM uses DNS as lookup-service
  – dynamic routing based on the RADIUS realm
  – possible to deploy for just a part of the infrastructure
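The static realm routing of the earlier eduroam infrastructure slides next to the DNS-based dynamic routing described here, as an added Python example that is not part of the presentation and is not Radiator or DNSROAM code. The hierarchy table, the DNS records, the peer certificates and the federation CA name are constructed after the slide diagrams, and the real DNSROAM record types are not modelled.

```python
# Added model (constructed): static routing climbs the RADIUS hierarchy to a
# common ancestor and descends to the home realm; dynamic routing looks the
# realm up in DNS and, if the peer proves membership with a certificate from
# the federation CA, talks to the home server directly. Falling back to the
# static path allows a partial deployment, as the slide describes.

# Static hierarchy: server -> the proxy it forwards unknown realms to.
# The two top-level servers (eu, apac) peer with each other.
PARENT = {
    "eu": None, "apac": None,
    "nl": "eu", "ac.uk": "eu", "lu": "eu", "no": "eu",
    "tw": "apac", "edu.au": "apac",
    "surfnet.nl": "nl", "uva.nl": "nl", "unis.no": "no", "uninett.no": "no",
    "aarnet.edu.au": "edu.au", "newcastle.edu.au": "edu.au",
}

# Constructed DNS: realms that publish a RadSec peer as (host, port).
DNS = {
    "uninett.no": ("radsec.uninett.no", 2083),
    "newcastle.edu.au": ("radsec.newcastle.edu.au", 2083),
}

# Constructed certificates the peers present in the TLS handshake.
PEER_CERTS = {
    "radsec.uninett.no": {"subject": "radsec.uninett.no", "issuer": "eduroam federation CA"},
    "radsec.newcastle.edu.au": {"subject": "radsec.newcastle.edu.au", "issuer": "Unrelated CA"},
}
FEDERATION_CA = "eduroam federation CA"   # the "specific CA" that limits participation


def ancestors(node):
    """The node itself and every proxy above it, bottom to top."""
    chain = []
    while node is not None:
        chain.append(node)
        node = PARENT[node]
    return chain


def static_path(src, realm):
    """Servers that handle a request for user@realm sent from server src
    when only static routes exist: up to a common ancestor, then down."""
    up = ancestors(realm)
    path, node = [src], src
    while node not in up:
        nxt = PARENT[node]
        if nxt is None:            # at a top-level server that is not above realm
            nxt = up[-1]           # top-level servers are peered with each other
        path.append(nxt)
        node = nxt
    path.extend(reversed(up[:up.index(node)]))
    return path


def dynamic_peer(realm):
    """DNSROAM-style lookup: the realm's published RadSec peer, accepted only
    if its certificate is issued by the federation CA and names that host."""
    record = DNS.get(realm)
    if record is None:
        return None
    host, _port = record
    cert = PEER_CERTS.get(host)
    if cert is None or cert["issuer"] != FEDERATION_CA or cert["subject"] != host:
        return None
    return host


def route(src, realm):
    """Prefer a direct RadSec peer; otherwise use the static RADIUS hierarchy."""
    if src == realm:
        return ("local", [src])
    if dynamic_peer(realm) is not None:
        return ("radsec", [src, realm])
    return ("radius", static_path(src, realm))


if __name__ == "__main__":
    for realm in ("surfnet.nl", "uninett.no", "newcastle.edu.au"):
        transport, path = route("uva.nl", realm)
        print(f"{realm:18} {transport:7} {len(path)} servers: {' -> '.join(path)}")
```

The request for uninett.no touches two servers instead of five, which is the "few places that see the data" argument of the previous slide; the newcastle.edu.au peer is published in DNS but its certificate is not from the federation CA, so the request is not sent to it and takes the six-server static path.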
RadSec
infra
(figure: user@home.org, visiting visit.org, authenticates through an 802.11 access point (client); the visit.org RADIUSp2p (dynamic) server, with its p2p logic and a static account db, and the home.org RADIUSp2p (dynamic) server each get the CA key from the eduroam.org Certificate Authority and then talk p2p; home.org authenticates/authorizes the user against its own user account db; the steps are numbered 1, 2, 3a-3d and 4 in the image)
(image taken from Radiate / Test description and evaluation by Telematica Instituut)
RadSec
Replacing RADIUS with RadSec
(figure: EU hierarchy root; RadSec links at EU level and country level, with RADIUS remaining at the institution edge)
RadSec
RadSec and DNSROAM
infra
DNS based peer discovery and PKI based roaming domain
(figure: as in the RadSec infra figure above, but before the p2p exchange the visit.org RADIUSp2p (dynamic) server first asks the .org DNS server whether a RADIUS server for home.org exists (“DNS lookup: RADIUS server for home.org exists: server is…”) and then gets the CA key from the eduroam.org Certificate Authority; the home.org RADIUSp2p (dynamic) server does the same and authenticates/authorizes user@home.org against the home.org user account db; the steps are numbered 1, 2a-2d, 3, 4a-4d, 5 and 6 in the image)
RadSec
Replacing static connections with dynamic ones
(figure: EU-level and country-level RadSec servers; direct RadSec connections between institutions replace part of the static hierarchy, with RADIUS remaining at the institution edge)
RadSec
RadSec and DNSROAM
Completely dynamic
(figure: the EU-level and country-level servers are no longer in the path; institutions connect to each other directly over RadSec, with RADIUS remaining at the institution edge)
Legacy connections remain possible (using a proxy)
Conclusion
• Clients and institutions won’t have to worry about wireless technology: 802.1x is the future… while WPA is becoming commodity, WEP is fine too.
• No radical improvements required for the current infrastructure at an institution.
• EAP is flexible and fits almost every existing backend; the future will bring more EAP types (like SSO).