802.11u, Hotspot 2.0 and possible implications for eduroam

Eduroam and IEEE
802.11u
Dave Stephenson
Wireless Networking Business Unit
Strategic Initiatives and CTO Office
February 27, 2012
© 2012 Cisco and/or its affiliates. All rights reserved.
1
• 802.11u – Interworking with External Networks
• Purpose:
Interworking with External Networks is a key enabler to allow IEEE 802.11 devices to
interwork with external networks, as typically found in hotspots or other public networks
irrespective of whether the service is subscription based or free.
Interworking Service aids network discovery and selection, enabling information transfer
from external networks, and enabling emergency services. It provides information to the
STAs (mobile devices) about the networks prior to association.
Interworking Service addresses MAC layer enhancements that allow higher layer
functionality to provide the overall end-to-end interworking solution.
• Status: IEEE 802.11u-2011 is a fully ratified IEEE standard
© 2012 Cisco and/or its affiliates. All rights reserved.
2
• Network discovery and selection (NDS)
Generic Advertisement Service (GAS) along with Access Network Query
Protocol (ANQP) and the Interworking element provide lightweight support for
network selection
GAS provides support for other higher-layer network discovery, service
advertisement and mobility management protocols
• Generalized QoS L3  L2 mapping
• Service Provider (aka SSPN) Interface
• Support for emergency services including Emergency Alert Service
(EAS)
• Standardized SAP for higher-layer mobility management protocols (only
for client devices)
© 2012 Cisco and/or its affiliates. All rights reserved.
3
© 2012 Cisco and/or its affiliates. All rights reserved.
4
• SSID is the sole identifier used for Wi-Fi network selection
• If the Wi-Fi network is open (no encryption)
Whether mobile device’s connection manager recognizes the SSID or not, the
mobile device can join
• If the Wi-Fi network is encrypted
If the mobile device’s connection manager does not recognize the SSID, no
further action is taken
To join, the mobile device must possess a pre-provisioned profile which
contains the binding of {SSID, credential, EAP method(s), AAA server ID, trust
anchors}
• There is no way for the Hotspot to signal roaming partners—the only
option is for the SP to manage long lists of roaming-partner
SSIDs/profiles in the mobile
© 2012 Cisco and/or its affiliates. All rights reserved.
5
• All the legacy methods (i.e., pre-11u) still work! And can be used!
• The new question is whether the mobile device has credentials to
successfully authenticate with the Wi-Fi access network, NOT whether
the SSID is recognized
• IEEE 802.11 GAS/ANQP provides 3 types of identifiers a mobile device can
use to determine whether successful authentication is possible
• Realms, provided in NAI Realm List
• PLMN ID, provided in 3GPP Cellular Information List
• OUI, provided in Roaming Consortium List
• This ANQP-provided information identifies the authentication domains of the
hotspot operator and all of its roaming partners
• The hotspot is responsible for carrying out authentication, often using Proxy
AAA service
• The home SP is no longer required to manage long SSIDs lists on every
mobile device—this responsibility has been transferred to the network
© 2012 Cisco and/or its affiliates. All rights reserved.
6
• NAI Realm List
A list of realms (i.e., username@realm) which can be successfully authenticated
If the mobile device finds a realm in the list matching one of its credentials, successful authentication
is possible
Either EAP-TLS (certificate credential) or EAP-TTLS with MSCHAPv2 (username/password
credential) is used depending on the credential type provisioned by the Home SP
• 3GPP Cellular Information
A PLMN ID list; a PLMN ID is assigned to every cellular operator and has the form {MCC, MNC}
If the mobile device finds a PLMN ID in the list matching the one from its SIM credential, successful
authentication is possible
Either EAP-SIM (2G/3G SIM credential) or EAP-AKA (4G USIM credential) are used
• Roaming Consortium List
A list of OUIs (organizationally unique identifier)—essentially the OUI part of a MAC address obtained
from IEEE (note: IEEE 802.11u also uses the term “OI”)
If the mobile device finds an OUI in the list matching the one it’s been provisioned with, successful
authentication is possible
This method can be used with Aggregators (Hotspot operator does not necessarily know all the
authenticable realms) and for other special purposes
For OUIs in the beacon, this is a very battery efficient roaming method (no ANQP queries needed)
Eduroam could identify their authentication service using an OUI
© 2012 Cisco and/or its affiliates. All rights reserved.
7
Legacy
Client
Manual Setup
1. Power-on or unlock the phone
2. Select Wi-Fi network
(vulnerable to rogue AP)
3. Go to Webauth
4. Browse webpage and enter
right credential, usually ID/PWD
5. Choose roaming plan
6. Start Internet
802.11u
Client
Can you tell me your
network info?
Before I associate?
Automatic Setup
1. Power-on or unlock the phone
2. Handset automatically validates
network and initiates connection.
NAI Realm / 3GPP Cellular Info
Domain Name (hotspot operator’s FQDN)
Yes! Here it is:
Realm: cisco.com
EAP Method = EAP-TTLS
• Makes Wi-Fi easy-to-use and secure like 3G cellular
• 802.11u enabled network is compatible with non-11u devices!
© 2012 Cisco and/or its affiliates. All rights reserved.
8
AP/WLC
Beacon with 802.11u Interworking IE
Probe Request
Probe Response
GAS Initial Request
Used if
response
requires GAS
fragmentation
GAS Initial Response
GAS Comeback Request
GAS Comeback Response
AAA Server
Number of queries
and query content
is mobile
implementation
dependent
Pre-association protocol
using 802.11 public action frames
for GAS L2 transport.
ANQP provides NAI Realm, 3GPP
PLMN ID, etc. so mobile can select
roaming candidate network
Authentication (null)
Authentication Response
802.11u-enabled
connection
manager
supplies
SSID to join
Association Request (SSID)
Association Response (AID)
802.11u doesn’t
change the
authentication
procedure
802.1X (EAPOL-Start)
802.1X (EAP-Identity Request)
802.1X (EAP-Identity Response)
802.1X (EAP-Auth. Exchange)
RADIUS (EAP-Auth. Exchange)
PLMN ID and/or
Realm + EAP Method
learned from GAS
exchange
RADIUS (Access-Accept)
802.1X (EAP-Success)
4-Way Handshake (PTK, GTK)
© 2012 Cisco and/or its affiliates. All rights reserved.
9
• Wi-Fi networks also provide the following information for …
Policy-based network selection (who is the hotspot operator?)
Domain Name List (i.e., the domain name(s) of the hotspot operator)
Aids for connection manager (their use is implementation dependent)
IP Address Type Availability (e.g., IPv4 or IPv6)
Aids to human network selection (aka manual selection)
Venue Name (e.g., “San Francisco Airport”)
• ANQP also provides more information related to access to emergency
services (including location)
© 2012 Cisco and/or its affiliates. All rights reserved.
10
Octets:
Element ID
Length
1
1
B0 - B3
B4
B5
B6
B7
Network
Type
Internet
ASRA
ESR
UESA
Venue Info
(optional)
HESSID
(optional)
0 or 2
0 or 6
• This element is in beacons and probe responses
• Network type:
One of: {private | private with guest access | chargeable | free}
STAs can selectively scan for desired network type
• Internet: set to 1 if SSID provides internet access
• ASRA: set to 1 if Web-auth/WISPR configured on this SSID
• ESR (emergency services reachable): set to 1 if emergency services are
reachable on this SSID
• UESA (un-authenticated emergency services accessible): set to 1 if emergency
services are accessible for terminals not having valid security credentials on
this SSID
© 2012 Cisco and/or its affiliates. All rights reserved.
11
• This element is in beacons and probe responses
• Client scans & receives beacon having this element and can
quickly determine if there are any Wi-Fi networks for which it has
valid security credentials
• Each SP or consortium of SPs must register with IEEE to obtain OI
• Element gives OI for top 3 SPs (or consortium of SPs) having
roaming agreements with Wi-Fi access network provider;
remainder available via GAS-ANQP query
• Number of GAS-ANQP OIs provides number of additional OIs
which will be returned on a GAS-ANQP query (see subsequent
slide)
© 2012 Cisco and/or its affiliates. All rights reserved.
12
NAI Realm List
Realm #1
Realm #2
EAP Method #1
EAP Type (normal or expanded)
Etc.
EAP Method #1
EAP Type (normal or expanded)
Credential Types
Tunneled EAP Type
(if used, normal, expanded or non-EAP)
Credential Types
Credential Types
EAP Method #2
EAP Type (normal or expanded)
Credential Types
EAP Method #2
EAP Type (normal or expanded)
Credential Types
Tunneled EAP Type
(if used, normal, expanded or non-EAP)
Credential Types
Tunneled EAP Type
(if used, normal, expanded or non-EAP)
Credential Types
Etc.
© 2012 Cisco and/or its affiliates. All rights reserved.
• Credential Type
Tunneled EAP Type
(if used, normal, expanded or non-EAP)
Zero or more types in list
SIM, USIM, Certificate,
NFC Secure element,
Hardtoken, Softoken,
Username/password
Credential Types
Etc.
13
© 2012 Cisco and/or its affiliates. All rights reserved.
14
• Excerpts from IEEE 802.11u-2011:
Each OI identifies an SP or group of SPs (i.e., a roaming consortium) …
whose security credentials can be used to authenticate with the AP
transmitting this [OI]
Eduroam is a roaming consortium and could register for its own OI
A terminal can have a locally stored binding between an OI and a set of
security credentials with which it can authenticate to the network identified by
the OI.
• Notes on ANQP and OIs
ANQP does not provide the binding between OI and realm or PLMN ID
For each member realm of an OI, there does not have to be an entry in the
3GPP Cellular Information List or NAI Realm List—therefore, ANQP using OIs
can support a very large number of realms
© 2012 Cisco and/or its affiliates. All rights reserved.
15
• For roaming partners:
AAA routing is based on the realm provided via EAP
When a realm is provided in ANQP, the hotspot infrastructure has been
configured with routing information for the authentication request
Realms can be explicitly provided in the NAI Realm List or implicitly provided in
the 3GPP Cellular Information List
Either the Wi-Fi infrastructure (e.g., AP or access controller) or the visited AAA
server is configured with this routing information
• For aggregators:
AAA routing could be based on a prepended aggregator tag, e.g.,
iPass/daves@cisco.com
Aggregator tags are not needed if the hotspot’s AAA server has routing
knowledge for all the realms represented by the OIs
My understanding is that this is the case with Eduroam
The aggregator’s client realms (e.g., cisco.com) do not need to be provided in
other ANQP elements
© 2012 Cisco and/or its affiliates. All rights reserved.
16
• Question: how does the mobile device’s connection manager
know whether a particular credential can be used with a given
aggregator?
Out-of-scope of IEEE 802.11u
Might be solved by the Wi-Fi Alliance’s Hotspot 2.0 program
© 2012 Cisco and/or its affiliates. All rights reserved.
17
© 2012 Cisco and/or its affiliates. All rights reserved.
18
Thank you.
© 2012 Cisco and/or its affiliates. All rights reserved.
20
• Provides QoS Map (DSCP to UP mapping) for consistent packet
marking and queuing for all clients in the BSS
• Provides for each service to have the proper QoS over the air
There is no standardized mapping of end-to-end QoS (DSCP) to L2 QoS
Voice and Video endpoints can use this information element to provide proper
mapping for each flow (e.g., voice, video, signaling) over the air
• Hot Spot usage
Multiple service providers can share an AP at a hotspot (e.g., airport hotspot)
Each SP can have their own end-to-end DSCP marking practice and networkspecific QoSMap  all will have harmonized L2 QoS on the shared AP
© 2012 Cisco and/or its affiliates. All rights reserved.
21
• Permissions received from SP are saved in a MIB and enforced for each
client
• Provides standardized support for permissions and rate limiting for each
QoS level
Maximum data rate permitted for each access category
Maximum data transfer (in bytes) permitted for each access category
Permission to use a specific access category (e.g., voice)
• Provides for enforcement of security requirements, location
requirements
Can forces dis-association of client if hotspot in non-permitted location or
cipher too weak
© 2012 Cisco and/or its affiliates. All rights reserved.
22
• Features supporting Emergency Services
Identification of WLANs wherein emergency services are reachable
Provision for access emergency services in an RSN (802.1x network) when
client does NOT have valid security credentials
Expedited Bandwidth Request element
Used with admission control procedures to identify a flow as an emergency call
• Support for Emergency Alert Service (EAS)
Uses CAP—common alerting protocol
E.g., Amber alert, severe thunderstorm warning, etc.
© 2012 Cisco and/or its affiliates. All rights reserved.
23
• Applies only to client devices
• Standardized SAP having MAC primitives to support 802.21 event
service and command service (but generic enough to support other
mobility management protocols), eg:
Network discovery—tells MIH when a new network is discovered (as opposed
to a new AP in the same network)
ESS-Link-going-down—tells MIH when device is leaving the network (as
opposed to transitioning away from an AP)
© 2012 Cisco and/or its affiliates. All rights reserved.
24