Connect. Communicate. Collaborate
TERENA Networking Conference, 7 June 2005
Eduroam: past, present, and future
Contents
• What is Eduroam?
• Current status of Eduroam
• Is anything wrong with Eduroam?
• Eduroam-ng and Géant 2
• Conclusion
Users are mobile
[Diagram: users reach the network through different access providers (cable, ADSL, WLAN, GPRS/UMTS), the WLANs of University A and University B, the SURFnet backbone and international connectivity]
Eduroam enables them to roam seamlessly
EduRoam architecture
• Security based on 802.1X (or web-based redirect)
– Identity-based networking
– Different authentication mechanisms possible
– Prevents session hijacking
– Mutual authentication possible
– Protection of credentials
– Integration with VLAN assignment
– Provides basis for new wireless security standards WPA and 802.11i
• Roaming based on RADIUS proxying
– Remote Authentication Dial In User Service
– Transport protocol for authentication information
• Trust fabric based on:
– Technical: RADIUS hierarchy
– Policy: documents/contracts that define the responsibilities of user, institution, NREN and the EduRoam federation
EduRoam
[Diagram: a guest supplicant (piet@university_b.nl) connects to the authenticator (AP or switch) at University A; University A's RADIUS server forwards the request through SURFnet's central RADIUS proxy server to University B's RADIUS server, which checks its user DB; the authenticator then assigns the user to a VLAN (StudentVLAN, CommercialVLAN or EmployeeVLAN); data and signaling paths are drawn separately]
• Trust based on RADIUS plus policy documents
• 802.1X
• (VLAN assignment)
Tunneled authentication (PEAP/TTLS)
• Uses TLS/SSL tunnel to protect data
– The TLS tunnel is set up using the server certificate, thus authenticating the server and preventing man-in-the-middle attacks
– The user sends his credentials through the secure tunnel to the server, thus authenticating the user
• Can use dynamic session keys for ‘in the air’ encryption
[Diagram © Alfa&Ariss: 802.1X client, EAP and RADIUS server; the server authentication establishes the TLS tunnel, and the user authentication runs inside it, protected by the tunnel]
Status of EduRoam
• Over 350 institutions in Europe and Australia
• USA will follow shortly
Limitations
• Technology
– Static trust
– Single points of failure
– All authN and authZ traffic flows through hierarchy
• Policy
– Not suitable for full service yet
• Usability
– Eduroam comes in many flavours
– Where are the access points?
• Management & Monitoring
– Are all servers up and running?
– Who is abusing the service?
• AAI
– How to integrate with the European AAI
Eduroam-ng
Technology: bypassing the hierarchy overhead?
[Diagram: the European server at the top, national servers (.nl, .ac.uk, .pl, …) below it, institutions uva.nl and uni.torun.pl below those, each with an access point, and the user database at the home institution]
• AA traffic goes through all intermediate entities
• All links are peer-to-peer agreements / static routes / p2p secure
• DIAMETER? DNSsec? (See: Henk Eertink, Future directions in mobility)
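The architecture slide, the "single points of failure" and "all traffic flows through hierarchy" limitations, and the hierarchy-overhead point above are easiest to see by tracing a request through the tree. The following is an added example, not code from the presentation or from any eduroam software: a toy model of the RADIUS proxy hierarchy that routes an Access-Request on the realm part of the identity, records every server it passes, shows the VLAN the visited site assigns, and shows what happens when a national proxy is unreachable. The server names (european-root, nl-proxy, pl-proxy), the suffix-based forwarding rule and the VLAN policy are assumptions made for the example; the realms and the user piet@university_b.nl come from the slides.

```python
"""Toy model of the eduroam RADIUS proxy hierarchy (added example, not code
from the presentation).  It traces the hops an Access-Request takes from a
visited institution to the user's home RADIUS server, shows the VLAN the
visited site assigns, and shows what an outage of a national proxy does."""

# Constructed hierarchy: every server knows its parent proxy and the realm
# (institution) or realm suffix (national proxy) it is responsible for.
HIERARCHY = {
    "european-root":   {"parent": None,            "serves": []},
    "nl-proxy":        {"parent": "european-root", "serves": [".nl"]},
    "pl-proxy":        {"parent": "european-root", "serves": [".pl"]},
    "university_a.nl": {"parent": "nl-proxy",      "serves": ["university_a.nl"]},
    "university_b.nl": {"parent": "nl-proxy",      "serves": ["university_b.nl"]},
    "uni.torun.pl":    {"parent": "pl-proxy",      "serves": ["uni.torun.pl"]},
}


def realm_of(identity):
    """Realm = everything after the last '@' (the NAI convention of RFC 4282).
    Proxies route on the realm only; with PEAP/TTLS the outer identity can be
    anonymous@realm, so the real user name is seen by the home server alone."""
    if "@" not in identity:
        return None
    return identity.rsplit("@", 1)[1].lower()


def _responsible_child(node, realm):
    """The child of `node` whose realm or realm suffix matches `realm`, if any."""
    for name, info in HIERARCHY.items():
        if info["parent"] != node:
            continue
        if any(realm == s or realm.endswith(s) for s in info["serves"]):
            return name
    return None


def route(visited, identity, down=()):
    """Return the result and the list of servers the request passed through.
    `down` is a constructed set of servers that are currently unreachable."""
    down = set(down)
    realm = realm_of(identity)
    path = [visited]
    if realm is None:
        return {"result": "reject", "reason": "no realm in identity", "path": path}
    node = visited
    while True:
        if node in down:
            return {"result": "timeout", "reason": node + " unreachable", "path": path}
        info = HIERARCHY[node]
        if realm in info["serves"]:
            # Home server reached: credentials are checked against its user DB.
            return {"result": "home", "reason": node, "path": path}
        child = _responsible_child(node, realm)
        if child is not None:
            nxt = child                               # forward down the tree
        elif any(realm.endswith(s) for s in info["serves"]):
            # A proxy owns the suffix but has no member for this realm:
            # reject here instead of bouncing the request back upwards.
            return {"result": "reject", "reason": "unknown realm", "path": path}
        elif info["parent"] is not None:
            nxt = info["parent"]                      # forward up the tree
        else:
            return {"result": "reject", "reason": "unknown realm", "path": path}
        path.append(nxt)
        node = nxt


def vlan_for(visited, identity, group="student"):
    """VLAN the visited site puts the user in after Access-Accept (constructed
    policy after the slide): local users get their role VLAN, roamers the
    guest VLAN."""
    if realm_of(identity) in HIERARCHY[visited]["serves"]:
        return {"student": "StudentVLAN", "employee": "EmployeeVLAN"}.get(group, "StudentVLAN")
    return "GuestVLAN"


if __name__ == "__main__":
    scenarios = [
        ("university_a.nl", "anonymous@university_b.nl", ()),            # the slide's scenario
        ("uni.torun.pl", "anonymous@university_b.nl", ()),               # international roaming
        ("uni.torun.pl", "anonymous@university_b.nl", {"nl-proxy"}),     # single point of failure
        ("university_a.nl", "piet@university_a.nl", {"nl-proxy"}),       # local user unaffected
    ]
    for visited, ident, down in scenarios:
        r = route(visited, ident, down)
        extra = "" if r["result"] == "home" else " (" + r["reason"] + ")"
        print(ident, "at", visited + ":", r["result"], "via", " -> ".join(r["path"]) + extra)
        print("   VLAN at visited site:", vlan_for(visited, ident))
```

The third scenario is the limitation in one line: a Dutch user visiting Toruń cannot authenticate while nl-proxy is down, even though both end servers are up, whereas the fourth scenario shows a local user at University A is unaffected because the request never leaves the home server.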
Roaming policy
• Minimal security level
• Levels of assertion
• SLAs
• Incident response
• Policy board
Usability: standardisation, localisation, expansion
• Standardisation
– Limited set of encryption and SSID choices
• Encryption: 802.1X+WEP, WPA+TKIP, WPA2
• SSID: eduroam
• Localisation
– Eduroam-around-the-corner (See: Martijn Arts)
• Expansion
– Integration with commercial roaming services (See: Martin Bech)
Managing & Monitoring: usertracking & weathermap
(See also: Kostas Kalevras, Large scale WLAN deployments)
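User tracking in a federation comes down to correlating the accounting records that the RADIUS servers already produce. As an added example, not code from the presentation or from any eduroam tooling, the block below correlates constructed accounting records (Start and Stop, matched by session id) into per-user session tracks and answers the "Who is abusing the service?" question from the Limitations slide with one simple check: a user whose sessions overlap in time from two different devices (different MAC addresses). The record format (space-separated key=value pairs) and all user names, access point names and addresses are constructed for the example; the field names are only loosely modelled on RADIUS accounting attributes.

```python
"""Per-user session tracking from RADIUS-style accounting records (added
example, not from the presentation).  The log format and all values below are
constructed for the example."""
from datetime import datetime

# Constructed accounting records: one per line, space-separated key=value pairs.
ACCOUNTING_LOG = """\
time=2005-06-07T09:01:10 type=Start user=piet@university_b.nl session=s1 nas=ap-university_a-01 mac=00-11-22-aa-aa-aa
time=2005-06-07T09:05:00 type=Start user=anna@uni.torun.pl session=s3 nas=ap-torun-02 mac=00-11-22-cc-cc-cc
time=2005-06-07T09:20:30 type=Start user=piet@university_b.nl session=s2 nas=ap-torun-07 mac=00-11-22-bb-bb-bb
time=2005-06-07T09:30:00 type=Stop user=anna@uni.torun.pl session=s3 nas=ap-torun-02 mac=00-11-22-cc-cc-cc
time=2005-06-07T09:40:00 type=Stop user=piet@university_b.nl session=s1 nas=ap-university_a-01 mac=00-11-22-aa-aa-aa
time=2005-06-07T09:45:00 type=Start user=anna@uni.torun.pl session=s4 nas=ap-torun-02 mac=00-11-22-cc-cc-cc
time=2005-06-07T10:00:00 type=Stop user=piet@university_b.nl session=s2 nas=ap-torun-07 mac=00-11-22-bb-bb-bb
"""


def parse_record(line):
    """Turn one 'k=v k=v ...' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def build_sessions(log_text):
    """Correlate Start/Stop records by session id; return {user: [sessions]}.
    A session without a Stop record is still open (stop is None)."""
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        ts = datetime.fromisoformat(rec["time"])
        s = sessions.setdefault(rec["session"], {
            "user": rec["user"], "nas": rec["nas"], "mac": rec["mac"],
            "start": None, "stop": None,
        })
        if rec["type"] == "Start":
            s["start"] = ts
        elif rec["type"] == "Stop":
            s["stop"] = ts
    by_user = {}
    for s in sessions.values():
        by_user.setdefault(s["user"], []).append(s)
    for lst in by_user.values():
        lst.sort(key=lambda s: s["start"] or datetime.max)
    return by_user


def overlapping(a, b):
    """True when the two sessions were active at the same time."""
    end_a = a["stop"] or datetime.max
    end_b = b["stop"] or datetime.max
    return a["start"] < end_b and b["start"] < end_a


def concurrent_sessions(by_user):
    """Flag users with overlapping sessions from different devices (MACs),
    one possible indicator of shared or stolen credentials.  Returns a list
    of (user, nas_of_first_session, nas_of_second_session)."""
    findings = []
    for user, lst in by_user.items():
        started = [s for s in lst if s["start"] is not None]   # skip Stop-only records
        for i, a in enumerate(started):
            for b in started[i + 1:]:
                if a["mac"] != b["mac"] and overlapping(a, b):
                    findings.append((user, a["nas"], b["nas"]))
    return findings


if __name__ == "__main__":
    tracks = build_sessions(ACCOUNTING_LOG)
    for user, lst in tracks.items():
        for s in lst:
            print(user, s["nas"], s["start"], "->", s["stop"] or "(open)")
    for user, nas_a, nas_b in concurrent_sessions(tracks):
        print("concurrent sessions from different devices:", user, nas_a, nas_b)
```

The check is deliberately conservative: anna's back-to-back sessions at the same access point from the same device are not flagged, while piet's overlapping sessions in Amsterdam and Toruń from two different devices are. In a real deployment the same correlation is what lets the home institution answer the visited institution's incident-response request with a concrete session and device.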
AAI Integration: offload AuthZ?
[Diagram: the European server at the top, national servers (.nl, .ac.uk, .es, …) below it, institutions uva.nl and uclm.es below those; an access point, the A-Select and PAPI systems, a user [email protected] and the UCLM user database]
• How do all these applications communicate? (SAML?)
• Or should we do it inline?
(See: Diego Lopez, AAI Infrastructures)
Conclusions
• 802.1X plus RADIUS provide a secure and future-proof solution for access to the institutional network
• Infrastructure not perfect yet but…
– It works ™
– It is ready for the future
– Géant2 JRA5 will make it even better
• Joining EduRoam is a small step for administrator-kind but a giant leap for the users, so…
Time to join…
More information
• EduRoam in SURFnet
– http://www.eduroam.nl
• EduRoam in Europe
– http://www.eduroam.org
• TERENA TF-Mobility
– http://www.terena.nl/mobility
• Géant2 Joint Research Activity 5 (authorisation and roaming)
– http://www.geant2.net/ (click on research)
• The unofficial IEEE 802.11 security page
– http://www.drizzle.com/~aboba/IEEE