High-quality Internet for higher education and research, 5th of April, Eurocamp, Ljubljana: eduroam, security and authentication, Paul Dekkers


Page 1

High-quality Internet for higher education and research

5th of April, Eurocamp, Ljubljana

eduroam, security and authentication

Paul Dekkers

Page 2

Contents

• 802.1x and wireless innovations

• Authentication protocols
  – Types
  – Authentication servers
  – Examples

• eduroam infrastructure

• Conclusion

Page 3

Entities in 802.1x setup

Authentication before (W)LAN access…

(Diagram: the supplicant talks to the authenticator (AP or switch), which forwards the authentication to the institution's RADIUS server backed by its user DB; depending on the outcome the port is placed in the guest VLAN or the LAN.)

Page 4

Wireless technologies

• Encryption with 802.11
  – WEP (RC4 keys)
  – WPA (RC4 + TKIP)
  – WPA2 (AES encryption)
  – 802.11i (crème de la crème)

Changes with low impact

• 802.1x is the basis for future standards
  In time: as common as DHCP

• With 802.1x we can make a 64-bit WEP key safe

Page 5

EAP

Extensible Authentication Protocol

• Different EAP-types

• EAP-types with SSL/TLS
  – “Mutual authentication”
  – Provide the encryption keys

• EAP is transported and proxied within RADIUS

• The home institution decides what type

Page 6

Common EAP types

• EAP-TLS
  Strong authentication with client certificates

• EAP-TTLS
  DIAMETER/RADIUS (e.g. u/p in PAP) in a TLS tunnel
  can be deployed with most u/p-type backends

• EAP-PEAP
  Microsoft implementation with u/p via MSCHAPv2
  usable in MS environments
  Cisco has a different implementation

• EAP-FAST
  username/password authentication the Cisco way
  installation more complex, uses no SSL/TLS

• EAP-SIM
  Strong authentication with the SIM card from phones

• ...

LEAP, EAP-MD5 are old and weak

Page 7

EAP transport

(Diagram: a guest supplicant connects to the authenticator (AP or switch) of institution B. Institution B's RADIUS server proxies the request over the Internet via the central RADIUS proxy server to the RADIUS server of home institution A, which checks its own user DB; each institution has its own user DB. The EAP exchange between supplicant and home RADIUS server runs through a secured tunnel; at institution B the guest is placed in the guest VLAN rather than the regular VLAN.)

Page 8

End-users

Is the biggest security risk the end-user itself?

Page 9

End-users

Security considerations

• In many cases username/password is good enough
  Compare with POP3, IMAP, webmail, …

• SSL client certificates are sometimes easier for users

• Mutual authentication can be confusing: installers help!

Page 10

RADIUS servers

Well known servers:

• Radiator

• FreeRADIUS

• IAS 2003
  – Only advised with Microsoft clients and backend

• Cisco ACS
  – Barely used, bad EAP compatibility

Page 11

Radiator example
Understandable monolithic linear configuration (saves time/mistakes!)

  LogDir /var/log/radius
  AuthPort 1812
  AcctPort 1813
  Trace 4

  <Client 192.87.110.54>
      Secret …
      IdenticalClients 192.87.110.4
  </Client>

  <AuthBy FILE>
      Identifier GiveItAName
      Filename %D/users
  </AuthBy>

  <Handler>
      AuthBy GiveItAName
  </Handler>

or:

  <Handler>
      <AuthBy FILE>
          #Identifier GiveItAName
          Filename %D/users
      </AuthBy>
  </Handler>

Page 12

Radiator example
Proxy non-local requests to the eduroam infrastructure:

  <Client obelix.a3.surf.net>
      Secret …
      Identifier SURFnet-proxy
      IdenticalClients idefix.a3.surf.net
  </Client>

  <Handler Client-Identifier=/^(?!SURFnet-proxy$)/>
      <AuthBy RADIUS>
          Host obelix.a3.surf.net
          Host idefix.a3.surf.net
          Secret …
          AuthPort 1812
          AcctPort 1813
          StripFromReply Tunnel-Type,Tunnel-Medium-Type,\
                         Tunnel-Private-Group-ID,TRPZ-VLAN-Name
          AddToReply TRPZ-VLAN-Name=GuestVLAN
      </AuthBy>
      AcctLogFileName %L/proxied-accounting
  </Handler>

Page 13

Radiator example: EAP-TTLS

  <Handler Realm=surfnet.nl, TunnelledByTTLS=1>
      …
  </Handler>

  <Handler Realm=surfnet.nl, EAP-Message=/.+/>
      <AuthBy FILE>
          Filename %D/dummy
          EAPType TTLS                    # you can add: TLS, PEAP
          EAPTLS_CAFile %D/ca.pem
          EAPTLS_CertificateFile %D/server.crt
          EAPTLS_CertificateType PEM
          EAPTLS_PrivateKeyFile %D/server.key
          EAPTLS_PrivateKeyPassword secret
          EAPTLS_MaxFragmentSize 1024
          AutoMPPEKeys
          SSLeayTrace 2
      </AuthBy>
  </Handler>

  <Handler Realm=surfnet.nl, Request-Type=Accounting-Request>
      …
  </Handler>

Page 14

Radiator example: tunneled PAP

Using POP3…

  <Handler Realm=surfnet.nl, TunnelledByTTLS=1>
      RewriteUsername s/^([^@]+).*/$1/
      <AuthBy POP3>
          Host mail.institution.nl
          NoDefault
          AuthMode APOP                   # or BEST, PASS
          UseSSL
      </AuthBy>
  </Handler>

Page 15

Radiator example: tunneled PAP

Using a (LDAP) directory server…

  <Handler Realm=surfnet.nl, TunnelledByTTLS=1>
      RewriteUsername s/^([^@]+).*/$1/
      <AuthBy LDAP2>
          Host directory.surfnet.nl
          Version 3
          BaseDN %0=%1,ou=Accounts,ou=Office,dc=surfnet,dc=nl
          Scope base
          UsernameAttr uid
          AuthAttrDef uid,X-UserID,request
          ServerChecksPassword
      </AuthBy>
  </Handler>
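The handler logic of pages 12, 14 and 15 (proxy everything that is not the local realm and did not arrive from the SURFnet proxy, strip the home institution's VLAN attributes and put guests in the guest VLAN, strip the realm before the tunnelled PAP backend check), written out as an added Python model; it is not Radiator code and not part of the original slides. The user table, client identifiers, password and attribute values are constructed, and the in-memory password check stands in for the POP3/LDAP backend.

```python
import re
from typing import Dict, Optional

# All values below are constructed for this example.
LOCAL_REALM = "surfnet.nl"
PROXY_CLIENT = "SURFnet-proxy"            # Identifier of the eduroam proxy <Client>
LOCAL_USERS = {"alice": "correct-horse"}  # stands in for the POP3/LDAP backend
STRIP_FROM_REPLY = ("Tunnel-Type", "Tunnel-Medium-Type",
                    "Tunnel-Private-Group-ID", "TRPZ-VLAN-Name")
GUEST_VLAN = {"TRPZ-VLAN-Name": "GuestVLAN"}   # AddToReply for proxied guests


def rewrite_username(user_name: str) -> str:
    """RewriteUsername s/^([^@]+).*/$1/ : keep only the part before '@'."""
    return re.sub(r"^([^@]+).*", r"\1", user_name)


def select_handler(request: Dict[str, str]) -> str:
    """First matching <Handler> wins, as in Radiator; assumes the
    Realm=surfnet.nl handlers are listed before the proxy handler."""
    if request["User-Name"].partition("@")[2] == LOCAL_REALM:
        return "local"                    # <Handler Realm=surfnet.nl, ...>
    # <Handler Client-Identifier=/^(?!SURFnet-proxy$)/>: only requests that did
    # not come from the proxy itself are proxied; nothing else matches, so a
    # request from the proxy for a foreign realm is rejected and cannot loop.
    if re.match(rf"^(?!{re.escape(PROXY_CLIENT)}$)",
                request.get("Client-Identifier", "")):
        return "proxy"
    return "none"


def handle(request: Dict[str, str],
           home_reply: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return the RADIUS reply the handlers above would produce."""
    handler = select_handler(request)
    if handler == "local":
        inner = rewrite_username(request["User-Name"])   # tunnelled PAP user
        ok = LOCAL_USERS.get(inner) == request.get("User-Password")
        return {"code": "Access-Accept" if ok else "Access-Reject"}
    if handler == "proxy" and home_reply is not None:
        # Keep the home institution's decision, never its VLAN assignment:
        # a visiting user always lands in the local guest VLAN.
        reply = {k: v for k, v in home_reply.items() if k not in STRIP_FROM_REPLY}
        if reply.get("code") == "Access-Accept":
            reply.update(GUEST_VLAN)
        return reply
    return {"code": "Access-Reject"}
```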

Page 16

Radiator example: TTLS and PEAP

Using a Windows backend (domain/AD)…

  <Handler Realm=surfnet.nl, TunnelledByPEAP=1>
      <AuthBy LSA>
          EAPType MSCHAPv2
      </AuthBy>
  </Handler>

  <Handler Realm=surfnet.nl, TunnelledByTTLS=1>
      <AuthBy LSA>
          #Domain SURFNET
          #DefaultDomain SURFNET
          #Group Administrators
          #DomainController dc.surfnet.nl
      </AuthBy>
  </Handler>

For AuthBy LSA, Radiator requires ActivePerl 5.6 and has to run on a Windows platform.

Page 17

Radiator under Windows

AuthBy LSA requires Radiator under Windows. Running Radiator under Windows is not hard!

1. Get ActivePerl (from www.activeperl.com)
2. ppm install http://www.open.com.au/radiator/free-downloads/Win32-Lsa.ppd
3. ppm install http://theoryx5.uwinnipeg.ca/ppmpackages/Net_SSLeay.pm.ppd
4. Get Radiator
5. Run perl Makefile.PL install

Run LSA as a service or change the “Act as part of the operating system” policy.

Page 18

Microsoft IAS 2003 – Clients & proxies

Page 19

Microsoft IAS 2003 – Create policy

Page 20

Microsoft IAS 2003 – Configure EAP

Page 21

eduroam infrastructure

Page 22

eduroam infrastructure

flexibility of RADIUS works!

(Diagram: a user@uninett.no authenticates at an access point of uva.nl. The request travels from uva.nl to the national server surfnet.nl, up to the European top-level server, and down via the .no national server to uninett.no. Other national servers shown: .nl, .ac.uk, .no, .lu, …; other institutions shown: unis.no.)

Page 23

eduroam infrastructure

grows rapidly!

(Diagram: the same European hierarchy (European top-level server; .nl, .ac.uk, .no, .lu, …; uva.nl, surfnet.nl, uninett.no, unis.no) joined by an Asian/Pacific top level with .tw and .edu.au beneath it, and aarnet.edu.au and newcastle.edu.au under .edu.au. A user@newcastle.edu.au authenticates at an access point of uva.nl and the request is routed via both top-level servers to newcastle.edu.au.)

Page 24

current infrastructure

RADIUS has its drawbacks

• The RADIUS packet is “visible” on every hop
  this is not bad with EAP…

• Traffic between hops is poor
  this is not bad with EAP…

• Static routing (based on a @realm)
  requires configuration at the institution and at the research network

• Scalable, but: more connections =
  – more configuration
  – more load on the top-level servers

more…

Page 25

current infrastructure

UDP RADIUS transport
“dead server” detection is hard

(Diagram: the same routing hierarchy as on page 22, with a user@uninett.no authenticating at a uva.nl access point via surfnet.nl, the European top-level server and .no.)

if not properly configured…

Page 26

Something better…

• Disabling redundant hierarchy
  – Faster
  – More secure (few places that see the data)
  – More reliable (less “points of failure”)

• Better security on the transport layer (tcp/ssl?)

• Flexible configuration (lookup service?)

Page 27

Options

• Diameter
  RADIUS successor (been around for quite some time…)

• RadSec
  Part of Radiator

• DNSROAM & RadSec
  Experimental part of Radiator

Page 28

RadSec and DNSROAM

• RADIUS packet in TCP or SCTP
  more reliable, dead peer detection

• Secured with TLS/PKI (optional)
  offers options for limiting participation/federation:
  – by certificates signed by a specific CA
  – validated by attributes in the certificate (not yet)

• DNSROAM uses DNS as lookup service
  – dynamic routing based on the RADIUS realm
  – possible to deploy for just a part of the infrastructure
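An added Python model of the DNSROAM/RadSec routing decision described above; it is not part of the slides and not Radiator's implementation. The realm is looked up in a constructed table standing in for the DNS records, realms without a record fall back to the static upstream (deploying for just a part of the infrastructure), and a dynamically discovered peer is only accepted when its certificate comes from the federation CA. Host names, ports, the CA name and the certificate fields are constructed placeholders; in a real server the chain is validated during the TLS handshake, and only the policy decision is modelled here.

```python
from typing import Dict, NamedTuple, Optional, Tuple


class Peer(NamedTuple):
    host: str
    port: int
    transport: str     # "radsec" (TLS over TCP) or "radius" (UDP)
    dynamic: bool      # discovered through DNS (True) or statically configured


# Constructed stand-in for the DNS lookup service: realm -> RadSec server.
# Realms absent here have not joined the dynamic part of the infrastructure.
DNS_RADSEC: Dict[str, Tuple[str, int]] = {
    "home.org": ("radsec.home.org", 2083),
    "uninett.no": ("radius.uninett.no", 2083),
}
# Legacy path kept for everything else: the national proxy over plain RADIUS.
STATIC_UPSTREAM = Peer("obelix.a3.surf.net", 1812, "radius", False)
FEDERATION_CA = "eduroam.org CA"   # constructed name of the roaming-domain CA


def realm_of(user_name: str) -> Optional[str]:
    """Realm after '@', lower-cased; None when the request carries no realm."""
    _, at, realm = user_name.partition("@")
    return realm.lower() if at and realm else None


def discover_peer(user_name: str,
                  dns: Dict[str, Tuple[str, int]] = DNS_RADSEC) -> Optional[Peer]:
    """DNSROAM-style routing: resolve the realm through DNS, otherwise fall
    back to the static upstream. Requests without a realm are handled
    locally (None); that choice is an assumption of this model."""
    realm = realm_of(user_name)
    if realm is None:
        return None
    if realm in dns:
        host, port = dns[realm]
        return Peer(host, port, "radsec", True)
    return STATIC_UPSTREAM


def accept_peer(peer: Peer, presented_cert: Dict[str, str]) -> bool:
    """Federation check for a dynamic peer: its TLS certificate must be issued
    by the federation CA and name the host DNS pointed us to. Static legacy
    peers are trusted on their pre-shared RADIUS secret instead."""
    if not peer.dynamic:
        return True
    return (presented_cert.get("issuer") == FEDERATION_CA
            and presented_cert.get("subject") == peer.host)
```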

Page 29

RadSec

(Diagram: RadSec peering between a visiting and a home institution. A client, e.g. an 802.11 access point, asks the visit.org RADIUS server to authenticate/authorize a home.org user (step 1). The visit.org and home.org RADIUS servers each get the CA key of the eduroam.org Certificate Authority, then the RADIUS server logic on both sides sets up a dynamic p2p connection and the home.org server checks its user account DB (steps 2 to 4); visit.org has its own user account DB. A static p2p connection to the infra remains alongside the dynamic ones.)

(image taken from Radiate / Test description and evaluation by Telematica Instituut)

Page 30

RadSec

Replacing RADIUS with RadSec

(Diagram: the hierarchy of institutions, country-level servers and the EU-level hierarchy root; all links are RadSec except one remaining RADIUS link.)

Page 31

RadSec and DNSROAM

(Diagram: DNS based peer discovery and PKI based roaming domain. As on page 29, a client asks the visit.org RADIUS server to authenticate/authorize a home.org user (step 1). The visit.org server looks up the RADIUS server for home.org via the .org DNS server and the home.org DNS server, both RADIUS servers get the CA key from the eduroam.org Certificate Authority, and a dynamic p2p connection is set up to the home.org RADIUS server, which checks its user account DB (steps 2 to 6). A static p2p connection to the infra remains possible.)

Page 32

RadSec

Replacing static connections with dynamic ones

(Diagram: the same hierarchy of institutions, country-level and EU-level servers; the static RadSec connections are replaced by dynamic RadSec connections between institutions, and one RADIUS link remains.)

Page 33

RadSec and DNSROAM

Completely dynamic

Legacy connections remain possible (using a proxy)

(Diagram: institutions connect directly to each other over RadSec; the country-level and EU-level servers are no longer on the path, and one legacy RADIUS connection is served through a proxy.)

Page 34

Conclusion

• Clients and institutions won’t have to worry about wireless technology: 802.1x is the future… while WPA is becoming commodity, WEP is fine too.

• No radical improvements are required for the current infrastructure at an institution.

• EAP is flexible and fits almost every existing backend; the future will bring more EAP-types (like SSO).