High-quality Internet for higher education and research
eduroam
EuroCAMP, Porto, November 9, [email protected]
Contents
• Why 802.1X and eduroam?
• Implementation
– Requirements
– Technology
– Policy
• Status eduroam
• Future of eduroam
• Conclusions
But first…
• What is a federation?
• Is eduroam a federation?
• Is it a service?
• Is it a brand?
• Or…
Why 802.1X and eduroam?
Wireless LAN is unsafe
root@ibook:~# tcpdump -n -i eth1
19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:08.997961 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:09.000581 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply ^C
Users are mobile
[Diagram: users are mobile. Cable and ADSL access providers, University A WLAN, University B WLAN, WLAN and GPRS/UMTS access providers, all reached over the SURFnet backbone and international connectivity]
Requirements
• Identify users uniquely at the edge of the network
– No session hijacking
• Enable guest usage
• Scalable
– Local user administration and authentication
– No exponential administrative load
• Easy to install and use
– At most a one-time installation by the user
• Open
– Support for all common operating systems
– Non-proprietary
• Secure
Possible solutions
• Open access: scalable, unsafe
• MAC address: not scalable, unsafe
• WEP: not scalable, unsafe
European research networks:
• Web-gateway+RADIUS: scalable, unsafe
• VPN-gateway: not scalable, safe
• 802.1X+RADIUS: scalable, safe, the future (WPA, WPA2)
Implementation
eduroam architecture
• Security based on 802.1X (or web-based redirect)
– Different authentication mechanisms possible
– Identity-based networking
– Mutual authentication possible (by using the right EAP types: PEAP, TTLS, TLS)
– Protection of credentials
– Integration with VLAN assignment
– Provides basis for new wireless security standards WPA and 802.11i
• Roaming based on RADIUS proxying
– Remote Authentication Dial In User Service
– Transport protocol for authentication information
• Trust fabric based on:
– Technical: RADIUS hierarchy
– Policy: documents/contracts that define the responsibilities of user, institution, NREN and the eduroam federation
Secure access to the network with 802.1X
[Diagram: the supplicant (the user's device, [email protected]_a.nl) talks to the authenticator (AP or switch) at University A; the authenticator sends signaling to University A's RADIUS server, which checks the user DB; data traffic goes to the Internet on the VLAN assigned after authentication (StudentVLAN, CommercialVLAN or EmployeeVLAN)]
• 802.1X
• (VLAN assignment)
eduroam
[Diagram: a guest supplicant (piet@university_b.nl) at University A; the authenticator (AP or switch) sends signaling to University A's RADIUS server, which proxies the request via SURFnet's central RADIUS proxy server to University B's RADIUS server and user DB; data traffic is placed on a VLAN at University A (StudentVLAN, CommercialVLAN or EmployeeVLAN)]
• Trust based on RADIUS plus policy documents
• 802.1X
• (VLAN assignment)
Tunneled authentication (PEAP/TTLS)
• Uses TLS/SSL tunnel to protect data
– The TLS tunnel is set up using the server certificate, thus authenticating the server and preventing man-in-the-middle attacks
– The user sends his credentials through the secure tunnel to the server, thus authenticating the user
• Can use dynamic session keys for ‘in the air’ encryption
[Diagram © Alfa&Ariss: 802.1X client, EAP, RADIUS server; server authentication sets up the TLS tunnel, and user authentication is protected by the tunnel]
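The server-authentication step described on this slide, as an added example that is not code from the slides or from Alfa&Ariss: a Python model of a supplicant that lets the user's credentials leave the device only after the server certificate checks out against the CA and server name configured at installation time. Certificates are plain dataclasses standing in for X.509, and the CA name, server name, user database and password are constructed sample values; `Cert`, `SupplicantConfig`, `verify_server_cert` and `tunneled_auth` are illustrative names. The `validate_server=False` switch models a client installed without CA checking, the configuration under which the man-in-the-middle protection this slide relies on is lost.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real)."""
    subject: str      # server name carried in the certificate
    issuer: str       # name of the CA that signed it
    not_after: int    # expiry as a day number (constructed scale)


@dataclass
class SupplicantConfig:
    """What the user (or the institution's installer) configures once."""
    trusted_ca: str               # CA that must have issued the server cert
    expected_server: str          # server name the certificate must carry
    today: int                    # current day number, same scale as Cert
    validate_server: bool = True  # False models a misconfigured client


def verify_server_cert(cert: Cert, cfg: SupplicantConfig):
    """Supplicant's server-authentication step. Returns (ok, reason)."""
    if not cfg.validate_server:
        return True, "validation disabled (unsafe)"
    if cert.issuer != cfg.trusted_ca:
        return False, "issuer is not the configured CA"
    if cert.subject != cfg.expected_server:
        return False, "server name does not match"
    if cert.not_after < cfg.today:
        return False, "certificate expired"
    return True, "server certificate verified"


# Constructed user database at the home institution: username -> SHA-256 of
# the password (illustration only; real deployments use their own stores).
USER_DB = {"piet": hashlib.sha256(b"correct-horse").hexdigest()}


def home_server_check(username: str, password: str) -> bool:
    """Inner authentication at the home RADIUS server (constant-time compare)."""
    stored = USER_DB.get(username)
    if stored is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)


def tunneled_auth(cert: Cert, cfg: SupplicantConfig, username: str, realm: str,
                  password: str, server_is_genuine: bool) -> dict:
    """Run the PEAP/TTLS exchange from the supplicant's point of view.

    `server_is_genuine` says whether the peer presenting `cert` really is the
    home server (True) or some other device (False). Returns the message
    transcript plus whether the credentials ever left the client and whether
    the client ended up authenticated.
    """
    log = []
    # The outer identity only needs the realm so RADIUS proxies can route it;
    # PEAP/TTLS allow the real username to stay inside the tunnel.
    log.append(f"client -> server: EAP-Response/Identity anonymous@{realm}")
    log.append(f"server -> client: TLS certificate subject={cert.subject} "
               f"issuer={cert.issuer}")
    ok, reason = verify_server_cert(cert, cfg)
    if not ok:
        log.append(f"client: abort TLS, {reason}; credentials not sent")
        return {"credentials_sent": False, "authenticated": False, "log": log}
    log.append(f"client: {reason}; TLS tunnel established")
    log.append(f"client -> server [in tunnel]: {username} / <password>")
    if not server_is_genuine:
        log.append("peer is not the home server: credentials exposed to it")
        return {"credentials_sent": True, "authenticated": False, "log": log}
    if home_server_check(username, password):
        log.append("server -> client [in tunnel]: success, session keys derived")
        return {"credentials_sent": True, "authenticated": True, "log": log}
    log.append("server -> client [in tunnel]: failure")
    return {"credentials_sent": True, "authenticated": False, "log": log}


# Constructed sample data: a genuine certificate from the configured CA and a
# self-signed one carrying the same server name.
CONFIG = SupplicantConfig("Example University CA", "radius.university_b.nl", 100)
GENUINE_CERT = Cert("radius.university_b.nl", "Example University CA", 400)
ROGUE_CERT = Cert("radius.university_b.nl", "Self-Signed", 400)

if __name__ == "__main__":
    for cert, genuine in ((GENUINE_CERT, True), (ROGUE_CERT, False)):
        result = tunneled_auth(cert, CONFIG, "piet", "university_b.nl",
                               "correct-horse", genuine)
        print("\n".join(result["log"]), "\n")
```

Running the block prints two transcripts; the one for the self-signed certificate stops before any credential leaves the client. Swap in a config with `validate_server=False` and both transcripts run through to the inner authentication, which is why the one-time installation on the client has to include the CA and the server name, not just the SSID.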
Status
Status of eduroam
• Over 400 institutions in Europe, Australia and Taiwan
• USA, Belgium, Sweden will follow shortly
Members
FCCN was among the first eduroam participants
Future
Monitoring: usertracking & weathermap
But what to do with the info?
Technology: bypassing the hierarchy overhead?
[Diagram: RADIUS hierarchy. European server at the top; national servers .nl, .ac.uk, .pl, …; institutional servers uva.nl and uni.torun.pl, each with its access points and user database]
• AA traffic goes through all intermediate entries
• All links are peer-to-peer agreements / static routes / p2p secure
• DIAMETER? DNSsec? RadSec
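The realm-based proxying from the "eduroam architecture" slide and the hierarchy overhead this slide asks about, as one added example that is not eduroam's or SURFnet's software: a Python model of RADIUS servers that either authenticate a realm themselves or forward the request along a static peer route (longest suffix match) or up to their parent. Node names, realms and the per-institution user databases are constructed; `RadiusNode`, `route`, `assign_vlan` and `build_hierarchy` are illustrative names. The example also goes beyond the slide's one instance: it shows the path a guest's request takes through every intermediate server, how a direct peer link shortens it, and the visited site's own VLAN decision (local users from the DB, guests always on a guest VLAN).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class RadiusNode:
    """One RADIUS server: authenticates its own realms, forwards the rest."""
    name: str
    local_users: Dict[str, str] = field(default_factory=dict)   # user -> VLAN (constructed)
    local_realms: Set[str] = field(default_factory=set)
    routes: Dict[str, "RadiusNode"] = field(default_factory=dict)  # realm suffix -> peer
    parent: Optional["RadiusNode"] = None                        # default route upward


def split_identity(identity: str):
    """'user@realm' -> (user, realm); realms compare case-insensitively."""
    if identity.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {identity!r}")
    user, realm = identity.split("@")
    if not user or not realm:
        raise ValueError(f"empty user or realm in {identity!r}")
    return user, realm.lower()


def next_hop(node: RadiusNode, realm: str) -> Optional[RadiusNode]:
    """Longest-suffix match over the node's static routes, else its parent."""
    best = None
    for suffix, peer in node.routes.items():
        if realm == suffix or realm.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, peer)
    return best[1] if best else node.parent


def route(start: RadiusNode, identity: str, max_hops: int = 8) -> List[str]:
    """Forward an Access-Request hop by hop and return the names of every
    server it passes through, ending at the home server for the realm."""
    _, realm = split_identity(identity)
    node, path = start, [start.name]
    for _ in range(max_hops):
        if realm in node.local_realms:
            return path
        nxt = next_hop(node, realm)
        if nxt is None:
            raise LookupError(f"no route for realm {realm!r} beyond {node.name}")
        node = nxt
        path.append(node.name)
    raise LookupError("hop limit exceeded; check for a routing loop")


def assign_vlan(visited: RadiusNode, identity: str) -> str:
    """The visited institution's decision after authentication succeeds:
    its own users get the VLAN from its user DB, guests the guest VLAN."""
    user, _ = split_identity(identity)
    path = route(visited, identity)
    if path[-1] != visited.name:
        return "GuestVLAN"                  # authenticated elsewhere: guest
    vlan = visited.local_users.get(user)
    if vlan is None:
        raise PermissionError(f"unknown local user {user!r}")
    return vlan


def build_hierarchy() -> Dict[str, RadiusNode]:
    """Constructed two-country hierarchy: institution -> NREN -> European top."""
    eu = RadiusNode("eu-top")
    nl = RadiusNode("nl-nren", parent=eu)
    pl = RadiusNode("pl-nren", parent=eu)
    uva = RadiusNode("uva.nl", {"jan": "EmployeeVLAN"}, {"uva.nl"}, parent=nl)
    torun = RadiusNode("uni.torun.pl", {"ola": "StudentVLAN"},
                       {"uni.torun.pl"}, parent=pl)
    eu.routes = {"nl": nl, "pl": pl}
    nl.routes = {"uva.nl": uva}
    pl.routes = {"uni.torun.pl": torun}
    return {n.name: n for n in (eu, nl, pl, uva, torun)}


if __name__ == "__main__":
    h = build_hierarchy()
    print("guest via hierarchy:", route(h["uni.torun.pl"], "jan@uva.nl"))
    h["uni.torun.pl"].routes["uva.nl"] = h["uva.nl"]   # direct peer link
    print("guest via peer link:", route(h["uni.torun.pl"], "jan@uva.nl"))
    print("VLAN for guest:", assign_vlan(h["uni.torun.pl"], "jan@uva.nl"))
```

With the plain hierarchy, jan@uva.nl authenticating in Toruń passes through five servers; adding one static route between the two institutions cuts that to two, which is the trade-off the slide raises: fewer hops, but one more bilateral agreement and key to maintain per peer.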
Roaming policy
• Minimal security level
• Levels of assertion
• Who can
• SLAs
• Incident response
• Policy board
Usability: standardisation, localisation, expansion
• Standardisation
– Limited set of encryption and SSID choices
  • Encryption: 802.1X+WEP, WPA+TKIP, WPA2
  • SSID: eduroam
• Localisation
– eduroam-around-the-corner
– Maps
– Local pages
• Expansion
– Integration with commercial roaming services
AAI Integration: offload AuthZ?
[Diagram: AAI integration. European server; national servers .nl (SURFnet.nl), .ac.uk, .pt (FCCN.pt), …; access point, A-Select and Shibboleth at the institution; [email protected] checked against the FCCN user database]
• How do all these applications communicate? (SAML!)
Conclusions
Conclusions
• 802.1X plus RADIUS provide a secure and future-proof solution for network access for local users
• Joining eduroam gives the benefit of instant access for (academic) guest users
• Infrastructure not perfect but…
– It works ™
– It is ready for the future
• Joining eduroam is a small step for administrator-kind but a giant leap for the users, so…..
Time to join…..
Coming back…
• What is a federation?
• Is eduroam a federation?
• Is it a service?
• Is it a brand?
Federations
• Federations enable the sharing of resources
• A federation is constituted by a set of agreements between peers
• In a federation agreement there should be a common language
• Federations can be part of bigger federations
• Federations can cooperate with other federations: confederations
eduroam currently IS a (single-resource) federation, but may in the near future become a service OF the federation
Slightly less authoritative source
• Merriam-Webster: an association of persons, parties, or states for mutual assistance and protection
More information
• eduroam in SURFnet
– http://www.eduroam.nl
• eduroam in Europe
– http://www.eduroam.org
• TERENA TF-Mobility
– http://www.terena.nl/mobility
• Géant2 Joint Research Activity 5 (authorisation and roaming)
– http://www.geant2.net/server/show/nav.758
• The unofficial IEEE802.11 security page
– http://www.drizzle.com/~aboba/IEEE