eduroam
Klaas Wierenga, Security SEVT, August 25, 2009
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

The goal of eduroam
"open your laptop and be online"
• To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world, enabling seamless sharing of network resources

Requirements
• Identify users uniquely at the edge of the network
• No session hijacking
• Preserving privacy
• Enable guest usage
• Scalable
• Local user administration and authentication
• Easy to install and use: at most a one-time installation by the user
• Secure
• Open

Evaluated in TERENA TF-Mobility
Standard solutions provided by APs:
• Open access: scalable, not secure
• MAC address: not scalable, not secure
• WEP: not scalable, not secure
Alternative solutions:
• Web gateway + RADIUS (captive portal)
• VPN gateway
• 802.1X + RADIUS

Open network + web gateway
• Open (limited) network; a gateway between the (W)LAN and the rest of the network intercepts all traffic (session intercept)
• Can use a RADIUS backend to verify user credentials
• Guest use easy
• Browser necessary (but ubiquitous)
• Hard to maintain accountability
• Session hijacking: the gateway only knows an authenticated session by the client's MAC/IP address, and those can be spoofed by another client on the same open network

Open network + VPN gateway
• Open (limited) network; the client must authenticate to a VPN concentrator to get to the rest of the network
• Client software needed
• Proprietary
• Hard to scale: VPN concentrators are expensive
• Guest use hard (sometimes VPN in VPN)
• All traffic encrypted
• NB: this is about VPN for network access, not for confidentiality!
IEEE 802.1X
• True port-based access solution (layer 2) between client and AP/switch
• Association between layer 2 and layer 3 address needed
• Several authentication mechanisms available through the use of EAP (Extensible Authentication Protocol)
• Standardised
• Also derives dynamic per-session keys, so all data on the wireless path is encrypted
• RADIUS back-end: scalable, re-uses existing trust relationships, easy integration with dynamic VLAN assignment (802.1Q)
• Client software necessary (OS built-in or third party)
• Future proof (WPA, WPA2/802.11i)
• For wireless and wired

eduroam architecture
• Secure access based on 802.1X (WPA, WPA2)
  – Protection of credentials
  – Different authentication mechanisms possible by using EAP (Extensible Authentication Protocol): username/password, X.509 certificates, SIM cards
  – Integration with dynamic VLAN assignment (802.1Q)
• Roaming based on RADIUS proxying
  – Remote Authentication Dial In User Service
  – Transport protocol for authentication information
• Trust fabric based on:
  – Technical: RADIUS hierarchy
  – Policy: documents/contracts that define the responsibilities of user, institution, NREN and the eduroam federation
• AuthN by home institution, AuthZ by visited institution

Secure access to the network with 802.1X
[Figure: Supplicant -> Authenticator (AP or switch) -> RADIUS server -> User DB, all inside University A. The user [email protected]_a.nl is authenticated with 802.1X and, via VLAN assignment, placed in the Commercial, Employee or Student VLAN with access to the Internet. Dashed lines carry the signalling data. Source: SURFnet]

eduroam
[Figure: University A and University B each run a RADIUS server with their own User DB; both connect to SURFnet's central RADIUS proxy server. Guest pete@university_b.ac.uk authenticates at University A: the authenticator sends the signalling data to University A's RADIUS server, which proxies it via SURFnet to University B. University A's VLANs: Commercial, Employee, Student. Source: SURFnet]
• Trust based on RADIUS plus policy documents
• 802.1X
• EAP for mutual authentication and privacy protection
• (VLAN assignment)

Tunneled authentication
RADIUS@visited:
Tue Oct 10 00:05:15 2006: DEBUG: Packet dump:
*** Received from 145.99.133.194 port 1025 ....
Code: Access-Request
Identifier: 1
Authentic: k<145><206><152><185><0><0><0><249><26><0><0><208>D<1><16>
Attributes:
User-Name = "[email protected]"
NAS-IP-Address = 145.99.133.194
Called-Station-Id = "001217d45bc7"
Calling-Station-Id = "0012f0906ccb"
NAS-Identifier = "001217d45bc7"
NAS-Port = 55
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
EAP-Message = <2><0><0><1>[email protected]
Message-Authenticator = <27>`y<208><232><252><177>.<160><230><177>I<218><243>\

RADIUS@home:
Tue Oct 10 00:17:32 2006: DEBUG: Handling request with Handler 'TunnelledByTTLS=1, Realm=/guest.showcase.surfnet.nl/i'
Tue Oct 10 00:17:32 2006: DEBUG: Deleting session for [email protected] case.surfnet.nl, 145.99.133.194,
Tue Oct 10 00:17:32 2006: DEBUG: Handling with Radius::AuthFILE: SC-GUEST-ID
Tue Oct 10 00:17:32 2006: DEBUG: Reading users file /etc/radiator/db/showcase-guest-users
Tue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE looks for match with Klaas.Wie [email protected] [[email protected]]
Tue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE ACCEPT: : Klaas.Wierenga@guest.showcase.surfnet.nl [[email protected]]
Tue Oct 10 00:17:32 2006: DEBUG: AuthBy FILE result: ACCEPT,
Tue Oct 10 00:17:32 2006: DEBUG: Access accepted for [email protected] se.surfnet.nl
Tue Oct 10 00:17:32 2006: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code: Access-Accept

[Figure: Access Point -> RADIUS@visited -> eduroam hierarchy -> RADIUS@home -> Id Repository; the RADIUS hops carry the TLS channel(s) of the EAP tunnel]
• EAP tunnel terminates @home! The visited server and every proxy in between see only the outer identity and opaque EAP-Message bytes; the inner identity and password are only decrypted by the home server.
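What the visited RADIUS server actually checks on a packet like the dump above, as an added example (mine, not code from the slides, from Radiator or from any eduroam server): it encodes the dump's attributes into an Access-Request, fills in Message-Authenticator as HMAC-MD5 over the whole packet under this hop's shared secret (RFC 2869), verifies it the way a proxy must before forwarding, and pulls out the realm the proxy routes on. The shared secret and the outer identity anonymous@guest.showcase.surfnet.nl are constructed values; the EAP payload is only the Response/Identity that starts the exchange, since everything after it is inside the TTLS tunnel and opaque to this hop.

```python
# Added example (not from the slides or from any eduroam software): encode the
# Access-Request shown in the Radiator dump and verify its Message-Authenticator
# the way a RADIUS proxy must before forwarding it.  The shared secret and the
# outer identity are constructed values.
import hashlib
import hmac
import os
import struct

# RFC 2865/2869 attribute type codes for the attributes in the slide's dump
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, FRAMED_MTU = 1, 4, 5, 12
CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 30, 31, 32
NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 61, 79, 80
ACCESS_REQUEST = 1
WIRELESS_IEEE_802_11 = 19                    # NAS-Port-Type value from the dump

SECRET = b"constructed-visited-hop-secret"  # constructed per-hop shared secret


def attr(typ: int, value: bytes) -> bytes:
    """One Type/Length/Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one TLV")
    return struct.pack("!BB", typ, len(value) + 2) + value


def eap_response_identity(identity: str, eap_id: int = 0) -> bytes:
    """EAP Response/Identity: Code 2, Identifier, Length, Type 1, identity."""
    data = identity.encode()
    return struct.pack("!BBHB", 2, eap_id, 5 + len(data), 1) + data


def build_access_request(ident: int, attrs: list, secret: bytes) -> bytes:
    """Assemble Code|Id|Length|Request-Authenticator|attributes and set
    Message-Authenticator = HMAC-MD5(secret, packet with MA zeroed) (RFC 2869)."""
    authenticator = os.urandom(16)           # Request Authenticator: random per request
    payload = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(payload)) + authenticator + payload
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                   # MA is the last attribute: overwrite its zeros


def attributes(pkt: bytes):
    """Yield (type, value, offset of value) for each TLV after the 20-byte header."""
    off = 20
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        typ, ln = pkt[off], pkt[off + 1]
        if ln < 2 or off + ln > len(pkt):
            raise ValueError("malformed attribute length at offset %d" % off)
        yield typ, pkt[off + 2:off + ln], off + 2
        off += ln


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Proxy-side check: locate MA, zero it in a copy, recompute the HMAC and
    compare in constant time.  A malformed packet or an EAP request without
    MA is rejected outright (RFC 3579 says to discard it silently)."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    try:
        for typ, value, voff in attributes(pkt):
            if typ == MESSAGE_AUTHENTICATOR:
                if len(value) != 16:
                    return False
                zeroed = pkt[:voff] + bytes(16) + pkt[voff + 16:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, value)
    except ValueError:
        return False
    return False


def outer_realm(pkt: bytes) -> str:
    """The realm a proxy routes on: the part after the last '@' of the outer
    User-Name.  With EAP-TTLS the real (inner) identity sits inside the TLS
    tunnel and is never visible at this hop."""
    for typ, value, _ in attributes(pkt):
        if typ == USER_NAME:
            name = value.decode("utf-8", "replace")
            if "@" not in name:
                raise ValueError("no realm in outer identity, cannot route: %r" % name)
            return name.rsplit("@", 1)[1].lower()
    raise ValueError("Access-Request without User-Name")


def sample_request(secret: bytes = SECRET,
                   identity: str = "anonymous@guest.showcase.surfnet.nl") -> bytes:
    """The attributes of the dump on the slide (NAS address, MACs, port, MTU);
    the outer identity is constructed."""
    return build_access_request(1, [
        attr(USER_NAME, identity.encode()),
        attr(NAS_IP_ADDRESS, bytes([145, 99, 133, 194])),
        attr(CALLED_STATION_ID, b"001217d45bc7"),
        attr(CALLING_STATION_ID, b"0012f0906ccb"),
        attr(NAS_IDENTIFIER, b"001217d45bc7"),
        attr(NAS_PORT, struct.pack("!I", 55)),
        attr(FRAMED_MTU, struct.pack("!I", 1400)),
        attr(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_IEEE_802_11)),
        attr(EAP_MESSAGE, eap_response_identity(identity)),
    ], secret)


if __name__ == "__main__":
    pkt = sample_request()
    print("realm:", outer_realm(pkt))
    print("MA valid with the right secret:", verify_message_authenticator(pkt, SECRET))
    forged = pkt[:25] + bytes([pkt[25] ^ 0x01]) + pkt[26:]   # flip one bit in User-Name
    print("MA valid after tampering:", verify_message_authenticator(forged, SECRET))
```

Each hop verifies with its own secret and re-computes the Message-Authenticator for the next hop, so the integrity check is per hop, not end to end, and it is only as strong as the secret shared with the peer at that source address. That is the "shared secret/IP-address based trust" the RadSec work later in this deck sets out to replace.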
eduroam hierarchy (virtual)
• eduroam root
  – European root: .nl, .ac.uk, .dk, .pt, .es, ...
  – APAN root: .au, .cn, ...
  – (Americas root): .edu, .ca, ...

eduroam status
• Canada member since June 2008
• > 600 service providers
• Trials in Latin America, US
• Approx. 10 million users

Spin-off: RadSec
eduroam problems:
• Dead peer discovery
• Fragmentation
• Managing shared secret/IP-address based trust
• Static hierarchy
• DIAMETER not available
RADIUS with:
• TLS
• TCP
• draft-ietf-radext-radsec-02.txt, draft-dekok-radext-tcp-transport-01.txt
• Implementations in Radiator, FreeRADIUS (in progress), RadSecProxy, and OpenWRT and Lancom APs
• RADIUS over TLS authenticates each hop with X.509 certificates instead of a shared secret bound to a source IP address, and TCP removes the UDP fragmentation and dead-peer problems listed above

Cisco & eduroam
• > 80% of WLAN deployments are Cisco
• < 1% of RADIUS deployments are Cisco
  – FreeRADIUS, Radiator dominant
  – No TTLS support, proxy issues
• < 5% of supplicants are Cisco
  – SecureW2, Xsupplicant, Intel client dominant
  – Free supplicants
• > 80% EAP-TTLS
  – ~10% PEAP
  – EAP-FAST too new, no perceived high benefit
• Working with Joe Salowey, Nancy Cam-Winget to introduce EAP-FAST in eduroam
• Working with Joe, Nancy and Hao Zhou in IETF emu and radext WGs on RadSec and tunnel bindings

More info
• Whitepaper (EDCS-771033): http://wwwin-eng.cisco.com/Eng/CTO/Security/eduroam.doc
• Website: http://www.eduroam.org
• eduroam cookbook: http://www.eduroam.org/downloads/docs/GN2-08-230-DJ5.1.5.3eduroamCookbook.pdf
• TERENA task force on Mobility: http://www.terena.org/activities/tf-mobility/
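How a request for a foreign realm climbs the hierarchy of the "eduroam hierarchy" slide and how the visited institution then does its own authorization ("AuthN by home institution, AuthZ by visited institution" from the architecture slide), as an added example that is mine and not code or configuration from any eduroam server. The server names, realm suffixes, user roles and VLAN IDs are all constructed; the routing rule (longest matching child suffix, otherwise up to the parent, reject rather than forward when the realm is in our own namespace but unknown) and the Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID attributes used for 802.1Q VLAN assignment (RFC 3580) are general.

```python
# Added example (not code from the slides or from any eduroam server): realm-
# based routing through a constructed RADIUS hierarchy modelled on the
# "eduroam hierarchy" slide, plus the visited institution's own authorization
# step (AuthN by home, AuthZ by visited).  Server names, realm suffixes, roles
# and VLAN numbers are all constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Server:
    name: str
    suffix: Optional[str]       # realm space this server answers for; None for a federation root
    parent: Optional[str]       # next hop "up" for realms that are not ours
    children: Dict[str, str] = field(default_factory=dict)   # realm suffix -> next hop "down"


def covers(suffix: Optional[str], realm: str) -> bool:
    """'.nl' covers every realm ending in '.nl'; 'university_a.nl' covers
    itself and sub-realms such as 'guest.university_a.nl'."""
    if suffix is None:
        return False
    if suffix.startswith("."):
        return realm.endswith(suffix)
    return realm == suffix or realm.endswith("." + suffix)


# Constructed hierarchy: home IdPs (leaves), national roots, regional roots, top root
HIERARCHY: Dict[str, Server] = {s.name: s for s in [
    Server("university_a.nl", "university_a.nl", ".nl"),
    Server("surfnet.nl", "surfnet.nl", ".nl"),
    Server("university_b.ac.uk", "university_b.ac.uk", ".ac.uk"),
    Server(".au", ".au", "apan-root"),
    Server(".nl", ".nl", "european-root",
           {"university_a.nl": "university_a.nl", "surfnet.nl": "surfnet.nl"}),
    Server(".ac.uk", ".ac.uk", "european-root",
           {"university_b.ac.uk": "university_b.ac.uk"}),
    Server("european-root", None, "eduroam-root", {".nl": ".nl", ".ac.uk": ".ac.uk"}),
    Server("apan-root", None, "eduroam-root", {".au": ".au"}),
    Server("eduroam-root", None, None,
           {".nl": "european-root", ".ac.uk": "european-root", ".au": "apan-root"}),
]}


class RoutingError(Exception):
    pass


def route(start: str, realm: str, max_hops: int = 8) -> List[str]:
    """Path of servers from `start` to the home server of `realm`.  Longest
    matching child suffix wins.  A server whose own suffix covers the realm
    but that has no member for it rejects instead of forwarding upward; that,
    plus the hop limit, is what keeps unknown-realm requests from looping."""
    realm = realm.lower()
    path = [start]
    while True:
        here = HIERARCHY[path[-1]]
        if covers(here.suffix, realm) and not here.children:
            return path                                   # reached the home IdP
        matches = [s for s in here.children if covers(s, realm)]
        if matches:
            nxt = here.children[max(matches, key=len)]
        elif covers(here.suffix, realm):
            raise RoutingError(f"{here.name}: {realm!r} is in my namespace but unknown")
        elif here.parent is not None:
            nxt = here.parent
        else:
            raise RoutingError(f"{here.name}: no route for realm {realm!r}")
        if nxt in path or len(path) >= max_hops:
            raise RoutingError(f"loop or hop limit reached for {realm!r}: {path}")
        path.append(nxt)


def reachable(start: str, realm: str) -> bool:
    try:
        route(start, realm)
        return True
    except RoutingError:
        return False


TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6  # RFC 3580 values for 802.1Q VLAN assignment
ROLE_VLAN = {"employee": "10", "student": "20"}  # constructed VLAN IDs at the visited site
GUEST_VLAN = "30"                                # constructed


def authorize(visited: str, identity: str, home_reply: dict, local_roles: Dict[str, str]) -> dict:
    """AuthZ by the visited institution.  `home_reply` is the answer that came
    back over the hierarchy ({'code': ..., 'attrs': {...}}).  The verdict is
    the home's; the VLAN is ours: local users get their role VLAN, guests the
    guest VLAN, and any Tunnel-* attributes a remote home sent are discarded
    rather than trusted."""
    if home_reply.get("code") != "Access-Accept":
        return {"code": "Access-Reject", "attrs": {}}
    realm = identity.rsplit("@", 1)[1].lower() if "@" in identity else ""
    attrs = {k: v for k, v in home_reply.get("attrs", {}).items()
             if not k.startswith("Tunnel-")}
    if covers(HIERARCHY[visited].suffix, realm):
        vlan = ROLE_VLAN.get(local_roles.get(identity.lower(), ""))
        if vlan is None:                # our realm, but our own user DB knows no role
            return {"code": "Access-Reject", "attrs": {}}
    else:
        vlan = GUEST_VLAN
    attrs.update({"Tunnel-Type": TUNNEL_TYPE_VLAN,
                  "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
                  "Tunnel-Private-Group-ID": vlan})
    return {"code": "Access-Accept", "attrs": attrs}


if __name__ == "__main__":
    print(route("university_a.nl", "university_b.ac.uk"))
    print(authorize("university_a.nl", "pete@university_b.ac.uk",
                    {"code": "Access-Accept", "attrs": {"Tunnel-Private-Group-ID": "10"}}, {}))
```

The two rejections in route() are the ones worth copying into a real proxy: a national root that forwards "unknown.nl" upward would get it routed straight back by the regional root, and a guest's home server that returns its own VLAN number must not be allowed to pick a VLAN on the visited campus.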