Extending SWITCH Public Wireless
LAN with EAP-SIM
Kurt Baumann
SWITCHmobile
Project Leader
[email protected]
2007 © SWITCH
TNC2007
Agenda
Introduction
- SWITCH Public Wireless LAN - a brief history
- Current Architecture - Symmetric Approach
EAP(-SIM)
- Introduction EAP / EAP-SIM
- Extension of the Current Architecture with EAP-SIM
- Pilot ETHZ - Architecture Layout
- Implementation of EAP-SIM at ETHZ
- Roll-out plan
Progression of PWLAN
- Statistics
- Outlook - Multi Provider Capable Infrastructure
Conclusions
PWLAN Motivation
PWLAN History, Goals and Requirements
History
• 2004 Concept SWITCH PWLAN:
  Universities: ETHZ, UNINE, ZHW and SWITCH
  WISPs: tpn, Monzoon, TheNet
• 2005 Trial phases and institutional extension (EPFL, UniBE, BFH, HSR), including a new WISP, Swisscom.
• 06/2006: Productive phase and technical extension with EAP-SIM
Project goals
• Extend footprint
• Increase mobility for students, staff and researchers
• Create a platform that offers more flexibility for other future SWITCH services
Project requirements
• The traditional SWITCHmobile concept must be retained (VPN solution)
• Costs for universities shall be minimized as far as possible (symmetrical approach)
• Solution should be combinable with eduroam
• Solution should support other SWITCH activities that depend on roaming access (triple play services)
• Solution must be flexible, modular and state of the art
PWLAN Symmetric Approach
[Diagram: Docking Network University A and Docking Network University B, each with a SWITCHmobile ACL, a VPN GW and a Campus Network; the MPP in the middle; Commercial User, WISP, Landing Page and Internet on the right. Users shown: Student_A@PWLAN and Student_A@University_B.]
1: User opens browser and lands on landing page
2: User clicks PWLAN provider logo
3: All corresponding user traffic is forwarded to landing page of PWLAN provider
4: Customer is redirected to landing page of PWLAN provider
5: Customer gets internet access after authentication (NAT)
Legend: VPN tunnel, user traffic
MPP = Multi Provider Portal, WISP = Wireless Internet SP
EAP Definition
EAP
RFC 3748
EAP stands for Extensible Authentication Protocol.
It defines an authentication framework which supports multiple authentication methods.
EAP typically runs directly over data link layers such as the Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP.
EAP Method - How it works
EAP over IEEE 802
Parties: Supplicant (client), Authenticator (AP), Authentication Server (RADIUS/AAA). Systems for authentication: RADIUS, corporate identity servers, etc., using various protocols and methods.
[ 0 ] EAP starts: establish data link
[ 1 ] Identity exchange. Request-response paradigm: a message is sent and the sender waits for a response before sending another message - a "lock step" protocol
[ 2 ] Authentication, process-specific message exchange: multiple message sequences depending on the authentication process. All exchanges between client, authenticator and authentication systems are defined in a variety of specific RFCs
[ 3 ] Authentication messages: Success or Failure. The authenticator determines whether the authentication is a success (EAP-Success) or a failure (EAP-Failure)
EAP-SIM Definition
EAP-SIM
RFC 4186
EAP-SIM is a mechanism for mutual authentication and session key agreement using the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM).
EAP-SIM Method - How it works
GSM authentication flow (parties: Client/SIM card, AP, AAA/RADIUS, ITP MAP-Proxy, SS7 network, GSM AuC):
1. AAA -> AP: RADIUS/EAP-Req/SIM/Start; AP -> Client: EAP-Req/SIM/Start
2. Client -> AP: EAP-Resp/SIM/Start (IMSI@realm); AP -> AAA: RADIUS/EAP-Resp/SIM/Start (IMSI@realm)
3. AAA -> GSM AuC (via ITP MAP-Proxy and SS7 network): GSM triplet request (GetAuthInfo); AuC -> AAA: GSM triplet(s) (RAND, SRES, Kc)
4. AAA -> AP: RADIUS/EAP-Req/SIM/Challenge (RAND, MAC_RAND); AP -> Client: EAP-Req/SIM/Challenge (RAND, MAC_RAND)
5. SIM calculates SRES and Kc from RAND. Server authentication: MAC_RAND(AAA) = MAC_RAND(SIM)
6. Client -> AP: EAP-Resp/SIM/Challenge (MAC_SRES); AP -> AAA: RADIUS/EAP-Resp/SIM/Challenge (MAC_SRES)
7. Client authentication: MAC_SRES(SIM) = MAC_SRES(AAA)
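As an added illustration of the Start/Challenge exchange above (example code written for this page, not code from the slides, SWITCH or Swisscom): a simplified Python model of EAP-SIM mutual authentication. HMAC-SHA1 stands in for the GSM A3/A8 algorithms and for the RFC 4186 key derivation, and the NONCE_MT, Ki and IMSI values are constructed, so the MACs are not interoperable with a real SIM. The point it shows is the order of the two checks: a server that cannot obtain genuine triplets from the AuC fails MAC_RAND verification, and the SIM then sends nothing derived from SRES.

```python
import hashlib, hmac, os

def a3a8(ki, rand):
    """Stand-in for the GSM A3/A8 algorithms on the SIM: (SRES, Kc) from Ki and RAND."""
    d = hmac.new(ki, rand, hashlib.sha1).digest()      # constructed; real SIMs use COMP128 etc.
    return d[:4], d[4:12]                              # SRES is 32 bits, Kc is 64 bits in GSM

def k_aut(kcs, nonce_mt):
    """Stand-in for the RFC 4186 MK/K_aut derivation: the key protecting MAC_RAND and MAC_SRES."""
    return hashlib.sha1(b"".join(kcs) + nonce_mt).digest()

def mac16(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:16]   # RFC 4186 MACs are HMAC-SHA1-128

class AuC:
    """Home GSM AuC (reached via MAP proxy / SS7 in the slides): holds Ki, answers GetAuthInfo."""
    def __init__(self, subscribers): self.subscribers = subscribers   # {IMSI: Ki}
    def get_auth_info(self, imsi, n=2):                # RFC 4186 uses two or three triplets
        ki = self.subscribers[imsi]
        return [(r, *a3a8(ki, r)) for r in (os.urandom(16) for _ in range(n))]

class AAA:
    """WISP AAA/RADIUS: fetches triplets, sends RAND + MAC_RAND, verifies MAC_SRES."""
    def __init__(self, auc): self.auc, self.sessions = auc, {}
    def challenge(self, imsi, nonce_mt):
        triplets = self.auc.get_auth_info(imsi)
        rands = [r for r, _, _ in triplets]
        key = k_aut([kc for _, _, kc in triplets], nonce_mt)
        self.sessions[imsi] = (key, b"".join(s for _, s, _ in triplets))
        return rands, mac16(key, b"".join(rands) + nonce_mt)   # EAP-Req/SIM/Challenge
    def verify(self, imsi, mac_sres):
        key, sres_all = self.sessions.pop(imsi)
        return hmac.compare_digest(mac_sres, mac16(key, sres_all))   # client authentication

class Supplicant:
    """Client with SIM: checks MAC_RAND (server authentication) before answering with MAC_SRES."""
    def __init__(self, imsi, ki): self.imsi, self.ki, self.nonce_mt = imsi, ki, os.urandom(16)
    def respond(self, rands, mac_rand):
        results = [a3a8(self.ki, r) for r in rands]
        key = k_aut([kc for _, kc in results], self.nonce_mt)
        if not hmac.compare_digest(mac_rand, mac16(key, b"".join(rands) + self.nonce_mt)):
            return None              # server holds no genuine triplets for this SIM: abort
        return mac16(key, b"".join(sres for sres, _ in results))   # EAP-Resp/SIM/Challenge

def run_eap_sim(sup, aaa):
    """Start/Challenge exchange of the slide; True = EAP-Success, False = EAP-Failure."""
    rands, mac_rand = aaa.challenge(sup.imsi, sup.nonce_mt)
    mac_sres = sup.respond(rands, mac_rand)
    return mac_sres is not None and aaa.verify(sup.imsi, mac_sres)
```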
EAP-SIM Architecture
Extension of the current PWLAN architecture with EAP-SIM:
- Project organization
- Architecture
- Proof of concept: EAP-SIM@ETHZ
- Roll-out concept
EAP-SIM Architecture - Project Organization
Pilot: Organization
• Educational Association: ETHZ and SWITCH
• WISP: Swisscom
Pilot: Implementation
• ETHZ
  - Reconfiguration of the WLAN
  - Implementation of the Swisscom components
Roll-out:
SWITCH leads the roll-out
  - Definition of the roll-out plan
  - Repository: FAQ on the implementation of EAP-SIM
EAP-SIM Architecture Ideas
SCM Router = Swisscom Mobile Router
EAP-SIM Architecture - High-level concept
EAP-SIM: Requirements
- Implementation on top of an 802.1X-enabled network
- Separate VLAN, SSID: MOBILE-EAPSIM
- Swisscom-like implementation:
  VLAN uses half a class C IP address range
  Source and destination NAT (SCM router)
  DHCP requests handled by the SCM router
EAP-SIM Architecture - Pilot@ETHZ with Swisscom
Swisscom EAP-SIM Mobile setup
- New SSID "MOBILE-EAPSIM"
- Authentication: 802.1X with WEP
- ETHZ reserved an official IP for their RADIUS server (Radius: Radiusx@swisscom)
- The Swisscom router performs source and destination NAT
- Clients are in a separate VLAN (VRF)
- Swisscom provides the subnets and DHCP
[Diagram: SSID "public" -> MPP; SSID MOBILE-EAPSIM; VLAN for AP management, VLAN for EAPSIM data, VLAN for 'Public' client data; GRE tunnel between MPP and Swisscom router; ADSL connection from the router from Swisscom into Swisscom Mobile (MPLS)]
Functions of the router:
1. Forward DHCP requests to the MPP
2. Forward DHCP requests to the router from Swisscom
Tasks of the router:
1. NAT of the RADIUS requests to the Swisscom RADIUS
2. DHCP server for the EAPSIM VLAN
3. NAT of the MPP clients going to Swisscom
Problems
- System does not scale (more WISPs)
- The implementation solves most problems on the Swisscom router
- Channel 13 support of the Swisscom cards?
- Swapping between wireless domains?
EAP-SIM Architecture - Roll-out
Service Deployment - PWLAN
Pilot and roll-out of EAP-SIM (timeline Q2 2006 to Q4 2007):
- Brainstorming, information of the PWLAN members
- Definition of the architecture, technical solution
- "Proof of concept" - build up a test bed (SWITCH/ETHZ/Swisscom)
- Service: tests, test results and documentation
- Roll-out: step by step to further PWLAN members, marketing
• Up and running: ETHZ, BFH, EPFL, HSR and SWITCH
Statistics - Overview Members
[Chart: the PWLAN Academic Association (~97'700 people) and the WISPs, each connected to the Internet; hotspot counts shown: ~1600, ~330, ~265 and ~175 hotspots. The provider-to-count mapping was only in the lost image.]
Statistics - Monitoring
[Diagram: the Academic Association connected to the WISPs Monzoon, TheNet, TPN and Swisscom through GRE and VPN tunnels.]
Starting April 2007
Statistics Monitoring
Commercial WISP market in Switzerland
Market shares
[Pie chart: Monzoon, TPN, TheNet, Swisscom and Others, with slices of 50%, 23%, 17%, 8% and 2%. The legend-to-slice mapping was only in the lost image.]
EAP(-SIM) Multi Provider Capable Infrastructure
Conclusions
- SWITCH PWLAN extends the footprint for the Academic Association and for the WISPs.
- SWITCH PWLAN corresponds technologically to the most current standards: IEEE 802.1X, EAP/EAP-SIM.
- SWITCH PWLAN makes a further enlargement of the user population possible by a "Multi Provider Capable Infrastructure".
Q&A