Extending SWITCH Public Wireless LAN with EAP-SIM
Kurt Baumann, SWITCHmobile Project Leader, [email protected]
TNC2007, 2007 © SWITCH

Agenda
• Introduction
  - SWITCH Public Wireless LAN - a brief history
  - Current Architecture - Symmetric Approach
• EAP(-SIM) Introduction
  - EAP / EAP-SIM
• Extension
  - Current Architecture with EAP-SIM
  - Pilot ETHZ - Architecture Layout
  - Implementation of EAP-SIM at ETHZ
  - Roll-out plan
• Progression of PWLAN
  - Statistics
• Outlook - Multi Provider Capable Infrastructure
• Conclusions

PWLAN - Motivation

PWLAN - History, Goals and Requirements
History
• 2004: Concept SWITCH PWLAN. Universities: ETHZ, UNINE, ZHW and SWITCH; WISPs: tpn, Monzoon, TheNet
• 2005: Trial phases and institutional extension (EPFL, UniBE, BFH, HSR), including a new WISP, Swisscom
• 06/2006: Productive phase and technical extension with EAP-SIM
Project goals
• Extend the footprint
• Increase mobility for students, staff and researchers
• Create a platform that offers more flexibility for other future SWITCH services
Project requirements
• The traditional SWITCHmobile concept must be retained (VPN solution)
• Costs for the universities shall be minimized as much as possible (symmetrical approach)
• The solution should be combinable with eduroam
• The solution should support other SWITCH activities that depend on roaming access (triple play services)
• The solution must be flexible, modular and state of the art

PWLAN - Symmetric Approach
(Diagram: docking network and campus network of University A and University B, each behind a SWITCHmobile ACL and a VPN GW; the Multi Provider Portal (MPP) with its landing page; the WISP's commercial users; Student_A@PWLAN and Student_A@University_B; VPN tunnels and user traffic towards the Internet.)
1: User opens the browser and lands on the landing page
2: User clicks the PWLAN provider logo
3: All corresponding user traffic is forwarded to the landing page of the PWLAN provider
4: Customer is redirected to the landing page of the PWLAN provider
5: Customer gets Internet access after authentication (NAT)
Legend: MPP = Multi Provider Portal; WISP = Wireless Internet Service Provider

EAP - Definition
EAP, RFC 3748
EAP stands for Extensible Authentication Protocol. It defines an authentication framework which supports multiple authentication methods. EAP typically runs directly over data link layers such as the Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP.

EAP Method - How it works (EAP over IEEE 802)
Parties: Supplicant (client), Authenticator (AP), Authentication Server (RADIUS/AAA, corporate identity servers etc., using various protocols and methods).
[0] Establish the data link; EAP starts
[1] Identity exchange. Request-response paradigm: a message is sent and the sender waits for a response before sending another message, a "lock step" protocol
[2] Authentication: process-specific message exchange, with multiple message sequences depending on the authentication method. All exchanges between client, authenticator and authentication systems are defined in a variety of specific RFCs
[3] Authentication result: the authentication server decides success or failure, and the authenticator delivers EAP-Success or EAP-Failure to the client

EAP-SIM - Definition
EAP-SIM, RFC 4186
EAP-SIM is a mechanism for mutual authentication and session key agreement using the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM).
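The mutual authentication that the definition above promises comes from two MAC checks, one in each direction, over material that only the SIM and the home operator's Authentication Centre (AuC) can derive. The following Python simulation is an added example, not code from these slides, SWITCH or Swisscom: it plays the EAP-SIM exchange end to end with both sides' messages (Start with IMSI@realm, triplet request to a simulated AuC, Challenge with RAND and MAC_RAND, Challenge response with MAC_SRES) and shows what happens when the network cannot obtain the subscriber's triplets. Assumptions, none of them RFC 4186 exact: the GSM A3/A8 algorithm is stood in for by HMAC-SHA256 keyed with Ki, the key derivation is a plain HMAC rather than the SHA-1 plus FIPS 186-2 PRF of RFC 4186, messages are Python dicts rather than EAP/RADIUS packets, and the IMSI, realm and Ki are constructed test values.

```python
import hashlib
import hmac
import os

# Constructed test subscriber: not a real IMSI, realm or key. MCC 228 is Switzerland.
IMSI = "228015551234567"
REALM = "wlan.example"
KI = bytes.fromhex("0123456789abcdef0123456789abcdef")

def a3_a8(ki, rand):
    """Stand-in for the SIM's A3/A8 (assumption: HMAC-SHA256 instead of COMP128).
    RAND -> (SRES, Kc). Only the SIM and the home operator's AuC hold Ki."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]

def derive_k_aut(identity, kcs, nonce_mt):
    """Authentication key from the Kc values and the client nonce NONCE_MT.
    Assumption: a plain HMAC; RFC 4186 uses SHA-1 plus the FIPS 186-2 PRF here."""
    return hmac.new(b"".join(kcs), identity.encode() + nonce_mt, hashlib.sha256).digest()[:16]

def mac16(k_aut, data):
    """16-byte MAC, the slide's MAC_RAND / MAC_SRES (RFC 4186 calls both AT_MAC)."""
    return hmac.new(k_aut, data, hashlib.sha256).digest()[:16]

class AuC:
    """GSM Authentication Centre: answers the GSM-Triplet-Request (GetAuthInfo)."""
    def __init__(self, subscribers):
        self.subscribers = subscribers  # IMSI -> Ki

    def get_auth_info(self, imsi, n=2):
        ki, triplets = self.subscribers[imsi], []
        for _ in range(n):
            rand = os.urandom(16)
            sres, kc = a3_a8(ki, rand)
            triplets.append((rand, sres, kc))
        return triplets

class SIMClient:
    """Supplicant with a SIM card."""
    def __init__(self, imsi, realm, ki):
        self.identity, self.ki, self.nonce_mt = f"{imsi}@{realm}", ki, b""

    def on_start(self, req):
        # EAP-Request/SIM/Start -> EAP-Response/SIM/Start (IMSI@realm, NONCE_MT)
        self.nonce_mt = os.urandom(16)
        return {"type": "SIM/Start", "identity": self.identity, "nonce_mt": self.nonce_mt}

    def on_challenge(self, req):
        # EAP-Request/SIM/Challenge (RAND, MAC_RAND) -> EAP-Response/SIM/Challenge (MAC_SRES)
        pairs = [a3_a8(self.ki, r) for r in req["rand"]]  # the SIM runs A3/A8 on each RAND
        k_aut = derive_k_aut(self.identity, [kc for _, kc in pairs], self.nonce_mt)
        expected = mac16(k_aut, b"".join(req["rand"]) + self.nonce_mt)
        # Server authentication: MAC_RAND(AAA) must equal MAC_RAND(SIM). Only a server
        # that obtained Kc from the AuC can compute it, so a rogue network fails here.
        if not hmac.compare_digest(req["mac_rand"], expected):
            return {"type": "SIM/Client-Error"}
        sres_all = b"".join(sres for sres, _ in pairs)
        return {"type": "SIM/Challenge", "mac_sres": mac16(k_aut, sres_all)}

class AAAServer:
    """RADIUS/AAA server running the EAP-SIM method; fetches triplets from the AuC."""
    def __init__(self, auc):
        self.auc = auc

    def authenticate(self, client):
        start = client.on_start({"type": "SIM/Start"})
        identity, nonce_mt = start["identity"], start["nonce_mt"]
        triplets = self.auc.get_auth_info(identity.split("@", 1)[0])  # via MAP/SS7
        rands = [t[0] for t in triplets]
        k_aut = derive_k_aut(identity, [t[2] for t in triplets], nonce_mt)
        resp = client.on_challenge({"type": "SIM/Challenge", "rand": rands,
                                    "mac_rand": mac16(k_aut, b"".join(rands) + nonce_mt)})
        if resp["type"] != "SIM/Challenge":
            return "EAP-Failure"  # the client rejected us as the server
        # Client authentication: MAC_SRES(SIM) must equal MAC_SRES(AAA). SRES itself
        # never crosses the air interface, only a MAC over it does.
        sres_all = b"".join(t[1] for t in triplets)
        ok = hmac.compare_digest(resp["mac_sres"], mac16(k_aut, sres_all))
        return "EAP-Success" if ok else "EAP-Failure"

def run_genuine():
    """Home operator's AuC knows Ki: mutual authentication succeeds."""
    return AAAServer(AuC({IMSI: KI})).authenticate(SIMClient(IMSI, REALM, KI))

def run_rogue_network():
    """AAA without AuC access fakes triplets with a guessed Ki: the client detects it."""
    return AAAServer(AuC({IMSI: os.urandom(16)})).authenticate(SIMClient(IMSI, REALM, KI))

def run_wrong_sim():
    """Client claiming the IMSI without the matching Ki: its K_aut differs, so it fails."""
    return AAAServer(AuC({IMSI: KI})).authenticate(SIMClient(IMSI, REALM, os.urandom(16)))
```

`run_genuine()` returns EAP-Success and the two failure cases return EAP-Failure. In the rogue-network case the client answers with a Client-Error and never sends MAC_SRES, which is the practical value of the server check: a hotspot that cannot reach the operator's AuC over SS7 cannot obtain Kc, cannot produce a valid MAC_RAND, and therefore learns nothing it could replay against the real network. This is also why the architecture on the following slides routes the RADIUS request to the WISP's own AAA server instead of terminating EAP-SIM at the university.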
EAP-SIM Method - How it works
GSM authentication flow across client/SIM card, AP, AAA/RADIUS, ITP MAP-Proxy, SS7 network and the GSM AuC. The AuC holds the GSM triplets (RAND, SRES, Kc); the AAA server obtains them with a GSM-Triplet-Request (GetAuthInfo).
1. EAP-Req/SIM/Start: AP -> client
2. EAP-Resp/SIM/Start (IMSI@realm): client -> AP, forwarded as RADIUS/EAP-Resp/SIM/Start (IMSI@realm) to the AAA server
3. Triplet request: AAA -> AuC (GSM-Triplet-Request, GetAuthInfo) through the ITP MAP-Proxy and the SS7 network; the AuC returns the GSM triplet(s) (RAND, SRES, Kc)
4. RADIUS/EAP-Req/SIM/Challenge (RAND, MAC_RAND): AAA -> AP, passed on as EAP-Req/SIM/Challenge (RAND, MAC_RAND) to the client
5. Server authentication: the SIM runs its GSM algorithms on RAND to obtain SRES and Kc, and the client checks MAC_RAND(AAA) = MAC_RAND(SIM)
6. EAP-Resp/SIM/Challenge (MAC_SRES): client -> AP, forwarded as RADIUS/EAP-Resp/SIM/Challenge (MAC_SRES) to the AAA server
7. Client authentication: the AAA server checks MAC_SRES(SIM) = MAC_SRES(AAA)

EAP-SIM Architecture - Extension
Current PWLAN architecture with EAP-SIM:
- Project organization
- Architecture
- Proof of concept: EAP-SIM@ETHZ
- Roll-out concept

EAP-SIM Architecture - Project Organization
Pilot: organization
• Educational association: ETHZ and SWITCH
• WISP: Swisscom
Pilot: implementation
• ETHZ
  - Reconfiguration of the WLAN
  - Implementation of the Swisscom components
Roll-out: SWITCH leads the roll-out
  - Definition of the roll-out plan
  - Repository: FAQ "Implementation EAP-SIM"

EAP-SIM Architecture - Ideas
(Diagram; SCM Router = Swisscom Mobile Router)

EAP-SIM Architecture - High-level concept
EAP-SIM requirements:
- Implementation on top of an 802.1X-enabled network
- Separate VLAN, SSID: MOBILE-EAPSIM
- Swisscom-like implementation: the VLAN is half a class C IP address range; source and destination NAT on the SCM router; DHCP requests handled by the SCM router

EAP-SIM Architecture - Pilot@ETHZ with Swisscom
Swisscom EAP-SIM mobile setup
- New SSID "MOBILE-EAPSIM"
- Authentication: 802.1X with WEP
- ETHZ reserved an official IP address for its RADIUS server (Radius: Radiusx@swisscom)
- The Swisscom router does source and destination NAT
- Clients are in a separate VLAN (VRF)
- Swisscom provides the subnets and DHCP
- SSID "public" -> MPP
Functions of the router:
1. Forward DHCP requests to the MPP
2. Forward DHCP requests to the router from Swisscom
VLANs: one for AP management, one for EAP-SIM data, one for "Public" client data; MPLS; a GRE tunnel between the MPP and the Swisscom router; an ADSL connection from the Swisscom router to Swisscom Mobile.
Tasks of the router:
1. NAT of the RADIUS requests to the Swisscom RADIUS server
2. DHCP server for the EAP-SIM VLAN
3. NAT of the MPP clients going to Swisscom
Problems
- The system does not scale (more WISPs)
- The implementation solves most problems on the Swisscom router
- Channel 13 support of the Swisscom cards?
- Swapping between wireless domains?

EAP-SIM Architecture - Roll-out
Service deployment: PWLAN pilot and roll-out of EAP-SIM, 2006 Q2 to 2007 Q4
- Brainstorming, information to PWLAN members
- Definition of the architecture and technical solution
- "Proof of concept": build up a test bed SWITCH/ETHZ/Swisscom
- Service: tests, test results and documentation
- Roll-out: step by step to further PWLAN members; marketing
• Up and running: ETHZ, BFH, EPFL, HSR and SWITCH

Statistics - Overview
(Diagram: Members, Internet, PWLAN. The Academic Association represents ~97'700 people; hotspot counts shown for the WISPs: ~1600, ~330, ~265 and ~175.)

Statistics - Monitoring
(Diagram: the Academic Association connected to Monzoon, TheNet and TPN over GRE tunnels and VPN, and to Swisscom; monitoring starting April 2007.)

Statistics - Monitoring
(Chart)

Commercial WISP market in Switzerland
Market shares (pie chart: Monzoon, TPN, TheNet, Swisscom, Others; shares shown 50%, 23%, 17%, 8% and 2%)

EAP(-SIM) - Multi Provider Capable Infrastructure

Conclusions
• SWITCH PWLAN extends the footprint for the Academic Association and for the WISPs.
• SWITCH PWLAN corresponds technologically to the most current standards: IEEE 802.1X, EAP/EAP-SIM.
• SWITCH PWLAN makes a further enlargement of the user population possible through a "Multi Provider Capable Infrastructure".

Q&A