INFN Trip Project - PowerPoint PPT Presentation

Slides: 18
Provided by: rhic1
Learn more at: https://www.racf.bnl.gov

Transcript and Presenter's Notes


1
INFN Trip Project
  • Mirko Corosu
  • for
  • TRIP WORKGROUP

HEPiX 2004 - Brookhaven
2
Aim of the project
  • Authentication and authorization of roaming users
    without any previous registration.
  • The system should provide:
    • IP access
      • To users' LAN
      • To local LAN
    • Security
    • Compatibility with local infrastructure
    • Independence from user OS and hardware

3
Authentication/authorization methods
  • We started by analyzing two kinds of methods:
    • MAC address authentication (layer 2)
    • Web captive portal (layer 3)

4
Software components
  • Server side
    • Red Hat 9 operating system
    • FreeRadius-1.0.1 open source RADIUS
      authentication server
    • NoCat-0.82 web captive portal for wireless and
      wired networks
    • Apache-1.3.27 mod-SSL
  • Client side (tested)
    • Red Hat 9 and Fedora Core, Windows 2k/XP
    • Mozilla and Internet Explorer browsers for web
      authentication

5
Wireless access points
  • Cisco Aironet 1100 supports:
    • 802.1q protocol (VLAN tagging)
    • Multiple SSID
    • MAC address authentication
    • 802.1x authentication (EAP/TLS)
    • WEP encryption

6
NoCat captive portal
  • Captive portal application written in Perl
  • Two elements:
    • Gateway: changes iptables rules on a Linux-based
      gateway/firewall.
    • Authentication server: a collection of Perl CGIs
      which perform the web authentication of the user
      and tell the gateway to open or close firewall
      TCP ports.
  • There can be multiple gateways that interact with
    a single authentication server

7
Web authentication
[Diagram labels: Private network; DHCP; NIS/K5/AFS/MySQL; AFS/CA auth; RADIUS]
8
Web authorization/authentication infrastructure
  • Features
    • Supports different authentication mechanisms
      (Linux PAM, X.509 certificates, RADIUS, MySQL,
      LDAP)
    • Independence from client OS and hardware
  • Problems
    • No encryption
    • Difficult to grant different privileges based on
      users' credentials

9
Mac address authentication
  • Features
    • Useful to discriminate local users (registered
      MAC address) from others
    • Possibility to use different VLANs
  • Problems
    • No encryption
    • Doesn't support other authentication/authorization
      methods

10
Solution
  • Try to integrate different authentication methods

11
First step: use one machine
[Diagram labels: Private network; DHCP; NOCAT gateway NAT/FW (iptables); NIS/K5/AFS/MySQL auth; AFS/CA auth; NOCAT auth HTTP; RADIUS]
12
Second step: MAC/Web authentication
[Diagram labels: LAN1, local users; filtered access to local network; full access to local network]
13
Features of web/MAC authentication
  • Supports different authentication methods
  • Independence from user OS/HW
  • Different access levels
  • One problem:
    • Connection not encrypted
  • Solution: 802.1x protocol
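
The different access levels of the web/MAC scheme above, sketched as an added example that is not code from the TRIP presentation or from NoCat. It assumes registered MAC addresses get full access and web-authenticated roaming users get filtered access; the chain name, subnet, service ports and portal port are hypothetical.

```python
"""Constructed model of the combined MAC/web decision on the gateway."""
from dataclasses import dataclass, field

# Assumptions, not from the slides: every constant below, and the mapping of
# registered MACs to full access and web-authenticated users to filtered access.
CHAIN = "TRIP_FWD"              # hypothetical iptables chain hooked from FORWARD
LOCAL_LAN = "192.0.2.0/24"      # documentation prefix standing in for the local LAN
FILTERED_TCP_PORTS = (22, 443)  # hypothetical services open to roaming users
PORTAL_PORT = 8080              # hypothetical local port of the login page


def norm_mac(mac: str) -> str:
    """Canonicalise a MAC so 00-0C-29-AA-BB-CC and 00:0c:29:aa:bb:cc compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Gateway:
    registered_macs: set = field(default_factory=set)  # layer-2 list of local users
    web_sessions: dict = field(default_factory=dict)   # MAC -> user, set after web login

    def level(self, mac: str) -> str:
        mac = norm_mac(mac)
        if mac in self.registered_macs:
            return "full"
        if mac in self.web_sessions:
            return "filtered"
        return "captive"

    def rules(self, ip: str, mac: str) -> list:
        """Return iptables argument lists for one client; nothing is executed."""
        match = ["-A", CHAIN, "-s", ip, "-m", "mac", "--mac-source", norm_mac(mac).upper()]
        lvl = self.level(mac)
        if lvl == "full":
            return [match + ["-j", "ACCEPT"]]
        if lvl == "filtered":
            allow = [match + ["-d", LOCAL_LAN, "-p", "tcp", "--dport", str(p), "-j", "ACCEPT"]
                     for p in FILTERED_TCP_PORTS]
            deny_lan = match + ["-d", LOCAL_LAN, "-j", "DROP"]   # rest of the local LAN
            return allow + [deny_lan, match + ["-j", "ACCEPT"]]  # then outbound IP access
        # Unknown client: send web traffic to the portal login page, drop everything else.
        return [["-t", "nat", "-A", "PREROUTING", "-s", ip, "-p", "tcp", "--dport", "80",
                 "-j", "REDIRECT", "--to-ports", str(PORTAL_PORT)], match + ["-j", "DROP"]]
```

Rule order matters for the filtered level: the specific local-LAN allows come first, then the local-LAN drop, then the general accept.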

14
802.1x protocol
  • Features
    • Encrypted connection
    • Supports different authentication methods
  • Problems
    • Problems on some OSs and hardware

15
Current project goals
  • Web MAC address authentication infrastructure
  • Automatic installation of the authentication
    server

16
Future development
  • 802.1x integration
  • Creation of a Radius server infrastructure to
    extend authentication mechanism to all INFN
    sections or
  • Put TRIP infrastructure in Kerberos 5 INFN
    framework
  • Test of other web captive portal (TINO)

17
Documentation
  • Documentation and software can be found at
    http://trip.ge.infn.it/