Paul Dekkers - PowerPoint PPT Presentation

Description: EAP-SIM. Strong authentication using the SIM of your phone. LEAP, EAP-MD5 are old and weak ... SIM-cards. Dynamic VLAN assignment. Roaming based on RADIUS proxying ...

Slides: 28

Transcript and Presenter's Notes

1
Paul Dekkers, April 4th, Turkey
2
Contents: From 802.1x to eduroam
  • Freshing up
  • Background
  • Considerations
  • Solutions 802.1x
  • eduroam

3
Freshing up
  • WLAN: every wireless network has a name, an
    (in)visible SSID (Service Set Identity)
  • Access / encryption with keys
    • WEP, Wired Equivalent Privacy
    • WPA (with pre-shared key)
  • 802.11 (wireless Ethernet, MAC)
  • 802.11b, 802.11g, 802.11a (radio layer, channels)

4
Background
  • Traditional WLAN not safe
  • Who uses the network? (abuse, limiting the user group)
  • Are people eavesdropping? (no physical boundaries)
  • How do we provide access to guests?
  • Distribution of secrets (WEP-key)?

5
Traditional WLANs are unsafe
  • Even with
    • Non-broadcasted SSID
    • MAC-address restrictions
    • WEP, Wired Equivalent Privacy

6
Users are mobile
International connectivity
  • University A
Diagram labels: WLAN; Access Provider WLAN; University B; Internet backbone; Access Provider GPRS/UMTS; WLAN; Student Dormitory Access; Access Provider ADSL
7
Requirements
  • Identify users uniquely at the edge of the
    network
  • No session hijacking
  • Enable guest usage
  • Scalable
  • Local user administration and authentication
  • Easy to install and use
  • At most a one-time installation by the user
  • Open
  • Secure

8
Solutions
  • for guest usage
    • WEB based captive portal: scalable, not safe
      (no encryption, hijacking)
    • VPN/PPPoE: not scalable, safe path
    • 802.1x: scalable, safe security at the edge of
      the network
  • 802.1x is the basis for the next generation
    standards (WPA-Enterprise, 802.11i)

9
Secure access to the network with 802.1X
Diagram labels: Supplicant (jan@student.university_a.nl) → Authenticator (AP or switch) → RADIUS server University A → User DB; VLANs: Commercial VLAN, Employee VLAN, Student VLAN; Internet; legend: signaling, data
  • 802.1X
  • (VLAN assignment)
10
802.1x and EAP
Extensible Authentication Protocol
  • Different EAP-types
  • The (home-)organization decides what type
  • EAP-types with SSL/TLS
  • Mutual authentication
  • Encryption keys are derived from SSL session
  • EAP is transported and proxied in RADIUS

11
Common EAP types
  • EAP-TLS: strong authentication with client
    certificate
  • EAP-TTLS: DIAMETER/RADIUS (e.g. u/p in PAP) in TLS
    tunnel; usable with all u/p backends
  • EAP-PEAP: Microsoft implementation with u/p via
    MSCHAPv2; easily deployable with AD
  • EAP-FAST: username/password authentication the
    Cisco way; roll-out more complex, uses no SSL/TLS
  • EAP-SIM: strong authentication using the SIM of
    your phone
  • ...
  • LEAP, EAP-MD5 are old and weak

12
802.1x
Guest usage: eduroam!
Diagram labels: Supplicant (guest user@institution-B.nl) → Authenticator (AP or switch) → RADIUS server institution A → Central RADIUS Proxy server → RADIUS server institution B; each RADIUS server has its own User DB; secured tunnel from the supplicant to the home RADIUS server; VLANs at the visited institution: guest VLAN, regular VLAN; Internet
Trust based on RADIUS plus policy documents
13
eduroam (inter)national roaming
14
eduroam architecture
  • Security based on 802.1X
    • Protection of credentials: EAP
    • New technologies (WPA, 802.11i) based on 802.1x
  • Different authentication mechanisms possible by
    using EAP (Extensible Authentication Protocol)
    • Username/password
    • X.509 certificates
    • SIM-cards
  • Dynamic VLAN assignment
  • Roaming based on RADIUS proxying
    • Remote Authentication Dial In User Service
    • Transport protocol for authentication information
  • Trust fabric based on
    • Technical RADIUS hierarchy
    • Policy documents/contracts that define the
      responsibilities of user, institution, NREN and
      the eduroam federation

15
The eduroam policy
16
National policy (federation)
  • Mutual access
  • Members are connected institutions
  • Home institution is/remains responsible for its
    users' behaviour
  • Home institution is responsible for proper user
    management
  • Home and visited institution must keep sufficient
    logdata
  • Appropriate security levels

17
The European eduroam policy (confederation)
  • Mutual access
  • Home institutions are/remain responsible for
    their users abroad
  • Members are NRENs (National federations)
  • Members guarantee required security levels by
    their participants
  • Members promote eduroam in their countries
  • European eduroam may peer with other regions

18
The status of eduroam
19
Status of eduroam
  • Over 500 institutions in Europe, Australia and
    Taiwan
  • New members
    • Lithuania
    • Romania
    • Hungary
    • China
    • Hong Kong
    • Cyprus
  • USA, Japan, Korea will follow shortly

20
eduroam
  • Provides global network roaming
  • Strong technical foundation
    • RADIUS
    • 802.1X
    • Lingua franca: EAP
  • Needs ubiquity

21
Joining eduroam
22
Joining eduroam for an NREN
  • Set up a server that proxies:
    • Accept requests for .cc-tld and forward them to
      the right institution
    • Accept requests for non-.cc-tld and forward them
      to the European servers
  • Send an (encrypted) e-mail to join@eduroam.org
    with
    • FQDN of top-level RADIUS server(s)
    • IP addresses of top-level RADIUS servers
    • Shared secret to use between the European servers
      and the national server(s)
    • URL of the national eduroam website
    • Information about a test account
    • Contact details of the admin
  • Sign the policy agreement

23
Joining eduroam for an institution
  • Set up your local 802.1X infrastructure
    • Accept requests for your-domain.cc-tld and
      process them
    • Proxy requests for non-local users to the
      national server
  • Send an (encrypted) e-mail to your NREN with
    • FQDN of top-level RADIUS server(s)
    • IP addresses of top-level RADIUS servers
    • Shared secret to use between your and their
      server(s)
    • URL of your eduroam website
    • Information about a test account
    • Contact details of the admin
  • Sign the policy document
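The realm-based routing that slides 22 and 23 describe for the national and institution RADIUS servers, together with the VLAN assignment of slide 9 and the guest VLAN of slide 12, as an added example; this is not code from the presentation, from SURFnet or from the eduroam project, and the server FQDNs, realms, users, passwords and VLAN numbers are constructed placeholders. It models only the routing decision and the resulting Access-Accept attributes; the EAP exchange itself, which carries the credentials inside the TLS tunnel to the home server, is out of scope.

```python
# Realm-based RADIUS routing in an eduroam-style hierarchy (slides 9, 12, 22, 23).
# Added example for this page, not code from the presentation, SURFnet or eduroam.
# All server names, realms, users, passwords and VLAN ids below are constructed.
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

LOCAL_REALM = "university-a.nl"            # our institution's realm (constructed)
NATIONAL_TLD = "nl"                        # country-code TLD served by our NREN
NATIONAL_SERVER = "radius.nren.example"    # placeholder FQDN of the national proxy
EUROPEAN_SERVER = "radius.eu.example"      # placeholder FQDN of a European top-level server

# Constructed local user database: user -> (password, group).
LOCAL_USERS: Dict[str, Tuple[str, str]] = {
    "jan": ("correct-horse", "student"),
    "piet": ("battery-staple", "employee"),
}
GROUP_VLAN = {"student": 20, "employee": 10}   # constructed VLAN plan of the home site
GUEST_VLAN = 30                                # VLAN a visited site gives eduroam guests

# National routing table: member realm -> institution RADIUS server (constructed).
NATIONAL_TABLE = {
    "university-a.nl": "radius.university-a.example",
    "institution-b.nl": "radius.institution-b.example",
}


@dataclass(frozen=True)
class Decision:
    action: str             # "local", "proxy" or "reject"
    target: Optional[str]   # next hop when action == "proxy"


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Split an NAI 'user@realm' into (user, realm); realm is None when absent or empty."""
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, None
    return user, (realm.lower() or None)


def route_institution(user_name: str) -> Decision:
    """Institution server (slide 23): serve own realm, proxy other realms to the NREN."""
    _, realm = split_realm(user_name)
    if realm is None or realm == LOCAL_REALM or realm.endswith("." + LOCAL_REALM):
        return Decision("local", None)     # never proxy our own realm back out (loop avoidance)
    return Decision("proxy", NATIONAL_SERVER)


def route_national(user_name: str) -> Decision:
    """National proxy (slide 22): .cc-tld realms go to the member institution, others to Europe."""
    _, realm = split_realm(user_name)
    if realm is None:
        return Decision("reject", None)    # a realmless request cannot be routed anywhere
    if realm == NATIONAL_TLD or realm.endswith("." + NATIONAL_TLD):
        target = NATIONAL_TABLE.get(realm)
        # Unknown national realm: reject here rather than bounce it to Europe and back.
        return Decision("proxy", target) if target else Decision("reject", None)
    return Decision("proxy", EUROPEAN_SERVER)


def vlan_attributes(vlan_id: int) -> Dict[str, str]:
    """RFC 3580 attributes an Access-Accept carries so the authenticator sets the port VLAN."""
    return {
        "Tunnel-Type": "VLAN",               # numeric value 13
        "Tunnel-Medium-Type": "IEEE-802",    # numeric value 6
        "Tunnel-Private-Group-Id": str(vlan_id),
    }


def authenticate_local(user_name: str, password: str) -> Optional[Dict[str, str]]:
    """Home server decision for its own users (slide 9): Access-Accept attributes, or None.

    Stand-in for the result of the EAP method run inside the TLS tunnel; the
    visited site never sees the credential, only the Accept/Reject that comes back.
    """
    user, realm = split_realm(user_name)
    if realm not in (None, LOCAL_REALM):
        return None
    record = LOCAL_USERS.get(user)
    if record is None:
        return None
    stored_pw, group = record
    if not hmac.compare_digest(stored_pw.encode(), password.encode()):
        return None
    return vlan_attributes(GROUP_VLAN[group])


def visited_site_accept(home_attributes: Dict[str, str]) -> Dict[str, str]:
    """Visited institution (slide 12): strip VLAN attributes chosen by the remote home
    server and put the guest in the local guest VLAN, so no upstream server can steer a
    visitor onto the regular VLAN."""
    kept = {k: v for k, v in home_attributes.items() if not k.startswith("Tunnel-")}
    kept.update(vlan_attributes(GUEST_VLAN))
    return kept
```

The two loop-avoidance rules (an institution never proxies its own realm upstream, the national server rejects unknown national realms instead of forwarding them) are the checks that keep a misconfigured or malicious request from circulating in the hierarchy; the attribute filtering in visited_site_accept is what makes "the home institution authenticates, the visited institution authorizes" hold in practice.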

24
Conclusions
25
Conclusions
  • 802.1X provides secure, future ready, scalable
    access to the campus network
  • Enabling eduroam is easy once 802.1X is in
    place
  • Handbook, (other) easy configuration examples available
  • Many have already joined, so

26
Join.
27
More information
  • eduroam in SURFnet
    • http://www.eduroam.nl
  • eduroam in Europe
    • http://www.eduroam.org
  • TERENA TF-Mobility
    • http://www.terena.nl/mobility
  • The unofficial IEEE 802.11 security page
    • http://www.drizzle.com/aboba/IEEE