SURFnet AAI

1
SURFnet AAI

• Klaas.Wierenga_at_SURFnet.nl
• Meeting met Microsoft
• 21 April 2004

2
TOC

• AAI
• Network Access
• Application Access
• The holy grail

3
Environment
International connectivity

• Institution A

WLAN
Access Provider WLAN
Institution B
SURFnet backbone
Access Provider GPRS
WLAN
Access Provider POTS
Access Provider ADSL
4
AAI

• Authentication and Authentication Infrastructure
• 2 pilars
• (Guest) Network Access EduRoam
• Application Access with SSO A-Select
• Now working on integration of the two

5
Requirements

• Secure
• Identify users uniquely at the edge of the
  network
• No session hijacking
• Allow for guest usage
• Scalable
• Local user administration and authN!
• Using existing RADIUS infrastructure (f.e.)
• Easy to install and use
• Open
• Support for all common OSes
• Vendor independent
• After proper AuthN open connectivity (no
  firewalls, no NAT, public IP-addresses)

6
IEEE 802.1X

• True port based access solution (Layer 2) between
  client and AP/switch
• Several available authentication-mechanisms
  (EAP-MD5, MS-CHAPv2, EAP-SIM, EAP-TLS, EAP-TTLS,
  PEAP)
• Standardised
• Also encrypts all data, using dynamic keys
• RADIUS back end
• Scaleable
• Re-use existing Trust relationships
• Easy integration with dynamic VLAN assignment
• Client software necessary (OS-built in or
  third-party)
• Both for wireless AND wired

7
How does 802.1X work (in combination with 802.1Q)?
Supplicant
RADIUS server Institution A
Authenticator (AP or switch)
User DB
jan_at_student.institution_a.nl
Internet
Guest VLAN
Employee VLAN
Student VLAN
signalling
data
8
EduRoam
Supplicant
RADIUS server Institution B
RADIUS server Institution A
Authenticator (AP or switch)
User DB
User DB
Guest piet_at_institution_b.nl
Internet
Guest VLAN
Employee VLAN
Central RADIUS Proxy server
Student VLAN

• Some 20 Institutions
• Public hotspots in 5 cities
• Train trajectory
• 2 UMTS trials with EAP-SIM

signalling
data
9
Radius proxy hierarchy

• Participation guidelines are being drafted
• Aim is to increase membership. Spain, Norway,
  Slovenia, Czech Republic Greece have indicated
  their willingness to join.

University of Southampton
FCCN
RADIUS Proxy servers connecting to a European
level RADIUS proxy server
10
What is AuthN middleware?

• AuthN middleware decouples authentication from
  the application
• New authentication means dont have an impact on
  the applications and vice versa
• Use authentication means people already have
  (mobile phone, bankcard, ), scalability in
  authentication means
• Recognise authentication strength

11
A-Select
12
Current authSPs

• IP address
• Username/password (LDAP, RADIUS, SQL)
• X.509 cert
• OTP thru SMS
• SecurID thru RADIUS
• Passfaces
• Internet banking

13
Current A-Select enabled apps

• Blackboard
• N_at_tSchool
• WebCT 1-2Q04
• MMBase (CMS)
• Roxen (CMS)
• Oracle Portal
• SunOne Portal 1Q04
• Citrix
• Osiris (SIS)
• Modus (statistics)
• Java lib for small apps
• filters for IIS/ Apache 1.3.x and 2.0.x

14
Work in progress

• Policy Framework for EduRoam (TF-Mobility)
• A-Select with real authorisation (TF-AACE)
• A-Select with federations (Internet2)
• Secure Instant Messaging (Internet2)
• Interworking with other architectures
  (Shibboleth, PAPI, Liberty, Passport?)
• SSO over network and applications (Géant2)

15
Possible AAI architecture
16
More information

• SURFnet and 802.1X
• http//www.surfnet.nl/innovatie/wlan
• TERENA TF-Mobility
• http//www.terena.nl/mobility
• A-Select
• http//a-select.surfnet.nl/
• TERENA TF-AACE
• http//www.terena.nl/tech/task-forces/tf-aace/