Setting up an eduroam Service Provider


Connect. Communicate. Collaborate
Setting up eduroam
Issue 2.0
COURSE OBJECTIVES
By the end of the training, you will be able to:
• Describe eduroam services and technology.
• Implement a Service Provider and an Identity
Provider in accordance with eduroam policy.
• Deliver eduroam training to other
organisations within your country.
The training will also give you the opportunity to provide
feedback about eduroam and the eduroam service.
2
COURSE OUTLINE
Module 1 – eduroam Overview.
Module 2 – The eduroam Service.
Module 3 – Setting up an eduroam Service Provider.
Module 4 – Configuring an eduroam Identity Provider.
Module 5 – Log Files, Statistics and Incidents.
Module 6 – Participant Feedback about eduroam
Technology and Services.
3
Module 1: eduroam Overview
WHAT IS eduroam?
eduroam:
• Stands for EDUcation ROAMing.
• Provides secure internet access for
academic roamers.
• User experience - “Open your laptop and be
online.”
5
WHY eduroam?
Researchers:
• Travel with WLAN-enabled notebooks.
• Want transparent, secure network access.
• Want similar experience at visited institution
as home.
Experience facilitated by seamless sharing of
network resources.
Better for roamers, easier for administrators.
6
A BRIEF HISTORY OF eduroam
Initially developed out of the TERENA Mobility
Task Force.
Now part of the GÉANT2 project:
• Joint Research Activity 5 (JRA5).
• Service Activity 5 (SA5).
“Open your laptop and be online”.
7
HIGH-LEVEL REQUIREMENTS
The eduroam design:
• Enables guest usage of visited networks.
• Guarantees reasonable security and data integrity.
• Identifies users uniquely at the network’s edge.
• Complies with privacy regulations.
• Is verifiable.
• Is open.
• Is scalable, robust, easy to install and use.
• Keeps user administration and authentication local.
8
eduroam: AUTHENTICATION AND AUTHORISATION
Authentication:
• Is the user who they say they are?
• Carried out by user’s home institution.
Authorisation:
• What network access should the user be
granted?
• Determined by visited institution.
9
TERMINOLOGY AND CONCEPTS
Home institution = Identity Provider.
• Provides identity management database.
• Responsible for user authentication.
Visited institution = Service Provider.
• Provides network infrastructure (e.g. Access
points, VLANS, internet access, RADIUS
servers).
• Responsible for user authorisation.
10
AUTHENTICATION AND 802.1x (1)
eduroam uses IEEE 802.1x.
• Layer 2 port-based Network Access Control
standard.
• Detects user at network’s edge.
• Network’s edge = a port on Network Access Server
(NAS).
• NAS could be:
– A Wireless Access Point.
– An 802.1x compatible wired switch.
11
AUTHENTICATION AND 802.1x (2)
• Until identity is proven:
– Allows only 802.1x Extensible Authentication Protocol (EAP) traffic to enter the network.
– All other traffic (e.g. DHCP, HTTP) blocked at data link layer.
12
AUTHENTICATION AND 802.1x (3)
Advantages of 802.1x:
• Uses EAP, allows several authentication methods.
• Therefore compatible with a range of authentication methods, e.g.:
– TLS, TTLS, PEAP.
• Secure:
– Encrypts all data using dynamic keys.
– Easy to integrate with dynamic VLAN assignment (802.1q).
• Scalable:
– RADIUS back-end re-uses existing trust relationships.
• 802.1x supplicants (clients) easy to find and configure:
– Mac OS X, Windows XP, 2000, Vista: built-in supplicants.
– UNIX and Linux: supplicants readily available.
13
AUTHENTICATION AND 802.1x (4)
[Figure: 802.1x authentication flow. The supplicant talks EAPOL to the authenticator (AP or switch), which carries EAP over RADIUS to the RADIUS server of Institution A; the server checks the user DB (f.i. LDAP) and the user of institution_a.nl is placed in the Employee, Student or Guest VLAN towards the Internet. Signalling and data paths are shown separately.]
14
THE AUTHENTICATION PROCESS (1)
Steps:
• User opens laptop in range of Network
Access Server (NAS).
• Attempts to connect to SSID ‘eduroam’.
• NAS detects new supplicant.
• Port enabled and set to ‘unauthorised’.
• Only 802.1x traffic allowed; other traffic blocked.
15
THE AUTHENTICATION PROCESS (2)
Steps (Continued):
• NAS sends out Extensible Authentication Protocol (EAP) request.
• Supplicant returns credentials in EAP response.
• user logs on using "eduroam" credentials (regardless of the location).
• NAS forwards credentials to user’s Identity Provider.
• Identity Provider validates credentials against local user database.
• Validation forwarded to Service Provider.
• Port set to ‘authorized’.
• Normal traffic is allowed.
16
FORWARDING THE USER’S CREDENTIALS (1)
User’s credentials forwarded via hierarchy of RADIUS
servers:
[Figure: the RADIUS hierarchy. Confederation-level servers at the top; federation (NREN) level servers below them (e.g. .PT, .DK); institutional-level servers (inst-1 ... inst-4) at the bottom, where the user's request enters.]
17
FORWARDING THE USER’S CREDENTIALS (2)
Realm-based proxying:
• User names in format: “user@realm’s DNS-like
domain name”.
• Used to forward request to next hop in hierarchy.
Institution’s RADIUS server only communicates with:
• Its federation’s RADIUS server.
• Its institution’s NASs.
Shared secrets authenticate other servers in
hierarchy.
18
FORWARDING THE USER’S CREDENTIALS (3)
European confederation has Top-Level RADIUS servers (ETLRs):
• In the Netherlands, and
• In Denmark.
Each has a list of connected country domains.
• .nl, .dk, .hr, .de etc.
Each ETLR:
• Accepts requests for its connected countries.
• Forwards them to the appropriate Federation Level RADIUS server.
• Forwards requests for other countries to other TLRs (e.g. AsiaPacific).
19
FORWARDING THE USER’S CREDENTIALS (4)
Federation Top Level RADIUS servers (FLRs):
• One for each National Roaming Operator (NRO).
• Hold lists of connected institution servers and associated realms.
• Forward requests to the appropriate institution's server, or
• Forward requests to their ETLRs.
20
FORWARDING THE USER’S CREDENTIALS (5)
Institutional RADIUS servers:
• Forward requests from roamers to their FLR.
21
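The realm-based forwarding of slides 18 to 21, worked as an added Python illustration (not code from the course, FreeRADIUS or Radiator): each level picks the next hop from the @realm suffix of the User-Name, and a name without a realm cannot be routed. Server names, realms and the topology are constructed; the .aq FLR and the tld@aq account mirror the course exercise.

```python
"""Realm-based next-hop selection in the eduroam RADIUS hierarchy (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    level: str                                       # "institution", "flr" or "etlr"
    local_realms: set = field(default_factory=set)   # realms answered here (IdP role)
    downstream: dict = field(default_factory=dict)   # FLR: realm -> institution; ETLR: TLD -> FLR
    peers: dict = field(default_factory=dict)        # ETLR only: TLD -> other top-level region
    upstream: str | None = None                      # next level up, if any


def split_nai(user_name: str) -> tuple[str, str | None]:
    """'user@realm' -> (user, realm); realm is None when there is no usable @suffix."""
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    return user, (realm.lower() or None)


def next_hop(server: Server, user_name: str) -> str:
    """Name of the next server, 'LOCAL' when handled here, or 'REJECT: <reason>'."""
    _, realm = split_nai(user_name)
    if realm is None:
        return "REJECT: no realm in User-Name"        # nothing to route on
    if realm in server.local_realms:
        return "LOCAL"
    if server.level == "institution":
        return server.upstream or "REJECT: no FLR configured"   # everything else -> FLR
    if server.level == "flr":
        # Connected institution -> its server; anything unknown -> up to the ETLR.
        return server.downstream.get(realm) or server.upstream or "REJECT: unknown realm"
    tld = realm.rsplit(".", 1)[-1]                    # ETLR routes on the country part
    if tld in server.downstream:
        return server.downstream[tld]
    if tld in server.peers:
        return server.peers[tld]
    return f"REJECT: no route for .{tld}"


def route(servers: dict[str, Server], start: str, user_name: str, max_hops: int = 6) -> list[str]:
    """Follow next_hop() through the hierarchy; the last element is the final decision."""
    path = [start]
    for _ in range(max_hops):
        decision = next_hop(servers[path[-1]], user_name)
        path.append(decision)
        if decision not in servers:                   # LOCAL, REJECT or a server we do not model
            return path
    path.append("REJECT: hop limit reached")
    return path


# Constructed topology: one SP in Antarctica, the .aq FLR and the European ETLR.
SERVERS = {
    "inst-1": Server("inst-1", "institution", local_realms={"group1.aq"}, upstream="flr-aq"),
    "flr-aq": Server("flr-aq", "flr", local_realms={"aq"},            # tld@aq is answered here
                     downstream={"group1.aq": "inst-1", "group2.aq": "inst-2"}, upstream="etlr-nl"),
    "etlr-nl": Server("etlr-nl", "etlr",
                      downstream={"aq": "flr-aq", "hr": "flr-hr", "nl": "flr-nl", "dk": "flr-dk"},
                      peers={"jp": "tlr-asiapacific", "au": "tlr-asiapacific"}),
}

if __name__ == "__main__":
    for name in ("joe@university_b.hr", "tld@aq", "anna@group1.aq", "joe"):
        print(name, "->", " > ".join(route(SERVERS, "inst-1", name)))
```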
ENSURING USER CREDENTIAL SECURITY
Users’ credentials are tunnelled through the RADIUS
hierarchy.
User credential security is a necessity in eduroam.
Recommended approach:
• EAP combined with TLS-type protocol.
• Mutual user-server authentication.
• Encrypted user credentials.
Sending unencrypted credentials is prohibited.
22
eduroam’s TECHNICAL INFRASTRUCTURE
[Figure: eduroam confederation infrastructure. Top-level RADIUS server(s) connect the home federation and the remote federation, each with its federation (national) top-level RADIUS proxy server(s). Below them, the RADIUS server of the home institution (HI, the IdP, with authentication server AuthN S) and of the remote institution (RI, the SP, whose access network serves user U).]
23
THE AUTHORISATION PROCESS
VLANs in Service Provider each have different permissions.
Each VLAN connected to different parts of campus.
When authentication is successful:
• Service Provider’s RADIUS server sends configuration options to NAS.
• NAS assigns client to a VLAN.
[Figure: client – NAS – RADIUS server with its database; the NAS places the client in VLAN 1, VLAN 2 or VLAN 3 towards the Internet.]
24
MAIN COMPONENTS OF eduroam
Network Access Server (NAS):
• Wireless Access Point or
• 802.1x compatible wired switch.
Client with configured supplicant.
Hierarchy of RADIUS Authentication Servers (AS).
IEEE 802.1x.
IEEE 802.1q.
• Standard for VLAN assignment.
25
HOW DO THE PIECES FIT TOGETHER? AN EXAMPLE
[Figure: worked example. User joe@university_b.hr opens a supplicant at University A; the authenticator (AP or switch) talks to University A's RADIUS server, which forwards via the central RADIUS proxy server of XYZnet to University B's RADIUS server and user DB. University A then places the user in the Commercial, Employee or Student VLAN. Trust: RADIUS and policy documents; 802.1X + EAP; (VLAN assignment); signalling and data paths.]
26
KEY eduroam TECHNOLOGIES (1)
Security based on IEEE 802.1x:
• Standard for port-based network access control.
• Provides protection of credentials.
• Integrates with VLAN assignment through IEEE 802.1q:
• Standard for VLAN assignment.
Authentication based on Extensible Authentication Protocol
(EAP):
• Facilitates a variety of authentication mechanisms at
users’ Identity Providers.
27
KEY eduroam TECHNOLOGIES (2)
Roaming based on RADIUS proxying.
• RADIUS = Remote Authentication Dial in
User Service.
• A transport protocol for authentication information.
Trust fabric based on:
• Hierarchy of RADIUS servers.
• The eduroam policy.
28
eduroam OVERVIEW: RECAP
Secure, robust, stable service.
Easy to set up and install.
Allows European scientific community to roam.
• ‘Open your laptop and be online’.
Authentication at home, authorisation at Service
Provider.
29
Module 2: The eduroam Service
THE eduroam CONFEDERATION POLICY
What is the eduroam policy?
• Documents and contracts that define the
responsibilities of:
• The European confederation.
• Federations / NRENs (NROs).
• Institutions.
• Users.
• A contract between the NRO and DANTE.
31
LOCAL eduroam POLICIES
In addition to the confederation’s policy,
NROs may also have their own local eduroam
policy.
• Allows for regional variations.
32
THE EUROPEAN eduroam CONFEDERATION
Hierarchical structure:
• Institutions with eduroam service points
• Belong to
• Federations – one for each country / NREN,
• Which belong to
• The European eduroam confederation,
• Which covers the whole of Europe.
Provides the experience: “Open your laptop and be online”.
• Users given secure network access within the confederation.
33
WHAT IS THE EUROPEAN eduroam CONFEDERATION?
Members:
• Are European NRENs / NROs (National
Roaming Operators).
• Must sign the European eduroam policy.
• Commits them to technological and organisational
requirements.
34
PRINCIPLES OF THE EUROPEAN eduroam
CONFEDERATION
Mutual network access without fees.
Authentication at home; authorisation at Service
Provider.
Identity Providers remain responsible for
roamers.
Member NRENs promote eduroam in their
countries.
European confederation may peer with other
international confederations.
35
MAKING THE EUROPEAN SERVICE WORK
The GÉANT2 Service Activity, SA5:
• Encompasses everything necessary to make the
eduroam service work:
• (Confederation) technical infrastructure.
• Establishing trust between the member federations.
• Supporting infrastructure
– Monitoring and diagnostic facilities.
– The eduroam database, a central data repository.
– The eduroam web site (www.eduroam.org).
– Confederation level user support.
– Trouble Ticketing System (TTS).
– Mailing Lists.
36
THE eduroam SERVICE MODEL
[Figure: the European eduroam service (governed by SA5) consists of the eduroam confederation service (provided by the Operational Team, the O.T.) and the national eduroam services (each provided by an NREN/NRO).]
37
USER TYPES AND SERVICE ELEMENTS
Service element                                   | End user | Inst.-level personnel                                           | Federation-level personnel
Basic monitoring facilities                       | Yes      | Yes                                                             | Yes
Full monitoring and diagnostics facilities        | No       | Yes (limited to the information regarding the respective inst.) | Yes
Public access to the eduroam web site             | Yes      | Yes                                                             | Yes
Access to the internal eduroam web site           | No       | Yes (limited to the information regarding the respective inst.) | Yes
Public access to the eduroam database             | Yes      | Yes                                                             | Yes
Access to all information in the eduroam database | No       | Yes (limited to the information regarding the respective inst.) | Yes
TTS                                               | No       | Yes                                                             | Yes
SA5/OT mailing lists                              | No       | No                                                              | Yes
Support from OT                                   | No       | No                                                              | Yes
38
MONITORING eduroam
What must be monitored?
• Servers.
• Are they accessible?
• Infrastructure.
• Is it working?
• User experience.
• Is it satisfactory?
39
MONITORING CONCEPT: OVERVIEW
[Figure: monitoring client – RADIUS proxy server under test – IdP RADIUS server (loopback server).]
40
THE MONITORING PROCESS (1)
Monitoring is a two step process:
• Reject test.
• Accept test.
41
THE MONITORING PROCESS (2)
For both steps:
• Client creates RADIUS attributes.
• Client creates RADIUS request for selected AuthN type.
• Client sends RADIUS request. Starts measuring
response time.
• Monitored RADIUS proxy handles request and returns
response.
• Client evaluates response and updates database.
Monitored server marked okay if it passes both tests.
42
MONITORING SERVERS
[Figure: the monitoring client tests the ETLRs and the FTLRs and records results in the monitoring database.]
43
MONITORING INFRASTRUCTURE
[Figure: monitoring infrastructure: the monitoring client and monitoring database cover the ETLR(s), the other TLR(s) and the FTLR(s) of each federation.]
44
TESTING ON DEMAND
[Figure: testing on demand between realm A and realm B through their FTLR(s) and the ETLR(s)/TLR(s); the monitoring client stores the outcome in the monitoring database.]
45
THE eduroam DATABASE
Database includes:
• National Roaming Operator (NRO)
representatives and contact details.
• Local institutions official contacts.
• Both Service Provider (SP) and Identity Provider
(IdP).
• Information about eduroam hot spots.
• SP location, technical information.
• Monitoring information.
• Information about the usage of the service.
46
NROs AND THE eduroam DATABASE
NROs:
• Should provide the necessary data (general
and usage data).
• Data must be provided in the agreed XML format.
• Data will only be accessible from the eduroam
database server.
47
eduroam DATABASE: THE DATA MODEL
[Figure: eduroam database data model (entity-relationship diagram). General data: realm, institution, service_loc. Monitoring data: mon_ser, mon_ser_log, mon_realm, mon_realm_log, mon_log, mon_creds. Usage data: realm_data, realm_usage, institution_usage.]
48
THE eduroam WEB SITE
www.eduroam.org will include private areas to
support eduroam operations.
• E.g. Information from NROs:
• Contact details.
• Service coverage.
• Usage statistics.
• Number of eligible / active users.
• Infrastructure monitoring information.
49
USER SUPPORT: PROBLEM ESCALATION SCENARIO 1
[Figure: escalation scenario 1. The user contacts the local institution admin of the visited federation (steps 1, 2); the problem is escalated to the visited federation's fed.-level admin (3) and on to the home federation's fed.-level admin and local institution admin (4). The OT sits above both federations.]
50
USER SUPPORT: PROBLEM ESCALATION SCENARIO 2
[Figure: escalation scenario 2. The user contacts the local institution admin of the visited federation (steps 1, 2); escalation goes to the visited federation's fed.-level admin (3), then in parallel to the home federation's fed.-level admin and the OT (4, 4a, 4b), to the home federation's local institution admin (5), and the answer returns to the user (6).]
51
CURRENT eduroam STATUS (1)
33 countries (NROs/NRENs) connected to the two European Top Level RADIUS Servers (ETLRs).
Policy:
• 28 signed.
• 1 LoI (UK).
• We still wait for: Cyprus, Israel, Lithuania, Malta.
• In addition JSCC (Russia) signed but is not connected.
52
CURRENT eduroam STATUS (2)
The Monitoring Service is up and running (monitor.eduroam.org).
It covers ETLRs and Federation Top Level RADIUS Servers (FTLRs).
[Figure: monitoring servers and monitoring infrastructure.]
• 29/33 NROs included.
• Testing on demand to be added (access via web).
Further development is planned.
53
CURRENT eduroam STATUS (3)
eduroam database
Status: http://monitor.eduroam.org/database
Demographics and user maps.
• No of SPs.
• No of IdPs.
• Location of SPs.
• Usage.
• Coverage.
• Contacts.
• ...
User-oriented map, based on eduroam database
(http://monitor.eduroam.org/gmap.php)
TTS: https://monitor.eduroam.org/simplesaml/otrs/
Further development is planned.
54
Module 3: Setting up an eduroam Service
Provider
EACH SITE CAN BE UNIQUE
Each eduroam-enabled institution may use different:
• Equipment.
• Software.
• Topology.
Details of eduroam configuration depend upon
factors above…
…But broad principles are the same on any platform.
56
A WORD OF WARNING
First things first:
“An eduroam wireless network is a wireless
network.”
Sounds trivial, but:
• you need to know your stuff regarding Wireless LAN.
• if you have a bad layer 2 WLAN, putting the SSID
“eduroam” on it won't magically make it better.
• if the SSID “eduroam” doesn't perform, it hurts the global
brand, even if it is a local problem.
57
REFERENCE eduroam SETUP (1)
This module describes a reference set-up.
• Based on frequently-used equipment:
• An 802.11g “Enterprise-level” Access Point.
– We have a few LANCOM L-54g in the exercise.
• Radiator OR FreeRADIUS RADIUS server.
– We will use FreeRADIUS 2.0.4 in the exercise.
Reference model assumes ETLRs and FLRs already
set-up.
58
REFERENCE eduroam SETUP (2)
[Figure: reference setup. Internet – switch (192.168.10.1) – Access Point 192.168.10.200, RADIUS server 192.168.10.253 and admin course workstations 1 ... n.]
59
SETTING UP YOUR SERVICE PROVIDER: STEPS
Connect your workstation to the Ethernet switch.
Set up the RADIUS server:
• Connect clients.
• configure proxy server(s).
Configure the access point for eduroam.
Configure the supplicants.
60
SETTING UP THE RADIUS SERVER (1)
EAP authentication requires a PKI.
• But you don't have to care when setting up an SP only.
Compile and install FreeRADIUS:
• ./configure --prefix=... --sysconfdir=...
• make
• make install
Then edit:
• $SYSCONFDIR/raddb/*
• Use vi or another text editor.
61
SETTING UP THE RADIUS SERVER (2)
Defining the clients:
• NAS devices act as clients to RADIUS server.
• Other RADIUS servers in hierarchy also act as clients.
Each client must be defined using <Client> or
client { ... } clause.
• Definition must include a shared secret.
• May include a lot more.
62
SETTING UP THE RADIUS SERVER: CLIENT EXAMPLE
Radiator:
<Client 192.168.10.200/28>
    Secret abcdefgh
    Identifier antarctica-ap-v4
</Client>

FreeRADIUS:
client antarctica-access-points {
    ipaddr                        = 192.168.10.200
    secret                        = abcdefgh
    netmask                       = 28
    require_message_authenticator = no
    shortname                     = antarctica-ap-v4
    nastype                       = other
    virtual_server                = eduroam
}
63
SETTING UP THE RADIUS SERVER (3)
Forwarding of requests to FLRs:
eduroam routing is based on @suffix realms (RFC 4282).
• Radiator: the <Handler> clause is the recommended method, more flexible than the <Realm> clause: <Handler> ...(forward to FLR)... </Handler>.
• FreeRADIUS: home_server, home_server_pool and realm DEFAULT (see proxy.conf) + the suffix module.
64
SETTING UP THE RADIUS SERVER (4)
Radiator:
<Handler>
    <AuthBy RADIUS>
        Host 192.168.10.253
        Secret abcdefgh
        AuthPort 1812
        AcctPort 1813
        StripFromReply \
            Tunnel-Type, \
            Tunnel-Medium-Type, \
            Tunnel-Private-Group-ID
    </AuthBy>
</Handler>

FreeRADIUS, proxy.conf:
home_server tld1-antarctica-v4 {
    type                 = auth+acct
    ipaddr               = 192.168.10.253
    port                 = 1812
    secret               = abcdefgh
    response_window      = 20
    zombie_period        = 40
    revive_interval      = 60
    status_check         = status-server
    check_interval       = 30
    num_answers_to_alive = 3
}
home_server_pool EDUROAM {
    type        = fail-over
    home_server = tld1-antarctica-v4
    home_server = tld2-antarctica-v4
}
realm DEFAULT {
    pool    = EDUROAM
    nostrip
}
65
REQUEST FORWARDING: CAVEAT
Don't blindly accept all RADIUS attributes: filtering is in order!
The IdP might send VLAN assignments.
If you keep the assignment unchanged, the (remote) IdP decides in which VLAN your users end up!
Use StripFromReply (Radiator) or the attr_filter module (FreeRADIUS).
66
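The caveat above, worked as an added Python illustration (not code from the course, FreeRADIUS or Radiator): the Access-Accept coming back through the hierarchy is reduced to an allow-list, as StripFromReply or attr_filter.post-proxy do, and the SP's own policy then sets the VLAN. The allow-list, the constructed IdP reply and the VLAN ids are assumptions; 906 and 909 are the VLANs used in the access-point slides.

```python
"""Post-proxy reply filtering and SP-side VLAN assignment (added example)."""

# Reply attributes this SP accepts from a proxied Access-Accept.  The MS-MPPE keys,
# EAP-Message and Message-Authenticator are needed for 802.1X to complete; anything
# not listed here (Tunnel-*, Framed-*, ...) is dropped before the NAS sees it.
REPLY_ALLOW = {
    "user-name", "eap-message", "message-authenticator", "proxy-state",
    "ms-mppe-recv-key", "ms-mppe-send-key", "session-timeout", "idle-timeout",
    "reply-message", "class",
}


def filter_post_proxy(reply: dict) -> tuple:
    """Keep only allow-listed attributes; return (kept, sorted names of dropped ones)."""
    kept = {k: v for k, v in reply.items() if k.lower() in REPLY_ALLOW}
    dropped = sorted(k for k in reply if k.lower() not in REPLY_ALLOW)
    return kept, dropped


def assign_vlan(reply: dict, realm: str, own_realms: set, home_vlan: int, guest_vlan: int) -> dict:
    """Local authorisation: own users go to home_vlan, every roamer to guest_vlan."""
    vlan = home_vlan if realm in own_realms else guest_vlan
    out = dict(reply)
    out.update({"Tunnel-Type": "VLAN",
                "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-Id": str(vlan)})
    return out


def post_proxy(reply: dict, user_name: str, own_realms: set,
               home_vlan: int = 906, guest_vlan: int = 909) -> tuple:
    """What the SP forwards to the NAS, plus the attribute names it discarded."""
    realm = user_name.rsplit("@", 1)[1].lower() if "@" in user_name else ""
    kept, dropped = filter_post_proxy(reply)
    return assign_vlan(kept, realm, own_realms, home_vlan, guest_vlan), dropped


# Constructed Access-Accept as a remote IdP might send it, VLAN assignment included.
IDP_REPLY = {
    "User-Name": "joe@university_b.hr",
    "EAP-Message": "<eap-success>",
    "Message-Authenticator": "<hmac>",
    "MS-MPPE-Recv-Key": "<key>",
    "MS-MPPE-Send-Key": "<key>",
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "IEEE-802",
    "Tunnel-Private-Group-Id": "1",      # the IdP's employee VLAN: meaningless at our site
    "Framed-IP-Address": "10.9.9.9",     # equally not the remote IdP's decision to make
}

if __name__ == "__main__":
    final, dropped = post_proxy(IDP_REPLY, "joe@university_b.hr", {"group1.aq"})
    print("to NAS:", final)
    print("dropped:", dropped)
```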
FreeRADIUS: SERVER CORE CONFIGURATION
radiusd.conf is the main configuration file.
It can reference “virtual servers”.
A virtual server defines which modules to execute for a given request.
We will define the virtual server “eduroam”.
67
FreeRADIUS: VIRTUAL SERVER ‘eduroam’ FOR SPs
server eduroam {
    authorize {
        auth_log
        suffix
    }
    preacct {
        suffix
    }
    accounting { }
    authenticate { }
    post-auth {
        reply_log
        Post-Auth-Type REJECT {
            reply_log
        }
    }
    pre-proxy {
        pre_proxy_log
        if (Packet-Type != Accounting-Request) {
            attr_filter.pre-proxy
        }
    }
    post-proxy {
        attr_filter.post-proxy
        post_proxy_log
    }
}
68
ACTIVITY
Exercise:
Welcome to Antarctica!
.aq is one of the few top-level domains on the planet without an eduroam hotspot.
You are here to change this today.
There is already a FLR for .aq on 192.168.10.253, port 1812 and 1813.
Compile, install and configure FreeRADIUS 2.0.5 in your home directory. Connect
it as a client to the .aq server.
Test the connection with a plaintext login attempt and the
test account: tld@aq, “testpass”
(use the utility radtest for that)
69
SOME HINTS...
Use ./configure --prefix=yourdir to install into your home directory on the server.
An almost-ready configuration accompanies the course and is expected by the server in yourdir/etc/raddb.
When starting for the first time, use yourdir/sbin/radiusd -X for some verbose info.
Line 1 in radiusd.conf (prefix) and the link to the RADIUS dictionary need to be adapted.
70
OPTIONAL: USING RADSEC INSTEAD OF RADIUS
Radiator already has (and FreeRADIUS will soon
have) support for RADIUS over TCP and TLS.
<Handler>
    <AuthBy RADSEC>
        Host etlr1.eduroam.org
        Host etlr2.eduroam.org
        Secret mysecret
        UseTLS
        TLS_CAPath          /.../certs/CAs/
        TLS_CertificateFile /.../certs/tld1.eduroam.lu.pem
        TLS_CertificateType PEM
        TLS_PrivateKeyFile  /.../certs/tld1.eduroam.lu.key
    </AuthBy>
...
(The equivalent on the server side is a <ServerRADSEC> clause.)
71
CONFIGURING THE ACCESS POINTS (1)
Access Point setup uses a set of LANCOM L-54g Series Access Points.
• It's alright if you've never seen this brand before :).
• Setup (as per appendix B.2 of Cookbook v2):
– SSID.
– Encryption.
– NTP.
– RADIUS uplink.
– IP address.
72
ACTIVITY
Exercise:
• Configuring an access point.
• use Cookbook v3 (on CD) for walk-through
on LANCOM APs.
73
CONFIGURING THE ACCESS POINTS (2)
RADIUS / AAA Section:
• Must define at least one group, e.g.:
ap1200(config)#aaa new-model
ap1200(config)#radius-server host 192.168.10.253 auth-port 1812 acct-port 1813 key <secret>
ap1200(config)#aaa group server radius radsrv
ap1200(config-sg-radius)#server 192.168.10.253 auth-port 1812 acct-port 1813
ap1200(config-sg-radius)#!
ap1200(config-sg-radius)#aaa authentication login eap_methods group radsrv
ap1200(config)#aaa authorization network default group radsrv
ap1200(config)#aaa accounting send stop-record authentication failure
ap1200(config)#aaa accounting session-duration ntp-adjusted
ap1200(config)#aaa accounting update newinfo periodic 15
ap1200(config)#aaa accounting network default start-stop group radsrv
ap1200(config)#aaa accounting network acct_methods start-stop group radsrv
74
CONFIGURING THE ACCESS POINTS (3)
SSID Configuration:
• One dot11 ssid must be configured for each SSID.
• Also configured:
– Default VLAN for the SSID.
– Authentication framework.
– Accounting.
– SSID to be broadcast (guest mode).
ap1200(config)#dot11 ssid eduroam
ap1200(config-ssid)#vlan 909
ap1200(config-ssid)#authentication open eap eap_methods
ap1200(config-ssid)#authentication network-eap eap_methods
ap1200(config-ssid)#authentication key-management wpa optional
ap1200(config-ssid)#accounting acct_methods
ap1200(config-ssid)#guest-mode
75
CONFIGURING THE ACCESS POINTS (4)
Configuring the Radio Interface:
• Map SSIDs to the radio interface.
• Specify ciphers for each VLAN.
ap1200(config)#interface Dot11Radio 0
ap1200(config-if)# encryption vlan 906 mode ciphers aes-ccm tkip wep128
ap1200(config-if)# encryption vlan 909 mode ciphers aes-ccm tkip wep128
ap1200(config-if)#ssid eduroam
76
CONFIGURING THE ACCESS POINTS (5)
Configuring VLAN interfaces:
• For each VLAN used for wireless clients, define:
• One ‘on the air’ (DotRadio) virtual interface.
• One ‘on the wire’ (FastEthernet) virtual interface.
• Bridge the two virtual interfaces together with a bridge
group.
• Configure administrative VLAN.
• For maintenance / management and authentication /
accounting traffic.
77
THE SUPPLICANT (1)
The reference setup assumes use of EAP-TTLS.
• Easiest way to implement eduroam in large
community.
MS Windows has no built-in support for EAP-TTLS…
…But you can use SecureW2.
• Application from Alfa & Ariss Network Security
Solutions.
• There can be some security issues around installation…
• …You can overcome these using a preconfigured
distribution.
78
THE SUPPLICANT (2)
To prepare a preconfigured SecureW2 exe file:
1. Prepare SecureW2.INF file.
2. Prepare NSIS configuration file.
3. Create the exe file with NSIS.
4. Digitally sign the exe file.
79
THE SUPPLICANT (3)
User Installation of SecureW2:
1. Download the preconfigured exe file.
2. Confirm the signature of the exe file.
3. Start the exe file and enter credentials when prompted.
4. Reboot computer.
5. Choose SecureW2 as the authentication method for the eduroam network.
6. Connect to eduroam.
80
THE SUPPLICANT (4)
81
ACTIVITY
Exercise:
• Working with a supplicant.
82
Module 4: Configuring an eduroam Identity
Provider
FROM SP TO IdP
We assume you are a Service Provider already.
What more do you need to become an Identity
Provider (IdP)?
• Your own realm (group1.aq, …).
• A TLS server certificate.
• A user database.
• A few config changes in the server.
84
FreeRADIUS: CHANGES FOR IdP CONFIG
• proxy.conf: declare your realm to be handled locally:
realm groupX.aq {
}
• virtual server eduroam: enable EAP handling:
authorize {
    <other stuff>
    eap
}
authenticate {
    eap
}
• inner authentication: new virtual server inner-tunnel.
85
VIRTUAL SERVER FOR INNER AUTHENTICATION
authorize {
    auth_log
    eap
    files
    mschap
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
post-auth {
    reply_log
    Post-Auth-Type REJECT {
        reply_log
    }
}
86
LDAP, ActiveDirectory, ...
The files module in the previous slides reads users from a plain-text file.
There are plenty of other modules, like:
• ldap – authenticate against LDAP or
ActiveDirectory.
• sql – authenticate against
(my|Postgre|MS-)SQL.
Please read the server documentation for further
details.
87
EAP CONFIGURATION
eap.conf specifies:
- Which EAP methods are allowed.
- The certificate for the server.
(For new installations: execute the script “bootstrap” in raddb/certs to generate self-signed certificates.)
88
EXERCISE: IdP CONFIGURATION
Modify the existing configuration to add your own realm.
Add the virtual server eduroam_inner_tunnel (in the supplied config directory under “sites-available”).
Modify the example user in the users file.
Start the server and authenticate with this user account (since the certificate is new and self-signed, server certificate validation needs to be off [for this exercise only!]).
89
Module 5: Log Files, Statistics and Incidents
WHY KEEP LOG FILES?
Log files are used to track malicious users and to
debug possible problems.
Aim: provide evidence to government agencies:
• Offender’s realm and login time.
• Why not provide the User-Name?
• User-Name attribute could be obfuscated.
– Outer identity could be anonymous or forged.
91
TRACING THE USER’S REALM (1)
You should keep:
• DHCP or ARP sniffing log.
• RADIUS Authorisation log.
• Clock synchronised with Network Time
Protocol (NTP).
92
TRACING THE USER’S REALM (2)
Steps:
• Identify IP address of malicious user.
• Find MAC address in DHCP or ARP sniffing
log.
• Find authentication session in Auth log.
• Take realm and timestamp from Auth log.
93
NEXT STEPS
Approach eduroam Operations Team (OT).
• OT can link realm to a home federation.
• Home federation can find user’s identity
provider.
• Identity provider can find the user name.
• Cross-reference timestamp from service provider’s
auth log with own logs.
94
A CLOSER LOOK AT LOGGING REQUIREMENTS
Let’s look more closely at logging requirements:
• Network addressing.
• Auth logs.
• Reliable time source.
• Technical contact.
95
NETWORK ADDRESSING
Service Providers:
• Should provide visitors with publicly routable IPv4
addresses using DHCP.
• Side-thought: why is NAT considered bad?
• Must be able to find a MAC address from the IP
address.
• Must log:
• Time client’s DHCP lease was issued.
• MAC address of client.
• IP address allocated to client.
96
AUTH LOGS
Identity Providers must log all authentication
attempts, recording:
• Authentication result returned by
authentication database.
• Reason for denial or failure of authentication.
97
AUTH LOGS (2)
At what point should logs be kept?
• After packet reception from client.
• Before handing off to proxy.
• After getting reply from proxy.
• Before sending reply back to client.
Pre-configured modules exist in FreeRADIUS:
auth_detail, pre_proxy_detail, post_proxy_detail, reply_detail
98
RELIABLE TIME SOURCE
All logs must be synchronised to a reliable time
source.
• E.g. using Network Time Protocol (NTP).
• SNTP also okay.
99
TECHNICAL CONTACT
Each federation must designate a technical
contact:
• Must be available via email and telephone
during office hours.
• May be a named individual or an
organisational unit.
• Cover during absence from work must be
provided.
100
STATISTICS: WHO CAN DELIVER WHAT INFO?
Your NRO has the FLR server:
• Can count international roaming usage (for now).
• Can count national roaming usage (for now).
• Cannot count local usage.
IdPs can’t count usage, only the number of auths!
SPs can always count local usage.
How to do this depends on server in use.
101
STATISTICS: FreeRADIUS
FreeRADIUS:
Use a script to parse the log files and generate statistics from them, like http://www.eduroam.lu/files/eduroam-daily-stats-03.sh.
It generates output like below, which can be sent to an SSH dropbox at the NRO:
# Order of fields: successful-own successful-national successful-intl failed-own failed-national failed-intl
6 1 0 0 0 0
102
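The tracing steps of slides 93 and 96 (IP address to MAC address via the DHCP log, then to the authentication session, realm and timestamp) and the six daily counts of slide 102, worked as one added Python example. It is neither the course's eduroam-daily-stats script nor FreeRADIUS code; it assumes a FreeRADIUS 2.x radius.log style auth log and ISC dhcpd syslog lines for the DHCP log, and every address, MAC, realm and time in it is constructed.

```python
"""IP-to-realm tracing and daily roaming statistics from SP logs (added example)."""
import re
from datetime import datetime

# Assumed log formats (constructed after FreeRADIUS 2.x radius.log and ISC dhcpd syslog).
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) : Auth: Login (?P<res>OK|incorrect): "
    r"\[(?P<user>[^\]/]+)[^\]]*\] \(from client \S+ port \d+ cli (?P<mac>[0-9A-Fa-f:-]+)\)")
DHCP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9A-Fa-f:]+)")


def _mac(text: str) -> str:
    """Normalise '00-11-22-33-44-55' and '00:11:22:33:44:55' to one lower-case form."""
    return text.lower().replace("-", ":")


def parse_auth(lines):
    """Auth log -> list of {ts, ok, realm, mac}; non-matching lines are ignored."""
    out = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            user = m["user"]
            out.append({"ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
                        "ok": m["res"] == "OK",
                        "realm": user.rsplit("@", 1)[1].lower() if "@" in user else None,
                        "mac": _mac(m["mac"])})
    return out


def parse_dhcp(lines, year):
    """DHCP log -> list of {ts, ip, mac}; syslog carries no year, so it is supplied."""
    out = []
    for line in lines:
        m = DHCP_RE.match(line)
        if m:
            out.append({"ts": datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y"),
                        "ip": m["ip"], "mac": _mac(m["mac"])})
    return out


def trace_ip(ip, when, leases, auths):
    """(mac, realm, auth timestamp) for the client holding `ip` at `when`, else None."""
    held = [lease for lease in leases if lease["ip"] == ip and lease["ts"] <= when]
    if not held:
        return None
    lease = max(held, key=lambda lease: lease["ts"])        # last DHCPACK before `when`
    # 802.1X completes before the lease is issued: last successful auth of that MAC.
    logins = [a for a in auths if a["ok"] and a["mac"] == lease["mac"] and a["ts"] <= lease["ts"]]
    if not logins:
        return None
    auth = max(logins, key=lambda a: a["ts"])
    return lease["mac"], auth["realm"], auth["ts"]


def daily_stats(auths, own_realms, national_tld):
    """successful-own successful-national successful-intl failed-own failed-national failed-intl."""
    counts = [0] * 6
    for a in auths:
        realm = a["realm"] or ""                        # no realm: handled locally, counts as own
        if not realm or realm in own_realms:
            cls = 0
        elif realm == national_tld or realm.endswith("." + national_tld):
            cls = 1
        else:
            cls = 2
        counts[cls + (0 if a["ok"] else 3)] += 1
    return tuple(counts)


# Constructed sample logs for one day at the Antarctica SP of the exercise.
AUTH_LOG = [
    "Mon Jun  2 10:15:03 2008 : Auth: Login OK: [tld@aq] (from client antarctica-access-points port 1 cli 00-11-22-33-44-55)",
    "Mon Jun  2 10:16:40 2008 : Auth: Login OK: [joe@university_b.hr] (from client antarctica-access-points port 1 cli 00-aa-bb-cc-dd-ee)",
    "Mon Jun  2 10:17:05 2008 : Auth: Login incorrect: [anna@group1.aq] (from client antarctica-access-points port 1 cli 00-11-22-33-44-66)",
    "Mon Jun  2 10:20:11 2008 : Auth: Login OK: [anna@group1.aq/<via Auth-Type = EAP>] (from client antarctica-access-points port 1 cli 00-11-22-33-44-66)",
    "Mon Jun  2 11:02:30 2008 : Auth: Login incorrect: [joe@university_b.hr] (from client antarctica-access-points port 1 cli 00-aa-bb-cc-dd-ee)",
]
DHCP_LOG = [
    "Jun  2 10:15:09 sp-gw dhcpd: DHCPACK on 192.0.2.17 to 00:11:22:33:44:55 via eth0",
    "Jun  2 10:16:47 sp-gw dhcpd: DHCPACK on 192.0.2.18 to 00:aa:bb:cc:dd:ee via eth0",
    "Jun  2 12:40:02 sp-gw dhcpd: DHCPACK on 192.0.2.17 to 00:11:22:33:44:66 via eth0",
]


def run_example():
    """Trace 192.0.2.17 at two times of day and compute the daily counts."""
    auths, leases = parse_auth(AUTH_LOG), parse_dhcp(DHCP_LOG, 2008)
    def show(t): return None if t is None else (t[0], t[1], t[2].isoformat())
    return {"at_11h": show(trace_ip("192.0.2.17", datetime(2008, 6, 2, 11, 0), leases, auths)),
            "at_13h": show(trace_ip("192.0.2.17", datetime(2008, 6, 2, 13, 0), leases, auths)),
            "unknown": show(trace_ip("192.0.2.99", datetime(2008, 6, 2, 13, 0), leases, auths)),
            "stats": daily_stats(auths, {"group1.aq"}, "aq")}

if __name__ == "__main__":
    print(run_example())
```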
ACTIVITY
Exercise:
• Log files and statistics.
103
OTHER INCIDENTS
Other attacks you might find interesting (not directly related to eduroam):
• Authentication spamming: someone without a proper user account starts as many authentication processes as they can.
• Disassociation of connected clients.
• Poisoning MAC tables.
All of these are generic WLAN attacks.
104
ACTIVITY
Exercise:
• Dealing with incidents.
105
Module 6: Feedback on eduroam Technology
and Service
ACTIVITY
Feedback:
• Please give your feedback about eduroam
technology and the eduroam service.
107
FOR MORE INFORMATION
• www.eduroam.org
• www.geant2.net
• www.dante.net
• For information about GÉANT2 training:
www.geant2.net/training
108
RECAP OF COURSE OBJECTIVES
By the end of the training, you will be able to:
• Describe eduroam services and technology.
• Implement a Service Provider and an Identity
Provider in accordance with eduroam policy.
• Deliver eduroam training to other
organisations within your country.
The training will also give you the opportunity to provide
feedback about eduroam and the eduroam service.
109