eduroam 101
Klaas Wierenga
April, 2010
Eduroam 101
© 2010 Cisco Systems, Inc. All rights reserved. Cisco Public
1
Requirements
Identify users uniquely at the edge of the network
No session hijacking
Preserving privacy
Enable guest usage
Scalable
Local user administration and authentication
Easy to install and use
At the most one-time installation by the user
Open
eduroam architecture
Security based on 802.1X (WPA, WPA2)
Protection of credentials
Different authentication mechanisms possible by using EAP (Extensible Authentication Protocol)
Username/password
X.509 certificates
SIM-cards
Integration with VLAN assignment
Roaming based on RADIUS proxying
Remote Authentication Dial In User Service
Transport-protocol for authentication information
Trust fabric based on:
Technical: RADIUS hierarchy
Policy: Documents/contracts that define the responsibilities of user, institution, NREN and the eduroam federation
AuthN by home institution, AuthZ by visited institution
Secure access to the network with 802.1X
[Diagram, source SURFnet: a University A user ([email protected]_a.nl) with a Supplicant connects through an Authenticator (AP or switch) to University A's RADIUS server and User DB. 802.1X signaling runs between supplicant, authenticator and RADIUS server; after authentication the data path is placed on the Commercial, Employee or Student VLAN (VLAN assignment) towards the Internet.]
eduroam
[Diagram, source SURFnet: guest jan@university_b.nl visiting University A. Supplicant -> Authenticator (AP or switch) -> University A RADIUS server -> SURFnet central RADIUS proxy server -> University B RADIUS server -> User DB. Signalling follows the RADIUS chain; the data path stays at University A on the Commercial, Employee or Student VLAN.]
• Trust based on RADIUS plus policy documents
• 802.1X
• EAP for mutual authentication and privacy protection
• (VLAN assignment)
eduroam hierarchy
[Diagram: a (virtual) eduroam root with regional roots beneath it (European root, APAN root, America's root); beneath those sit national/TLD-level servers, the ones shown including .nl, .ac.uk, .dk, .pt, .es, .au, .cn, .edu and .ca, with further ones elided.]
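As an added illustration (not part of the original slides), the following Python simulation shows how a request for a roaming user is routed along this hierarchy: each RADIUS proxy looks only at the realm after the '@' in User-Name, forwards to the most specific downstream server it knows or otherwise up to its parent, until the home institution is reached. Server and realm names (University A/B/C, ".au NREN") are assumed placeholders.

```python
# Constructed simulation of realm-based routing through the eduroam RADIUS
# hierarchy (institution -> NREN -> regional root -> eduroam root). Server and
# realm names are illustrative placeholders, not real eduroam servers.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class RadiusNode:
    name: str
    home_realm: Optional[str] = None              # set on institutions that authenticate
    children: dict = field(default_factory=dict)  # realm suffix -> downstream server
    parent: Optional["RadiusNode"] = None

    def add_child(self, suffix: str, node: "RadiusNode") -> "RadiusNode":
        self.children[suffix.lower()] = node
        node.parent = self
        return node

def routing_realm(user_name: str) -> str:
    """Proxies route on the realm only; the local part may be anonymised
    (e.g. 'anonymous@university_b.nl'), which keeps the identity private
    from every hop except the home institution."""
    if "@" not in user_name:
        raise ValueError("User-Name without realm: reject locally, never proxy")
    return user_name.rsplit("@", 1)[1].lower()

def in_realm(realm: str, suffix: str) -> bool:
    return realm == suffix or realm.endswith("." + suffix)

def route(visited: RadiusNode, realm: str, max_hops: int = 10) -> list:
    """Servers a request for `realm` traverses, starting at the visited site.
    Longest matching child suffix wins, else forward to the parent; max_hops
    stands in for a proxy's loop protection."""
    path, node = [], visited
    while node is not None and len(path) < max_hops:
        path.append(node.name)
        if node.home_realm and in_realm(realm, node.home_realm):
            return path                           # AuthN happens here, at home
        matches = [s for s in node.children if in_realm(realm, s)]
        node = node.children[max(matches, key=len)] if matches else node.parent
    raise LookupError(f"no route to realm {realm!r} within {max_hops} hops")

def build_hierarchy() -> RadiusNode:
    """Builds the constructed topology; returns University A, the visited site."""
    root, eu, apan = RadiusNode("eduroam root"), RadiusNode("European root"), RadiusNode("APAN root")
    for tld in ("nl", "ac.uk", "dk"):
        root.add_child(tld, eu)
    for tld in ("au", "cn"):
        root.add_child(tld, apan)
    surfnet = eu.add_child("nl", RadiusNode("SURFnet (.nl)"))
    au_nren = apan.add_child("au", RadiusNode(".au NREN"))
    uni_a = surfnet.add_child("university_a.nl", RadiusNode("University A", "university_a.nl"))
    surfnet.add_child("university_b.nl", RadiusNode("University B", "university_b.nl"))
    au_nren.add_child("university_c.au", RadiusNode("University C", "university_c.au"))
    return uni_a

def authentication_path(user_name: str, visited: RadiusNode) -> list:
    return route(visited, routing_realm(user_name))
```

Running `authentication_path("jan@university_b.nl", build_hierarchy())` reproduces the guest case from the slide: University A, SURFnet, University B.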
eduroam status
Canada member since June 2008
> 600 Service Providers
Isolated trials in Latin-America, US
Approx. 10 million users
Spin-off: RadSec
Eduroam problems:
Dead peer discovery
Fragmentation
Managing shared secret/IP-address based trust
Static hierarchy
DIAMETER not available
RADIUS with:
TLS
TCP
draft-ietf-radext-radsec-02.txt, draft-dekok-radext-tcp-transport-01.txt
Implementations in Radiator, FreeRADIUS (in progress), RadSecProxy, OpenWRT and Lancom APs