
eduroam 101
Klaas Wierenga
April, 2010
Eduroam 101
© 2010 Cisco Systems, Inc. All rights reserved. Cisco Public
1
Requirements
• Identify users uniquely at the edge of the network
  - No session hijacking
  - Preserving privacy
• Enable guest usage
• Scalable
  - Local user administration and authentication
• Easy to install and use
  - At the most one-time installation by the user
• Open
eduroam architecture
• Security based on 802.1X (WPA, WPA2)
  - Protection of credentials
  - Different authentication mechanisms possible by using EAP (Extensible Authentication Protocol): username/password, X.509 certificates, SIM cards
  - Integration with VLAN assignment
• Roaming based on RADIUS proxying
  - Remote Authentication Dial In User Service
  - Transport protocol for authentication information
• Trust fabric based on:
  - Technical: RADIUS hierarchy
  - Policy: documents/contracts that define the responsibilities of user, institution, NREN and the eduroam federation
• AuthN by home institution, AuthZ by visited institution
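As an added illustration of the realm-based RADIUS proxying and the AuthN/AuthZ split described on this slide (example code written for this transcript, not part of the original deck), the following Python model walks an Access-Request through a constructed three-level hierarchy. Every server name, realm, user, password and VLAN label in it is made up; the routing tables stand in for the static hierarchy that real eduroam proxies are configured with.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class RadiusServer:  # one node in the eduroam RADIUS tree: institution or national/regional root
    name: str
    realm: Optional[str] = None                  # realm this server is home IdP for (None for roots)
    parent: Optional["RadiusServer"] = None      # next hop upwards in the static hierarchy
    routes: Dict[str, "RadiusServer"] = field(default_factory=dict)  # realm suffix -> child server
    users: Dict[str, str] = field(default_factory=dict)  # constructed home-IdP credential store
    vlans: Dict[str, str] = field(default_factory=dict)  # visited SP's local VLAN policy

    def next_hop(self, realm: str) -> Optional["RadiusServer"]:
        for suffix, child in self.routes.items():            # forward down if a child owns the realm
            if realm == suffix or realm.endswith("." + suffix):
                return child
        return self.parent                                   # otherwise up one level

def access_request(visited: RadiusServer, identity: str, password: str, max_hops: int = 6) -> dict:
    # Proxy one Access-Request by realm to the home IdP, then apply the visited site's policy.
    if "@" not in identity:
        return {"accept": False, "reason": "no realm", "path": [visited.name]}
    user, realm = identity.rsplit("@", 1)
    node, path = visited, [visited.name]
    while node.realm != realm:                       # keep proxying until the home server is reached
        if len(path) > max_hops:                     # guard against routing loops in the hierarchy
            return {"accept": False, "reason": "hop limit", "path": path}
        node = node.next_hop(realm)
        if node is None:                             # fell off the top of the tree: nobody knows the realm
            return {"accept": False, "reason": "unknown realm", "path": path}
        path.append(node.name)
    # AuthN: only the home institution checks the credential (in eduroam the EAP tunnel hides it
    # from every proxy in between; this toy model simply passes a string along)
    if node.users.get(user) != password:
        return {"accept": False, "reason": "bad credentials", "path": path}
    # AuthZ: the visited institution decides which VLAN the accepted user lands in
    role = "home" if node is visited else "guest"
    return {"accept": True, "vlan": visited.vlans[role], "path": path}

def build_tree() -> Dict[str, RadiusServer]:  # constructed hierarchy: eduroam root -> Europe -> .nl -> sites
    root = RadiusServer("eduroam root")
    eu = RadiusServer("European root", parent=root)
    nl = RadiusServer(".nl root", parent=eu)
    uni_a = RadiusServer("University A", "university_a.nl", nl, users={"alice": "pw-a"},
                         vlans={"home": "Employee", "guest": "Guest"})
    uni_b = RadiusServer("University B", "university_b.nl", nl, users={"jan": "pw-b"},
                         vlans={"home": "Employee", "guest": "Guest"})
    nl.routes = {"university_a.nl": uni_a, "university_b.nl": uni_b}
    eu.routes, root.routes = {"nl": nl}, {"nl": eu}   # other countries and regions omitted
    return {"root": root, "eu": eu, "nl": nl, "a": uni_a, "b": uni_b}
```

A guest jan@university_b.nl at University A is proxied A -> .nl root -> University B, accepted by B, and placed in A's guest VLAN; a realm nobody in the tree knows is rejected only after climbing to the top.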
Secure access to the network with 802.1X
[Diagram, source SURFnet: the supplicant of user [email protected]_a.nl at University A connects through an authenticator (AP or switch) to University A's RADIUS server and user DB; after authentication the user is placed in one of the Commercial, Employee or Student VLANs with access to the Internet. Signaling and data paths are drawn separately.]
• 802.1X
• (VLAN assignment)
eduroam
[Diagram, source SURFnet: guest jan@university_b.nl at University A; the supplicant connects through University A's authenticator (AP or switch) to University A's RADIUS server, which proxies the request via the SURFnet central RADIUS proxy server to University B's RADIUS server and user DB; the guest is then placed in one of the Commercial, Employee or Student VLANs at University A. Signalling and data paths are drawn separately.]
• Trust based on RADIUS plus policy documents
• 802.1X
• EAP for mutual authentication and privacy protection
• (VLAN assignment)
eduroam hierarchy
[Tree diagram:]
(virtual) eduroam root
  European root: .nl, .ac.uk, .dk, .pt, .es, ...
  APAN root: .au, .cn, ...
  (America's root): .edu, .ca, ...
eduroam status
• Canada member since June 2008
• > 600 Service Providers
• Isolated trials in Latin America, US
• Approx. 10 million users
Spin-off: RadSec
• eduroam problems:
  - Dead peer discovery
  - Fragmentation
  - Managing shared-secret/IP-address based trust
  - Static hierarchy
  - DIAMETER not available
• RADIUS with:
  - TLS
  - TCP
• draft-ietf-radext-radsec-02.txt, draft-dekok-radext-tcp-transport-01.txt
• Implementations in Radiator, FreeRADIUS (in progress), RadSecProxy and OpenWRT, and Lancom APs