TERENA GA - Wierenga


Terena Mobility Taskforce update
Klaas Wierenga
SURFnet
<[email protected]>
Contents Page
• Background
• Current status
• Future plans
• Discussion
Background
• TF Mobility (Taskforce) officially began on January 1 2003.
– The group has an 18 month lifetime.
• Aim: “coordinating research and testing in Europe regarding real usage and scalability of mobility solutions inside the academic community”.
• Mobility solutions are defined as
– a way to transfer authentication information between organisations so that a user from a different organisation may gain wired or wireless access to 1) the visited organisation’s network or 2) the visitor’s home network for home authentication and network access.
• Work Areas
– Identify inter-NREN roaming requirements.
– Evaluate current national roaming solutions.
– Select inter-NREN solution and test.
– Evaluate mobile equipment, technology and next generation mobile technology for handover and roaming (mobile IPv4 & v6).
Requirements definition
• Enable NREN users to use the Internet (WLAN and wired) everywhere in Europe with:
– Minimal administrative overhead (per roaming user)
– Good usability
– Maintaining required security for all partners.
– Scalable!
Web-based with RADIUS
RADIUS based Web interface authentication at the University of Tampere
[Figure: WWW-browser, Docking Network, Access Control Device, AAA Server and Internet, with steps numbered 1 to 5]
The Finns are scaling their solution by using a hierarchy of RADIUS proxy servers for their national infrastructure
VPN
• Wbone – VPN roaming solution to 4 universities / colleges in the state of Bremen.
• SWITCHmobile – VPN solution deployed at 7 universities across Switzerland.
• A "virtual campus" initiative in Lisbon has been testing and developing a VPN & PKI infrastructure.
• PPPoE – University of Bristol
[Figure: VPN-Gateways, Docking network, G-WiN, Campus Network and Intranet X, with DHCP, DNS and free Web]
Cross-domain 802.1X with VLAN assignment
[Figure: Supplicant; Authenticator (AP or switch); RADIUS server and User DB at Institution A and at Institution B; Central RADIUS Proxy server; Employee, Student and Guest VLANs; Internet; guest user piet@institution_b.nl]
Authentication at home institution, 802.1X, TTLS (SecureW2), (proxy) RADIUS. One time passwords are also transmitted via SMS to guest users.
A RADIUS hierarchy is proposed to scale this to a Europe-wide solution.
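The realm-based routing described above, as an added example that is not from the original slides: it lists the RADIUS servers a request for piet@institution_b.nl passes through and the VLAN the visitor is given. The topology, the proxy names, the rejection of unknown realms and the rule that visitors land in the guest VLAN are assumptions made for illustration.

```python
# Constructed federation: realm -> national proxy (all names are assumptions).
NATIONAL_PROXY = {
    "institution_a.nl": "proxy.nl",
    "institution_b.nl": "proxy.nl",
    "university_c.fi": "proxy.fi",
}
TOP_PROXY = "proxy.eu"  # hypothetical European-level proxy


def home_realm(identity):
    """Return the realm of user@realm, or raise ValueError if unroutable."""
    user, sep, realm = identity.rpartition("@")
    realm = realm.strip().lower().rstrip(".")
    if not sep or not user or not realm or "@" in user:
        raise ValueError(f"no usable realm in {identity!r}")
    return realm


def route(identity, visited):
    """RADIUS servers an Access-Request traverses, visited institution first."""
    home = home_realm(identity)
    # Forward only to known members: an unknown realm is rejected at the
    # edge instead of being passed up the hierarchy.
    if home not in NATIONAL_PROXY or visited not in NATIONAL_PROXY:
        raise LookupError(f"realm not in federation: {home!r} via {visited!r}")
    if home == visited:
        return [visited]                     # local user, no proxying
    up, down = NATIONAL_PROXY[visited], NATIONAL_PROXY[home]
    # Same country: one national proxy. Otherwise go via the top level.
    middle = [up] if up == down else [up, TOP_PROXY, down]
    return [visited, *middle, home]


def vlan(identity, visited, local_role="Student"):
    """Visitors get the Guest VLAN; local users the VLAN for their role."""
    return "Guest" if home_realm(identity) != visited else local_role


if __name__ == "__main__":
    for who, where in [("piet@institution_b.nl", "institution_a.nl"),
                       ("piet@institution_b.nl", "university_c.fi"),
                       ("piet@institution_b.nl", "institution_b.nl")]:
        print(who, "at", where, "->", route(who, where), vlan(who, where))
```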
Current status
• Documentation of national WLAN roaming solutions – complete
• Characteristics identified as
– 802.1X - “The future”, easy to scale, secure but cutting edge, thus expensive.
– VPN - Widely available, expensive, secure & hard to scale.
– Web based – cheap, widely available, easy to scale, but not secure.
• WLAN Product testing matrix – 1st draft completed
• Preliminary selection for inter-NREN roaming – in draft, conclusions are
– No national solution meets all the requirements.
– The group has chosen not to consider the following
  – Local VPN access.
  – PKI
– An architecture that supports the various national solutions is needed, a three stream approach is recommended…
Future plans
• Conduct feasibility tests on creating a scalable VPN solution
• Resolve scaling and interoperability issues (for 802.1x, VPN, web-based redirect, PPPoE)
• Subject to feasibility, build the proposed CASG solution
• Extend to VPN in parallel
• Build and scale a RADIUS proxy hierarchy for non-VPN AAA
• Consolidate findings into a trial report
• Work on software changes to PPPoE to facilitate roaming
The testing of inter-NREN roaming solutions has already started!
Controlled Address Space for VPN Gateways
• Design and work plan documentation underway.
• Interoperability tests of VPN to RADIUS proxy hierarchy agreed.
• Further work to follow.
RADIUS proxy hierarchy
RADIUS Proxy servers connecting to a European level RADIUS proxy server (DFN)
[Figure: FUNET, SURFnet, University of Southampton, FCCN, CARnet]
• Participation guidelines are being drafted
• Aim is to increase membership. Spain, Norway, Slovenia, Czech Republic & Greece have indicated their willingness to join.
Thank you for your time
Any questions?
Klaas Wierenga
+31 30 2 305 305
[email protected]