Federated peering the NREN way: eduGAIN and eduroam

Authentication and Authorisation in
eduroam
Klaas Wierenga, AA Workshop TNC
Lyngby, 20th May 2007
Contents

- Intro eduroam
- AA requirements
- AA implementation
- Authorisation
- Summary
eduroam

The goal of eduroam: "open your laptop and be online"

or

- To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world, enabling seamless sharing of network resources
eduroam

[Diagram: guest piet@university_b.nl connects at University A's access point; University A forwards the authentication via SURFnet (trusted third party) to University B, which checks its own user DB]

- eduroam enables (federated) network access
- A trusted third party exists that guarantees that both peers are 'trustworthy'; the visited and the home institution need no bilateral agreement with each other, which is what allows the scheme to scale
AA requirements

- "Reasonable security"
  - Not trying to solve every problem of the universe
  - Uniquely identifying users at the edge of the network
  - Local choice of authentication method
- Data integrity
  - Good identity management
  - No tampering with data
- Compliance with privacy regulations
  - No data "leakage"
- Verifiability
  - Monitoring
  - Logging

Source: JRA5 and TF-Mobility roaming requirements
AA implementation

Secure network access with 802.1X

[Diagram: supplicant (user jan@university_a.nl) - authenticator (AP or switch) - University A RADIUS server backed by the user DB; 802.1X signalling runs from the supplicant via the authenticator to the RADIUS server, data flows to the Internet only once the port has been placed in the Employee, Student or Guest VLAN]

- 802.1X
- (VLAN assignment)
eduroam

[Diagram: guest piet@university_b.nl at University A; supplicant - authenticator (AP or switch) - University A RADIUS server - SURFnet central RADIUS proxy server - University B RADIUS server with its user DB; University A puts the guest in its Guest VLAN (the Employee and Student VLANs are for its own users); 802.1X signalling vs data paths]

- Trust based on RADIUS plus policy documents
- 802.1X
- (VLAN assignment)
Tunneled authentication (PEAP/TTLS)

- Uses a TLS/SSL tunnel to protect the data
- The TLS tunnel is set up using the server certificate, thus authenticating the server and preventing man-in-the-middle attacks. This holds only if the supplicant actually validates that certificate (trusted CA plus the expected server name); a client configured to accept any certificate will build its tunnel to a rogue access point and expose the inner credentials to it
- The user sends his credentials through the secure tunnel to the server, thus authenticating the user
- Can use dynamic session keys for 'in the air' encryption

[Diagram (© Alfa&Ariss): 802.1X client - TLS tunnel - EAP RADIUS server; server authentication establishes the tunnel, user authentication runs inside it]
eduroam architecture

- Security based on 802.1X (WEP/WPA/WPA2)
  - Identity-based networking
  - Using the Extensible Authentication Protocol (EAP) to allow for multiple authentication mechanisms
  - Mutual authentication (PEAP, TTLS, TLS)
  - Protection of credentials (tunneled authentication)
  - Layer 2
- Roaming based on RADIUS proxying
  - Remote Authentication Dial In User Service
  - Transport protocol for authentication information
  - Using shared secrets between peers (trust is hop by hop: each proxy only verifies the neighbour it shares a secret with)
- Trust fabric based on:
  - RADIUS hierarchy
  - Policy
- Authentication ≈ Authorisation: a successful authentication at the home institution is what authorises network access; the visited site's own levers are
  - RADIUS attribute filtering (what it accepts from the proxy chain)
  - VLAN assignment (where it puts the user)
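How a RADIUS proxy hop verifies its neighbour with the shared secret mentioned above, as an added example (not code from the talk or from eduroam): it builds an Access-Request and an Access-Accept with the RFC 2865 Response Authenticator and the RFC 3579 Message-Authenticator, then checks the response under the right secret, under a wrong secret, and after an on-path edit of an attribute. The attribute numbers are the IANA-registered ones; the secret, identifier, user name and VLAN value are constructed for the demo.

```python
"""Added example: RADIUS hop-by-hop integrity with a shared secret
(RFC 2865 Response Authenticator, RFC 3579 Message-Authenticator).
Secret, user and VLAN value below are made up for the demo."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 1, 80, 81


def encode_attrs(attrs):
    """Serialise [(type, value), ...] as RADIUS TLVs: type, length (incl. header), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(body):
    """Inverse of encode_attrs; rejects truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def _with_message_authenticator(code, ident, authenticator, attrs, secret):
    """Header + attributes with a trailing Message-Authenticator =
    HMAC-MD5(secret, packet with that attribute's value set to 16 zero bytes)."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def build_request(ident, request_auth, attrs, secret):
    """Access-Request: the Authenticator field is 16 random bytes (the Request
    Authenticator); Message-Authenticator is mandatory when EAP is carried."""
    return _with_message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret)


def build_response(code, ident, request_auth, attrs, secret):
    """Access-Accept/Reject: Message-Authenticator is computed with the request
    authenticator in the header; then the Response Authenticator
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret) replaces it."""
    pkt = _with_message_authenticator(code, ident, request_auth, attrs, secret)
    response_auth = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[:4] + response_auth + pkt[20:]


def verify_response(pkt, request_auth, secret):
    """True only if both authenticators match under `secret` for the request
    identified by `request_auth`; a wrong secret or any on-path change fails."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return False
    try:
        attrs = parse_attrs(pkt[20:])
    except ValueError:
        return False
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = encode_attrs([(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    recomputed = hmac.new(secret, pkt[:4] + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(recomputed, macs[0])


def rewrite_attr(pkt, attr_type, new_value):
    """Simulate an on-path edit: change one attribute, recompute nothing."""
    attrs = [(t, new_value if t == attr_type else v) for t, v in parse_attrs(pkt[20:])]
    body = encode_attrs(attrs)
    return pkt[:2] + struct.pack("!H", 20 + len(body)) + pkt[4:20] + body


def demo(secret=b"surfnet-hop-secret", wrong_secret=b"guessed-secret"):
    """Round trip for a roaming user; returns the three verification outcomes."""
    request_auth = os.urandom(16)
    build_request(7, request_auth, [(USER_NAME, b"piet@university_b.nl")], secret)
    accept = build_response(ACCESS_ACCEPT, 7, request_auth,
                            [(TUNNEL_PRIVATE_GROUP_ID, b"\x00student")], secret)
    tampered = rewrite_attr(accept, TUNNEL_PRIVATE_GROUP_ID, b"\x00employe")
    return (verify_response(accept, request_auth, secret),        # genuine: True
            verify_response(accept, request_auth, wrong_secret),  # wrong hop secret: False
            verify_response(tampered, request_auth, secret))      # edited in transit: False


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Verification is strictly per hop: the visited site only ever checks the secret it shares with its national proxy, so it cannot tell whether the home server's attributes survived the chain unmodified, and every intermediate proxy can read and rewrite them. That is why the deck counts policy documents and attribute filtering as part of the trust fabric, and why RadSec moves this protection to TLS. The MD5 constructions are what RFC 2865/3579 specify, not a recommendation.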
RadSec/DNSROAM

- RADIUS packet format
- Transport: TCP (or SCTP)
- Encryption: TLS (optional)
- TLS => PKI
- DNSROAM combines RadSec with DNS for dynamically locating the peer
- RadSec RFC is being worked on (as of this 2007 talk; RADIUS over TLS was later published as RFC 6614 and DNS-based dynamic peer discovery as RFC 7585)
Fully hierarchical

[Diagram: EU hierarchy root at the top, EU-level servers below it, country-level servers below those, all linked by RadSec; the last hop down to the institutions is still plain RADIUS]

- First mixed mode
- Later DNSROAM?
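The realm-based forwarding that this hierarchy relies on, together with the visited site's attribute filtering and VLAN choice, as an added model in Python (not eduroam software and not from the talk). Routing is longest-suffix matching on the part after the '@' in the outer identity; a national proxy rejects unknown realms under its own suffix instead of bouncing them back to the root, and a hop limit catches misconfigured loops. Server names, realms, users, passwords and VLAN names are constructed.

```python
"""Added example: model of eduroam realm-based RADIUS proxying
(institution -> national -> top-level -> home institution) with the visited
site's attribute filtering and VLAN assignment. Topology and users are made up."""
from dataclasses import dataclass, field

MAX_HOPS = 8  # stop runaway forwarding if two proxies point at each other

# Tunnel attributes (RFC 3580) carry the VLAN assignment. They only mean
# something on the home site's own network, so the visited site strips them
# from proxied responses and picks its own VLAN for the guest.
VLAN_ATTRS = {"Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID"}


def split_realm(user_name):
    """Outer identity must be user@realm; realms compare case-insensitively."""
    if "@" not in user_name:
        raise ValueError("outer identity has no realm: cannot be routed")
    user, realm = user_name.rsplit("@", 1)
    if not realm or "/" in realm or " " in realm:
        raise ValueError("malformed realm")
    return user, realm.lower()


@dataclass(eq=False)
class RadiusServer:
    name: str
    parent: "RadiusServer | None" = field(default=None, repr=False)
    children: dict = field(default_factory=dict, repr=False)   # realm suffix -> downstream
    authoritative: set = field(default_factory=set)            # suffixes this server answers for
    local_realms: dict = field(default_factory=dict)           # realm -> {user: (password, vlan)}

    @staticmethod
    def _under(realm, suffix):
        return realm == suffix or realm.endswith("." + suffix)

    def child_for(self, realm):
        """Longest-suffix match: 'university_b.nl' wins over 'nl'."""
        matches = [(len(s), srv) for s, srv in self.children.items() if self._under(realm, s)]
        return max(matches, key=lambda m: m[0])[1] if matches else None

    def authenticate(self, user_name, password, hops=0, path=None):
        """Returns (code, attrs, path); path lists the servers the request crossed."""
        path = [] if path is None else path
        path.append(self.name)
        if hops > MAX_HOPS:
            return "Access-Reject", {"Reply-Message": "too many proxy hops"}, path
        user, realm = split_realm(user_name)
        if realm in self.local_realms:                 # we are the home server
            entry = self.local_realms[realm].get(user)
            if entry is not None and entry[0] == password:
                return "Access-Accept", {"Tunnel-Private-Group-ID": entry[1]}, path
            return "Access-Reject", {}, path
        child = self.child_for(realm)
        if child is not None:
            return child.authenticate(user_name, password, hops + 1, path)
        if any(self._under(realm, s) for s in self.authoritative) or self.parent is None:
            # realm is under our suffix but unknown, or we are the root: stop here
            return "Access-Reject", {"Reply-Message": "unknown realm"}, path
        return self.parent.authenticate(user_name, password, hops + 1, path)


def visited_site_decision(visited, user_name, password, guest_vlan="guest"):
    """What the visited site's RADIUS server returns to the authenticator:
    local users get the VLAN from the local DB; for roaming guests the home
    server's answer only settles whether they get in, the VLAN is chosen here."""
    try:
        _, realm = split_realm(user_name)
    except ValueError as exc:
        return "Access-Reject", {"Reply-Message": str(exc)}, [visited.name]
    code, attrs, path = visited.authenticate(user_name, password)
    if code != "Access-Accept":
        return code, {}, path
    if realm in visited.local_realms:
        return code, attrs, path
    filtered = {k: v for k, v in attrs.items() if k not in VLAN_ATTRS}
    filtered["Tunnel-Private-Group-ID"] = guest_vlan
    return code, filtered, path


def build_hierarchy():
    """Constructed topology: EU root -> SURFnet (authoritative for .nl) -> two universities."""
    root = RadiusServer("eu-root")
    surfnet = RadiusServer("surfnet", parent=root, authoritative={"nl"})
    uni_a = RadiusServer("university_a.nl", parent=surfnet,
                         local_realms={"university_a.nl": {"jan": ("jan-pw", "employee")}})
    uni_b = RadiusServer("university_b.nl", parent=surfnet,
                         local_realms={"university_b.nl": {"piet": ("piet-pw", "student")}})
    surfnet.children = {"university_a.nl": uni_a, "university_b.nl": uni_b}
    root.children = {"nl": surfnet}
    return uni_a, uni_b


if __name__ == "__main__":
    uni_a, _ = build_hierarchy()
    print(visited_site_decision(uni_a, "piet@university_b.nl", "piet-pw"))
```

The filtering step is the whole of "Authentication ≈ Authorisation" in one line: the home server's Tunnel-Private-Group-ID is dropped and the guest VLAN is set locally, so a remote site (or any proxy in between) can never steer a visitor into the visited site's employee network.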
‘Real’ Authorisation?

DAMe

- Deploying Authorization Mechanisms for Federated Services in eduroam
- DAMe is a project that builds upon:
  - eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard
  - Shibboleth and eduGAIN
  - NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) standards
1st: Extension of eduroam with authR

[Diagram: as in the eduroam slide (guest piet@university_b.nl at University A; supplicant - authenticator (AP or switch) - University A RADIUS server - SURFnet central RADIUS proxy server - University B RADIUS server with its user DB), now with a Policy Decision Point (XACML) and a Source Attribute Authority (SAML) attached to the RADIUS servers; signalling vs data paths]

- User mobility controlled by assertions and policies expressed in SAML and XACML
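A toy policy decision point in the DAMe style, added here as an illustration and not taken from the DAMe or NAS-SAML code: the home institution's attribute authority issues an attribute assertion about the roaming user, and the visited site's XACML-like rule set (deny-overrides combining) decides which VLAN that user may use, which is the authorisation step plain eduroam leaves implicit. The realms, the partner entitlement URN and the policy itself are constructed; eduPersonAffiliation and eduPersonEntitlement are the real eduPerson attribute names.

```python
"""Added example: XACML-style PDP deciding network access for a roaming user
from a SAML-like attribute assertion. Realms, entitlement URN and policy are made up."""
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
# Constructed partner entitlement a home AA may assert for staff seconded to University A
PARTNER_ENTITLEMENT = "urn:example:university_a.nl:network:employee"


@dataclass
class Assertion:
    """Attribute statement about a subject, as the home AA/IdP would issue and sign it."""
    subject: str
    issuer: str                                      # realm of the attribute authority
    attributes: dict = field(default_factory=dict)   # attribute name -> list of values


@dataclass
class Rule:
    """One XACML-style rule: a target (resource, action, issuers, required
    attribute values) and an effect. issuers=None matches any issuer, an empty
    set matches none; each `require` entry needs at least one listed value."""
    effect: str
    resource: str                       # "*" matches every resource
    action: str = "access"
    issuers: set = None
    require: dict = field(default_factory=dict)

    def matches(self, assertion, resource, action):
        if self.resource not in ("*", resource) or action != self.action:
            return False
        if self.issuers is not None and assertion.issuer not in self.issuers:
            return False
        return all(set(assertion.attributes.get(name, ())) & set(values)
                   for name, values in self.require.items())


@dataclass
class Policy:
    """Rule set evaluated with deny-overrides, as the PDP would do."""
    trusted_issuers: set
    rules: list

    def evaluate(self, assertion, resource, action="access"):
        if assertion.issuer not in self.trusted_issuers:
            return DENY                                  # not a federation member
        effects = {r.effect for r in self.rules if r.matches(assertion, resource, action)}
        if DENY in effects:
            return DENY
        return PERMIT if PERMIT in effects else NOT_APPLICABLE


VLAN_PREFERENCE = ["network:vlan:employee", "network:vlan:student", "network:vlan:guest"]


def decide_vlan(policy, assertion):
    """Ask the PDP for each VLAN from most to least privileged; None means reject."""
    for resource in VLAN_PREFERENCE:
        if policy.evaluate(assertion, resource) == PERMIT:
            return resource.rsplit(":", 1)[1]
    return None


def university_a_policy(federation, suspended=()):
    """Constructed policy of the visited site university_a.nl; `suspended`
    lists federation members whose assertions are currently not honoured."""
    home = {"university_a.nl"}
    return Policy(trusted_issuers=set(federation), rules=[
        Rule(PERMIT, "network:vlan:employee", issuers=home,
             require={"eduPersonAffiliation": ["staff", "employee", "faculty"]}),
        Rule(PERMIT, "network:vlan:student", issuers=home,
             require={"eduPersonAffiliation": ["student"]}),
        # partner agreement: any federation AA may assert this entitlement
        Rule(PERMIT, "network:vlan:employee",
             require={"eduPersonEntitlement": [PARTNER_ENTITLEMENT]}),
        # every federation member with a real affiliation gets guest access
        Rule(PERMIT, "network:vlan:guest",
             require={"eduPersonAffiliation": ["student", "staff", "employee", "faculty"]}),
        # deny-overrides: a suspended issuer loses everything, entitlements included
        Rule(DENY, "*", issuers=set(suspended)),
    ])


if __name__ == "__main__":
    pol = university_a_policy({"university_a.nl", "university_b.nl"})
    print(decide_vlan(pol, Assertion("piet", "university_b.nl",
                                     {"eduPersonAffiliation": ["student"]})))
```

Compared with the attribute-filtering approach of plain eduroam, the decision here depends on what the home institution asserts about the user, not only on the fact that it authenticated him; the price is that the visited site must now trust the issuer's attribute quality, which is why the policy keys every rule on the issuer and keeps a deny rule for issuers it no longer trusts.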
2nd: eduGAIN AuthN+AuthR backend

- Link between the AAA servers (now acting as Service Providers) and eduGAIN

3rd: Universal Single Sign-On

- Users will be authenticated once, during the network access control phase
- The eduGAIN authentication would be bootstrapped from the NAS-SAML
- New method for delivering authentication credentials and new security middleware

4th goal: integrating applications, focusing on grids
Summary

- eduroam provides reasonable security
- AuthN is reasonable and is slowly being improved
- AuthR is relatively weak but being worked upon (that is, we hope that the eduGAIN guys and girls will give it to us)
- Currently the main inhibitor is politics

Thank you!
More info: [email protected]