EduRoam crash course

EduRoam crash course and future
Géant2 JRA5 meeting
Zürich, January 17 2005
[email protected]
EduRoam crash course
Requirements definition
• Enable NREN users to use the Internet (WLAN and wired) everywhere in Europe with:
  – Minimal administrative overhead (per roaming user)
  – Good usability
  – Maintaining required security for all partners
  – Scalable!
• Results
  – Web: Scalable, Unsafe
  – VPN: Hard to scale, Safe
  – 802.1X: Safe, Scalable… but new
  – 802.1X and Web-based can both use a RADIUS trust fabric
EduRoam
[Figure: EduRoam architecture. A supplicant (the guest piet@institution_b.nl) connects to an authenticator (AP or switch) at Institution A. Institution A's RADIUS server forwards the request over the Internet, via a central RADIUS proxy server, to Institution B's RADIUS server, which checks its user DB; Institution A has its own user DB for local users. Signalling and data paths are drawn separately, and users are placed in an Employee, Student or Guest VLAN.]
• Trust fabric based on RADIUS
• 802.1X and EAP (or Web)
• (802.1Q VLAN assignment)
• Policies are applied on the different levels
Tunneled Authentication (TTLS/PEAP)
• Uses a TLS tunnel to protect data
  – The TLS tunnel is established using the server certificate, automatically authenticating the server and preventing man-in-the-middle attacks
  – Mutual authentication
• Allows use of dynamic session keys for line encryption
[Figure: 802.1X client and EAP RADIUS server. Server authentication sets up the TLS tunnel; user authentication then runs inside it, protected by the tunnel. © Alfa&Ariss]
Limitations and possible solutions
EduRoam - Limitations
[Figure: the proxy hierarchy. A European server sits above the national servers (.nl, .ac.uk, …, .es); uva.nl hangs under .nl and uclm.es under .es, each with an access point. The roaming user's account lives in the home institution's user database.]
• AA traffic goes through all intermediate entries
• All links are peer-to-peer agreements / static routes
• Authentication = authorization
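The realm-based static routing behind the three limitations above, as an added example that is not part of the presentation: a small Python model of the proxy hierarchy (all server names and routing tables are constructed) that traces which servers an Access-Request crosses on its way to the home server, and fails cleanly when a default route would bounce an unknown realm back up the tree.

```python
# Added example, not part of the slides: a toy model of the eduroam RADIUS
# proxy hierarchy (institution -> national top-level -> European root) in
# which every link is a static route keyed on the realm of the user name.
# All server names are constructed for the example.

LOCAL = "local"  # marker: this server owns the realm's user database

# Static routing tables: server -> {realm suffix: next hop}. A realm matches an
# entry when it equals the suffix or ends with "." + suffix; the longest match
# wins, and "DEFAULT" is the upward link used for everything else.
ROUTES = {
    "radius.uclm.es": {"uclm.es": LOCAL, "DEFAULT": "radius.es"},
    "radius.uva.nl": {"uva.nl": LOCAL, "DEFAULT": "radius.nl"},
    "radius.es": {"uclm.es": "radius.uclm.es", "DEFAULT": "radius.eu.example"},
    "radius.nl": {"uva.nl": "radius.uva.nl", "DEFAULT": "radius.eu.example"},
    "radius.eu.example": {"es": "radius.es", "nl": "radius.nl"},
}

def realm_of(nai):
    """Realm part of a Network Access Identifier such as 'piet@uva.nl'."""
    _user, sep, realm = nai.partition("@")
    if not sep or not realm:
        raise ValueError(f"no realm in {nai!r}")
    return realm.lower()

def next_hop(server, realm):
    """Next server for `realm` according to `server`'s static table."""
    table = ROUTES[server]
    matches = [s for s in table
               if s != "DEFAULT" and (realm == s or realm.endswith("." + s))]
    return table[max(matches, key=len)] if matches else table.get("DEFAULT")

def route(start, nai, max_hops=8):
    """Servers an Access-Request visits from `start` up to the home server.
    Only the realm is inspected, so an anonymous outer identity such as
    'anonymous@uva.nl' is routed exactly like the real inner user name."""
    realm = realm_of(nai)
    path, server = [start], start
    while True:
        hop = next_hop(server, realm)
        if hop == LOCAL:
            return path
        if hop is None or hop not in ROUTES:
            raise LookupError(f"{server}: no usable route for realm {realm!r}")
        if hop in path or len(path) >= max_hops:
            # A default route pointing back upward turns an unknown realm
            # into a proxy loop; fail instead of bouncing the request forever.
            raise RuntimeError(f"proxy loop for realm {realm!r}: {path + [hop]}")
        path.append(hop)
        server = hop
```

`route("radius.uclm.es", "guest@uva.nl")` returns all five servers the request passes through, which is the "AA traffic goes through all intermediate entries" point; because only the realm is read, the proxies see nothing more when the inner identity is hidden in a TTLS/PEAP tunnel.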
Alternative – RADIUS / PKI infra
[Figure: RADIUS / PKI infrastructure (© Telematica Instituut). All parties in the roaming domain use certificates issued by the roam.org Certificate Authority. Entities: the client (e.g. at an 802.11 access point), the visiting realm's radius.visit.org (proxy for other realms, with the visit.org user account DB), the home realm's radius.home.org (with the home.org user account DB), and the roam.org CA. Steps: 1 authenticate/authorize from the client; 2 set up an IPsec/TLS connection peer-to-peer between the two RADIUS servers, each verifying the other's certificate against the CA (2a to 2d); steps 3 to 5 (unlabelled in the figure) end with the home server's OK.]
Alternative Solutions - DIAMETER infra
[Figure: DIAMETER infrastructure (© Telematica Instituut); see section 2.8.3 of RFC 3588 "Diameter Base Protocol". All connections between entities are secured with IPsec or TLS (using a shared secret, PKI, …). Entities: the client (e.g. at an 802.11 access point), the visit.org DIAMETER server (relay for other realms, with the visit.org user account DB), the roam.org DIAMETER redirector (broker), reached over static routes from both visit.org and home.org, and diameter.home.org (with the home.org user account DB). Steps: 1 authenticate/authorize from the client; 2 the visiting server contacts the redirector over its static route; 3 the redirector answers with a redirect to diameter.home.org; 4 the visiting server takes the dynamic route and sets up a secure connection directly to the home server; steps 5 to 7 end with the home server's OK.]
Alternative - RADIUS-DNSSEC infra
[Figure: RADIUS-DNSSEC infrastructure (© Telematica Instituut). Entities: the client (e.g. at an 802.11 access point), the visit.org RADIUS server (proxy for other realms, with the visit.org user account DB), a caching forwarder DNS server, the DNS server authoritative for roam.org, and the home.org RADIUS server (with the home.org user account DB). Steps: 1 authenticate/authorize from the client; 2 the visiting RADIUS server performs a secure lookup of the RADIUS server associated with home.org.roam.org via the caching forwarder; 3 the forwarder queries the server authoritative for roam.org; 4 and 5 the answer comes back (an A record, 111.222.111.222 in the figure, and a CERT record carrying the server's key); 6 the visiting server establishes the connection to the home server dynamically, peer-to-peer; steps 7 to 9 end with the home server's OK.]
EduRoam – Authorization?
[Figure: the same proxy hierarchy (European server over .nl, .ac.uk, …, .es), with Elsevier.nl under .nl and uclm.es under .es; the roaming user's account is in the user database under uclm.es.]
• Will you authenticate Rodrigo for access to Elsevier?
• Has Diego passed his PAPI exam?
• In general: How to pass attributes back and forth (SAML?)
EduRoam – Access to applications?
[Figure: the same hierarchy (European server over .nl, .ac.uk, …, .es), with uva.nl running Shibboleth under .nl and uclm.es running A-Select and PAPI under .es; the roaming user tries to reach a Resource at the remote site.]
• How do all these applications communicate? (SAML?)
• But the user tries to connect to the remote resource, not to the home Shibboleth…
• How can you protect credentials? Tunneled authentication?
SSO
Basic concepts
• Tokens
• Client software?