Transcript Network Access

UKERNA Update
James Sankar
8 September 2004
© The JNT Association 2004
JANET WAG focus area
Instant Message
Services
(IP/SMS/MMS)
SMS Gateway
Location
Independent
Networking
GSM,
GPRS,
UMTS
Location Aware
Services
Authentication,
Authorisation,
Accountability
802.11
Bluetooth
8 September 2004
Application
Layer
WISP
© The JNT Association 2004
Community
Based
Networks
Middleware
Layer
Access
Layer
Location Independent Networking (LIN)
What do we mean by LIN?
A trial service that supports the provision of
both wired and/or wireless short term
guest network access (Web-redirect, 802.1X,
VPN/Roamnode) that
-
Allows guest users to authenticate at their
home organisation (via JANET),
Once authenticated grants guest users
with wired or wireless network access at
the visited organisation.
The solution should be secure, scalable, with
minimal administrative and be as “hassle free”
to the guest user.
8 September 2004
© The JNT Association 2004
Location Independent Network access: National Solution
Wireless
LAN
Router
JANET
Deploy RADIUS (AAA) proxy servers
hierarchy (JANET Wireless Advisory
Group)
Aim: To allow users to
authenticate at their home and
gain network access or access
to their own resources
8 September 2004
© The JNT Association 2004
Organisation X
Authentication
Server (XAS)
Organisation Y
(Home
Authentication)
Server (YAS)
National
Authentication
Server (NAS)
Guest user’s resources
Location Independent Networking (LIN)
Recommended Technical Solution:
National Proxy RADIUS Hierarchy (to support a variety of roaming solutions)
European RADIUS
Proxy Server
European RADIUS
Proxy Server
National RADIUS
Proxy Server
National RADIUS
Proxy Server
Organisational
RADIUS Server
A
Organisational
RADIUS Server
B
Organisational
RADIUS Server
C
Organisational
RADIUS Server
D
Plan of work with indicative timescales
Phase 1: Agree LIN architecture, service support, policy (complete)
Phase 2: Build infrastructure & conduct proof of concept tests. (complete)
Phase 3: Issue a Call for a LIN trial (complete)
Start six month trial (January 2005).
8 September 2004
© The JNT Association 2004
Proof of concept test summary
• Infrastructure
–
–
–
–
RADIATOR NRPS, successfully built configured and tested.
Various ORPS successfully built configured and tested at 5 sites.
Authentication between 5 sites successful.
Authentication with European server in progress.
• One site experienced issues with Bluesocket
– Authentication took too long to authenticate the user, a hard coded
time out on BS led to denial.
• Proof of concept report to be written and put online shortly
with participants sample RADIUS configurations and
commentary.
• National LIN map with detailed information online.
• LIN Flyer produced, distributing to 1000+ technical
contacts.
8 September 2004
© The JNT Association 2004
Proof of concept test summary
• 802.1X, web redirect, Roamnode acceptable for trial.
• Security policy tightened with explicit details on how to
– Handle and notify of a security incident.
– Notify of any vulnerabilities related to RADIUS.
• Restriction to use only Mutual Authentication protocols.
– Mutual authentication means that both parties are authenticated.
This is necessary to prevent users from losing their credentials to
authenticators masquerading as "official" eduroam authenticators.
If a user can authenticate the authenticator, then the user knows
that it is safe to pass his credentials to the authenticator for
authentication.
8 September 2004
© The JNT Association 2004
Any questions ?
James Sankar
Email: [email protected]
Telephone: 01235 822 223
8 September 2004
© The JNT Association 2004