Review & debate on Deliverable G


Deliverable G – TF Mobility Group

A comparison of each national solution was made against Del C – “requirements”. The following solutions were assessed:
• 802.1x based authentication solution.
• VPN based authentication solution.
• Variation to VPN based authentication solution with client certificates.
• Web-based redirect authentication solution.
• Roamnode (PPPoE) authentication solution.

22nd September 2003
802.1x based authentication solution
– Layer 2 solution; the standard is still maturing, and some cheaper APs that support 802.1x are appearing on the market.
– Uses EAP or EAPOL.
– Uses RADIUS for authentication, authorisation and accounting.
– Can be scaled using a RADIUS proxy hierarchy to enable the visitor to authenticate at their home institution.
– Admin overhead involves loading an 802.1x client on mobile devices, RADIUS configuration and VLAN assignment.
– Non-802.1x client support is offered via website support; a general web-redirect authentication system may be looked into.
– EAP-TLS and TTLS security support (with WPA, TKIP and 802.11i extensions).
– Accountability via RADIUS logging and user reports to the helpdesk (e.g. stolen mobile device).
VPN based authentication solution
– Layer 3 solution, mature standard.
– Can be scaled using an overlay network of assigned address space for VPN gateways, or control lists of VPN gateways.
– Admin overhead in loading a VPN client on mobile devices and configuring VPN gateways, access lists and VLANs.
– Strong security via encrypted tunnels for each connection.
– Accountability via the user’s home institution, as the user authenticates and gets their IP address from there; also user reports to the helpdesk (e.g. stolen mobile device).

VPN based authentication solution with client certificates
– Admin overhead required to install client certificates on mobile devices and to maintain / manage a PKI.
Web based redirect authentication solution
– Requires a web browser with HTTP or HTTPS support; no additional client software is likely to be required.
– Uses RADIUS for authentication, authorisation and accounting.
– Can be scaled using a RADIUS proxy hierarchy, with authentication at the visiting user’s home institution.
– Minimum admin overhead, as unknown authentication requests are forwarded back across the RADIUS proxy hierarchy.
– Less secure than the other authentication solutions: authentication relies on a web-based login page, and there is no provision to prevent authorised users in a VLAN from seeing each other’s traffic.
– Accountability via RADIUS logging and user reports to the helpdesk (e.g. stolen mobile device).
Roamnode (PPPoE) authentication solution
– Uses PPPoE.
– Decouples the process of establishing a physical network connection from establishing a logical network connection.
– Uses a RADIUS back end for the AAA service.
– Uses an overlay network for visiting users.
– Uses a VPN gateway via an IP-in-IP tunnel.
– Requires proprietary equipment at the home and visited institution, and client operating systems with PPPoE support.
– Accountability via RADIUS logging and user reports to the helpdesk (e.g. stolen mobile device).
Conclusion
– A European AAA based on one solution is not practical.
– A solution that supports the various national solutions is needed.

Recommendations: a phased development / testing approach. The original slide is a flowchart; its boxes, in reading order, are:
– Conduct feasibility tests on creating a scalable VPN solution.
– Subject to feasibility, build the proposed VPN solution.
– Extend the solution to agree mechanisms for the exchange of credentials (e.g. PKI).
– Resolve scaling and interoperability issues for all AAA (802.1x, VPN, VPN + PKI, web-based redirect, PPPoE).
– Consolidate findings into a trial report.
– Build and scale a RADIUS proxy hierarchy for non-VPN AAA (could extend to VPN if possible?).
Revised Recommendations (as a result of discussions in Berlin) – a phased development / testing approach. The original slide is a flowchart; its boxes, in reading order, are:
– Conduct feasibility tests on creating a scalable VPN solution.
– Resolve scaling and interoperability issues for 802.1x, VPN, web-based redirect and PPPoE.
– Subject to feasibility, build the proposed CASG solution.
– Extend to VPN in parallel.
– Build and scale a RADIUS proxy hierarchy for non-VPN AAA.
– Consolidate findings into a trial report.
– Work on software changes to PPPoE to facilitate roaming.
Update on inter NREN tests
The original slide is a diagram of the test RADIUS proxy hierarchy; its elements are:
– Top-level RADIUS proxy server and backup top-level RADIUS proxy server, currently hosted at SURFnet: etlr1.radius.terena.nl (192.87.36.6) and etlr2.radius.terena.nl (195.169.131.2).
– National RADIUS proxy servers, currently linked to FCCN (Portugal), SURFnet (Netherlands) and CARNET (Croatia).
– Organizational RADIUS servers A to G, attached below the national proxy servers; Organizational RADIUS Server C is currently directly linked to the University of Southampton.
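The slides say a RADIUS proxy hierarchy lets a visitor authenticate at their home institution (802.1x and web-redirect slides) and show the inter-NREN test tree above. The following is an added example, not code from the slides or from TERENA: a toy model of realm-based forwarding through such a hierarchy. The server names, realms, users and passwords are constructed, the suffix-matching rule and the hop limit are simplifications of what a real proxy does, and nothing here speaks the RADIUS wire protocol.

```python
"""Toy model of the RADIUS proxy hierarchy from the TF Mobility slides.

Realm-based routing: the visited organisation's RADIUS server does not know the
visitor, so it forwards the Access-Request up to its national proxy and, if the
realm belongs to another country, on to the top-level proxy, which routes it
down to the user's home institution. Only the home server holds credentials.
Every hop records what it did, which is the "accountability via RADIUS logging"
the slides rely on. All names, realms and passwords here are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACCESS_ACCEPT = "Access-Accept"
ACCESS_REJECT = "Access-Reject"
MAX_HOPS = 8  # constructed loop guard; real proxies use Proxy-State and hop limits


@dataclass
class RadiusServer:
    name: str
    home_realm: Optional[str] = None                     # set only on organisational servers
    users: Dict[str, str] = field(default_factory=dict)  # local user -> password (home only)
    routes: Dict[str, "RadiusServer"] = field(default_factory=dict)  # realm suffix -> downstream
    parent: Optional["RadiusServer"] = None              # upstream proxy; None at the top level
    log: List[str] = field(default_factory=list)         # this server's RADIUS log

    def _downstream(self, realm: str) -> Optional["RadiusServer"]:
        # Longest-suffix match: the top-level proxy routes on country codes ("nl", "uk"),
        # a national proxy on the full realm of each institution it serves.
        best: Optional[Tuple[str, "RadiusServer"]] = None
        for suffix, server in self.routes.items():
            if realm == suffix or realm.endswith("." + suffix):
                if best is None or len(suffix) > len(best[0]):
                    best = (suffix, server)
        return best[1] if best else None

    def handle(self, user_name: str, password: str, hops: int = 0) -> Tuple[str, List[str]]:
        """Process an Access-Request; return (result, names of servers traversed)."""
        if hops > MAX_HOPS:
            self.log.append(f"{user_name}: hop limit exceeded (proxy loop?) -> {ACCESS_REJECT}")
            return ACCESS_REJECT, [self.name]
        local, sep, realm = user_name.rpartition("@")
        if not sep:                       # bare user name: treat as a local user
            local, realm = user_name, self.home_realm or ""
        if realm == self.home_realm:      # we are the home institution: authenticate here
            result = ACCESS_ACCEPT if self.users.get(local) == password else ACCESS_REJECT
            self.log.append(f"{user_name}: authenticated locally -> {result}")
            return result, [self.name]
        nxt = self._downstream(realm) or self.parent
        if nxt is None:                   # top of the tree and still no route
            self.log.append(f"{user_name}: no route for realm '{realm}' -> {ACCESS_REJECT}")
            return ACCESS_REJECT, [self.name]
        self.log.append(f"{user_name}: realm '{realm}' not local, proxying to {nxt.name}")
        result, path = nxt.handle(user_name, password, hops + 1)
        self.log.append(f"{user_name}: relayed {result} from {nxt.name}")
        return result, [self.name] + path


def build_hierarchy() -> Dict[str, RadiusServer]:
    """Constructed test bed shaped like the slide: one top-level proxy, three national
    proxies and one organisational server per country (all names are placeholders)."""
    top = RadiusServer("top-level-proxy")
    nl = RadiusServer("nl-national-proxy", parent=top)
    uk = RadiusServer("uk-national-proxy", parent=top)
    pt = RadiusServer("pt-national-proxy", parent=top)
    top.routes = {"nl": nl, "uk": uk, "pt": pt}
    org_a = RadiusServer("org-a", home_realm="org-a.example.nl", users={"alice": "s3cret"}, parent=nl)
    org_c = RadiusServer("org-c", home_realm="org-c.example.ac.uk", users={"bob": "hunter2"}, parent=uk)
    org_d = RadiusServer("org-d", home_realm="org-d.example.pt", users={"carol": "pa55word"}, parent=pt)
    nl.routes = {"org-a.example.nl": org_a}
    uk.routes = {"org-c.example.ac.uk": org_c}
    pt.routes = {"org-d.example.pt": org_d}
    return {s.name: s for s in (top, nl, uk, pt, org_a, org_c, org_d)}


def audit_trail(servers: Dict[str, RadiusServer], user_name: str) -> List[str]:
    """Collect every log line about one user across all servers: the trail a helpdesk
    would follow after a report such as a stolen device."""
    return [f"{s.name}: {line}" for s in servers.values()
            for line in s.log if line.startswith(user_name + ":")]


if __name__ == "__main__":
    servers = build_hierarchy()
    # alice (home: org-a, NL) connects at org-c (UK): the request climbs to the top and back down
    result, path = servers["org-c"].handle("alice@org-a.example.nl", "s3cret")
    print(result, "via", " -> ".join(path))
    for line in audit_trail(servers, "alice@org-a.example.nl"):
        print(" ", line)
```

Two behaviours worth trying: a realm no proxy knows (e.g. `mallory@nowhere.example`) is rejected cleanly at the top-level proxy, but a realm under a known country code that the national proxy has no route for bounces between the national and top-level proxies until the hop guard fires. That is why a national proxy should reject unknown realms under its own country code itself rather than hand them upward.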