eduroam and NREN

Michal Procházka, Jan Oppolzer
CESNET
Michal Procházka
Senior researcher at Masaryk University
Member of AAI department at CESNET
Member of AAI TF: ELIXIR, EGI
Participating in GEANT GN4p1 projects
More than 8 years of experience in IT security and AAI
Jan Oppolzer
Head of eduID.cz federation operator
Deputy of AAI department at CESNET
eduGAIN steering group delegate
Shibboleth v3 expert
Goal of the training
At the end of the day
Understand how eduroam works
What are the benefits
How to set up eduroam in your country and institutions
Ask questions
Outline
Survey
What is it?
How does it work?
eduroam and NREN
eduroam and organization
Requirements
Production
Survey
How many NRENs?
How many organizations?
How many linux administrators?
What is it?
Global identity federation
Provides network access
Mainly over the WiFi
Benefits
Easy roaming
Every user is identified
Useful for auditing and logging
Helps in case of security incident
Communication is encrypted
eduroam requires encrypted communication between client and AP
Video
https://www.youtube.com/watch?v=0VYp8wZG43k
How does it work?
[Diagram: a user from University ABC, identified by a username of the form user@realm, connects over WiFi at University 123. The Access Point forwards the authentication to University 123's RADIUS server, which proxies it through the Roaming Operator's central RADIUS proxy server to University ABC's RADIUS server and user DB. The signaling path and the data path are drawn separately; the visited network offers separate Employee, Student and Visitor VLANs.]
From the eduroam presentation "The Value of WLAN measurements for the R&E Community"
Terms
RO – Roaming Operator
ETLRS – European Top-level RADIUS Servers
FLRS – Federation Level RADIUS Server
IdP – eduroam Identity Provider
SP – eduroam Service Provider
NAS – Network Access Element
F-Ticks – Federated Ticker System
Infrastructure
Top level RADIUS server (ETLRS)
National RADIUS Proxy (FLRS)
Institutional RADIUS (IdP and/or SP)
Identity management system (IdM)
Access Points, switches (NAS)
Clients (Supplicant)
Monitoring (F-Ticks)
Protocols and security
802.1X
Supplicant to AP communication
RADIUS protocol
NAS to IdP communication
EAP protocol
Supplicant to IdP communication
PAP, CHAP, TLS, TTLS, MS-CHAPv2, …
TLS protocol
Securing FLRS to ETLRS as well as IdP to FLRS communication
Diagram from http://mrncciew.com
Authentication Protocols
PAP – Password Authentication Protocol
CHAP – Challenge-response Authentication Protocol
TLS – Transport Layer Security – X.509 authN
TTLS – Tunneled TLS with e.g. PAP
eduroam and NREN
National point to the global eduroam
Running FLRS
Proxying requests from SPs to IdPs and ETLRS
Monitoring infrastructure for IdPs
Requirements
Digital certificate accepted by eduroam PMA
Host with public IP address
Ideally two for HA or failover configuration
Web server
Optionally mailing list system
Software for FLRS
radsecproxy
Proxying RADIUS requests
Supports TLS
(r)syslog
Logging
Monitoring
eduroam monitoring
Process
Incoming request is routed to
National IdP
Routed up to the ETLRS
FLRS does not modify RADIUS packets
Only filtering is applied (e.g. remove VLANs)
F-ticks
Federated Ticker System
Used to monitor FLRS RADIUS servers
Leverage syslog
Example of the message:
F-TICKS/eduroam/1.0#REALM=%R#VISCOUNTRY=LU#CSI=%{Calling-Station-Id}#RESULT=OK#
Also addresses privacy issues
REALM can be replaced with "undisclosed"
Second part of the MAC can be hashed
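The following Python helper is an added example, not code from the slides or from the eduroam project: it parses records in the F-Ticks layout shown above and applies the two privacy options named on the slide (realm replaced with "undisclosed", device-specific half of the MAC hashed) before a record leaves the FLRS. The sample records, the salted SHA-256 hashing and the salt itself are assumptions of this example.

```python
import hashlib
import re

# Constructed sample F-Ticks records in the layout shown on the slide
# (made-up realm and MAC addresses, not real eduroam telemetry).
SAMPLE_TICKS = [
    "F-TICKS/eduroam/1.0#REALM=example.cz#VISCOUNTRY=LU#CSI=00-11-22-33-44-55#RESULT=OK#",
    "F-TICKS/eduroam/1.0#REALM=example.cz#VISCOUNTRY=LU#CSI=aa:bb:cc:dd:ee:ff#RESULT=FAIL#",
]

def parse_ftick(line):
    """Split one F-Ticks record into (version, dict of KEY=value fields in order)."""
    head, sep, rest = line.strip().partition("#")
    parts = head.split("/")
    if not sep or len(parts) != 3 or parts[:2] != ["F-TICKS", "eduroam"]:
        raise ValueError("not an F-Ticks record: %r" % line)
    fields = {}
    for chunk in rest.rstrip("#").split("#"):
        key, eq, value = chunk.partition("=")
        if not eq:
            raise ValueError("malformed field %r in %r" % (chunk, line))
        fields[key] = value
    return parts[2], fields

def format_ftick(version, fields):
    """Rebuild a record from its parts; the inverse of parse_ftick."""
    body = "#".join("%s=%s" % kv for kv in fields.items())
    return "F-TICKS/eduroam/%s#%s#" % (version, body)

def anonymize_csi(mac, salt):
    """Keep the vendor OUI (first three octets) and replace the device-specific
    half with a truncated, salted SHA-256 digest.  The salt (an assumption of this
    example) must stay secret to the FLRS: the 24-bit suffix is otherwise small
    enough to be enumerated and matched back to a device."""
    octets = re.split(r"[-:]", mac.strip().lower())
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError("unexpected MAC format: %r" % mac)
    digest = hashlib.sha256((salt + "".join(octets[3:])).encode("ascii")).hexdigest()
    return "-".join(octets[:3]) + "-" + digest[:12]

def anonymize_ftick(line, salt, disclose_realm=True):
    """Apply the two privacy options from the slide before forwarding a record."""
    version, fields = parse_ftick(line)
    if not disclose_realm:
        fields["REALM"] = "undisclosed"
    if "CSI" in fields:
        fields["CSI"] = anonymize_csi(fields["CSI"], salt)
    return format_ftick(version, fields)
```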
Communication channels
Web pages
Provide information for users and SPs
Must be on eduroam.TLD domain
Mailing list
Global eduroam mailing list
Mailing list for national SPs
eduroam and institution
Processing user authentication
Connection to the local IdM
User support
Usually operates as a SP
Technical Terms
IdP – eduroam identity provider
Supplicant
NAS – Network Access Service
AP – Access Point
switch
Identity provider
Providing user authentication
IdP selects authentication method
Proper user registration
Ideally connected to the organization IdM
IdP must be able to identify the user in person
Supplicant
Software initiating user authentication (EAP)
Creating secured tunnel to the IdP
Transferring user credentials to the IdP via the selected authN method
Securing data transfer from machine to AP
Included in Windows, Mac OS, Linux, Android, iOS, …
NAS
WiFi Access Point/switch
Must support 802.1X
Communicating with home IdP using RADIUS protocol
Shares secret with home IdP
WiFi security: WPA2/AES
Open ports
see 6.3.3 in eduroam Service Definition
Requirements
Digital certificate accepted by FLRS
Access to the IdM system (user authN)
Host with public IP address
Ideally two hosts for HA or failover
Optionally have the access points
Communication channels
Web pages and contact mail for users
Linked from eduroam.TLD
Containing information on how to join eduroam
Provides information about local restrictions
Filtered ports
NAT/IP ranges
Sources
https://www.eduroam.org