radius - Belnet - Events


Workshop eduroam
Belnet – Frédéric Libotte
Brussels – 10 May 2012


Meeting agenda
13:30 Introduction
13:45 Technical infrastructure
14:00 How to implement eduroam + Demo
15:30 Future of the service
15:45 Your questions & conclusions
16:00 Networking drink
10/05/2012 Belnet - Workshop eduroam


Introduction


Round table
• Your name, organisation?
• Any prior experience?
• Your expectations for this meeting?


The Belnet Service Portfolio


What is it?
~ "education roaming"
= simple and secure access to the wireless network of your own institution, but also to those of all other participating institutions
= a joint initiative of the main European research networks
For whom? Students, researchers and teaching staff


A European initiative since 2003
• Europe: eduroam-enabled. Now also in: USA, Canada, Australia. More info: www.eduroam.org
• Belgium: 30+ universities & colleges participating in Belnet's eduroam service. More info: www.eduroam.be


Why eduroam?
The advantages:
• Increased mobility: users of R&E institutions have wireless Internet access
• Efficient registration: the user only needs a single account, valid on any campus that uses eduroam
• Security: proper management of user accounts and access privileges
• Cost savings: eduroam is available at no extra charge, for R&E institutions only


eduroam Workshop
Technical Infrastructure
Belnet – A. Adamantiadis, S. Gulinck, N. Loriau
Brussels – 10 May 2012


Technical infrastructure
Technical Framework
– Principles
– Components
– Authentication flow
Demo
– Objectives
– Test environment
– Radiator installation
Future of the service


Technical Framework


Principles
To install eduroam, you need:
– Wi-Fi access points and/or 802.1X switches
– A RADIUS server
– A user database (LDAP / AD)
eduroam is a hierarchy of RADIUS servers
– Your only point of contact is Belnet
Documentation available on http://www.eduroam.be


Principles
eduroam is:
– A trust-based relationship between members
– An agreement on roaming technologies
Chain of trust:
– All direct peers must be known beforehand
– Shared secrets must be exchanged "out-of-band"
– Agreement on authentication protocols & methods


Principles
Hierarchy of authentication servers (AS):
– "Confederation": International Top-Level AS
– "Federation": Belgian Top-Level AS, French Top-Level AS
– "Institution": the AS of Institution-A.be, Institution-B.be, Institution-C.fr, Institution-D.fr


Components
Client / Supplicant
Network Access Server / Authenticator / Service Provider
Authentication Server / Identity Provider
User identity source


Components
Client / Supplicant
– Software on the end user's device which handles network authentication
– Minimum requirements: WPA2, EAP-TTLS, PEAP enabled


Components
Network Access Server / Authenticator / Service Provider
– IEEE 802.1X enabled switch or wireless access point which gives Clients access to the (W)LAN
– Separate VLANs for home and visiting end users


Components
Authentication Server / Identity Provider
– Remote Authentication Dial In User Service compliant (RFC 2865/2866)
– NOT a user database
– Authenticates home end users against the local user database
– Forwards requests of visiting end users
– Software:
  • Radiator
  • FreeRADIUS
  • MS Windows 2008 R2


Components
User identity source
– LDAP/AD
– Local database / SQL


Protocols and Methods
EAP Framework
– Extensible Authentication Protocol (RFC 3748; the EAP key management framework is RFC 5247)
– NOT a wire protocol nor an authentication mechanism
– Defines authentication data formats
– Negotiates which authentication method/type is used


Protocols & Methods
EAP Methods/Types: "How does EAP authenticate?"
– Use the EAP framework to remotely authenticate the end user's credentials against their home institution's Identity Provider
– 40+ different methods exist > use the common, secure ones!
  • Outer authentication: EAP-TTLS (RFC 5281), PEAP
  • Inner authentication: MSCHAPv2 (RFC 2759)


Protocols & Methods
EAP Encapsulation: "How EAP is transported"
– To transport EAP messages, they must be encapsulated
– Between Client and SP (802.1X):
  • EAP over LAN = "EAPOL"
– Between SP & IdP, and IdP & IdP:
  • RADIUS (EAP-Message attribute, RFC 3579)
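As an added example (not from the Belnet slides), the RADIUS leg of this encapsulation in Python: the SP builds an Access-Request that carries the EAP Response/Identity in an EAP-Message attribute and signs the whole packet with the out-of-band shared secret via the Message-Authenticator attribute (HMAC-MD5, RFC 3579); the IdP recomputes the HMAC before it trusts anything in the packet. The secret, the identity and the NAS address below are constructed values.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def attribute(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_identity_response(eap_id, identity):
    """EAP Response/Identity: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    type_data = struct.pack("!B", EAP_TYPE_IDENTITY) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(type_data)) + type_data


def build_access_request(secret, radius_id, outer_identity, nas_ip, eap_id=1):
    """SP side: wrap the EAP identity response in RADIUS and sign it with HMAC-MD5
    over the packet, Message-Authenticator zeroed (RFC 3579 section 3.2)."""
    request_authenticator = os.urandom(16)  # random for Access-Request (RFC 2865)
    attrs = (
        attribute(ATTR_USER_NAME, outer_identity.encode())
        + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
        + attribute(ATTR_EAP_MESSAGE, eap_identity_response(eap_id, outer_identity))
        + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, filled below
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, HEADER_LEN + len(attrs))
    packet = bytearray(header + request_authenticator + attrs)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def iter_attributes(packet):
    """Yield (type, value, offset) per attribute; raise on a length that does not fit."""
    declared = struct.unpack("!H", packet[2:4])[0]
    if declared != len(packet) or declared < HEADER_LEN:
        raise ValueError("RADIUS Length does not match the datagram")
    offset = HEADER_LEN
    while offset < declared:
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > declared:
            raise ValueError("malformed attribute length")
        yield attr_type, packet[offset + 2:offset + attr_len], offset
        offset += attr_len


def verify_message_authenticator(secret, packet):
    """IdP side: require exactly one 16-byte Message-Authenticator (mandatory with
    EAP-Message), recompute it with the value zeroed, compare in constant time."""
    try:
        attrs = list(iter_attributes(packet))
    except (ValueError, IndexError, struct.error):
        return False
    found = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][0]) != 16:
        return False
    value, offset = found[0]
    zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, value)


def outer_identity(packet):
    """User-Name as seen by every RADIUS hop; it is what the proxies route on,
    and it crosses UDP RADIUS in clear."""
    for attr_type, value, _ in iter_attributes(packet):
        if attr_type == ATTR_USER_NAME:
            return value.decode()
    return None


if __name__ == "__main__":
    secret = b"out-of-band-shared-secret"  # constructed; real secrets come from Belnet out-of-band
    pkt = build_access_request(secret, 7, "user@institution-B.be", "192.0.2.10")
    print(outer_identity(pkt), verify_message_authenticator(secret, pkt))
```

A request with no Message-Authenticator, two of them, a wrong secret, a truncated datagram or a single flipped byte in User-Name all fail verification; what the check does not do is hide the User-Name, which is the sniffing problem the RadSec slides address.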


Security
EAP, 802.1X and RADIUS must be secured
Choice of security mechanisms is important
(Diagram: Client – Service Provider Institution-A.be – Identity Provider Institution-B.be, for user@institution-B.be)


Security
Outer authentication
– Goal: securely transport the EAP messages between peers
– Authenticate the server (to avoid MitM attacks)
– PEAP, EAP-TTLS
Inner authentication
– Transmit the user's credentials inside the tunnel
– via MSCHAPv2
– MSCHAPv2 is only acceptable inside the TLS tunnel: a client that does not verify the server certificate will run the MSCHAPv2 exchange with any rogue access point


Authentication Flow – National Level
Actors: User (user@institution-B.be), Service Provider Institution-A.be, Identity Provider Institution-A.be, Belgian Top-Level RADIUS, Identity Provider Institution-B.be
1. The User contacts the Service Provider (SP) (wireless access point) of institution A (SSID = eduroam).
2. The SP of institution A asks for the user's identity. Not yet the credentials!
3. The user identity is transmitted to the Identity Provider (IdP) (RADIUS server) of institution A in a RADIUS Access-Request message carrying the EAP response.
4. Based on the identity, the IdP of institution A knows that the user does not belong to its own user database and transmits the Access-Request to the Belgian RADIUS server.
5. Based on the realm part of the identity, the Belgian RADIUS server transmits the Access-Request to the RADIUS server of institution B.
6a. Now the IdP of institution B knows the User, and a TLS tunnel is established between the User and the RADIUS server of institution B using the EAP encapsulation mechanism (outer authentication).
6b. During TLS establishment the User checks the RADIUS server certificate of his own institution.
7. Now the User is authenticated against his own institution's IdP, using traditional mechanisms (challenges, certificates, tokens, ...) (inner authentication).
8. If the User is correctly authenticated, the RADIUS server of institution B sends an Access-Accept to the Belgian RADIUS server; otherwise it sends an Access-Reject.
9. The Belgian RADIUS server forwards the Access-Accept to institution A.
10. The IdP of institution A tells its SP to grant access to the User and provides all information related to the local eduroam access policy (VLAN, IP address, ...).
11. The User can now access the LAN and the Internet.


Authentication Flow – International Level
Actors: International Top-Level RADIUS, Belgian Top-Level RADIUS, French Top-Level RADIUS, IdP Institution-A.be, IdP Institution-C.fr, SP Institution-A.be, user@institution-C.fr
Identical to the national flow, with one extra step between the national – international – national RADIUS servers
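The routing decisions of steps 3 to 5 and 9 above, plus the extra national – international – national hop, as an added Python example that is not part of the original workshop material. The server names (idp-a.be, be-top, etlr, ...), realms and route table are constructed to mirror the diagrams; real peers and shared secrets are agreed with Belnet. Each server either authenticates the realm itself, forwards to the peer it knows for that realm suffix, or falls back to its upstream; identities without a realm, unknown realms and routing loops end in a reject.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    local_realms: FrozenSet[str] = frozenset()            # realms this server authenticates itself
    routes: Dict[str, str] = field(default_factory=dict)  # realm suffix -> authoritative peer
    upstream: Optional[str] = None                        # default peer towards the top (None at the top)


def extract_realm(user_name: str) -> Optional[str]:
    """Realm part of the outer identity (RFC 4282 NAI): the text after the single '@',
    lower-cased for matching. None means the request cannot be routed."""
    if user_name.count("@") != 1:
        return None
    user, realm = user_name.split("@")
    realm = realm.strip().lower().rstrip(".")
    if not user or not realm or any(label == "" for label in realm.split(".")):
        return None
    return realm


def next_hop(server: RadiusServer, realm: str) -> Optional[str]:
    """What this server does with an Access-Request for `realm`:
    "LOCAL", the name of the next peer, or None when nothing matches."""
    if realm in server.local_realms:
        return "LOCAL"
    labels = realm.split(".")
    # Longest-suffix match: 'wifi.institution-b.be' follows the 'institution-b.be' route
    # at the federation level, while the top level matches on the bare country code.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in server.routes:
            return server.routes[suffix]
    return server.upstream


def route(servers: Dict[str, RadiusServer], entry: str, user_name: str,
          max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow the Access-Request from the visited institution's RADIUS server through
    the hierarchy. Returns ("AUTHENTICATE" | "REJECT", path of servers visited)."""
    realm = extract_realm(user_name)
    path = [entry]
    if realm is None:
        return "REJECT", path  # nothing to route on: reject at the visited site
    while True:
        hop = next_hop(servers[path[-1]], realm)
        if hop == "LOCAL":
            return "AUTHENTICATE", path
        if hop is None or hop in path or len(path) >= max_hops:
            return "REJECT", path  # unknown realm, or a routing loop between peers
        path.append(hop)


# Constructed hierarchy mirroring the slides' diagrams (no real Belnet peers).
HIERARCHY = {
    "idp-a.be": RadiusServer("idp-a.be", frozenset({"institution-a.be"}), upstream="be-top"),
    "idp-b.be": RadiusServer("idp-b.be", frozenset({"institution-b.be"}), upstream="be-top"),
    "idp-c.fr": RadiusServer("idp-c.fr", frozenset({"institution-c.fr"}), upstream="fr-top"),
    "be-top": RadiusServer("be-top", routes={"institution-a.be": "idp-a.be",
                                             "institution-b.be": "idp-b.be"}, upstream="etlr"),
    "fr-top": RadiusServer("fr-top", routes={"institution-c.fr": "idp-c.fr"}, upstream="etlr"),
    "etlr": RadiusServer("etlr", routes={"be": "be-top", "fr": "fr-top"}),
}


if __name__ == "__main__":
    for identity in ("user@institution-B.be", "user@institution-C.fr", "user", "user@nowhere.de"):
        print(identity, "->", route(HIERARCHY, "idp-a.be", identity))
```

The national case visits three servers and the international case five, exactly the extra hop the slide describes; a sub-realm that the home IdP does not serve comes back to the federation server and is rejected by the loop check rather than bouncing between peers.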


How to implement eduroam + Demo


How to implement eduroam
Objectives:
– Configuration of the Radiator RADIUS server
– Authenticate users against the test domain eduroamtest.be
– Discuss other options
– Best practices


Prerequisites (out of scope)
Wi-Fi access point that must:
– be IEEE 802.1X compliant
– broadcast the SSID "eduroam"
– offer IEEE 802.11b or better
– implement WPA/TKIP or better (Belnet strongly recommends WPA2-AES!)
– allow traffic on the defined ports (please refer to eduroam.org)
User database:
– LDAP
– Active Directory


Prerequisites (out of scope)
Server certificates
– Don't use a self-signed server certificate
– Successfully import the server & chain certificate into Windows
– Use dcs.belnet.be to get a free signed server certificate
Correct server time
– Important for the setup of TLS tunnels (certificate validity is checked against the clock)
– Use Belnet's NTP server time.belnet.be to get the correct time
Firewalls & Ports
– UDP 1812 (authentication)
– UDP 1813 (accounting)


Demo environment: Components overview
– Belgian Top-Level RADIUS: roaming1.belnet.be, roaming2.belnet.be
– Access points: wap-1, wap-2, wap-3
– wlan-ctrl.eduroamtest.be
– radius.eduroamtest.be
– ldap.eduroamtest.be


Hierarchy
– "Inter-federation": International Top-Level AS
– "Federation": Belgian Top-Level AS (roaming1.belnet.be, roaming2.belnet.be), French Top-Level AS
– "Institution": the AS of belnet.be, eduroamtest.be, Institution-C.fr, Institution-D.fr


Authentication Flow (demo)
– Belgian Top-Level RADIUS: roaming1.belnet.be, roaming2.belnet.be
– Belnet (visited network): wap.belnet.be, wlan-ctrl.belnet.be, radius.belnet.be, ldap.belnet.be, SSID = "eduroam"
– eduroamtest.be (home institution): radius.eduroamtest.be, ldap.eduroamtest.be
A user from institution eduroamtest.be (user1@eduroamtest.be) sends an access request to Belnet's "eduroam" WLAN, following the eduroam authentication flow


Radiator Installation
Why "Radiator"?
– Belnet uses this product
– Easy & straightforward to deploy on Linux, Windows, ...
– Broad support for Identity & Access Management backends
– One of the first solutions which supported RadSec


Radiator Installation
Server set-up:
– Ubuntu Server 10.04 LTS "out-of-the-box"
– Radiator 4.9 for a virtual home organisation "eduroamtest.be" in a Linux environment
– Valid server certificate


Radiator Installation (demo steps, each shown on the demo environment diagram: roaming1.belnet.be, roaming2.belnet.be, wap-1, wap-2, wap-3, wlan-ctrl.eduroamtest.be, radius.eduroamtest.be, ldap.eduroamtest.be)
– Link with LDAP
– Configuring the RADIUS client (WLAN controller)
– Configuring the remote RADIUS
– Configuring proxy RADIUS
– Configuring the top-level RADIUS


Registration @ Belnet
eduroam web-interface
– Facilitates the configuration of your eduroam parameters
  • RADIUS servers
  • Shared secrets
  • Test accounts


FreeRADIUS
Same demo with FreeRADIUS


Future of the service


Future of the service
Within Belnet
– Realtime monitoring
In general
– Replacement of RADIUS by RadSec


Belnet
Realtime monitoring
– Create a website for the Belgian eduroam federation where the status of each realm can be viewed
– By analogy with the European eduroam confederation website:
  • monitor.eduroam.org


International – RadSec (1/4)
Problems with conventional UDP RADIUS proxying
(Diagram: RADIUS Server – X – RADIUS Server, each with its User DB)
– Packets can be sniffed: Username: user1, IP: 203.63.154.1, ... are visible in clear (and the credentials too, if not using TTLS or PEAP)
– Packets can be dropped due to congestion


International – RadSec (2/4)
RadSec proxying
(Diagram: RADIUS Server – RadSec Proxy – RadSec Proxy – RADIUS Server, each with its User DB)
– RadSec: RADIUS packets encrypted with TLS on a TCP/IP stream; on the wire only ciphertext (...Jki@3!o8$(,qTG1#iwh0è...) is visible


International – RadSec (3/4)
RadSec (RADIUS over TLS, RFC 6614):
• Is based on TCP: reliable delivery, no datagrams silently dropped
• Encrypts all messages through a TLS tunnel by default (confidentiality and integrity)
• Supports mutual authentication with public key certificates by default
• Supports (with DNS) peer-to-peer connections between RADIUS servers


International – RadSec (4/4)
By whom?
– Ideally everybody switches at once, but in practice this will go in phases, i.e. per federation
How?
– Within the existing RADIUS infrastructure a RadSec proxy can be enabled for translation
– Once enough institutions are RadSec enabled, the full switch can be made and the UDP RADIUS servers are fully decommissioned


Conclusion


Conclusion
Technical Framework
Demo
Future of the service
Belnet is there to help you
Q&A


What do you think?


Final round table
Is your organisation ready to join eduroam?
No? Why not?
What more do you need from Belnet to get started?


Thank you
