EAP-TLS in eduroam using TCS Personal Certificates José Manuel Macías Luna, RedIRIS Juan C. Sánchez-DelBarrio, BSC TF-MnM Lyon, 16 Feb 2011.

Slides:



Advertisements
Similar presentations
Suchin Rengan Principal Technical Architect Salesforce.com
Advertisements

P u t y o u r h e a d o n m y s h o u l d e r.
REFEDS. Rome, October 2009 The OpenID Case Why It’s Not a Bad Idea to Play with The Big Guys.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Report on Attribute Certificates By Ganesh Godavari.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Infocard and Eduroam Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz.
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.
Using InCommon Client Certs for eduroam Jeff Hagley and Ryan Martin October 3 rd, 2011 Internet2 Fall Member Meeting.
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.
Senior Technical Writer
HalFILE 3.0 Active Directory Integration. halFILE 3.0 AD – What is it? Centralized organization of network objects and security – servers, computers,
Windows 2003 and 802.1x Secure Wireless Deployments.
February 2006Colby College ITS Using FTP. February 2006Colby College ITS Topics FTP Options at Colby For Mac Users For Windows Users.
Creative Commons Share Alike Attribution 3.0 Active Directory on ARM Running an Embedded Active Directory Domain Controller on the BeagleBoard.
Copyright 2007, Information Builders. Slide 1 WebFOCUS Authentication Mark Nesson, Vashti Ragoonath Information Builders Summit 2008 User Conference June.
5 Copyright © 2008, Oracle. All rights reserved. Configuring the Oracle Network Environment.
5.1 © 2004 Pearson Education, Inc. Lesson 5: Administering User Accounts Exam Microsoft® Windows® 2000 Directory Services Infrastructure Goals 
Penn State/Napster 2.0 Trial Russell S. Vaught Associate Vice Provost Information Technology.
SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.
TWSd - Security Workshop Part I of III T302 Tuesday, 4/20/2010 TWS Distributed & Mainframe User Education April 18-21, 2010  Carefree Resort  Carefree,
NIS overview Centralized user/password pool Before LDAP. NIS: ypcat passwd reveals shadow password to “John the dictionary cracker”. NIS OK in a trusted.
10.1 Silberschatz, Galvin and Gagne ©2005 Operating System Principles 10.4 File System Mounting A file system must be mounted before it can be accessed.
Shibboleth 2.0 IdP Training: Authentication January, 2009.
CAS Lightning Talk Jasig-Sakai 2012 Tuesday June 12th 2012 Atlanta, GA Andrew Petro - Unicon, Inc.
All Input is Evil (Part 1) Introduction Will not cover everything Healthy level of paranoia Use my DVD Swap Shop application (week 2)
Service Connection Point Troels Ravn Software Developer Navision Software a/s November
Authentication. 2 © 2010 SWITCH Terms: Authentication Mechanism A concrete mechanism used to authenticate a user. Shibboleth 2 currently supports REMOTE_USER,
An Overview of Single Sign-On, Federation, Its Benefits, and Basic Procedures for Integrating Applications.
Apache Web Server Quick and Dirty for AfNOG 2015 (Originally by Joel Jaeggli for AfNOG 2007) ‏
Apache Web Server Quick and Dirty Evelyn NAMARA for AfNOG 2014 (Originally by Joel Jaeggli for AfNOG 2007) ‏
Comité Réseau des Universités News from CRU activities: Identity federation, eduroam, PKI, SCS, Sympa, security policies cru.fr 7th.
Technical Topics for Deployed Campuses: Web SSO Will Norris University of Southern California.
UMBC’s WebAuth Robert Banz – UMBC
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Workshop roaming services: eduroam / govroam
Orientation for International Students 2016 Information Services & Techology Pekka Kuronen.
Complete the new customer information and click Next. Adding a Reseller-of-record when creating a new customer.
JN0-561 Juniper Juniper Networks Certified Internet Associate, J-series Visit:
Using InCommon Client Certs for eduroam Jeff Hagley and Ryan Martin October 3 rd, 2011 Internet2 Fall Member Meeting.
RadSec Proxy Stig Venaas RadSec Proxy Generic proxy, any number of UDP and/or TLS clients and/or servers Can run on same host as a.
Revocation in WebPKI Phill Hallam-Baker Comodo. Standards intersection PKIX OTHER.
Today’s Applications Web API Browser Native app Web API Web API
Connect communicate collaborate An Infocard-based proposal for unified SSO to eduroam Enrique de la Hoz, Antonio García, Diego López, Samuel Muñoz University.
Networks ∙ Services ∙ People Jean Marie THIA GN4-1 Symposium, Vienna A case study GÉANT AuthN / AuthZ 9 march 2016 Solutions Architect -
Windows Active Directory – What is it? Definition - Active Directory is a centralized and standardized system that automates network management of user.
Managing and Extending Active Directory Federation Services Brian Puhl Technology Architect Microsoft Corporation SIA318.
PC Manager Meeting February 23, Today Updates Next Meeting Windows Policy Security This Month: Lessons Learned: Building the Symantec Patch (Andy.
Creative Commons Share Alike Attribution 3.0 Active Directory on ARM Running an Embedded Active Directory Domain Controller on the BeagleBoard.
JLR, Tozny, and DHS Isaac Potoczny-Jones
Wireless Network Setting (Windows XP)
Applying eduGAIN to network operations The perfSONAR case
Cisco AnyConnect Secure Mobility Client
Authentication Interact Cloud.
CWMS Configuration Making our PowerPoint simpler and more distinctive.
Shibboleth Integration Fairfield University
University of Stuttgart University of Murcia
Security in OSG Rob Quick
KMIP Client Registration Ideas for Discussion
Cryptographic Usage Mask
Security.
Cisco Real Exam Dumps IT-Dumps
Hybrid Search Technical Guidance.
The French federation Eurocamp 2007 Helsinki
Management of users at UNIL
جايگاه گواهی ديجيتالی در ايران
Mechanisms for Distributed Global Authentication David R Newman.
AD FS Integration Active Directory Federation Services (AD FS) 7.4
5 Way to Improve User Access
Setting up eduroam for an IdP means …
Presentation transcript:

EAP-TLS in eduroam using TCS Personal Certificates José Manuel Macías Luna, RedIRIS Juan C. Sánchez-DelBarrio, BSC TF-MnM Lyon, 16 Feb 2011

1. what... ? Use of TCS Personal Certificates in eduroam Id P SIR attributes CSR

2. how... ? FreeRADIUS added extended validation of client certificates see verify { client } in eap.conf we made a proof-of-concept validation script: validates client certificate and attributes CN,O,UID against our LDAP directory Radiator also supports this kind of validation EAPTLS_CertificateVerifyHook additional checks possible too... CRL checking, expiration,...

2. how... ? FreeRADIUS added extended validation of client certificates See verify { client } in eap.conf We made a proof-of-concept validation script: Validates client certificate attributes CN,O,UID against our LDAP directory Radiator also supports this kind of validation EAPTLS_CertificateVerifyHook Additional checks possible... CRL checking, expiration,... common name home organization My OpenID, yes... ;-) user identifier Attributes that can be validated Ho me IdP SIR 2 X.509 X LDAP LDAP 2 SIR

3. what for...? ok, it's not rocket science, but... remember EAP-TLS is included in Windows by default an alternative (or complement) to EAP-GTC too easy recipe for the server side it would promote other services: TCS, SIR drawbacks... a fail-over authentication method? it seems easy to deploy but... easier than others? (EAP-EKE is not yet there...) how well does it scale?

...any questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.