Chargeable-User-Identity in eduroam

The problem

- Current eduroam setup provides per-realm granularity
- The consequences:
  - if a guest misbehaves, the SP can only black-list the entire realm
  - if someone uses the guest access to set up a full-time Internet link, the SP may become suspicious about the eduroam idea and may want to turn on some quota system to defend against that kind of overuse (this may be a local-level problem, but we might provide a universal solution)
  - in case of incidents, locating the correct entries in the logs may be complicated by the fact that the SP logs will just show an anonymous user

Possible solution: Chargeable-User-Identity (CUI)

- attribute defined in RFC 4372 (pointed out by Jochem van Dieten)
- meant to carry a value which is unique to a user (perhaps only for some period of time)
- CUI in action:
  - request: send the CUI attribute with a NUL value
  - reply: send the user identifier in the CUI
  - the NAS accounting should be based on the CUI rather than the User-Name (probably currently not implemented by anybody)

Tests and implementation

- CUI request implemented in FreeRadius v. 2
- CUI response implemented in FreeRadius v. 1 and 2 (runs in production service in Toruń)
  - currently a fixed value per user is returned
- CUI proxying tested for FreeRadius v. 1 and 2, Radiator, RadSec proxy
- testing tool: a patch to eapol_test from wpa_supplicant capable of sending both NUL and non-NUL CUI and displaying the response

So now what....

- We are happy to provide all information on server setup, eapol_test patch etc.
- Questions, issues:
  - Test pilot (volunteers)?
  - How permanent should the CUI be?
  - Recommendation for SA5 participants?
  - Add a subchapter to Roaming CookBook?
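The following is an added worked example, not code from the slides or from the Toruń deployment, showing the CUI request/reply pattern from the "CUI in action" slide at the RADIUS attribute level: the SP puts a NUL CUI (attribute type 89, RFC 4372) in the Access-Request, the home server answers with an opaque per-user value, and the SP logs and accounts against that value instead of the anonymous outer User-Name. The home-server side uses a hypothetical derivation (HMAC-SHA256 of the inner identity under a secret known only to the home server, optionally mixed with a period string) rather than the fixed per-user value mentioned on the "Tests and implementation" slide; the optional period is one way to answer the "how permanent should the CUI be?" question, since rotating it per period still lets the SP black-list a single user for that period without learning the real identity. The secret and identities are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS attribute types used here (RFC 2865 and RFC 4372).
USER_NAME_TYPE = 1
CUI_TYPE = 89            # Chargeable-User-Identity

NUL_CUI = b"\x00"        # a request for a CUI carries a single NUL octet


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute in Type/Length/Value form (length covers the header)."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must fit in one RADIUS attribute")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def decode_attrs(data):
    """Decode a run of RADIUS attributes into a list of (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def sp_build_request_attrs(outer_identity):
    """SP (visited site) side: attributes for an Access-Request that asks for a CUI."""
    return (encode_attr(USER_NAME_TYPE, outer_identity.encode())
            + encode_attr(CUI_TYPE, NUL_CUI))


def idp_derive_cui(inner_username, secret, period=None):
    """Home IdP side: derive an opaque per-user pseudonym.

    Hypothetical scheme (not the Toruń deployment's): HMAC-SHA256 of the real
    inner identity under a secret known only to the home server, truncated to
    32 hex characters.  Mixing in a period string (e.g. "2008-Q1") makes the
    value rotate per period.  The SP only ever sees the digest, never the
    inner identity.
    """
    msg = inner_username.lower().encode()
    if period is not None:
        msg += b"|" + period.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def idp_build_reply_attrs(request_attrs, inner_username, secret, period=None):
    """Home IdP side: reply attributes for the Access-Accept.

    A CUI is returned only when the request carried the NUL CUI, matching the
    RFC 4372 request/response pattern; otherwise the reply has no CUI at all.
    """
    asked_for_cui = any(t == CUI_TYPE and v == NUL_CUI
                        for t, v in decode_attrs(request_attrs))
    if not asked_for_cui:
        return b""
    return encode_attr(CUI_TYPE, idp_derive_cui(inner_username, secret, period).encode())


def sp_extract_cui(reply_attrs):
    """SP side: the CUI to log/account against, or None if the home server sent none.

    A NUL or empty CUI in the reply is treated as "no CUI", so the SP falls back
    to realm-level handling instead of accounting against a meaningless value.
    """
    for t, v in decode_attrs(reply_attrs):
        if t == CUI_TYPE and v not in (b"", NUL_CUI):
            return v.decode()
    return None


if __name__ == "__main__":
    # Constructed sample exchange: outer identity is anonymous, inner is the real user.
    secret = b"example-home-server-secret"          # constructed, not a real key
    req = sp_build_request_attrs("anonymous@example.edu")
    reply = idp_build_reply_attrs(req, "alice", secret, period="2008-Q1")
    print("CUI seen by SP:", sp_extract_cui(reply))
```

Note that the SP never learns the inner identity from this exchange: it only gets a value it can black-list, rate-limit or search for in its logs, and it has to ask the home institution (which alone can invert the mapping) to resolve an incident. A home server that does not implement CUI simply omits the attribute, and `sp_extract_cui` then returns `None`, so the SP degrades to the per-realm behaviour described on the "problem" slide instead of failing the authentication.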