Deliverable H: the interoperability testbed design
Klaas Wierenga, SURFnet
2 Web-based with RADIUS
[Diagram labels: Internet, Docking Network, Access Control Device, AAA Server, WWW-browser]
–RADIUS-based Web interface authentication at the University of Tampere.
–The Finns are scaling their solution by using a hierarchy of RADIUS proxy servers for their national infrastructure.
3 VPN
[Diagram labels: Intranet X, Docking network, Campus Network, G-WiN, VPN-Gateways, DHCP, DNS, free Web]
–SWITCHmobile – VPN solution deployed at 7 universities across Switzerland.
–Wbone – VPN roaming solution to 4 universities / colleges in the state of Bremen.
–A "virtual campus" initiative in Lisbon has been testing and developing a VPN & PKI infrastructure.
–PPPoE – University of Bristol
4 Cross-domain 802.1X with VLAN assignment
[Diagram labels: RADIUS server Institution B, RADIUS server Institution A, Internet, Central RADIUS Proxy server, Authenticator (AP or switch), User DB, Supplicant, Guest, Student VLAN, Guest VLAN, Employee VLAN]
–Authentication at home institution, 802.1X, TTLS (SecureW2), (proxy) RADIUS.
–One-time passwords are also transmitted via SMS to guest users.
–A RADIUS hierarchy is proposed to scale this to a European-wide solution.
5 Current status
Characteristics identified as
–802.1X - “The future”, easy to scale, secure but cutting edge, thus expensive.
–VPN - Widely available, expensive, secure & hard to scale.
–Web based – cheap, widely available, easy to scale, but not secure.
Preliminary selection for inter-NREN roaming – in draft, conclusions are
–No national solution meets all the requirements.
–The group has chosen not to consider the following
  –Local VPN access.
  –PKI
–An architecture that supports the various national solutions is needed, a three stream approach is recommended…
6 Controlled Address Space for VPN Gateways
–Design and work plan documentation underway.
–Interoperability tests of VPN to RADIUS proxy hierarchy agreed.
–Further work to follow.
7 RADIUS proxy hierarchy
RADIUS Proxy servers connecting to a European level RADIUS proxy server
[Diagram labels: FCCN, UKERNA, SURFnet, FUNET, DFN, CARnet, CESnet, RedIRIS, UNI-C, GRnet]
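How a roaming user's request travels through the proxy hierarchy of slides 4 and 7, as an added example that is not part of the original deck. It assumes routing on the realm part of the user identity (the usual RADIUS proxy mechanism, which the slides do not spell out); the realms, user names, VLAN names and the guest-VLAN policy are constructed for illustration.

```python
# Added illustration: realm-based routing through a RADIUS proxy hierarchy.
# Realms, users and VLAN names are constructed; credential checks (the
# 802.1X/TTLS exchange) are out of scope and reduced to a user lookup.

class Node:
    """A RADIUS server: decides for its own realm, proxies everything else."""
    def __init__(self, name, suffix, parent=None, users=None):
        self.name, self.suffix, self.parent = name, suffix, parent
        self.users = users            # {user: role} on institution servers, else None
        self.children = []
        if parent:
            parent.children.append(self)

    def covers(self, realm):
        return self.suffix == "" or realm == self.suffix or realm.endswith("." + self.suffix)

    def handle(self, user, realm, path, came_from=None):
        path.append(self.name)
        if self.users is not None and realm == self.suffix:
            return self.users.get(user)           # home institution decides
        for child in self.children:               # route down towards the home realm
            if child is not came_from and child.covers(realm):
                return child.handle(user, realm, path, self)
        if self.parent and self.parent is not came_from and not self.covers(realm):
            return self.parent.handle(user, realm, path, self)   # route up
        return None                               # unroutable: reject, never bounce back

def authenticate(identity, visited):
    """Return (accepted, vlan, proxy_path) as seen at the visited institution."""
    user, sep, realm = identity.rpartition("@")
    realm, path = realm.lower(), []
    if not (sep and user and realm):
        return (False, None, path)                # no realm, nothing to route on
    role = visited.handle(user, realm, path)
    if role is None:
        return (False, None, path)
    # Assumed policy: own users get their role VLAN, roaming users the guest VLAN.
    vlan = f"{role}-vlan" if realm == visited.suffix else "guest-vlan"
    return (True, vlan, path)

# Constructed topology: European proxy, two national proxies, two institutions.
eu = Node("eu-proxy", "")
nl = Node("nl-proxy", "nl", eu)
de = Node("de-proxy", "de", eu)
inst_a = Node("inst-a", "inst-a.nl", nl, {"alice": "employee", "bob": "student"})
inst_b = Node("inst-b", "inst-b.de", de, {"carol": "student"})

if __name__ == "__main__":
    for ident in ("alice@inst-a.nl", "carol@inst-b.de", "x@nowhere.xx", "norealm"):
        print(ident, authenticate(ident, inst_a))
```

The returned path shows which servers see each request: a local login never leaves the institution, while a realm nobody serves is rejected at the first proxy that can tell, without being sent back down the branch it arrived on.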
8 Integration?
802.1X
–Secure SSID
–RADIUS
Web-based captive portal
–Open SSID
–RADIUS
PKI-based
–Open SSID
–No RADIUS
9 Network layout with multiple SSIDs and VLAN assignment
10 Network layout without multiple SSIDs and VLAN assignment
11 Layer 2 design of the interoperability testbed
12 Conclusions
–It is possible to create an interoperable solution
–It’s not that hard – especially when you use deliverable H to guide you
–The future will show if and how these solutions will continue to be in existence
–Del. H also provides an easy upgrade path