Deploying eduroam Deyan Stoykov, BREN E-infrastructure Autumn Workshops 8 September, 2014.

Slides:

Advertisements

Similar presentations

Inter WISP WLAN roaming

Advertisements

Authentication.

Joining eduroam Wireless Roaming for Education and Research.

RadSec – A better RADIUS protocol

Connect. Communicate. Collaborate eduroam: a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 NORDUnet 2008, Espoo,

Connect. Communicate. Collaborate eduroam: towards a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 Wi-Fi Workshop,

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Terena Mobility Taskforce update Klaas Wierenga SURFnet.

Licia Florio EUNIS05, Manchester 1 Eduroam EUNIS Conference, June Licia Florio.

CONFIDENTIAL © Copyright Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.

Connect communicate collaborate Eduroam debugging Gurvinder Singh and Gunnar Bøe, Campus Networks and Systems, UNINETT AMRES Wireless workshop Belgrade,

Why eduroam sucks, and how to fix it.

TF Mobility Group 22nd September A comparison of each national solution was made against Del C – “requirements”, the following solutions were assessed.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference th November, 2006.

Connect communicate collaborate RADIUS and WLAN Infrastructure Monitoring Jovana Palibrk, AMRES NA3 T2, Sofia,

DESIGNING A PUBLIC KEY INFRASTRUCTURE

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 11: Planning Network Access.

EduRoam: movilidad por Europa... y España Toledo, 29 de octubre de 2004

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

802.1x EAP Authentication Protocols

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.

Chapter 16 AAA. AAA Components  AAA server –Authenticates users accessing a device or network –Authorizes user to perform specific activities –Performs.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

Using RADIUS Within the Framework of the School Environment Charles Bolen Systems Engineer December 6, 2011.

Wireless Security with 802.1X Copyright 2005 Michael Griego This work is the intellectual property of the author. Permission is granted for this material.

Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 20 RADIUS and Internet Authentication Service.

Wireless Security and Accounting with 802.1X. Introduction Background Why 802.1X? What is 802.1X? Implementing 802.1X at UTD The future of 802.1X and.

PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.

CSC – Tieteen tietotekniikan keskus Oy CSC – IT Center for Science Ltd. WLAN Infrastructure Monitoring and Supplicants Workshop on Wireless Belgrade -

Lecture 12: WLAN Roaming Communities EDUROAM TM. eduroam TM eduroam (education roaming) is the secure, world-wide roaming access service developed for.

What about 802.1X? An overview of possibilities for safe access to fixed and wireless networks Amsterdam, October Erik Dobbelsteijn.

1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.

Windows 2003 and 802.1x Secure Wireless Deployments.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 9 Network Policy and Access Services in Windows Server 2008.

Virtual Private Networks (Tunnels). When Are VPN Tunnels Used? VPN with PPTP tunnel Used if: All routers support VPN tunnels You are using MS-CHAP or.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Configuring Routing and Remote Access(RRAS) and Wireless Networking

1 Week #7 Network Access Protection Overview of Network Access Protection How NAP Works Configuring NAP Monitoring and Troubleshooting NAP.

Module 8: Configuring Virtual Private Network Access for Remote Clients and Networks.

Module 9: Planning Network Access. Overview Introducing Network Access Selecting Network Access Connection Methods Selecting a Remote Access Policy Strategy.

WIRELESS LAN SECURITY Using

1 Chapter 6: Proxy Server in Internet and Intranet Designs Designs That Include Proxy Server Essential Proxy Server Design Concepts Data Protection in.

Education roaming Secure Wireless Service for Research and Education.

70-411: Administering Windows Server 2012

High-quality Internet for higher education and research Paul Dekkers April 4th, Turkey.

Michal Procházka, Jan Oppolzer CESNET.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

20411B 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Presentation: 60 minutes Lab: 60 minutes After completing this module,

A Practical Guide for Joining EduRoam EuroCAMP Torino A Practical Guide for Joining EduRoam 4 March 2005 Version 1.6.

Shambhu Upadhyaya Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)

Module 9: Designing Network Access Protection. Scenarios for Implementing NAP Verifying the health of: Roaming laptops Desktop computers Visiting laptops.

1 © 2004 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Identity Based Networking Terena Rhodes, June 04 Eric Marin EMEA Consulting Engineer.

Configuring Network Access Protection

Federation as a Service Marina Vermezović, AMRES Federated Identity Technology Workshop Sofia, Bulgaria, 20. Jun 2014.

1 Week #5 Routing and NAT Network Overview Configuring Routing Configuring Network Address Translation Troubleshooting Routing and Remote Access.

Workshop roaming services: eduroam / govroam

Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.

Authentication and Authorisation in eduroam Klaas Wierenga, AA Workshop TNC Lyngby, 20th May 2007.

Training Michal Procházka, Jan Oppolzer CESNET

RADIUS By: Nicole Cappella. Overview  Central Authentication Services  Definition of RADIUS  “AAA Transaction”  Roaming  Security Issues and How.

Introduction to Port-Based Network Access Control EAP, 802.1X, and RADIUS Anthony Critelli Introduction to Port-Based Network Access Control.

KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY IT375 Window Enterprise Administration Course Name – IT Introduction to Network Security Instructor.

Port Based Network Access Control

10 Years of eduroam (from an idea to a product)

Module 9: Configuring Network Access

Module Overview Installing and Configuring a Network Policy Server

Configuring and Troubleshooting Routing and Remote Access

Presentation transcript:

Deploying eduroam Deyan Stoykov, BREN E-infrastructure Autumn Workshops 8 September, 2014

2 Connect | Communicate | Collaborate Introduction to eduroam eduroam is a secure international roaming service for members of the European eduroam Confederation (eduroam Service Definition, July 2012) provides consistent and secure wireless access across research and education institutions based on a hierarchy of RADIUS servers username is in format

3 Connect | Communicate | Collaborate eduroam infrastructure elements European Top-level RADIUS servers (ETLRS) operated by the eduroam Operations Team (OT) located in Denmark and Netherlands hub for the European Confederation provide inter-federation roaming Federation-level RADIUS servers (FLRS) operated by the National Roaming Operators (NROs) provide intra-federation roaming in case of inter-federation roaming, forward the request to an ETLR

4 Connect | Communicate | Collaborate eduroam infrastructure elements #2 Service providers (SPs) provide network access to local or visiting users receive RADIUS requests from NAS devices (wireless APs, switches) forward the request to user’s IdP grant or reject access Identity providers (IdPs) responsible for authenticating the users in a specific domain(realm) receive RADIUS access request from SPs consult a user database grant or reject access Access points / switches Supplicants

5 Connect | Communicate | Collaborate eduroam infrastructure – static routing

6 Connect | Communicate | Collaborate eduroam infrastructure – dynamic routing

7 Connect | Communicate | Collaborate eduroam infrastructure – dynamic routing

8 Connect | Communicate | Collaborate Protocols RADIUS provides AAA (authentication, authorization and accounting) – accounting is generally not used in eduroam relies on shared secrets for mutual authentication gradually superseded by RADSEC (RADIUS over TCP/TLS) 802.1x EAP EAP-TLS (authentication with TLS certificate) PEAP (EAP-MSCHAPv2) EAP-TTLS (PAP, CHAP, MS-CHAP) Outer and inner tunnel – Allows usage of anonymous identity – Outer tunnel: – Inner tunnel:

9 Connect | Communicate | Collaborate RADIUS server software FreeRADIUS open source license most popular RADIUS server version 3 includes RADSEC support and other improvements Radiator commercial license targeting telco and other high-end market segments Radsecproxy open source license only supports proxying, not usable for an IdP Microsoft IAS/NPS

10 Connect | Communicate | Collaborate NRO requirements/recommendations Sign the eduroam policy Maintain a web-site at Provide user support form Allow requests from the eduroam monitoring service Configure logging with F-Ticks Maintain the eduroam database Keep logs for at least 6 month

11 Connect | Communicate | Collaborate eduroam database Aggregated automatically from predefined locations institution.xml is populated in a federation-specific method, usually manually Used for contact data and coverage map

12 Connect | Communicate | Collaborate F-ticks Collects statistics for roaming authentication requests within the confederation to a central location FreeRADIUS configuration linelog f_ticks { filename = syslog format = "" reference = "f_ticks.%{%{reply:Packet-Type}:-format}" f_ticks { Access-Accept = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=BG#CSI=%{Calling- Station-Id}#RESULT=OK#" Access-Reject = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=BG#CSI=%{Calling- Station-Id}#RESULT=FAIL#" } rsyslog configutation msg, contains,

13 Connect | Communicate | Collaborate Setting up an IdP Choosing EAP method PEAP (EAP-MSCHAPv2) EAP-TTLS (PAP, CHAP, MS-CHAP) Authentication backend support – PEAP: plaintext password or NT hash available – TTLS: any (with PAP) OS support – PEAP: Windows Vista/7/8, iOS, Android – TTLS: Windows 8, iOS, Android

14 Connect | Communicate | Collaborate Setting up an IdP Generate EAP certificates Current recommendation is to set up a private CA specifically for eduroam Use a long enough validity period (20 years?) Commercial CA doesn’t provide additional security for EAP

15 Connect | Communicate | Collaborate Setting up an IdP Provide assistance to users eduroam CAT – web-site with instructions Promo materials at

16 Connect | Communicate | Collaborate Setting up an IdP Enabling dynamic discovery DNS records for dynamic discovery example.com IN NAPTR "s" "x-eduroam:radius.tls" "" _radsec._tcp.example.com. _radsec._tcp.example.com IN SRV radius.example.com. _radsec._tcp.example.com IN SRV radius.example.com. Additionally, a PKI layer will verify the realm/domain is owned by a research/education institution. Currently in pilot state in 10 NRENs greatidp.aq IN NAPTR "s" "x-eduroam:radius.tls" "" _radsec._tcp.eduroam.aq.

17 Connect | Communicate | Collaborate Setting up a SP Wireless equipment choice and setup Controller-based or standalone APs Controller-based solutions provide centralized management and other benefits such as better roaming experience Standalone APs require smaller initial investment Client isolation General wireless networking best practices (coverage, channel selection, etc.) Extra SSID for initial setup (eduroam-help)

18 Connect | Communicate | Collaborate Setting up a SP Dynamic VLAN assignment # VLAN for staff if ( Realm == "uni-ruse.bg" ) { update reply { Tunnel-type := VLAN Tunnel-Medium-Type := 802 Tunnel-Private-Group-ID := 29 } # VLAN for students if ( Realm == "stud.uni-ruse.bg" ) { update reply { Tunnel-type := VLAN Tunnel-Medium-Type := 802 Tunnel-Private-Group-ID := 31 }

19 Connect | Communicate | Collaborate Setting up a SP Establish and publish policy Keep authentication logs for at least 6 months Set the Operator-Name attribute authorize { update request { Operator-Name := "1yourdomain.tld" } What NOT to do: don’t use web logins not recommended to do port restrictions – port 25 can still be blocked (465 and 587 are on the minimum list) not recommended to use transparent proxies or force users to configure their systems to use a proxy not recommended to use NAT

20 Connect | Communicate | Collaborate Further references

21 Connect | Communicate | Collaborate Question time Questions?

22 Connect | Communicate | Collaborate | | Connect | Communicate | Collaborate Thank you!