2007 © SWITCH TNC2007 Extending SWITCH Public Wireless LAN with EAP-SIM Kurt Baumann SWITCHmobile Project Leader


2007 © SWITCH 2 TNC2007 Agenda
Introduction
 SWITCH Public Wireless LAN - a brief history
 Current Architecture - Symmetric Approach
EAP(-SIM)
 Introduction EAP / EAP-SIM
 Extension Current Architecture with EAP-SIM
 Pilot ETHZ - Architecture-Layout
 Implementation EAP-SIM at ETHZ
 Rollout-plan
Progression of PWLAN
 Statistics
 Outlook - Multi Provider Capable Infrastructure
Conclusions

2007 © SWITCH 3 TNC2007 PWLAN Motivation

2007 © SWITCH 4 TNC2007 PWLAN History, Goals and Requirements
Project goals
- Extend footprint
- Increase mobility for students, staff and researchers
- Create a platform that offers more flexibility for other future SWITCH services
Project requirements
- Traditional SWITCHmobile concept must be retained (VPN solution)
- Costs for universities shall be minimized as much as possible - symmetrical approach
- Solution should be combinable with eduroam
- Solution should support other SWITCH activities that depend on roaming access (triple play services)
- Solution must be flexible, modular and state of the art
History
- 2004: Concept SWITCH PWLAN. Universities: ETHZ, UNINE, ZHW and SWITCH; WISPs: tpn, Monzoon, TheNet
- 2005: Trial phases and institutional extension (EPFL, UniBE, BFH, HSR), including a new WISP, Swisscom
- 06/2006: Productive phase and technical extension with EAP-SIM

2007 © SWITCH 5 TNC2007 PWLAN Symmetric Approach
Diagram: Docking Network and Campus Network of University A and of University B, each with a VPN GW and a SWITCHmobile ACL, connected over the Internet; Student A, the MPP and the WISP landing page (MPP = Multi Provider Portal, WISP = Wireless Internet SP).
Legend: VPN Tunnel / User Traffic / Commercial User
Commercial user flow:
1: User opens browser and lands on landing page
2: User clicks PWLAN provider logo
3: All corresponding user traffic is forwarded to landing page of PWLAN provider
4: Customer is redirected to landing page of PWLAN provider
5: Customer gets internet access after authentication (NAT)

2007 © SWITCH 6 TNC2007 Introduction EAP/EAP-SIM EAP: Definition, Model, How it works EAP-SIM: Definition, How it works

2007 © SWITCH 7 TNC2007 EAP Definition
EAP, RFC 3748: EAP stands for Extensible Authentication Protocol. It defines an authentication framework which supports multiple authentication methods. EAP typically runs directly over data link layers such as the Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP.

2007 © SWITCH 8 TNC2007 EAP Method How it works
Parties: Supplicant (Client) - Authenticator (AP) - Authentication Server (RADIUS/AAA)
[ 0 ] EAP starts: establish data link, EAP over IEEE 802
[ 1 ] Identity exchange, request-response paradigm: a message is sent and the sender waits for a response before sending another message - a "lock step" protocol
[ 2 ] Authentication, process-specific message exchange: all exchanges between Client, Authenticator and authentication systems are defined in a variety of specific RFCs. Multiple message sequences, depending on the authentication process. Systems for authentication: RADIUS, corporate identity servers, etc., using various protocols and methods.
[ 3 ] Authentication messages: Success? Yes -> EAP-Success, No -> EAP-Failure. The Authenticator determines whether the authentication is a success or failure.

2007 © SWITCH 9 TNC2007 Introduction EAP/EAP-SIM Definition / Model
EAP Definition: EAP stands for Extensible Authentication Protocol. It was originally developed as a PPP authentication extension (RFC 3748).
EAP Model:
- Lower layer: responsible for transmitting and receiving EAP frames between the peer and the authenticator.
- EAP layer: receives and transmits EAP packets via the lower layer, implements duplicate detection and retransmission, and delivers and receives EAP messages to and from the EAP peer and authenticator layers.
- EAP peer and authenticator layers: based on the Code field, the EAP layer demultiplexes incoming EAP packets to the EAP peer and authenticator layers.
- EAP method layers: EAP methods implement the authentication algorithms and receive and transmit EAP messages via the EAP peer and authenticator layers.
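The packet layer described on slides 8 and 9, as an added example that is not from the SWITCH deck: a minimal RFC 3748 EAP codec with Code-based demultiplexing and a simplified Identifier-based duplicate check (the class and constant names are mine; the method type numbers are the IANA-registered ones).

```python
import struct

CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_SIM = 1, 18  # method types: Identity (RFC 3748), EAP-SIM (RFC 4186)

def encode(code, identifier, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if code in (CODE_SUCCESS, CODE_FAILURE) else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def decode(pkt):
    """Parse the header and refuse truncated, oversized or unknown-Code packets."""
    if len(pkt) < 4:
        raise ValueError("short EAP header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):  # Length must not exceed what was received
        raise ValueError("bad EAP length")
    if code in (CODE_SUCCESS, CODE_FAILURE):
        return code, identifier, None, b""  # Success/Failure carry no Type octet
    if code not in (CODE_REQUEST, CODE_RESPONSE):
        raise ValueError("unknown EAP code")
    if length < 5:
        raise ValueError("Request/Response without Type octet")
    return code, identifier, pkt[4], pkt[5:length]

class EapLayer:
    """The 'EAP layer' of slide 9: demultiplex on Code, drop duplicate Responses.
    Duplicate detection is simplified to 'same Identifier as the Response just
    accepted'; a real authenticator matches against its outstanding Request."""
    def __init__(self):
        self.last_response_id = None
        self.events = []  # what was handed up to the peer/authenticator layers

    def receive(self, pkt):
        code, ident, eap_type, data = decode(pkt)
        if code == CODE_RESPONSE:
            if ident == self.last_response_id:  # lock-step: a retransmitted Response
                self.events.append(("duplicate", ident))
                return None
            self.last_response_id = ident
            self.events.append(("authenticator", ident, eap_type))
        elif code == CODE_REQUEST:
            self.events.append(("peer", ident, eap_type))
        else:
            self.events.append(("result", ident, code == CODE_SUCCESS))
        return code, ident, eap_type, data
```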

2007 © SWITCH 10 TNC2007 EAP-SIM Definition
EAP-SIM, RFC 4186: EAP-SIM is a mechanism for mutual authentication and session-key agreement using the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM).

2007 © SWITCH 12 TNC2007 EAP-SIM Method How it works
GSM authentication flow. Parties: Client/SIM card - AP - AAA/RADIUS (GSM) - ITP MAP-Proxy - SS7 Network / AuC
1. AAA -> AP: RADIUS/EAP-Req/SIM/Start; AP -> Client: EAP-Req/SIM/Start
2. SIM calculates RAND. Client -> AP: EAP-Resp/SIM/Start (RAND); AP -> AAA: RADIUS/EAP-Resp/SIM/Start (RAND)
3. AAA -> AuC over the ITP MAP-Proxy and the SS7 network: GSM-Triplet-Request (GetAuthInfo); AuC -> AAA: GSM-Triplet(s) (RAND, SRES, Kc). (1. Triplet request, 2. GSM-Triplet(s))
4. AAA -> AP: RADIUS/EAP-Req/SIM/Challenge (RAND, MAC_RAND); AP -> Client: EAP-Req/SIM/Challenge (RAND, MAC_RAND)
5. Server authentication (on the client): MAC_RAND(AAA) = MAC_RAND(SIM)
6. Client -> AP: EAP-Resp/SIM/Challenge (MAC_SRES); AP -> AAA: RADIUS/EAP-Resp/SIM/Challenge (MAC_SRES)
7. Client authentication (on the server): MAC_SRES(SIM) = MAC_SRES(AAA)
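The mutual authentication of slide 12 as an added example, not SWITCH or Swisscom code: the GSM A3/A8 algorithm and the RFC 4186 key derivation are replaced by HMAC-SHA1 stand-ins and the Ki secret is constructed, but the message contents and the two MAC checks follow the slide. In RFC 4186 the client-chosen value that the slide labels RAND in EAP-Resp/SIM/Start is called NONCE_MT, while the RANDs in the Challenge come from the AuC's triplets; the rogue case shows why the client's MAC_RAND check matters, since a network with no path to the AuC cannot produce valid triplets and the SIM then sends nothing.

```python
import hashlib, hmac, os

SIM_KI = os.urandom(16)  # constructed Ki: the secret shared only by the SIM and the GSM AuC

def gsm_a3a8(ki, rand):
    """Stand-in for A3/A8 (HMAC-SHA1 here): SRES is 4 bytes, Kc is 8 bytes."""
    d = hmac.new(ki, rand, hashlib.sha1).digest()
    return d[:4], d[4:12]

def auc_triplets(n=2):
    """AuC side of the 'GSM-Triplet(s)' hop: fresh RANDs with their SRES and Kc."""
    return [(r, *gsm_a3a8(SIM_KI, r)) for r in (os.urandom(16) for _ in range(n))]

def k_aut(identity, kcs, nonce_mt):
    """Simplified MK/K_aut derivation (RFC 4186 adds a FIPS 186-2 PRF on top of this)."""
    return hashlib.sha1(identity + b"".join(kcs) + nonce_mt).digest()

def mac(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:16]  # AT_MAC is truncated to 16 bytes

def server_challenge(identity, nonce_mt, triplets):
    """EAP-Req/SIM/Challenge: the RANDs plus MAC_RAND proving knowledge of the Kc values."""
    rands = [t[0] for t in triplets]
    key = k_aut(identity, [t[2] for t in triplets], nonce_mt)
    return rands, mac(key, b"".join(rands) + nonce_mt)

def sim_respond(identity, nonce_mt, rands, mac_rand):
    """Client: run the SIM on each RAND, check MAC_RAND (server auth), return MAC_SRES."""
    sres, kcs = zip(*(gsm_a3a8(SIM_KI, r) for r in rands))
    key = k_aut(identity, list(kcs), nonce_mt)
    if not hmac.compare_digest(mac_rand, mac(key, b"".join(rands) + nonce_mt)):
        return None  # network could not prove it holds genuine triplets: abort, send nothing
    return mac(key, b"".join(sres))

def server_verify(identity, nonce_mt, triplets, mac_sres):
    """Client authentication: MAC_SRES must match the SRES values the AuC returned."""
    key = k_aut(identity, [t[2] for t in triplets], nonce_mt)
    return hmac.compare_digest(mac_sres, mac(key, b"".join(t[1] for t in triplets)))

def run(rogue=False, identity=b"1228010000000001@pwlan.example"):
    """Whole exchange (constructed identity); rogue=True models a network without AuC access."""
    nonce_mt = os.urandom(16)  # client nonce; RFC 4186 calls it NONCE_MT (the slide: RAND)
    triplets = auc_triplets()
    if rogue:  # without Ki the fake AAA can only guess SRES/Kc for its own RANDs
        triplets = [(t[0], os.urandom(4), os.urandom(8)) for t in triplets]
    rands, mac_rand = server_challenge(identity, nonce_mt, triplets)
    mac_sres = sim_respond(identity, nonce_mt, rands, mac_rand)
    if mac_sres is None:
        return "server-auth-failed"
    return "success" if server_verify(identity, nonce_mt, triplets, mac_sres) else "client-auth-failed"
```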

2007 © SWITCH 13 TNC2007 EAP-SIM Architecture
Extension of the current PWLAN architecture with EAP-SIM:
- Project organization
- Architecture
- Proof of concept
- Roll-out concept

2007 © SWITCH 14 TNC2007 EAP-SIM Architecture Project Organization
Pilot: Organization
- Educational Association: ETHZ and SWITCH
- WISP: Swisscom
Pilot: Implementation
- ETHZ - reconfiguration WLAN
- Implementation Swisscom components
Roll-out: SWITCH leads the roll-out
- Definition of roll-out plan
- Repository: FAQ: Implementation EAP-SIM

2007 © SWITCH 15 TNC2007 EAP-SIM Architecture Ideas SCM Router = Swisscom Mobile Router

2007 © SWITCH 16 TNC2007 EAP-SIM Architecture High-level concept
EAP-SIM: Requirements
- Implementation on top of an 802.1X-enabled network
- Separate VLAN, SSID: MOBILE-EAPSIM
- Swisscom-like implementation: the VLAN is a half C-class IP address range; source and destination NAT (SCM router); DHCP requests handled by the SCM router

2007 © SWITCH 17 TNC2007 EAP-SIM Architecture with Swisscom
Swisscom EAP-SIM Mobile setup
- New SSID "MOBILE-EAPSIM"
- Authentication 802.1X with WEP
- ETHZ reserved an official IP for their RADIUS
- Swisscom router makes source-destination NAT
- Clients are in a separate VLAN (VRF)
- Swisscom provides the subnets and DHCP
Problems
- System does not scale (more WISPs)
- The implementation solves most problems on the Swisscom router
- Channel 13 support of the Swisscom cards?
- Swapping between wireless domains?

2007 © SWITCH 18 TNC2007 EAP-SIM Architecture Roll-out
Service Deployment - PWLAN (timeline Q2, Q3, Q4, Q1, Q2, Q3, Q4):
- Brainstorming, info PWLAN members
- Definition architecture, technical solution
- "Proof of concept" - build up a test bed SWITCH/ETHZ/Swisscom
- Service: tests, test results and documentation
- Rollout: step by step to further PWLAN members, marketing
Pilot and roll-out EAP-SIM up and running: ETHZ, BFH, EPFL, HSR and SWITCH

2007 © SWITCH 19 TNC2007 Statistics PWLAN Participants Statistics

2007 © SWITCH 20 TNC2007 Statistics Overview
Diagram: members connected over the Internet with ~330, ~175, ~265 and ~1600 hotspots respectively (provider labels not preserved in the transcript); PWLAN Academic Association represented by ~97'700 people

2007 © SWITCH 21 TNC2007 Statistics Monitoring
Diagram: Monzoon, TheNet, TPN and Swisscom (starting April 2007) each connected to the Academic Association via GRE VPN

2007 © SWITCH 22 TNC2007 Statistics Monitoring

2007 © SWITCH 23 TNC2007 Commercial WISP market in Switzerland

2007 © SWITCH 24 TNC2007 EAP-SIM Outlook Outlook: Implementation EAP-SIM - Multi Provider Capable Infrastructure

2007 © SWITCH 25 TNC2007 EAP(-SIM) Multi Provider Capable Infrastructure

2007 © SWITCH 26 TNC2007 Conclusions
 SWITCH PWLAN extends the footprint for the Academic Association and for the WISPs.
 SWITCH PWLAN corresponds technologically to the most current standards: IEEE 802.1X, EAP/EAP-SIM.
 SWITCH PWLAN makes a further enlargement of the user population possible through a "Multi Provider Capable Infrastructure".

2007 © SWITCH 27 Q & A