High-quality Internet for higher education and research Paul Dekkers April 4th, Turkey.

Contents
From 802.1X to eduroam:
– Refresher
– Background
– Considerations
– Solutions: 802.1X, eduroam

Refresher: WLAN
Every wireless network has a name: an SSID (Service Set Identifier), which may be broadcast or hidden
Access / encryption with “keys”:
– WEP, Wired Equivalent Privacy
– WPA (with pre-shared key)
802.11 (“wireless Ethernet”, MAC layer); 802.11b, g, a (radio layer, channels)

Background
Traditional WLAN is not safe:
– Who uses the network? (abuse, limiting the user group)
– Are people eavesdropping? (no physical boundaries)
How do we provide access to guests?
– Distribution of “secrets” (the WEP key)?

Traditional WLANs are unsafe
Even with:
– Non-broadcast SSID (the name still appears in probe and association frames)
– MAC-address restrictions (a client's MAC address is trivially spoofed)
– WEP, Wired Equivalent Privacy (one key shared by everybody, and recoverable from captured traffic)

Users are mobile
(Figure: a student moves between the dormitory, University A WLAN, University B WLAN, a commercial access provider (ADSL, WLAN, GPRS/UMTS) and international connectivity over the Internet backbone)

Requirements
Identify users uniquely at the edge of the network
– No session hijacking
Enable guest usage
Scalable
– Local user administration and authentication
Easy to install and use
– At most a one-time installation by the user
Open
Secure

Solutions … for guest usage
Web-based captive portal: scalable, not safe (no encryption, session hijacking)
VPN/PPPoE: not scalable, but a safe path
802.1X: scalable and safe; security at the edge of the network
802.1X is the basis for the next-generation standards (WPA-Enterprise, 802.11i)

Secure access to the network with 802.1X
(Figure: the supplicant on the user's device speaks 802.1X to the authenticator (AP or switch); the authenticator relays the authentication to University A's RADIUS server, which checks the user DB; signaling and data paths are separate, and the RADIUS reply carries the VLAN assignment: student VLAN, employee VLAN or commercial VLAN; the Internet sits behind the campus network)

802.1X and EAP (Extensible Authentication Protocol)
Different EAP types; the (home) organization decides which type is used
EAP types with SSL/TLS:
– “Mutual authentication”: the client verifies the server certificate, the server verifies the client (certificate or password); a supplicant that does not check the server certificate will hand its credentials to any access point that claims the right SSID
– Encryption keys are derived from the SSL/TLS session
EAP is transported and proxied in RADIUS

Common EAP types
EAP-TLS: strong authentication with a client certificate
EAP-TTLS: Diameter/RADIUS-style attributes (e.g. username/password in PAP) inside a TLS tunnel; usable with all username/password backends
EAP-PEAP: Microsoft's implementation, username/password via MSCHAPv2 inside a TLS tunnel; easy to deploy with AD
EAP-FAST: username/password authentication the Cisco way; roll-out is more complex (the TLS tunnel is set up from a provisioned PAC instead of a server certificate)
EAP-SIM: strong authentication using the SIM of your phone...
LEAP and EAP-MD5 are old and weak

Guest usage: eduroam!
(Figure: a guest's supplicant authenticates through the authenticator (AP or switch) at institution B; institution B's RADIUS server forwards the request over a secured tunnel to the central RADIUS proxy server on the Internet, which forwards it to institution A's RADIUS server and user DB; institution B puts its own users in the regular VLAN and the guest in the guest VLAN)
Trust is based on RADIUS plus policy documents

eduroam: (inter)national roaming

eduroam architecture
Security based on 802.1X:
– Protection of credentials: EAP
– New technologies (WPA, 802.11i) are based on 802.1X
– Different authentication mechanisms possible by using EAP (Extensible Authentication Protocol): username/password, X.509 certificates, SIM cards
– Dynamic VLAN assignment
Roaming based on RADIUS proxying:
– Remote Authentication Dial In User Service
– Transport protocol for authentication information
Trust fabric based on:
– Technical: RADIUS hierarchy
– Policy: documents/contracts that define the responsibilities of user, institution, NREN and the eduroam federation
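The technical side of the trust fabric is the shared secret each pair of RADIUS servers in the hierarchy agrees on. The following is an added example, not code from these slides or from any eduroam software, showing what that secret actually buys: a sender computes the Message-Authenticator (HMAC-MD5 keyed with the secret, RFC 3579, mandatory when EAP is carried in RADIUS) over the Access-Request, the receiving proxy verifies it, and the requester checks the Response Authenticator (RFC 2865) on the Access-Accept so that a forged reply from a third party is dropped. The Tunnel-* attributes in the demo carry the dynamic VLAN assignment the slide mentions. The secret, realm and VLAN name are constructed for the demo. MD5-based integrity is weak by today's standards, which is why inter-server RADIUS traffic is run over a secured tunnel rather than bare UDP across the Internet.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME = 1
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 3579: HMAC-MD5 over the packet
HEADER_LEN = 20                   # code(1) id(1) length(2) authenticator(16)


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, total length, value (max 253 bytes)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def _request_body(user_name: str, mac: bytes) -> bytes:
    return _attr(ATTR_USER_NAME, user_name.encode()) + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def build_access_request(identifier: int, user_name: str, secret: bytes,
                         request_auth: bytes = None) -> bytes:
    """Access-Request whose Message-Authenticator is HMAC-MD5(secret, packet)
    computed with the Message-Authenticator value itself set to 16 zero bytes."""
    request_auth = request_auth or os.urandom(16)      # Request Authenticator
    length = HEADER_LEN + len(_request_body(user_name, bytes(16)))
    header = struct.pack("!BBH16s", ACCESS_REQUEST, identifier, length, request_auth)
    mac = hmac.new(secret, header + _request_body(user_name, bytes(16)), hashlib.md5).digest()
    return header + _request_body(user_name, mac)


def parse_attributes(packet: bytes):
    """Return (type, value_offset, value) triples; reject inconsistent lengths."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, offset = [], HEADER_LEN
    while offset < len(packet):
        if offset + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, offset + 2, packet[offset + 2:offset + attr_len]))
        offset += attr_len
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Receiving proxy: accept the request only if the HMAC verifies under our secret."""
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    mas = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][1]) != 16:
        return False
    off, received = mas[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def build_access_accept(request: bytes, secret: bytes, attrs=()) -> bytes:
    """Reply with Response Authenticator = MD5(code|id|length|RequestAuth|attrs|secret)."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    prefix = struct.pack("!BBH", ACCESS_ACCEPT, request[1], HEADER_LEN + len(body))
    response_auth = hashlib.md5(prefix + request[4:20] + body + secret).digest()
    return prefix + response_auth + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Requester: the reply must match our outstanding request id and authenticator."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


# Dynamic VLAN assignment (RFC 2868): tag byte 0, Tunnel-Type 13 = VLAN,
# Tunnel-Medium-Type 6 = IEEE-802, group id = VLAN name. "guest" is constructed.
GUEST_VLAN_ATTRS = [(ATTR_TUNNEL_TYPE, b"\x00\x00\x00\x0d"),
                    (ATTR_TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),
                    (ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00guest")]

if __name__ == "__main__":
    secret = b"s3cret-between-servers"           # constructed shared secret
    req = build_access_request(7, "anonymous@example.nl", secret)
    print("request verifies:", verify_message_authenticator(req, secret))
    print("wrong secret:    ", verify_message_authenticator(req, b"other"))
    acc = build_access_accept(req, secret, GUEST_VLAN_ATTRS)
    print("accept verifies: ", verify_response(acc, req, secret))
```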

The eduroam policy

National policy (federation)
Mutual access
Members are connected institutions
The home institution is/remains responsible for its users' behaviour
The home institution is responsible for proper user management
Home and visited institutions must keep sufficient log data
Appropriate security levels

The European eduroam policy (confederation)
Mutual access
Home institutions are/remain responsible for their users abroad
Members are NRENs (national federations)
Members guarantee the required security levels of their participants
Members promote eduroam in their countries
European eduroam may peer with other regions

The status of eduroam

Status of eduroam
Over 500 institutions in Europe, Australia and Taiwan
New members: Lithuania, Romania, Hungary, China, Hong Kong, Cyprus
USA, Japan and Korea will follow shortly

eduroam
Provides global network roaming
Strong technical foundation:
– RADIUS
– 802.1X
– Lingua franca: EAP
Needs ubiquity

Joining eduroam

Joining eduroam for an NREN
Set up a RADIUS proxy server that:
– Accepts requests for *.cc-tld and forwards them to the right institution
– Accepts requests for non-*.cc-tld and forwards them to the European servers
Send an (encrypted) e-mail to the European eduroam operators with:
– FQDN of the top-level RADIUS server(s)
– IP addresses of the top-level RADIUS servers
– Shared secret to use between the European servers and the national server(s)
– URL of the national eduroam website
– Information about a test account
– Contact details of the admin
Sign the policy agreement

Joining eduroam for an institution
Set up your local 802.1X infrastructure:
– Accept requests for your-domain.cc-tld and process them
– Proxy requests for non-local users to the national server
Send an (encrypted) e-mail to your NREN with:
– FQDN of your RADIUS server(s)
– IP addresses of your RADIUS servers
– Shared secret to use between your and their server(s)
– URL of your eduroam website
– Information about a test account
– Contact details of the admin
Sign the policy document
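The routing rules in the two joining slides above (institution: handle your own realm, proxy the rest to the national server; NREN: *.cc-tld to the member institution, everything else to the European servers) are the RADIUS hierarchy from the guest-usage and architecture slides. The following is an added example, not code from these slides or from any eduroam server software, that implements those decisions on the realm part of the outer identity. It goes slightly beyond the slides in two ways a practitioner would want: a User-Name without a routable realm, or with a national realm no member has registered, is rejected at the proxy instead of being forwarded (forwarding it would let a request bounce between servers), and a request that has passed through too many proxies is dropped as a loop. All server names, realms and the hop limit are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# A realm is DNS-like: two or more labels of letters, digits and hyphens, matched
# case-insensitively. A single-label "realm" is never routable in the hierarchy.
REALM_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")

# Each proxy hop adds a Proxy-State attribute; more than this many means a loop.
MAX_HOPS = 8   # assumed limit, not an eduroam-defined value


def parse_nai(user_name: str) -> Optional[Tuple[str, str]]:
    """Split the outer identity (User-Name) into (user, realm).

    Only the realm after the last '@' is used for routing, so an anonymous outer
    identity such as "anonymous@example.nl" or "@example.nl" routes fine.
    Returns None when there is no usable realm.
    """
    if "@" not in user_name:
        return None
    user, realm = user_name.rsplit("@", 1)
    realm = realm.lower()
    if not REALM_RE.match(realm):
        return None
    return user, realm


@dataclass(frozen=True)
class Decision:
    action: str            # "local", "forward" or "reject"
    target: Optional[str]  # next-hop server for "forward", else None
    reason: str


def route_at_institution(user_name: str, own_realms: Set[str],
                         national_server: str, hops: int = 0) -> Decision:
    """Institution server: authenticate own realms locally, proxy all others upstream."""
    if hops > MAX_HOPS:
        return Decision("reject", None, "too many proxy hops (loop?)")
    nai = parse_nai(user_name)
    if nai is None:
        return Decision("reject", None, "no routable realm in User-Name")
    _, realm = nai
    if realm in {r.lower() for r in own_realms}:
        return Decision("local", None, "home user, check against the local user DB")
    return Decision("forward", national_server, f"guest from realm {realm}")


def route_at_nren(user_name: str, tld: str, institutions: Dict[str, str],
                  european_server: str, hops: int = 0) -> Decision:
    """National server: *.cc-tld goes to the registered institution, anything else
    to the European top-level servers. Unknown national realms are rejected here."""
    if hops > MAX_HOPS:
        return Decision("reject", None, "too many proxy hops (loop?)")
    nai = parse_nai(user_name)
    if nai is None:
        return Decision("reject", None, "no routable realm in User-Name")
    _, realm = nai
    if realm.endswith("." + tld.lower()):
        members = {k.lower(): v for k, v in institutions.items()}
        # Longest registered suffix wins, so sub.example.nl reaches example.nl's server.
        for registered in sorted(members, key=len, reverse=True):
            if realm == registered or realm.endswith("." + registered):
                return Decision("forward", members[registered], f"national realm {realm}")
        return Decision("reject", None, f"unknown national realm {realm}; not sent upstream")
    return Decision("forward", european_server, f"foreign realm {realm}")


if __name__ == "__main__":
    # Constructed routing tables for a fictitious .nl federation.
    members = {"example.nl": "radius.example.nl", "other.nl": "radius.other.nl"}
    for name in ["alice@example.nl", "bob@uni.de", "carol@sub.example.nl", "dave@unknown.nl", "eve"]:
        print(f"{name:22} institution -> {route_at_institution(name, {'example.nl'}, 'radius.nren.example')}")
        print(f"{name:22} NREN        -> {route_at_nren(name, 'nl', members, 'tlr.eu.example')}")
```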

Conclusions

Conclusions
802.1X provides secure, future-ready, scalable access to the campus network
Enabling eduroam is easy once 802.1X is in place
A handbook and (other) easy configuration examples are available
Many have already joined, so…

Join….

More information
eduroam in SURFnet –
eduroam in Europe –
TERENA TF-Mobility –
The unofficial IEEE 802.11 security page –