Authentication and Authorisation in eduroam Klaas Wierenga, AA Workshop TNC Lyngby, 20th May 2007.

Contents
- Intro eduroam
- AA requirements
- AA implementation
- Authorisation
- Summary

eduroam

The goal of eduroam: “open your laptop and be online”, or: to build an interoperable, scalable and secure authentication infrastructure that will be used all over the world, enabling seamless sharing of network resources.

eduroam enables (federated) network access
[Diagram: University A and University B, SURFnet as trusted third party, access point, user DB, guest]
A trusted third party exists that guarantees that both peers are ‘trustworthy’, which also allows for scalability.

AA requirements

AA Requirements
- “Reasonable security”
  - Not trying to solve every problem of the universe
- Uniquely identifying users at the edge of the network
- Local choice of authentication method
- Data integrity
  - Good identity management
  - No tampering with data
- Compliance with privacy regulations
  - No data “leakage”
- Verifiability
  - Monitoring
  - Logging
Source: JRA5 and TF-Mobility roaming requirements

AA implementation

Secure network access with 802.1X
[Diagram: supplicant, authenticator (AP or switch), RADIUS server at University A with user DB, Internet; data and signalling paths; Student, Guest and Employee VLANs assigned via 802.1X]

eduroam
[Diagram: guest supplicant, authenticator (AP or switch), RADIUS server University B, SURFnet central RADIUS proxy server, RADIUS server University A with user DB; data and signalling paths; Student, Guest and Employee VLANs assigned via 802.1X]
Trust based on RADIUS plus policy documents.

Tunneled authentication (PEAP/TTLS)
- Uses a TLS/SSL tunnel to protect data
- The TLS tunnel is set up using the server certificate, thus authenticating the server and preventing man-in-the-middle attacks
- The user sends his credentials through the secure tunnel to the server, thus authenticating the user
- Can use dynamic session keys for ‘in the air’ encryption
© Alfa&Ariss

eduroam architecture
- Security based on 802.1X (WEP/WPA/WPA2)
  - Identity-based networking
  - Using the Extensible Authentication Protocol (EAP) to allow for multiple authentication mechanisms
  - Mutual authentication (PEAP, TTLS, TLS)
  - Protection of credentials (tunneled authentication)
  - Layer 2
- Roaming based on RADIUS proxying
  - Remote Authentication Dial In User Service
  - Transport protocol for authentication information
  - Using shared secrets between peers
- Trust fabric based on:
  - RADIUS hierarchy
  - Policy
- Authentication ≈ Authorisation
  - RADIUS-attribute filtering
  - VLAN assignment
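As an added illustration (not code from the presentation), the two mechanisms this slide ties together: routing an Access-Request through the RADIUS hierarchy on the realm of the outer identity, and filtering the attributes of the reply before it reaches the visited institution's authenticator. The server names, realms and VLAN ids are constructed.

```python
HIERARCHY = {  # constructed: institution servers -> national proxy -> top-level proxy
    "radius.uni-a.nl": {"local": {"uni-a.nl"}, "children": {}, "parent": "proxy.nren.nl"},
    "radius.uni-b.nl": {"local": {"uni-b.nl"}, "children": {}, "parent": "proxy.nren.nl"},
    "proxy.nren.nl": {"local": set(), "parent": "tlr.eduroam.example",
                      "children": {"uni-a.nl": "radius.uni-a.nl", "uni-b.nl": "radius.uni-b.nl"}},
    "tlr.eduroam.example": {"local": set(), "children": {"nl": "proxy.nren.nl"}, "parent": None},
}
VLAN_ATTRS = {"Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID"}
LOCAL_GUEST_VLAN = "20"  # constructed: the visited institution's guest VLAN id

def realm_of(identity):
    """Proxies route on the realm of the outer identity (user@realm) only."""
    if "@" not in identity:
        return None  # no realm: cannot be routed, the visited server must reject
    return identity.rsplit("@", 1)[1].lower() or None

def next_hop(server, realm):
    """LOCAL if authoritative, a child on realm-suffix match, else the parent."""
    node = HIERARCHY[server]
    if realm in node["local"]:
        return "LOCAL"
    for suffix, child in node["children"].items():
        if realm == suffix or realm.endswith("." + suffix):
            return child
    return node["parent"]  # None at the top of the tree: unknown realm

def route(visited, identity, max_hops=8):
    """Servers an Access-Request traverses from the visited institution, or None."""
    realm = realm_of(identity)
    if realm is None:
        return None
    path = [visited]
    for _ in range(max_hops):
        hop = next_hop(path[-1], realm)
        if hop == "LOCAL":
            return path
        if hop is None:
            return None
        path.append(hop)
    return None  # hop limit: a request bouncing between proxies is dropped

def filter_accept(visited, identity, attrs):
    """Visited-institution policy on an Access-Accept: a VLAN chosen by the remote
    home server means nothing here, so replace it with the local guest VLAN."""
    if realm_of(identity) in HIERARCHY[visited]["local"]:
        return dict(attrs)  # local user: keep the VLAN the home server assigned
    cleaned = {k: v for k, v in attrs.items() if k not in VLAN_ATTRS}
    cleaned.update({"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                    "Tunnel-Private-Group-ID": LOCAL_GUEST_VLAN})
    return cleaned
```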

RadSec/DNSROAM
- RADIUS packet format
- Transport: TCP (or SCTP)
- Encryption: TLS (optional)
  - TLS => PKI
- DNSROAM combines RadSec with DNS for dynamically locating the peer
- RadSec RFC is being worked on
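An added example, not from the presentation, of the RADIUS packet layout that RadSec keeps unchanged, read back off a TCP byte stream (where, unlike UDP, only the Length field delimits packets), together with the shared-secret Response Authenticator check; the secret and attribute values are constructed.

```python
import hashlib, hmac, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME = 1  # attribute type code from the RADIUS dictionary

def encode(code, ident, authenticator, attrs):
    """Header Code(1) Id(1) Length(2) Authenticator(16), then Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(stream):
    """Take exactly one packet off a TCP byte stream.  Over UDP each datagram is one
    packet; over TCP only the Length field delimits them, so it is bounds-checked
    before use.  Returns (code, id, authenticator, attrs, rest) or None if incomplete."""
    if len(stream) < 20:
        return None  # wait for more bytes
    code, ident, length = struct.unpack("!BBH", stream[:4])
    if length < 20 or length > 4096:
        raise ValueError("malformed RADIUS length")
    if len(stream) < length:
        return None  # packet not yet complete
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or stream[pos + 1] < 2 or pos + stream[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((stream[pos], stream[pos + 2:pos + stream[pos + 1]]))
        pos += stream[pos + 1]
    return code, ident, stream[4:20], attrs, stream[length:]

def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + Id + Length + RequestAuth + Attributes + Secret)."""
    unsigned = encode(code, ident, request_auth, attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]

def verify_response(resp, request_auth, secret):
    """A peer without the shared secret cannot produce a valid Response Authenticator.
    Under RadSec the TLS session authenticates the peer and the secret is the fixed
    string "radsec" (RFC 6614), so this check no longer carries the trust."""
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])
```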

[Diagram: fully hierarchical; first mixed mode; later DNSROAM?]

‘Real’ Authorisation?

DAMe
- Deploying Authorization Mechanisms for Federated Services in eduroam
- DAMe is a project that builds upon:
  - eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard
  - Shibboleth and eduGAIN
  - NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) standards

1st: Extension of eduroam with authR
[Diagram: guest supplicant, authenticator (AP or switch), RADIUS server University B, eduroam central RADIUS proxy server, RADIUS server University A with user DB, XACML Policy Decision Point, SAML source / attribute authority; data and signalling paths]
User mobility controlled by assertions and policies expressed in SAML and XACML.

2nd: eduGAIN AuthN+AuthR backend
- Link between the AAA servers (now acting as Service Providers) and eduGAIN

3rd: Universal Single Sign On
- Users will be authenticated once, during the network access control phase
- The eduGAIN authentication would be bootstrapped from NAS-SAML
- New method for delivering authentication credentials and new security middleware
4th goal: integrating applications, focusing on grids.

Summary

- eduroam provides reasonable security
- AuthZ is reasonable and is slowly being improved
- AuthR is relatively weak but being worked upon (that is, we hope that the eduGAIN guys and girls will give it to us)
- Currently the main inhibitor is politics

Thank you! More info: