Federated Wireless Network Authentication. Kevin Miller, Duke University. Internet2 Joint Techs, Salt Lake City, February 2005.

Vision
Enable members of one institution to authenticate to the wireless network at another institution using their home credentials. Often called the “roaming scholar” problem in higher education. Wired networks are handled as well.

Framing the Solution
802.1x
– Often used with WPA or WPA2 (802.11i)
– Or a middlebox access controller
EAP authentication
– Exact EAP type selected by the home institution and deployed on its client machines
Phase 1: “simple” RADIUS peering
– Integration with the existing authn backend

Topics
Federations
Wireless Security
802.1x
Working Group Activities
– Project Plan: Phase 1, 2
– Timeline
– Deliverables
– Administrivia

Federations
Goals of federations
– Establish trust between entities
– Make assertions about identities (authenticate) and release attributes
– Protect user privacy through opaque user handles and controlled attribute release

Federations
All are relevant to FWNA
– Want to leverage federation trust mechanisms instead of sharing RADIUS keys
– Visited sites may want attributes about visiting users (e.g. type of user, mobile number)
– Control release of identifiable information

Potential Federations
Decentralized
School
School Systems
– State schools, local school districts, etc.
Regional consortia: GigaPoP / *REN
National consortia: Internet2
International: EduRoam
Government: ESNet, NSF, NASA
Industry

(Brief) History of Wireless Security
No RF security
WEP: RC4
– easily broken
WPA: TKIP/RC4
– many client and AP implementations
WPA2 / 802.11i: CCMP/AES
– client implementations still lacking
If deploying RF security, WPA as the minimum

Focused on 802.1x only?
Concentrate group resources on a single strategy
Focus on a standards-based solution that would provide a single interface for users
Enables authn and encryption at the edge
If necessary, the infrastructure could likely be reused for non-802.1x access

What about Wired?
802.1x on wired is easier than on wireless, so it all just works (no active roaming). We've just been saying wireless because it gets attention.

FWNA Project Plan
Work divided in two phases
Phase 1: RADIUS Hierarchy
– Initial solution to the problem
– Develop knowledge of relevant technology
– Understand interoperability issues
Relatively straightforward
– Exchange RADIUS keys
– Interface to existing authn systems using basic RADIUS mechanisms
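The Phase 1 hierarchy described above (and the “simple RADIUS peering” from the Framing slide) reduces to two mechanics: each pair of peers shares a RADIUS secret, and a proxy picks the next hop from the realm part of the User-Name. The following is an added example, not code from the FWNA project or this talk; the peer names, realm table and secrets are constructed for illustration. It builds an EAP-style Access-Request carrying a Message-Authenticator (HMAC-MD5, RFC 2869), has a regional proxy verify it under the downstream peer's secret, routes by longest-suffix realm match with a DEFAULT entry for the top-level server, and re-signs the forwarded packet under the upstream peer's secret.

```python
"""Phase 1 RADIUS hierarchy: realm routing with per-peer shared secrets (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1                # RFC 2865
ATTR_PROXY_STATE = 33             # RFC 2865
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869: HMAC-MD5 over the whole packet

# Constructed peering table for one regional proxy: realm suffix -> (peer name, shared secret).
# "DEFAULT" is the upstream top-level server that handles every realm this proxy does not know.
PEERS = {
    "duke.edu": ("duke-radius", b"duke-peer-secret"),
    "unc.edu": ("unc-radius", b"unc-peer-secret"),
    "DEFAULT": ("toplevel-radius", b"toplevel-peer-secret"),
}


def encode_attrs(attrs):
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def iter_attrs(packet):
    """Yield (type, value_offset, value) per attribute; reject malformed lengths."""
    i = 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute length")
        yield atype, i + 2, packet[i + 2:i + alen]
        i += alen


def build_access_request(identifier, authenticator, attrs, secret):
    """Encode an Access-Request and sign it with a trailing Message-Authenticator."""
    attrs = [a for a in attrs if a[0] != ATTR_MESSAGE_AUTHENTICATOR]
    attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))   # zero placeholder, last attribute
    body = encode_attrs(attrs)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def verify_message_authenticator(packet, secret):
    """True iff the packet carries a Message-Authenticator valid under `secret`."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    for atype, off, value in iter_attrs(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False   # EAP over RADIUS requires the attribute (RFC 3579); absence is a failure


def user_name(packet):
    for atype, _, value in iter_attrs(packet):
        if atype == ATTR_USER_NAME:
            return value.decode("utf-8")
    return None


def select_peer(nai, peers):
    """Longest-suffix realm match; unknown realms go to DEFAULT; no realm cannot be routed."""
    if "@" not in nai:
        return None
    labels = nai.rsplit("@", 1)[1].lower().split(".")
    for n in range(len(labels)):
        candidate = ".".join(labels[n:])
        if candidate in peers:
            return peers[candidate]
    return peers.get("DEFAULT")


def proxy_access_request(packet, inbound_secret, peers, proxy_id=b"regional-1"):
    """Verify the request from the downstream peer, pick the upstream by realm, re-sign for it."""
    if not verify_message_authenticator(packet, inbound_secret):
        raise PermissionError("bad Message-Authenticator: not from a known peer")
    nai = user_name(packet)
    if nai is None:
        raise ValueError("no User-Name: cannot route")
    peer = select_peer(nai, peers)
    if peer is None:
        raise ValueError("User-Name has no realm: reject locally, do not forward")
    name, secret = peer
    attrs = [(t, v) for t, _, v in iter_attrs(packet)]
    attrs.append((ATTR_PROXY_STATE, proxy_id))   # matched and stripped on the reply path
    return name, build_access_request(packet[1], packet[4:20], attrs, secret)


if __name__ == "__main__":
    nas_secret = b"nas-secret"   # constructed secret between the NAS and this proxy
    req = build_access_request(7, os.urandom(16), [(ATTR_USER_NAME, b"alice@cs.duke.edu")], nas_secret)
    hop, fwd = proxy_access_request(req, nas_secret, PEERS)
    print(hop, verify_message_authenticator(fwd, PEERS["duke.edu"][1]))
```

Two properties worth noting. Trust is strictly hop by hop: the Duke server only learns that the packet came from the regional proxy, never which NAS or visited site originated it, which is the weakness Phase 2's single-hop, federation-signed design is meant to remove. And the proxy routes on the outer User-Name only; with a tunnelled EAP method the outer identity can be an anonymous@realm handle, so realm routing works without exposing the real identity to intermediate hops.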

FWNA Phase 2
Phase 2: RADIUS Federation
– Leverage existing federations to enable single-hop RADIUS authentications
– Enable attribute release through federations
Requires development
– Interface with Shibboleth for authn and inter-site signing
– Single-hop server identification

Beyond authentication…
In many cases today, once authenticated, all users obtain the same level of service
FWNA is about identity discovery
We must be able to provision services separately from authn and attributes:
– Technical setup (IP address, QoS, ACL, etc.)
– Access policy
– Billing

Other Areas of Investigation
Real Time Diagnostics
– Determining the cause of an authn failure
– Requires additional inter-domain data exchange
Access Point Roaming
– Will cause re-authentication back to the home server (additional delay)
– Mitigated by 802.11i pre-authentication

FWNA Project Targets
Phase 1
– Top-level RADIUS server in operation: 1Q05
Phase 2
– Early experiments: 3Q05
– Operational system: 4Q05

Deliverables
Documents
– Architecture: 1Q05
– Phase 1 Engineering: 2/05
– Phase 1 System Documentation: ongoing
– Phase 2 Plan: 2Q05
Phase 1 System

Join the FWNA Group
Biweekly Conference Calls
– Thursday 11am-12pm: Feb 24, Mar 10
– internet2 list
– “subscribe salsa-fwna” to internet2