Presentation is loading. Please wait.

Presentation is loading. Please wait.

Networks ∙ Services ∙ People www.geant.org Tomasz Wolniewicz TNC15, Porto Supporting user privacy, security and ease of use in eduroam June 2015 PSNC &

Published byLucas McDonald Modified over 8 years ago

Similar presentations

Presentation on theme: "Networks ∙ Services ∙ People www.geant.org Tomasz Wolniewicz TNC15, Porto Supporting user privacy, security and ease of use in eduroam June 2015 PSNC &"— Presentation transcript:

1 Networks ∙ Services ∙ People www.geant.org Tomasz Wolniewicz TNC15, Porto Supporting user privacy, security and ease of use in eduroam June 2015 PSNC & Nicolaus Copernicus University, Poland Maja Górecka-Wolniewicz Stefan Winter RESTENA Fondation, Luxemburg

2 Networks ∙ Services ∙ People www.geant.org Our focus tools for making eduroam even safer and reliable Privacy aspects of eduroam Support tools for admins EAPlab – supplicant testing eduroam CAT RADIUS tests 2 Agenda

3 Networks ∙ Services ∙ People www.geant.org eduroam is very safe by design but requires that the user device is properly configured Anyone can set up a network called eduroam And if so, why should I care? Authentication credentials (typically username and password, possibly used also for application access) could be intercepted Internet traffic could be monitored by an untrusted network What are the safeguards? Device must be properly configured to ensure that it is talking to the user’s home server, therefore -WPA2-enterprise supplicant must capable of proper configuration -All security-related settings must be entered Device should behave properly when unexpected happens -No authentication attempts to unknown servers -Understandable warnings 3 Privacy aspects of eduroam – How can I be in danger?

4 Networks ∙ Services ∙ People www.geant.org Home server not responding possibly the network connection or the server is down, keep trying but do not: -ask the user for credentials -clear stored user's credentials Home server responding but access is denied perhaps the account was closed/suspended or the user's password has been changed or something wrong with the home server or the visited site is denying access for some reason -do ask for credentials Server name as delivered in the server certificate does not match the stored one or the certificate authority is not the one marked as trusted most likely a rouge eduroam network -do not attempt authentication -on manual connect – warn the user 4 Some typical issues users could encounter

5 Networks ∙ Services ∙ People www.geant.org Server certificate expired most likely an administrator error but never trust an expired certificate, so -do not attempt authentication -give a clear warning to the user Server certificate revoked good chance of a man-in-the-middle attack but requires network connection to spot can be detected before eduroam authentication if the device has an alternative connection -behave as in the case of a certificate missmatch can be detected after authentication when potential credentials leek has already happened -warn the user about a possible credentials compromise -mark this certificate as untrusted and do not connect again 5 Some less typical issues users could encounter

6 Networks ∙ Services ∙ People www.geant.org EAPlab – https://eaplab.supplicants.net Produced as one of the results of the GEANT3+ SENSE OpenCall subproject An EAP playground ideal for device testing eduroam CAT RADIUS tests Part of eduroam CAT administrator's interface Capable of spotting server misconfiguration and problems which can manifest themselves in the future 6 Available tools

7 Networks ∙ Services ∙ People www.geant.org 7 EAPlab – how does it work? one proxy server at the front server routes packets to back-end servers routing is realm-based and is directed by the UI and the EAPlab database

8 Networks ∙ Services ∙ People www.geant.org 8 EAPlab – how does it work? one proxy server at the front server routes packets to back-end servers routing is realm-based and is directed by the UI and the EAPlab database

9 Networks ∙ Services ∙ People www.geant.org RADIUS servers run in debug mode Output is filtered per realm Output can be presented as packet listing and saved to the disk Full debug output can be downloaded 9 EAPlab – how does it work?

10 Networks ∙ Services ∙ People www.geant.org Device testing Check if a device can be configured for 802.1X authentication Check device resilience against credential theft attacks Check if the device can handle expired and revoked certificates Device has problems connecting to your local network? Try if it connects at EAPlab. Supplicant development and testing Did you implement everything correctly? Test against more then one RADIUS implementation Did you consider all threats and made your supplicant safe? 10 EAPlab – usage scenarios

11 Networks ∙ Services ∙ People www.geant.org Fixed configs Three configurations differing by server certificates One username for authentication (password and certificate based) No scenario switching No server output Useful for bug reporting 11 EAPlab – a glance through pages

12 Networks ∙ Services ∙ People www.geant.org User account configuration EAPlab is registered in eduGAIN so for login you can use a federate account You can also use a Google account EAPlabs provides use certificates for EAP-TLS testing EAPlab provides a utility for taking notes of your tests and making the results available to others EAPlab provides it's own eduroam CAT instance so you can configure devices automatically and also use CAT RADIUS tests to cross-check the EAPlab environment 12 EAPlab – a glance through pages

13 Networks ∙ Services ∙ People www.geant.org User-specific configurations an individual realm two server implementations single CA and CA chain signing the server certificate support for PEAP, TTLS (PAP and MSCHAPv2), FAST, PWD and TLS access to 72 RADIUS server configurations a username of choice user certificates (three types) CAT installers available directly from EAPlab a database for storing test results 13 EAPlab – the testing fun – console

14 Networks ∙ Services ∙ People www.geant.org 18 test scenarios 14 EAPlab – the testing fun – console

15 Networks ∙ Services ∙ People www.geant.org RADIUS result available directly from the notes interface Go to the next test without leaving the notes 15 EAPlab – taking notes

16 Networks ∙ Services ∙ People www.geant.org One work package of SENSE: define quality measurement metrics for supplicants Assess supplicants against those metrics Metrics: 32 weighted criteria in categories UI, feature-completeness and security EAPlab was the reference platform to test against Seven supplicant implementations tested; some mainstream, some more exotic PrivatOS 1.0 (BlackPhone) Blackberry OS Android 5.0 Mac OS X 10.10 Windows 7 Windows 8.1 Windows Phone 8.1 16 In the field – evaluation of existing supplicants

17 Networks ∙ Services ∙ People www.geant.org Original plan: award a quality label to the upper end of evaluated set However: Only two supplicants passed all important security checks ( OS X, Win 8.1) Only one supplicant achieved score of more than 50% of possible (OS X) Lesson learned: the air is thin up there – no single supplicant is at a level where we’d want it to be War story: iOS does not support certificate validation by fingerprint MacOS X does Pop-up display looks almost identical except for the two lines about FPs It looks like “someone forgot” to add display of the SHA-1 fingerprint in UI We have filed new bug reports and/or voted for existing ones Vendors either do not react at all, or only very slowly Open Question: how can we get the industry to actually do something? 17 Supplicant assessment results

18 Networks ∙ Services ∙ People www.geant.org Incorrect configuration of eduroam servers may lead to problems for users Typical configuration issues Dynamic peer discovery improperly configured Server incorrectly configured for dynamic discovery Server certificate with problems which can demonstrate themselves with certain clients eduroam CAT provides testing tools capable of Checking if dynamic peer discovery has been configured and if so has it been done correctly Checking if servers configured for dynamic peer discovery properly respond to threats/misconfiguration coming form the peer Checking all details of server certificate and the whole trust chain Checking full authentication process with all authentication methods configured in CAT 18 Testing production eduroam servers

19 Networks ∙ Services ∙ People www.geant.org 19 CAT RADIUS tests – test through the eduroam infrastructure connection tests are run from the eduroam root servers fake user credentials are used server-provided information, mainly certificate information is studied and compared against the CAT profile settings many certificate imperfections can be spotted

20 Networks ∙ Services ∙ People www.geant.org 20 Server certificate details

21 Networks ∙ Services ∙ People www.geant.org 21 Some test results all good not so perfect certificates root CA cert in the chain incorrect server signature

22 Networks ∙ Services ∙ People www.geant.org 22 Tests using dynamic peer discovery Connection tests are run directly to the realm servers No authentication is performed, only TLS connection details are studied

23 Networks ∙ Services ∙ People www.geant.org 23 Full authentication / all EAPs tests Tests performed with a working account – please use a temporary test account! All configured EAP methods tested in parallel

24 Networks ∙ Services ∙ People www.geant.org 24 Message to eduroam admins Correct server certificate setup is very important for users' safety so be well informed and test your server The message you pass to your users is very important for their safety so test devices and stay informed

25 Networks ∙ Services ∙ People www.geant.org Thank you Networks ∙ Services ∙ People www.geant.org 25 https://eaplab.supplicants.net https://cat.eduroam.org HAVE FUN

Download ppt "Networks ∙ Services ∙ People www.geant.org Tomasz Wolniewicz TNC15, Porto Supporting user privacy, security and ease of use in eduroam June 2015 PSNC &"

Similar presentations

Inter WISP WLAN roaming

Inter WISP WLAN roaming
RadSec – A better RADIUS protocol

RadSec – A better RADIUS protocol
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.

CONFIDENTIAL © Copyright Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.
Extending ForeFront beyond the limit www.AGATSolutions.com TMGUAG ISAIAG AG Security Suite.

Extending ForeFront beyond the limit TMGUAG ISAIAG AG Security Suite.
Secure SharePoint mobile connectivity

Secure SharePoint mobile connectivity
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference 2006 9 th November, 2006.

Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference th November, 2006.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
14.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

14.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
(NHA) The Laboratory of Computer Communication and Networking Network Host Analyzer.

(NHA) The Laboratory of Computer Communication and Networking Network Host Analyzer.
TRIRIGA Anywhere 10.4 Beta Registration Steps

TRIRIGA Anywhere 10.4 Beta Registration Steps
RADIUS Secured and Authenticated WiFi Robert Leahy Charles Bodman Brandon Ellis.

RADIUS Secured and Authenticated WiFi Robert Leahy Charles Bodman Brandon Ellis.
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.

PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.
Technical Training: DIR-615

Technical Training: DIR-615

Similar presentations

Ads by Google