Networks ∙ Services ∙ People www.geant.org

Slide 1: Supporting user privacy, security and ease of use in eduroam
TNC15, Porto, June 2015
Tomasz Wolniewicz, Maja Górecka-Wolniewicz (PSNC & Nicolaus Copernicus University, Poland)
Stefan Winter (RESTENA Fondation, Luxembourg)
Slide 2: Agenda
Our focus: tools for making eduroam even safer and more reliable
- Privacy aspects of eduroam
- Support tools for admins
  - EAPlab – supplicant testing
  - eduroam CAT RADIUS tests
Slide 3: Privacy aspects of eduroam – how can I be in danger?
eduroam is very safe by design, but requires that the user device is properly configured.
Anyone can set up a network called eduroam. And if so, why should I care?
- Authentication credentials (typically username and password, possibly also used for application access) could be intercepted
- Internet traffic could be monitored by an untrusted network
What are the safeguards?
- The device must be properly configured to ensure that it is talking to the user's home server, therefore:
  - the WPA2-Enterprise supplicant must be capable of proper configuration
  - all security-related settings must be entered
- The device should behave properly when the unexpected happens:
  - no authentication attempts to unknown servers
  - understandable warnings
Slide 4: Some typical issues users could encounter
Home server not responding
- possibly the network connection or the server is down; keep trying, but do not:
  - ask the user for credentials
  - clear the user's stored credentials
Home server responding but access is denied
- perhaps the account was closed/suspended, or the user's password has been changed, or something is wrong with the home server, or the visited site is denying access for some reason
  - do ask for credentials
Server name as delivered in the server certificate does not match the stored one, or the certificate authority is not the one marked as trusted
- most likely a rogue eduroam network
  - do not attempt authentication
  - on manual connect, warn the user
Slide 5: Some less typical issues users could encounter
Server certificate expired
- most likely an administrator error, but never trust an expired certificate, so:
  - do not attempt authentication
  - give a clear warning to the user
Server certificate revoked
- good chance of a man-in-the-middle attack, but spotting it requires a network connection
- can be detected before eduroam authentication if the device has an alternative connection:
  - behave as in the case of a certificate mismatch
- can be detected after authentication, when a potential credentials leak has already happened:
  - warn the user about a possible credentials compromise
  - mark this certificate as untrusted and do not connect again
Slide 6: Available tools
EAPlab – https://eaplab.supplicants.net
- produced as one of the results of the GEANT3+ SENSE OpenCall subproject
- an EAP playground, ideal for device testing
eduroam CAT RADIUS tests
- part of the eduroam CAT administrator's interface
- capable of spotting server misconfiguration and problems which can manifest themselves in the future
Slide 7: EAPlab – how does it work?
- one proxy server at the front
- the proxy routes packets to back-end servers
- routing is realm-based and is directed by the UI and the EAPlab database
Slide 9: EAPlab – how does it work?
- RADIUS servers run in debug mode
- output is filtered per realm
- output can be presented as a packet listing and saved to disk
- full debug output can be downloaded
Slide 10: EAPlab – usage scenarios
Device testing
- check if a device can be configured for 802.1X authentication
- check device resilience against credential theft attacks
- check if the device can handle expired and revoked certificates
- device has problems connecting to your local network? Try whether it connects at EAPlab.
Supplicant development and testing
- did you implement everything correctly? Test against more than one RADIUS implementation
- did you consider all threats and make your supplicant safe?
Slide 11: EAPlab – a glance through pages
Fixed configs
- three configurations, differing by server certificates
- one username for authentication (password- and certificate-based)
- no scenario switching
- no server output
- useful for bug reporting
Slide 12: EAPlab – a glance through pages
User account configuration
- EAPlab is registered in eduGAIN, so for login you can use a federated account
- you can also use a Google account
- EAPlab provides user certificates for EAP-TLS testing
- EAPlab provides a utility for taking notes of your tests and making the results available to others
- EAPlab provides its own eduroam CAT instance, so you can configure devices automatically and also use CAT RADIUS tests to cross-check the EAPlab environment
Slide 13: EAPlab – the testing fun – console
User-specific configurations
- an individual realm
- two server implementations
- single CA and CA chain signing the server certificate
- support for PEAP, TTLS (PAP and MSCHAPv2), FAST, PWD and TLS
- access to 72 RADIUS server configurations
- a username of choice
- user certificates (three types)
- CAT installers available directly from EAPlab
- a database for storing test results
Slide 14: EAPlab – the testing fun – console
- 18 test scenarios
Slide 15: EAPlab – taking notes
- RADIUS result available directly from the notes interface
- go to the next test without leaving the notes
Slide 16: In the field – evaluation of existing supplicants
- one work package of SENSE: define quality measurement metrics for supplicants
- assess supplicants against those metrics
- metrics: 32 weighted criteria in the categories UI, feature-completeness and security
- EAPlab was the reference platform to test against
- seven supplicant implementations tested, some mainstream, some more exotic:
  - PrivatOS 1.0 (BlackPhone)
  - Blackberry OS
  - Android 5.0
  - Mac OS X 10.10
  - Windows 7
  - Windows 8.1
  - Windows Phone 8.1
Slide 17: Supplicant assessment results
Original plan: award a quality label to the upper end of the evaluated set
However:
- only two supplicants passed all important security checks (OS X, Win 8.1)
- only one supplicant achieved a score of more than 50% of the possible (OS X)
Lesson learned: the air is thin up there – no single supplicant is at a level where we'd want it to be
War story:
- iOS does not support certificate validation by fingerprint; Mac OS X does
- the pop-up display looks almost identical, except for the two lines about fingerprints
- it looks like "someone forgot" to add display of the SHA-1 fingerprint in the UI
We have filed new bug reports and/or voted for existing ones
- vendors either do not react at all, or only very slowly
Open question: how can we get the industry to actually do something?
Slide 18: Testing production eduroam servers
Incorrect configuration of eduroam servers may lead to problems for users
Typical configuration issues:
- dynamic peer discovery improperly configured
- server incorrectly configured for dynamic discovery
- server certificate with problems which only manifest themselves with certain clients
eduroam CAT provides testing tools capable of:
- checking if dynamic peer discovery has been configured and, if so, whether it has been done correctly
- checking if servers configured for dynamic peer discovery properly respond to threats/misconfiguration coming from the peer
- checking all details of the server certificate and the whole trust chain
- checking the full authentication process with all authentication methods configured in CAT
Slide 19: CAT RADIUS tests – test through the eduroam infrastructure
- connection tests are run from the eduroam root servers
- fake user credentials are used
- server-provided information, mainly certificate information, is studied and compared against the CAT profile settings
- many certificate imperfections can be spotted
Slide 20: Server certificate details
Slide 21: Some test results
- all good
- not so perfect certificates
- root CA cert in the chain
- incorrect server signature
Slide 22: Tests using dynamic peer discovery
- connection tests are run directly to the realm servers
- no authentication is performed; only TLS connection details are studied
Slide 23: Full authentication / all EAPs tests
- tests are performed with a working account – please use a temporary test account!
- all configured EAP methods are tested in parallel
Slide 24: Message to eduroam admins
- Correct server certificate setup is very important for users' safety, so be well informed and test your server
- The message you pass to your users is very important for their safety, so test devices and stay informed
Slide 25: Thank you
https://eaplab.supplicants.net
https://cat.eduroam.org
HAVE FUN