TF Mobility Group, 22nd September 2003
Deliverable G

A comparison of each national solution was made against Deliverable C ("requirements"). The following solutions were assessed:
– 802.1x based authentication solution.
– VPN based authentication solution.
– Variation to the VPN based authentication solution with client certificates.
– Web-based redirect authentication solution.
– Roamnode (PPPoE) authentication solution.
802.1x based authentication solution
– Layer 2 solution; the standard is still maturing, and some cheaper APs that support 802.1x are appearing on the market.
– Uses EAP or EAPOL.
– Uses RADIUS for authentication, authorisation and accounting.
– Can be scaled using a RADIUS proxy hierarchy to enable the visitor to authenticate at their home institution.
– Admin overhead involves loading an 802.1x client on mobile devices, RADIUS configuration and VLAN assignment.
– Non-802.1x client support offered via website support; may look into a general web-redirect authentication system.
– EAP-TLS and TTLS security support (with WPA, TKIP and 802.11i extensions).
– Accountability via RADIUS logging and user reports to the helpdesk (e.g. stolen mobile device).
VPN based authentication solution
– Layer 3 solution, mature standard.
– Can be scaled using an overlay network of assigned address space for VPN gateways, or control lists of VPN gateways.
– Admin overhead in loading a VPN client on mobile devices, configuration of VPN gateways, access lists and VLANs.
– Strong security via encrypted tunnels for each connection.
– Accountability via the user's home institution, as the user authenticates and gets their IP address from there; also reports to the helpdesk (e.g. stolen mobile device).

VPN based authentication solution with client certificates
– Admin overhead required to install client certificates on mobile devices and to maintain / manage a PKI.
Web based redirect authentication solution
– Requires a web browser supporting http or https; no additional client software is likely to be required.
– Uses RADIUS for authentication, authorisation and accounting.
– Can be scaled using a RADIUS proxy hierarchy, with authentication at the visiting user's home institution.
– Minimum admin overhead, as unknown authentication requests are forwarded back across the RADIUS proxy hierarchy.
– Less secure than the other authentication solutions, due to the web based login page used for authentication and no provision to prevent authorised users in a VLAN from seeing each other's traffic.
– Accountability via RADIUS logging and user reports to the helpdesk (e.g. stolen mobile device).
Roamnode (PPPoE) authentication solution
– Uses PPPoE.
– Decouples the process of establishing a physical network connection from establishing a logical network connection.
– Uses a RADIUS back end for the AAA service.
– Uses an overlay network for visiting users.
– Uses a VPN gateway via an IP-in-IP tunnel.
– Requires proprietary equipment at the home and visited institution, and client operating systems with PPPoE support.
– Accountability via RADIUS logging and user reports to the helpdesk (e.g. stolen mobile device).
Conclusion
– A European AAA based on one solution is not practical.
– A solution that supports the various national solutions is needed.

Recommendations: a phased development / testing approach
– Resolve scaling and interoperability issues for all AAA solutions (802.1x, VPN, VPN + PKI, web-based redirect, PPPoE).
– Consolidate findings into a trial report.
– Build and scale a RADIUS proxy hierarchy for non-VPN AAA.
– Conduct feasibility tests on creating a scalable VPN solution.
– Subject to feasibility, build the proposed VPN solution.
– Extend the solution to agree mechanisms for the exchange of credentials (e.g. PKI).
– Could extend to VPN if possible?
Revised Recommendations (as a result of discussions in Berlin): a phased development / testing approach
– Resolve scaling and interoperability issues for 802.1x, VPN, web-based redirect and PPPoE.
– Consolidate findings into a trial report.
– Build and scale a RADIUS proxy hierarchy for non-VPN AAA.
– Conduct feasibility tests on creating a scalable VPN solution.
– Subject to feasibility, build the proposed CASG solution.
– Extend to VPN in parallel.
– Work on software changes to PPPoE to facilitate roaming.
Update on inter-NREN tests

[Diagram: the RADIUS proxy hierarchy used in the inter-NREN tests]
– Top-level RADIUS proxy server: etlr1.radius.terena.nl (192.87.36.6); backup top-level RADIUS proxy server: etlr2.radius.terena.nl (195.169.131.2).
– National RADIUS proxy servers beneath the top-level proxies, each with organizational RADIUS servers (A to G) beneath it.
– Labels on the diagram: currently hosted at SURFnet; currently directly linked to the University of Southampton; currently linked to SURFnet, Netherlands; currently linked to FCCN, Portugal; currently linked to CARNET, Croatia.
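As an added example (not part of the presentation or of any NREN's software), the realm-based forwarding that the proxy hierarchy above relies on, in Python: a request for user@realm is answered locally, routed down by the longest matching realm suffix (country, then institution), or forwarded to the upstream proxy, and a hop limit stops a misconfigured realm from looping between proxies. Server names other than etlr1.radius.terena.nl, the realms, users and the hop limit are constructed.

```python
from dataclasses import dataclass, field
import hmac

MAX_HOPS = 6  # constructed limit: a request forwarded more often than this is treated as a proxy loop


@dataclass
class RadiusServer:
    name: str
    realms: set = field(default_factory=set)      # realms this node authenticates itself
    users: dict = field(default_factory=dict)     # constructed local user database: user -> password
    children: dict = field(default_factory=dict)  # realm suffix -> downstream server
    parent: "RadiusServer | None" = None          # upstream proxy; None at the top level

    def _local(self, user, password):
        stored = self.users.get(user)
        ok = stored is not None and hmac.compare_digest(stored, password)
        return "Access-Accept" if ok else "Access-Reject"

    def handle(self, user, password, hops=0):
        """Return (verdict, path); path lists the servers traversed, i.e. the audit trail for logging."""
        path = [self.name]
        if hops > MAX_HOPS:
            return "Access-Reject", path
        realm = user.rsplit("@", 1)[1].lower() if "@" in user else None
        if realm is None or realm in self.realms:
            return self._local(user, password), path
        # Route downward on the longest matching realm suffix (country, then institution).
        for suffix in sorted(self.children, key=len, reverse=True):
            if realm == suffix or realm.endswith("." + suffix):
                verdict, rest = self.children[suffix].handle(user, password, hops + 1)
                return verdict, path + rest
        if self.parent is None:  # top level and no route: nobody can authenticate this realm
            return "Access-Reject", path
        verdict, rest = self.parent.handle(user, password, hops + 1)
        return verdict, path + rest


def link(parent, suffix, child):
    parent.children[suffix] = child
    child.parent = parent
    return child


def build_hierarchy():
    """Constructed topology mirroring the slide: one top-level proxy, national proxies, org servers."""
    top = RadiusServer("etlr1.radius.terena.nl")
    nl = link(top, "nl", RadiusServer("national-proxy-nl"))
    pt = link(top, "pt", RadiusServer("national-proxy-pt"))
    link(nl, "uni-a.nl", RadiusServer("org-a", {"uni-a.nl"}, {"alice@uni-a.nl": "alice-pw"}))
    link(pt, "uni-b.pt", RadiusServer("org-b", {"uni-b.pt"}, {"bob@uni-b.pt": "bob-pw"}))
    link(nl, "uni-c.nl", RadiusServer("org-c"))  # misconfigured: registered for a realm it does not serve
    return top, nl, pt
```

The returned path is what the RADIUS logs on each hop would record, which is the accountability trail the slides rely on for helpdesk reports.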