Presentation is loading. Please wait.

Presentation is loading. Please wait.

WLAN Roaming for the European Scientific Community: Lessons Learned , June 9 th, 2004 Carsten Bormann Niels Pollem reporting on the work of TERENA.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "WLAN Roaming for the European Scientific Community: Lessons Learned , June 9 th, 2004 Carsten Bormann Niels Pollem reporting on the work of TERENA."— Presentation transcript:

1 WLAN Roaming for the European Scientific Community: Lessons Learned , June 9 th, 2004 Carsten Bormann Niels Pollem reporting on the work of TERENA TF Mobility http://www.terena.nl/mobility/

2 2 Outline  WLAN access control and security  How does inter-domain roaming work  Roaming on a European scale  How to integrate solutions at the site level  Conclusion

3 3 WLAN Security: Requirements  Confidentiality (Privacy): Nobody can understand foreign traffic Insider attacks as likely as outsiders'  Accountability: We can find out who did something Prerequisite: Authentication

4 4 (2003:) Security is rarely easy

5 5 (2004:) solved 

6 6 (2004:) or maybe not? 

7 7 WLAN Security: Approaches  AP-based Security: AP is network boundary WEP (broken), WEP fixes, WPA, … 802.1X (EAP variants + RADIUS) + 802.11i  Network based Security: deep security VPNs needed by mobile people anyway  SSH, PPTP, IPsec Alternative: Web-diverter (temporary MAC/IP address filtering)  No confidentiality at all, though

8 8 Intranet X Access network Campus network world Routers RADIUS Server(s).1X

9 9 WLAN Access Control: Why 802.1X is better  802.1X is taking over the world anyway  The EAP/XYZ people are finally getting it right Only 5 more revisions before XYZ wins wide vendor support  Available for more and more systems (Windows 2000 up)  Distribute hard crypto work to zillions of access points  Block them as early as possible More control to visited site admin, too!  Most of all: It just works™

10 10 Intranet X Docking network Campus network world VPN-Gateways DHCP, DNS, free Web VPN

11 11 WLAN Access Control: Why VPN is better  Historically, more reason to trust L3 security than L2 IPSec has lots of security analysis behind it  Can use cheap/dumb APs  Available for just about everything (Windows 98, PDA etc.)  Easy to accommodate multiple security contexts Even with pre-2003 infrastructure Data is secure in the air and up to VPN gateway  Most of all: It just works™

12 12 Intranet X Docking network Campus network world Access Control Device DHCP, DNS, free Web Web redirect Web

13 13 WLAN Access Control: Why Web-based filtering is better  No client software needed (everybody has a browser)  Ties right into existing user/password schemes  Can be made to work easily for guest users It’s what the hotspots use, so guest users will know it already May be able to tie in with Greenspot etc.  Privacy isn’t that important anyway (use TLS and SSH)  Accountability isn’t that important anyway  Most of all: It just works™

14 From Access Control to Roaming

15 15 Roaming: High-level requirements Objective: Enable NREN users to use Internet (WLAN and wired) everywhere in Europe  with minimal administrative overhead (per roaming)  with good usability  maintaining required security for all partners

16 16 Inter-domain 802.1X RADIUS server Institution B RADIUS server Institution A Internet Central RADIUS Proxy server Authenticator (AP or switch) User DB Supplicant Guest piet@institution_b.nl Student VLAN Guest VLAN Employee VLAN HomeVisited e.g., @NREN

17 17 Web-based with RADIUS

18 18 Intranet X Docking network Campus Network G-WiN VPN-Gateways DHCP, DNS, free Web Intranet X Docking network Campus Network G-WiN VPN-Gateways DHCP, DNS, free Web VPN SWITCHmobile – VPN solution deployed at 14+ universities and other sites across Switzerland. Wbone – VPN roaming solution to 4 universities / colleges in state of Bremen. Clients enter the Internet through home network/gateway.

19 19 Wbone interconnecting docking networks R Briteline Uni Bremen 172.21/16 HS Bremen 172.25/16 HfK HS Brhv. 10.28.64/18 IPSec Cisco IPSec/PPTP/SSH Linux IPSec Cisco PPTP Linux IPSec Cisco PPTP Linux PPTP Linux PPTP Linux AWI extend to other sites...

20 Making roaming work on a European scale

21 21 FCCN RADIUS Proxy servers connecting to a European level RADIUS proxy server UKERNA SURFnet FUNET DFN CARnet European RADIUS hierarchy CESnet RedIRIS UNI-C GRnet

22 22 The CASG  Separate docking networks from controlled address space for gateways (CASG)  Hosts on docking networks can freely interchange packets with hosts in the CASG Easy to accomplish with a couple of ACLs  All VPN gateways get an additional CASG address Hmm, problem with some Cisco concentrators inetnum: 193.174.167.0 - 193.174.167.255 netname: CASG-DFN descr: DFN-Verein descr: Stresemannstrasse 78 descr: 10963 Berlin country: DE admin-c: MW238 tech-c: JR433 tech-c: KL565 status: ASSIGNED PA mnt-by: DFN-LIR-MNT changed: poldi@dfn.de 20040603 source: RIPE

23 23 Intranet X Docking network Campus Network G-WiN VPN-Gateways DHCP, DNS, free Web Access controller Intranet X Docking network Campus Network G-WiN VPN-Gateways DHCP, DNS, free Web Access controller Intranet X Docking network Campus Network G-WiN VPN-Gateways DHCP, DNS, free Web Access controller The big bad Internet CASG

24 24 CASG allocation  Back-of-the-Envelope: 1 address per 10000 population E.g.,.CH gets ~600, Bremen gets ~60  Allocate to minimize routing fragmentation May have to use some tunneling/forwarding  VPN gateway can have both local and CASG address

25 25 The CASG Pledge  I will gladly accept any packet There is no such thing as a security incident on the CASG  I will not put useful things in the CASG People should not be motivated to go there except to authenticate or use authenticated services  I will help manage the prefix space to remain stable

26 How to integrate all these at the site level?

27 27 Commonalities  802.1X Secure SSID RADIUS  Web-based captive portal Open SSID RADIUS  VPN-based Open SSID No RADIUS } Docking net (open SSID) RADIUS backend }

28 28 How can I help... as a home institution Implement the other backend:  As a RADIUS-based site Implement a CASG VPN gateway (or subscribe to an NREN one) Provide the right RADIUS for all frontends  As a VPN site Run a RADIUS server  Help the users try and debug their roaming setup while at home (play visited site)

29 29 How can I help... as a visited institution Implement the other frontend:  As a docking network site Implement the other docking appraoch:  CASG access or Web-diverter Implement a 802.1X SSID (“eduroam”) in addition to open SSID  As an 802.1X site Implement an open SSID with CASG access and Web-diverter  Your local users will like it, too Maybe too much…

30 30 Network layout with multiple SSID’s and VLAN assignment

31 31 Network layout without multiple SSID’s and VLAN assignment

32 Doing the plumbing

33 33 Default router in docking net  Default route points to access control device: ip route 0.0.0.0 0.0.0.0 172.21.3.11  CASG routes point to CASG router ip route 193.174.167.0 255.255.255.0 172.21.3.250

34 34 CASG router ip access-list extended casg-out permit ip 193.174.167.0 0.0.0.255 any deny ip any any ip access-list extended casg-in permit ip any 193.174.167.0 0.0.0.255 deny ip any any interface Vlan86 ip address 172.21.3.250 255.255.0.0 ip access-group casg-in in ip access-group casg-out out ip nat inside

35 35 What if docking net is RFC1918?  Maximum compatibility with an address-based NAT: ip access-list standard docking-addr permit 172.21.0.0 0.0.255.255 ! ip nat translation timeout 1800 ip nat pool dn 134.102.216.1 134.102.216.250 netmask 255.255.255.0 ip nat inside source list docking-addr pool dn

36 So where are we?

37 37 Fun little issues  1/3 of Bremen‘s 432 Cisco 340 APs can't do VLANs Ethernet interface hardware MTU issue  Some client WLAN drivers are erratic in the presence of multi-SSID APs  Can't give university IP addresses to roamers Too many university-only services are “authenticated” on IP address Address pool must be big enough for flash crowds  CASG space is currently allocated on a national level So there will be a dozen updates before CASG is stable

38 38 Conclusions  It is possible to create a fully interoperable solution  It’s not that hard: especially when you use TF mobility’s deliverable H to guide you  Re-evaluate solutions in a couple of years TF mobility is going for a second term to help  Integration approach also provides an easy upgrade path E.g., add 802.1X to docking-only site

39 39 Conclusions  It is possible to create a fully interoperable solution  It’s not that hard especially when you use TF mobility’s deliverable H to guide you  Re-evaluate solutions in a couple of years TF mobility is going for a second term to help  Integration approach also provides an easy upgrade path E.g., add 802.1X to docking-only site Go for it http://www.terena.nl/mobility/

Download ppt "WLAN Roaming for the European Scientific Community: Lessons Learned , June 9 th, 2004 Carsten Bormann Niels Pollem reporting on the work of TERENA."

Similar presentations

Inter WISP WLAN roaming

Inter WISP WLAN roaming
Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Terena Mobility Taskforce update Klaas Wierenga SURFnet.

Terena Mobility Taskforce update Klaas Wierenga SURFnet.
Licia Florio EUNIS05, Manchester 1 Eduroam EUNIS Conference, June 22 2005 Licia Florio.

Licia Florio EUNIS05, Manchester 1 Eduroam EUNIS Conference, June Licia Florio.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 High-performance Gigabit Ethernet ports rapidly transfer large files supporting.

© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 High-performance Gigabit Ethernet ports rapidly transfer large files supporting.
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
TF Mobility Group 22nd September 20031 A comparison of each national solution was made against Del C – “requirements”, the following solutions were assessed.

TF Mobility Group 22nd September A comparison of each national solution was made against Del C – “requirements”, the following solutions were assessed.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
10 October 2003 Internet2 members meeting 1 An update on the work of JANET Wireless Advisory Group & The Terena Mobility Taskforce James Sankar UKERNA.

10 October 2003 Internet2 members meeting 1 An update on the work of JANET Wireless Advisory Group & The Terena Mobility Taskforce James Sankar UKERNA.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
5/25/2015 AEB/Yleisesittely Roaming network access using Shibboleth in University of Helsinki Fall 2004 Internet2 Member Meeting 29th of September, 2004.

5/25/2015 AEB/Yleisesittely Roaming network access using Shibboleth in University of Helsinki Fall 2004 Internet2 Member Meeting 29th of September, 2004.
EduRoam ESA workshop 17 December 2004 Utrecht.

EduRoam ESA workshop 17 December 2004 Utrecht.
Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference 2006 9 th November, 2006.

Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference th November, 2006.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Network Access and 802.1X Klaas Wierenga SURFnet

Network Access and 802.1X Klaas Wierenga SURFnet
High-quality Internet for higher education and research Federated network access with Klaas Wierenga SURFnet Ljubljana, April.

High-quality Internet for higher education and research Federated network access with Klaas Wierenga SURFnet Ljubljana, April.
Wbone: WLAN Roaming Based on Deep Security Zagreb, May 22 nd, 2003 Carsten Bormann Niels Pollem with a lot of help from TERENA TF Mobility.

Wbone: WLAN Roaming Based on Deep Security Zagreb, May 22 nd, 2003 Carsten Bormann Niels Pollem with a lot of help from TERENA TF Mobility.

Similar presentations

Ads by Google