Slide 1: High-quality Internet for higher education and research
Paul Dekkers, April 4th, Turkey

Slide 2: Contents
From 802.1x to eduroam
– Refresher
– Background
– Considerations
– Solutions: 802.1x, eduroam

Slide 3: Refresher: WLAN
– Every wireless network has a name: an (in)visible SSID (Service Set Identifier)
– Access / encryption with "keys": WEP (Wired Equivalent Privacy), WPA (with pre-shared key)
– 802.11 ("wireless Ethernet", MAC layer); 802.11b, 802.11g, 802.11a (radio layer, channels)
Slide 4: Background
– Traditional WLAN is not safe: who uses the network? (abuse, limiting the user group); are people eavesdropping? (no physical boundaries)
– How do we provide access to guests? Distribution of "secrets" (the WEP key)?

Slide 5: Traditional WLANs are unsafe
Even with:
– Non-broadcast SSID
– MAC-address restrictions
– WEP (Wired Equivalent Privacy)

Slide 6: Users are mobile
[Diagram: a student moves between a dormitory (access provider, ADSL), University A WLAN, University B WLAN, an access provider WLAN and GPRS/UMTS; all reach the Internet backbone through international connectivity]

Slide 7: Requirements
– Identify users uniquely at the edge of the network (no session hijacking)
– Enable guest usage
– Scalable: local user administration and authentication
– Easy to install and use: at most a one-time installation by the user
– Open
– Secure

Slide 8: Solutions for guest usage
– Web-based captive portal: scalable, not safe (no encryption, session hijacking)
– VPN/PPPoE: safe path, not scalable
– 802.1x: scalable, safe; security at the edge of the network
802.1x is the basis for the next-generation standards (WPA-Enterprise, 802.11i)
Slide 9: Secure access to the network with 802.1X
[Diagram: the supplicant (jan@student.university_a.nl) talks 802.1X to the authenticator (AP or switch); the signaling path goes to the RADIUS server of University A with its user DB, the data path to the Internet; the RADIUS reply assigns the port to the Student, Commercial or Employee VLAN (VLAN assignment)]

Slide 10: 802.1x and EAP (Extensible Authentication Protocol)
– Different EAP types; the (home) organization decides which type
– EAP types with SSL/TLS: "mutual authentication"; encryption keys are derived from the SSL session
– EAP is transported and proxied in RADIUS

Slide 11: Common EAP types
– EAP-TLS: strong authentication with a client certificate
– EAP-TTLS: DIAMETER/RADIUS attributes (e.g. username/password in PAP) inside a TLS tunnel; usable with all username/password backends
– EAP-PEAP: Microsoft implementation with username/password via MSCHAPv2; easily deployable with AD
– EAP-FAST: username/password authentication the Cisco way; roll-out is more complex, uses no SSL/TLS
– EAP-SIM: strong authentication using the SIM of your phone...
– LEAP and EAP-MD5 are old and weak

Slide 12: Guest usage: eduroam!
[Diagram: the supplicant of guest user@institution-B.nl connects to the authenticator (AP or switch) at institution A; the RADIUS server of institution A forwards the request over a secured tunnel to the central RADIUS proxy server on the Internet, which forwards it to the RADIUS server of institution B and its user DB; the visited network has a regular VLAN and a guest VLAN]
Trust is based on RADIUS plus policy documents
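The following is an added example, not code from the presentation or from any eduroam software. It shows how the dynamic VLAN assignment of slide 9 travels in the RADIUS Access-Accept (the tunnel attributes of RFC 3580: Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=vlan id) and how an authenticator at a visited site should treat a roaming guest from slide 12: a guest lands in the local guest VLAN regardless of what the home server returned, because VLAN numbers only have meaning inside the home network. The user groups, VLAN numbers and the toy user database are constructed for illustration.

```python
"""Dynamic VLAN assignment over RADIUS, as used with 802.1X.

Added example, not code from the presentation or from any eduroam software.
The home RADIUS server returns the user's VLAN in the Access-Accept using the
tunnel attributes defined in RFC 3580; the authenticator (AP or switch) at the
visited site decides which VLAN the port actually gets. User groups, VLAN ids
and the user database below are constructed for illustration.
"""

# Attribute numbers (RFC 2868) and the values RFC 3580 uses for VLAN assignment
TUNNEL_TYPE = 64              # Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65       # Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81  # Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13         # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6    # Tunnel-Medium-Type value "802"

# Constructed user database of the home institution: group per user
USER_GROUPS = {
    "jan": "student",
    "piet": "employee",
    "acme-contractor": "commercial",
}

# Constructed VLAN plan of the home institution (slide 9: student/commercial/employee VLAN)
GROUP_VLAN = {"student": 100, "employee": 200, "commercial": 300}


def access_accept_attributes(user):
    """Home server side: build the VLAN attributes for the Access-Accept.
    Returns None (meaning Access-Reject) for a user that is not in the database."""
    group = USER_GROUPS.get(user)
    if group is None:
        return None
    return {
        TUNNEL_TYPE: TUNNEL_TYPE_VLAN,
        TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_IEEE_802,
        TUNNEL_PRIVATE_GROUP_ID: str(GROUP_VLAN[group]),
    }


def port_vlan(attrs, is_guest, local_vlans, default_vlan, guest_vlan):
    """Authenticator side: pick the VLAN for the authenticated port.

    A roaming guest (slide 12) is always placed in the visited site's guest VLAN,
    whatever the home server returned. A local user gets the VLAN from the
    attributes if the RFC 3580 triple is well-formed and the VLAN exists on this
    switch; otherwise the default VLAN. None means the port stays unauthorized."""
    if attrs is None:
        return None  # Access-Reject: no network access at all
    if is_guest:
        return guest_vlan
    if (attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or attrs.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802):
        return default_vlan  # not a VLAN assignment; ignore the group id
    try:
        vlan = int(attrs.get(TUNNEL_PRIVATE_GROUP_ID, ""))
    except ValueError:
        return default_vlan  # this toy switch only understands numeric VLAN ids
    if not 1 <= vlan <= 4094 or vlan not in local_vlans:
        return default_vlan  # never put a port in a VLAN this switch does not serve
    return vlan


if __name__ == "__main__":
    local = {1, 100, 200}
    for user in ("jan", "acme-contractor", "nobody"):
        attrs = access_accept_attributes(user)
        print(user, attrs, "->", port_vlan(attrs, False, local, 1, 999))
    print("guest from elsewhere ->", port_vlan(access_accept_attributes("jan"), True, local, 1, 999))
```

The `local_vlans` check is the part that matters operationally: a home server's attribute is just a number, so the authenticator must validate it against the VLANs it actually serves before applying it, and a visited site must not honour it at all for guests.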
Slide 13: eduroam: (inter)national roaming

Slide 14: eduroam architecture
Security based on 802.1X
– Protection of credentials: EAP
– New technologies (WPA, 802.11i) are based on 802.1x
– Different authentication mechanisms are possible by using EAP (Extensible Authentication Protocol): username/password, X.509 certificates, SIM cards
– Dynamic VLAN assignment
Roaming based on RADIUS proxying
– Remote Authentication Dial In User Service
– Transport protocol for authentication information
Trust fabric based on:
– Technical: RADIUS hierarchy
– Policy: documents/contracts that define the responsibilities of user, institution, NREN and the eduroam federation

Slide 15: The eduroam policy

Slide 16: National policy (federation)
– Mutual access
– Members are connected institutions
– The home institution is/remains responsible for its users' behaviour
– The home institution is responsible for proper user management
– Home and visited institution must keep sufficient log data
– Appropriate security levels
Slide 17: The European eduroam policy (confederation)
– Mutual access
– Home institutions are/remain responsible for their users abroad
– Members are NRENs (national federations)
– Members guarantee the required security levels of their participants
– Members promote eduroam in their countries
– European eduroam may peer with other regions

Slide 18: The status of eduroam

Slide 19: Status of eduroam
– Over 500 institutions in Europe, Australia and Taiwan
– New members: Lithuania, Romania, Hungary, China, Hong Kong, Cyprus
– USA, Japan and Korea will follow shortly

Slide 20: eduroam
– Provides global network roaming
– Strong technical foundation: RADIUS, 802.1X, lingua franca: EAP
– Needs ubiquity

Slide 21: Joining eduroam

Slide 22: Joining eduroam for an NREN
Set up a server that proxies as follows:
– Accept requests for *.cc-tld and forward them to the right institution
– Accept requests for non-*.cc-tld realms and forward them to the European servers
Send an (encrypted) e-mail to join@eduroam.org with:
– FQDN of the top-level RADIUS server(s)
– IP addresses of the top-level RADIUS servers
– Shared secret to use between the European servers and the national server(s)
– URL of the national eduroam website
– Information about a test account
– Contact details of the admin
Sign the policy agreement

Slide 23: Joining eduroam for an institution
Set up your local 802.1X infrastructure:
– Accept requests for your-domain.cc-tld and process them
– Proxy requests for non-local users to the national server
Send an (encrypted) e-mail to your NREN with:
– FQDN of your top-level RADIUS server(s)
– IP addresses of your top-level RADIUS servers
– Shared secret to use between your and their server(s)
– URL of your eduroam website
– Information about a test account
– Contact details of the admin
Sign the policy document
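The following is an added example, not code from the presentation or from any eduroam project. It models the forwarding rules of slides 22 and 23 as a realm-routing decision: an institution server authenticates its own realm(s) and proxies everything else to the national server; the national server forwards *.cc-tld realms to the owning institution and every other realm to the European top-level server, which routes on the country-code TLD. The server names, realms and topology are constructed; the shared secrets per hop that the slides ask for are not modelled.

```python
"""Realm-based request routing for the eduroam RADIUS hierarchy.

Added example, not code from the presentation or from any eduroam project.
Models slides 22 and 23: institution -> national (NREN) -> European server.
Server names, realms and the topology below are constructed for illustration.
"""


def parse_realm(outer_identity):
    """Split 'user@realm' into (user, realm). The realm is lower-cased and a
    trailing dot removed; realm is None when the identity carries no '@'."""
    if "@" not in outer_identity:
        return outer_identity, None
    user, _, realm = outer_identity.rpartition("@")
    realm = realm.strip().lower().rstrip(".")
    return user, (realm or None)


class RadiusProxy:
    """One node in the hierarchy: role is 'institution', 'national' or 'european'."""

    def __init__(self, name, role, own_realms=(), cc_tld=None, table=None, upstream=None):
        self.name = name
        self.role = role
        self.own_realms = {r.lower() for r in own_realms}   # realms authenticated here
        self.cc_tld = cc_tld.lower() if cc_tld else None    # e.g. 'nl' for the Dutch server
        self.table = {k.lower(): v for k, v in (table or {}).items()}  # realm or tld -> server
        self.upstream = upstream                              # next server up the tree

    def route(self, outer_identity):
        """Return ('local', None), ('forward', server_name) or ('reject', reason)."""
        _, realm = parse_realm(outer_identity)
        if realm is None or "." not in realm:
            # No routable realm: reject rather than guess a home server
            return "reject", f"unroutable realm in {outer_identity!r}"
        if self.role == "institution":
            if realm in self.own_realms:
                return "local", None
            return "forward", self.upstream             # everything else: national server
        if self.role == "national":
            if realm.endswith("." + self.cc_tld):
                target = self.table.get(realm)
                if target is None:
                    return "reject", f"unknown institution realm {realm}"
                return "forward", target
            return "forward", self.upstream             # non *.cc-tld: European server
        if self.role == "european":
            target = self.table.get(realm.rsplit(".", 1)[-1])
            if target is None:
                return "reject", f"no federation for realm {realm}"
            return "forward", target
        return "reject", f"unknown role {self.role}"


def build_demo_hierarchy():
    """Constructed topology: two Dutch institutions, the Dutch and German
    national servers (the German table is empty) and one European server."""
    servers = [
        RadiusProxy("uni-a", "institution", own_realms=["university-a.nl"], upstream="nl-national"),
        RadiusProxy("uni-b", "institution", own_realms=["institution-b.nl"], upstream="nl-national"),
        RadiusProxy("nl-national", "national", cc_tld="nl",
                    table={"university-a.nl": "uni-a", "institution-b.nl": "uni-b"},
                    upstream="eu-top"),
        RadiusProxy("de-national", "national", cc_tld="de", table={}, upstream="eu-top"),
        RadiusProxy("eu-top", "european", table={"nl": "nl-national", "de": "de-national"}),
    ]
    return {s.name: s for s in servers}


def trace(outer_identity, start, servers, max_hops=5):
    """Follow an Access-Request from `start` through the hierarchy and return
    the names of the servers visited, ending in 'local' or 'reject'. The hop
    limit stands in for the loop protection a real proxy needs, so a
    misconfigured table cannot bounce a request around forever."""
    node = servers[start]
    path = [node.name]
    for _ in range(max_hops):
        decision, target = node.route(outer_identity)
        if decision != "forward":
            path.append(decision)
            return path
        node = servers[target]
        path.append(node.name)
    path.append("reject")  # hop limit exceeded
    return path


if __name__ == "__main__":
    S = build_demo_hierarchy()
    for identity in ("jan@university-a.nl", "guest@institution-b.nl",
                     "someone@example.de", "x@foo.xx", "noatsign"):
        print(identity, "->", " > ".join(trace(identity, "uni-a", S)))
```

Two choices in the routing are worth noting. An identity without a routable realm is rejected at the first hop instead of being sent to some default home server, and the national server rejects an unknown *.cc-tld realm rather than forwarding it upwards, so a request can never circle back into the national tree from the European server.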
Slide 24: Conclusions

Slide 25: Conclusions
– 802.1X provides secure, future-ready, scalable access to the campus network
– Enabling eduroam is easy once 802.1X is in place
– A handbook and (other) easy configuration examples are available
– Many have already joined, so...

Slide 26: Join....

Slide 27: More information
– eduroam in SURFnet: http://www.eduroam.nl
– eduroam in Europe: http://www.eduroam.org
– TERENA TF-Mobility: http://www.terena.nl/mobility
– The unofficial IEEE 802.11 security page: http://www.drizzle.com/~aboba/IEEE