Michal Procházka, Jan Oppolzer (michalp@ics.muni.cz, jan.oppolzer@cesnet.cz), CESNET
Michal Procházka
- Senior researcher at Masaryk University
- Member of the AAI department at CESNET
- Member of AAI task forces: ELIXIR, EGI
- Participating in the GÉANT GN4-1 project
- More than 8 years of experience in IT security and AAI
Jan Oppolzer
- Head of the eduID.cz federation operator
- Deputy head of the AAI department at CESNET
- eduGAIN steering group delegate
- Shibboleth v3 expert
Goal of the training
At the end of the day you should:
- Understand how eduroam works
- Know what the benefits are
- Know how to set up eduroam in your country and institutions
- Ask questions
Outline
- Survey
- What is it?
- How does it work?
- eduroam and the NREN
- eduroam and the organization
- Requirements
- Production
Survey
- How many NRENs?
- How many organizations?
- How many Linux administrators?
What is it?
- A global identity federation
- Provides network access, mainly over Wi-Fi
Benefits
- Easy roaming
- Every user is identified: useful for auditing and logging, and helps in case of a security incident
- Communication is encrypted: eduroam requires encrypted communication between the client and the access point
Video: https://www.youtube.com/watch?v=0VYp8wZG43k
How does it work?
[Diagram: a user with the identity user@uniabc.aq connects to the Wi-Fi access point of University 123. The RADIUS server of University 123 forwards the authentication (signaling path) through the Roaming Operator's central RADIUS proxy server to the RADIUS server of University ABC, which checks its user DB. After a successful reply the access point places the user on the Visitor, Student or Employee VLAN (data path). From the eduroam presentation "The Value of WLAN measurements for the R&E Community".]
Terms
- RO – Roaming Operator
- ETLRS – European Top-Level RADIUS Servers
- FLRS – Federation-Level RADIUS Server
- IdP – eduroam Identity Provider
- SP – eduroam Service Provider
- NAS – Network Access Server
- F-Ticks – Federated Ticker System
Infrastructure
- Top-level RADIUS servers (ETLRS)
- National RADIUS proxy (FLRS)
- Institutional RADIUS server (IdP and/or SP)
- Identity management system (IdM)
- Access points, switches (NAS)
- Clients (supplicants)
- Monitoring (F-Ticks)
Protocols and security
- 802.1X: supplicant to access point communication
- RADIUS protocol: NAS to IdP communication
- EAP protocol: supplicant to IdP communication, carried inside RADIUS; methods such as EAP-TLS and EAP-TTLS, with inner methods such as PAP, CHAP or MS-CHAPv2, …
- TLS protocol (RADIUS over TLS): secures FLRS to ETLRS as well as IdP to FLRS communication
[Diagram from http://mrncciew.com]
Authentication protocols
- PAP – Password Authentication Protocol
- CHAP – Challenge-Handshake Authentication Protocol
- TLS – Transport Layer Security, authentication with X.509 client certificates
- TTLS – Tunneled TLS, carrying an inner method such as PAP
eduroam and the NREN
- National point of contact to the global eduroam
- Runs the FLRS
- Proxies requests from SPs to IdPs and to the ETLRS
- Monitors the infrastructure for the IdPs
Requirements (NREN)
- Digital certificate accepted by the eduroam PMA
- Host with a public IP address; ideally two for an HA or failover configuration
- Web server
- Optionally a mailing list system
Software for the FLRS
- radsecproxy: proxies RADIUS requests, supports TLS
- (r)syslog: logging
- Monitoring: eduroam monitoring
Process
- An incoming request for a national realm is routed to the national IdP
- A request for a foreign realm is routed up to the ETLRS
- The FLRS does not modify RADIUS packets; only filtering is applied (e.g. removing VLAN attributes)
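The routing and filtering logic above, as an added example that is not part of the original slides or of radsecproxy. It assumes a hypothetical Czech FLRS with two registered national IdPs (the hostnames are invented) and uses "etlrs" as a placeholder label for the European top-level servers. It also shows the one case the bullets do not spell out: a national realm that nobody has registered must be rejected locally rather than forwarded, because the ETLRS would route it straight back and create a loop.

```python
# Added example (not eduroam or radsecproxy code): realm-based routing and
# reply filtering as performed by a federation-level RADIUS proxy (FLRS).

# Assumed example data: this FLRS serves the ".cz" realm tree and knows two
# national IdPs. None of these hostnames are real eduroam servers.
NATIONAL_TLD = "cz"
NATIONAL_IDPS = {
    "uniabc.cz": "radius.uniabc.cz",   # hypothetical IdP RADIUS server
    "uni123.cz": "radius.uni123.cz",   # hypothetical IdP RADIUS server
}
ETLRS = "etlrs"  # placeholder label for the European top-level RADIUS servers

# Attributes the proxy drops from an Access-Accept before relaying it to the
# visited SP: VLAN assignment belongs to the visited network, and a home IdP's
# VLAN IDs mean nothing on a foreign NAS.
STRIPPED_REPLY_ATTRS = {"Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id"}


def realm_of(user_name):
    """Return the realm (the part after the last '@') in lower case, or None."""
    if "@" not in user_name:
        return None
    realm = user_name.rsplit("@", 1)[1].strip().lower()
    return realm or None


def is_national(realm):
    return realm == NATIONAL_TLD or realm.endswith("." + NATIONAL_TLD)


def route(user_name):
    """Decide where the FLRS forwards an Access-Request with this User-Name.

    Returns ("forward", target) or ("reject", reason). Only the outer
    identity is visible to the proxy, so an anonymous outer identity such as
    'anonymous@uniabc.cz' routes exactly like a real one.
    """
    realm = realm_of(user_name)
    if realm is None:
        return ("reject", "missing realm")
    # Longest registered suffix wins, so 'student.uniabc.cz' goes to uniabc.cz.
    for known in sorted(NATIONAL_IDPS, key=len, reverse=True):
        if realm == known or realm.endswith("." + known):
            return ("forward", NATIONAL_IDPS[known])
    if is_national(realm):
        # A national realm that is not registered must not go up to the
        # ETLRS: it would be routed straight back here and loop.
        return ("reject", "unregistered national realm")
    return ("forward", ETLRS)


def filter_reply(attrs):
    """Relay an IdP reply unchanged except for the filtered attributes."""
    return {k: v for k, v in attrs.items() if k not in STRIPPED_REPLY_ATTRS}


if __name__ == "__main__":
    for name in ["alice@uniabc.cz", "anonymous@student.uni123.cz",
                 "carol@uni-xyz.lu", "dave", "eve@nope.cz"]:
        print(name, "->", route(name))
    print(filter_reply({"Tunnel-Private-Group-Id": "42", "Session-Timeout": "3600"}))
```

The longest-suffix match mirrors the usual practice of ordering realm rules from most specific to the catch-all; the reject for unregistered national realms is the check most often missing from a first FLRS configuration.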
F-Ticks
- Federated Ticker System
- Used to monitor FLRS RADIUS servers
- Leverages syslog
- Example of the message: F-TICKS/eduroam/1.0#REALM=%R#VISCOUNTRY=LU#CSI=%{Calling-Station-Id}#RESULT=OK#
- Also addresses privacy concerns: REALM can be replaced with "undisclosed", and the second half of the MAC address can be hashed
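The message layout and the two privacy options from the slide, as an added example that is not part of the original presentation or of any F-Ticks implementation. The builder keeps the vendor half (OUI) of the MAC address and replaces the device-specific half with a keyed hash; the federation key is an assumed placeholder, and the parser stands in for a monitoring consumer reading the ticker lines back from syslog.

```python
# Added example (not F-Ticks or eduroam code): building and parsing
# F-TICKS/eduroam/1.0 ticker lines with the privacy options from the slide.
import hashlib
import hmac
import re

# Assumed example key: a real deployment keeps a per-federation secret key.
FTICKS_KEY = b"example-federation-key-not-for-production"


def normalize_mac(calling_station_id):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    digits = re.sub(r"[^0-9a-f]", "", calling_station_id.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def hash_mac_suffix(mac, key=FTICKS_KEY):
    """Keep the vendor OUI (first three octets) and replace the device-specific
    half with a keyed hash, so the ticker cannot be used to track a device."""
    octets = normalize_mac(mac).split("-")
    oui, nic = "-".join(octets[:3]), "-".join(octets[3:])
    digest = hmac.new(key, nic.encode(), hashlib.sha256).hexdigest()
    return f"{oui}-{digest}"


def fticks_message(realm, viscountry, calling_station_id, result,
                   disclose_realm=True, hash_mac=True):
    """Build one ticker line in the layout shown on the slide."""
    if result not in ("OK", "FAIL"):
        raise ValueError("RESULT must be OK or FAIL")
    realm_field = realm.lower() if disclose_realm else "undisclosed"
    if hash_mac:
        csi = hash_mac_suffix(calling_station_id)
    else:
        csi = normalize_mac(calling_station_id)
    return (f"F-TICKS/eduroam/1.0#REALM={realm_field}#VISCOUNTRY={viscountry.upper()}"
            f"#CSI={csi}#RESULT={result}#")


def parse_fticks(line):
    """Parse a ticker line, as a monitoring consumer would, into a dict."""
    if not line.startswith("F-TICKS/eduroam/1.0#"):
        raise ValueError("not an F-TICKS/eduroam/1.0 record")
    fields = {}
    for part in line.split("#")[1:]:
        if part:
            key, _, value = part.partition("=")
            fields[key] = value
    return fields


if __name__ == "__main__":
    # Constructed sample: a Czech user authenticating from Luxembourg.
    line = fticks_message("UniABC.cz", "lu", "00:11:22:33:44:55", "OK")
    print(line)
    print(parse_fticks(line))
    print(fticks_message("UniABC.cz", "lu", "00:11:22:33:44:55", "OK",
                         disclose_realm=False))
```

With `disclose_realm=False` the line still counts as a roaming event for the visited country's statistics while revealing nothing about the home institution; with the hashed CSI the same device still produces the same token, so per-device counts remain possible without the raw MAC ever leaving the federation.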
Communication channels (NREN)
- Web pages: provide information for users and SPs; must be hosted on the eduroam.TLD domain
- Mailing lists: the global eduroam mailing list and a mailing list for the national SPs
eduroam and the institution
- Processes user authentication
- Connects to the local IdM
- Provides user support
- Usually also operates as an SP
Technical terms
- IdP – eduroam Identity Provider
- Supplicant – the client-side 802.1X software
- NAS – Network Access Server
- AP – access point, switch
Identity provider
- Provides user authentication; the IdP selects the authentication method
- Proper user registration, ideally connected to the organization's IdM
- The IdP must be able to identify the user in person
Supplicant
- Software that initiates user authentication (EAP)
- Creates a secured tunnel to the IdP
- Transfers the user's credentials to the IdP via the selected authentication method
- Secures data transfer from the machine to the access point
- Included in Windows, macOS, Linux, Android, iOS, …
NAS
- Wi-Fi access point or switch
- Must support 802.1X
- Communicates with the home IdP using the RADIUS protocol and shares a secret with it
- Wi-Fi security: WPA2/AES
- Open ports: see section 6.3.3 of the eduroam Service Definition
Requirements (institution)
- Digital certificate accepted by the FLRS
- Access to the IdM system (user authentication)
- Host with a public IP address; ideally two hosts for HA or failover
- Optionally the access points
Communication channels (institution)
- Web pages and a contact e-mail address for users, linked from eduroam.TLD
- Containing information on how to join eduroam
- Providing information about local restrictions: filtered ports, NAT/IP ranges
Sources
- https://www.eduroam.org