Presentation is loading. Please wait.

Presentation is loading. Please wait.

802.1X in SURFnet 22 May 2003.

Published byBarnard Kelley Modified over 9 years ago

Similar presentations

Presentation on theme: "802.1X in SURFnet 22 May 2003."— Presentation transcript:

1 802.1X in SURFnet Klaas.Wierenga@SURFnet.nl 22 May 2003

2 2 TOC Background Requirements Various solutions investigated 802.1X in SURFnet, the Netherlands and Europe Lessons learned The future Conclusion

3 3 Background Access Provider POTS Institution A LAN Institution B WLAN Access Provider ADSL International connectivity Access Provider WLAN Access Provider GPRS SURFnet backbone

4 4 Requirements Identify users uniquely at the edge of the network –No session hijacking Allow for guest usage Scalable –Local user administration and authN! –Using existing RADIUS infrastructure Easy to install and use Open –Support for all common OSes –Vendor independent After proper AuthN open connectivity

5 5 Various solutions WEP (unsafe) MAC-address (unsafe) LEAP (proprietary) Web-gateway (hard to make safe) VPN-gateway (hard to make scalable) 802.1X –Pilot with University of Twente and Alfa&Ariss

6 6 6. IEEE 802.1X True port based access solution (Layer 2) between client and AP/switch Several available authentication-mechanisms (EAP-MD5, MS-CHAPv2, EAP-SIM, EAP-TLS, EAP-TTLS, PEAP) Standardised Also encrypts all data, using dynamic keys RADIUS back end: –Scaleable –Re-use existing Trust relationships Easy integration with dynamic VLAN assignment Client software necessary (OS-built in or third-party)

7 7 802.1X in action data signalling EAPOL EAP over RADIUS f.i. LDAP RADIUS server Institution A Internet Authenticator (AP or switch) User DB jan@student.institution_a.nl Student VLAN Guest VLAN Employee VLAN Supplicant

8 8 Cross-domain 802.1X with VLAN assignment RADIUS server Institution B RADIUS server Institution A Internet Central RADIUS Proxy server Authenticator (AP or switch) User DB Supplicant Guest piet@institution_b.nl Student VLAN Guest VLAN Employee VLAN data signalling

9 9 Current status Wireless –University of Twente, University of Amsterdam, Hogeschool van Amsterdam currently use 1X, most others are considering this. Fixed –Delft University, University of Tilburg currently use 1X, most others are considering this Software –Freeware tool SecureW2

10 10 …in the rest of the Netherlands (Freeband) Hotspots at public places near SURFnet locations WLAN connectivity on the move, i.e. trains, automobiles (planes yet to come) 802.1X connecting to SURFnet RADIUS infrastructure Open for whole SURFnet community Hotspots will be made available in Amsterdam, Utrecht, Groningen, Enschede, Eindhoven, Delft, Rotterdam, Leiden

11 11 … and beyond (TF-Mobility) European scale WLAN roaming Currently comparing –Web-based –VPN-based –802.1X based In summer testbed definition

12 12 Lessons learned It’s all about scalability EAP types are either unsafe (MD5, MS-CHAPv2), hard to deploy (TLS) or not ready (PEAP) so the choice is easy: TTLS 2-way RADIUS infrastructure introduces possible problems –Prevent loops AUP needed for guest usage Logging is needed The more you see about 1X the more you like it

13 13 Future New standards 802.11* WPA (pre standard 802.11i, TKIP) 802.11i: 802.1x + first TKIP, later AES Application integration A-select (TNC session 8c) –OTP via SMS is available

14 14 Conclusion 802.1X is available 802.1X works 802.1X scales 802.1X is secure 802.1X is extensible 802.1X allows for guest usage 802.1X is the future So what are you waiting for....

15 15 More information http://www.surfnet.nl/innovatie/wlan http://a-select.surfnet.nl http://www.freeband.nl

Download ppt "802.1X in SURFnet 22 May 2003."

Similar presentations

Authentication.

Authentication.
Connect. Communicate. Collaborate eduroam: towards a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 Wi-Fi Workshop,

Connect. Communicate. Collaborate eduroam: towards a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 Wi-Fi Workshop,
Terena Mobility Taskforce update Klaas Wierenga SURFnet.

Terena Mobility Taskforce update Klaas Wierenga SURFnet.
Licia Florio EUNIS05, Manchester 1 Eduroam EUNIS Conference, June 22 2005 Licia Florio.

Licia Florio EUNIS05, Manchester 1 Eduroam EUNIS Conference, June Licia Florio.
High-quality Internet for higher education and research 5 th of April, Eurocamp, Ljubljana eduroam, security and authentication Paul Dekkers.

High-quality Internet for higher education and research 5 th of April, Eurocamp, Ljubljana eduroam, security and authentication Paul Dekkers.
TF Mobility Group 22nd September 20031 A comparison of each national solution was made against Del C – “requirements”, the following solutions were assessed.

TF Mobility Group 22nd September A comparison of each national solution was made against Del C – “requirements”, the following solutions were assessed.
10 October 2003 Internet2 members meeting 1 An update on the work of JANET Wireless Advisory Group & The Terena Mobility Taskforce James Sankar UKERNA.

10 October 2003 Internet2 members meeting 1 An update on the work of JANET Wireless Advisory Group & The Terena Mobility Taskforce James Sankar UKERNA.
EduRoam ESA workshop 17 December 2004 Utrecht.

EduRoam ESA workshop 17 December 2004 Utrecht.
Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference 2006 9 th November, 2006.

Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference th November, 2006.
Network Access and 802.1X Klaas Wierenga SURFnet

Network Access and 802.1X Klaas Wierenga SURFnet
High-quality Internet for higher education and research Federated network access with Klaas Wierenga SURFnet Ljubljana, April.

High-quality Internet for higher education and research Federated network access with Klaas Wierenga SURFnet Ljubljana, April.
Implementing Wireless LAN Security

Implementing Wireless LAN Security
High-quality Internet for higher education and research eduroam EuroCAMP, Porto, November 9, 2005

High-quality Internet for higher education and research eduroam EuroCAMP, Porto, November 9, 2005
EduRoam: movilidad por Europa... y España Toledo, 29 de octubre de 2004

EduRoam: movilidad por Europa... y España Toledo, 29 de octubre de 2004
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
Deliverable H: the interoperability testbed design Klaas Wierenga SURFnet.

Deliverable H: the interoperability testbed design Klaas Wierenga SURFnet.
MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch.

MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch.
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

Similar presentations

Ads by Google