Workshop roaming services: eduroam / govroam


1 Workshop roaming services: eduroam / govroam
Belnet – Nicolas Loriau, Brussels – November 2015

2 Agenda
- General
- Technical framework
- Demo
25/04/2017 Belnet - Workshop govroam

3 Roundtable
- Name and organization?
- Experiences with Belnet?
- Expectations for today's workshop?

4 Overview of Belnet Services

5 Overview of Belnet Services
Service categories: Standard Services, « Plus » Services, On demand « Plus » Services, Associated cost.
Services: Belnet Connectivity, Internet Connectivity (IPv4 and IPv6), DNS Services, NTP, Monitoring, Service desk 24/7, Workshops, Back-up Internet connectivity, RRN Connectivity, eduroam, Belnet R&E Federation, Multipoint, Belnet Leased Lines, Multimedia Transport Service, govroam, Domain Name Registration, Digital Certificates, Antispam Pro, Belnet Cloud Storage, Belnet Cloud computing, Network Services.

6

7 What is it?
eduroam (EDUcation ROAMing)
- Simple and secure access to the Wi-Fi network
- TERENA project to provide students access to the internet
- For research and education institutions
govroam (GOVernment ROAMing)
- Simple and secure access to the Wi-Fi network
- Belnet initiative based on eduroam technologies
- For governmental institutions, administrations, …

8 Why?
- Increased mobility: users can make use of the Wi-Fi infrastructure of other members
- Easy: users only need their home organization account to log in
- Secure: centralized accounts, no local copies
- Cost effective: reduces 3G/4G cost when moving between offices

9 Technical framework

10 Technical infrastructure
Technical Framework: Principles, Components, Authentication flow
Hands-on: Objectives, Test environment, Installation on Linux (Radiator, FreeRADIUS) and Windows (W2K8R2 NPS)

11 Technical infrastructure
Technical Framework: Principles, Components, Authentication flow
Demo: Objectives, Test with Windows Server 2012 and NPS

12 Principles
To install roaming services, you need:
- Wi-Fi access points and controllers and/or 802.1X switches
- A RADIUS server
- A user database / LDAP / AD
The service is based on a hierarchy of RADIUS servers; your only point of contact is Belnet.

13 Principles
It is:
- A trust-based relationship between members
- An agreement on roaming technologies
Chain of trust:
- All direct peers must be known beforehand
- Shared secrets must be established "out-of-band"
- Agreement on authentication protocols & methods

14 Principles: Hierarchy of authentication servers
Belgian Top-Level AS ("Federation") above the AS of Institution-A.be and the AS of Institution-B.be ("Institution").

15 Principles: Hierarchy of authentication servers (eduroam)

16 Components
- Client / Supplicant
- Network Access Server / Authenticator / Service Provider
- Authentication Server / Identity Provider / RADIUS
- User identity source

17 Components: Client / Supplicant
- Software on the end user's device which handles network authentication
- Minimum requirements: WPA, EAP-TTLS, PEAP enabled

18 Components: Network Access Server / Authenticator / Service Provider
- IEEE 802.1X-enabled switch or wireless access point which gives clients access to the (W)LAN
- Separate VLANs for home and visiting end users

19 Components: Authentication Server / Identity Provider
- Remote Authentication Dial In User Service (RADIUS) compliant (RFC 2865/2866)
- NOT a user database
- Authenticates home end users against the local user database
- Forwards requests of visiting end users
- Software: Radiator, FreeRADIUS, Windows Server with NPS (from 2008 R2), others

20 Components: User identity source
- LDAP / AD
- Local database / SQL

21 Protocols and Methods: EAP Framework
- Extensible Authentication Protocol (RFC 5247)
- NOT a wire protocol nor an authentication mechanism
- Defines authentication data formats
- Negotiates which authentication method/type should be used

22 Protocols & Methods: EAP Methods/Types
"How does EAP authenticate?"
- Uses the EAP framework to remotely authenticate the end user's credentials against his home institute's Identity Provider
- 40+ different methods exist: use the common, secure ones!
- Outer authentication: EAP-TTLS (RFC 5281), PEAP
- Inner authentication: MSCHAPv2 (RFC 2759)

23 Protocols & Methods: EAP Encapsulation
"How can EAP be transported?"
- In order to transport EAP messages, they must be encapsulated
- Between client and SP (802.1X): EAP over LAN = "EAPOL"
- Between SP & IdP, and IdP & IdP: RADIUS

24 Security
Outer authentication
- Goal: securely transport the EAP messages between peers
- Authenticate the server (to avoid MitM attacks)
- PEAP, EAP-TTLS
Inner authentication
- Transmit unique user attributes (credentials) via MSCHAPv2

25 Security: EAP, 802.1X and RADIUS must be secured
Client <-(802.1X "EAPOL")-> Service Provider <-(RADIUS)-> Identity Provider Institution-A.be; EAP is carried across both legs.

26 Security: EAP, 802.1X and RADIUS must be secured
Choice of security mechanisms is important:
Client <-(802.1X "EAPOL", WPA2-AES)-> Service Provider <-(RADIUS)-> Identity Provider Institution-A.be; EAP (EAP-TTLS, PEAP) is carried across both legs.
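Slides 13 and 26 make the point that the RADIUS legs between the SP, the institution IdPs and the Belgian top-level server are only as trustworthy as the shared secrets established out-of-band between direct peers. The Python block below is an added example written for this transcript, not Belnet's code nor that of Radiator, FreeRADIUS or NPS: it shows the RFC 2865 Response Authenticator, which lets a RADIUS client accept an Access-Accept only when the sender knew the shared secret and the check is bound to the request it answers, together with the RFC 2868 tunnel attributes commonly used to carry the VLAN assignment mentioned in the authentication flow. The secret, packet identifier and VLAN number are constructed for the example.

```python
"""RADIUS Response Authenticator (RFC 2865, section 3) and VLAN tunnel
attributes (RFC 2868). Added example for this transcript, not Belnet's
code; the secret and values below are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (Length counts the 2 header bytes)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """RFC 2868 tunnel attributes an IdP returns so the SP puts the session in a VLAN (slide 37)."""
    return (
        attr(64, bytes([tag]) + (13).to_bytes(3, "big"))   # Tunnel-Type = VLAN (13)
        + attr(65, bytes([tag]) + (6).to_bytes(3, "big"))  # Tunnel-Medium-Type = IEEE-802 (6)
        + attr(81, bytes([tag]) + str(vlan_id).encode())   # Tunnel-Private-Group-Id = VLAN number
    )


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """Build an Access-Accept/Reject. Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What a RADIUS client (SP or proxy) must do before trusting an Access-Accept:
    recompute the Response Authenticator from the shared secret agreed out-of-band and
    the Request Authenticator it sent. A response built with another secret, or a
    response replayed for a different request, fails and is silently discarded."""
    if len(packet) < HEADER_LEN:
        return False
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attributes = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed; never a real secret
    request_auth = bytes(range(16))          # constructed stand-in for the 16 random request bytes
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, vlan_attributes(20), secret)
    print("accept verifies:", verify_response(accept, request_auth, secret))           # True
    print("wrong secret verifies:", verify_response(accept, request_auth, b"other"))  # False
```

The Response Authenticator only protects replies hop by hop; on RADIUS legs that carry EAP, RFC 3579 additionally requires the Message-Authenticator attribute (an HMAC-MD5 over the packet), which this block does not implement.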

27 Authentication Flow, National Level (1/11)
Actors in the diagram: Client, Service Provider (Institution-A.be), Identity Provider (Institution-A.be), Belgian Top-Level RADIUS (Belnet), Identity Provider (Institution-B.be).
1. The user contacts the Service Provider (SP) (wireless access point) of institution A (SSID = govroam).

28 Authentication Flow, National Level (2/11)
2. The SP of institution A asks for the user's identity. Not yet the credentials!

29 Authentication Flow, National Level (3/11)
3. The user identity is transmitted to the Identity Provider (IdP) (RADIUS server) of institution A using an EAP Access-Request message.

30 Authentication Flow, National Level (4/11)
4. Based on the identity, the IdP of institution A knows that the user does not belong to its own user database and transmits the Access-Request to the Belgian RADIUS server.

31 Authentication Flow, National Level (5/11)
5. Based on the realm part of the identity, the Belgian RADIUS server transmits the Access-Request to the RADIUS server of institution B.

32 Authentication Flow, National Level (6a/11)
6a. Now the IdP of institution B knows the user, and a TLS tunnel is established between the user and the RADIUS server using the EAP encapsulation mechanism (outer authentication).

33 Authentication Flow, National Level (6b/11)
6b. During TLS establishment the user checks the RADIUS server certificate of his institution.

34 Authentication Flow, National Level (7/11)
7. Now the user is authenticated against his own institute's IdP, using traditional mechanisms (challenges, certificates, token, ...) (inner authentication).

35 Authentication Flow, National Level (8/11)
8. If the user is correctly authenticated, the RADIUS server of institution B sends an Access-Accept to the Belgian RADIUS server; otherwise it sends an Access-Reject.

36 Authentication Flow, National Level (9/11)
9. The Belgian RADIUS server sends the Access-Accept to institution A.

37 Authentication Flow, National Level (10/11)
10. The IdP of institution A tells its SP to grant access to the user and provides all information related to the local access policy (VLAN, IP address, ...).

38 Authentication Flow, National Level (11/11)
11. The user can now access the LAN and the Internet.
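To make the eleven-step flow concrete, here is an added Python simulation of the hierarchy from slides 14 and 27-38; it is an illustration written for this transcript, not Belnet's code and not a RADIUS implementation. Each server decides from the realm part of the User-Name whether to authenticate locally, forward to a peer it knows beforehand, or forward to its parent, and only the home IdP ever sees the inner credentials. The realm names, the user database entries and the use of an anonymous outer identity are assumptions made for the example.

```python
"""Simulation of realm-based routing through the govroam/eduroam RADIUS
hierarchy (slides 14 and 27-38). Added example for this transcript, not
Belnet's code or a real RADIUS server; realms, users and the anonymous
outer identity are constructed assumptions."""
from dataclasses import dataclass, field

ACCEPT = "Access-Accept"
REJECT = "Access-Reject"


@dataclass
class AccessRequest:
    outer_identity: str   # User-Name seen by the SP and every proxy; its realm steers the routing
    inner_identity: str   # identity inside the TLS tunnel, visible only to the home IdP (step 6a)
    password: str         # inner credential, checked only by the home IdP (step 7)
    hops: list = field(default_factory=list)  # trace of RADIUS servers traversed, for the demo


def split_realm(identity: str):
    """'user@realm' -> (user, realm); a name without '@' is a local user (realm None)."""
    if "@" not in identity:
        return identity, None
    user, _, realm = identity.rpartition("@")
    return user, realm.lower()


class RadiusServer:
    """One authentication server of the hierarchy: an institution IdP or the Belgian top level."""

    def __init__(self, name, realm=None, users=None, parent=None):
        self.name = name          # e.g. "Institution-A.be"
        self.realm = realm        # realm this server is authoritative for (None for the top level)
        self.users = users or {}  # stand-in for the LDAP/AD backend; the IdP itself is not the database
        self.peers = {}           # realm -> RadiusServer known beforehand (chain of trust, slide 13)
        self.parent = parent      # next hop for realms this server does not know (the Belgian top level)

    def handle(self, req: AccessRequest) -> str:
        req.hops.append(self.name)
        _user, realm = split_realm(req.outer_identity)
        if realm is None or realm == self.realm:
            return self.authenticate_locally(req)   # steps 6a-7: this is the home IdP
        if realm in self.peers:
            return self.peers[realm].handle(req)    # step 5: the top level routes on the realm
        if self.parent is not None:
            return self.parent.handle(req)          # step 4: an unknown realm goes up the hierarchy
        return REJECT                               # top level and the realm is not in the federation

    def authenticate_locally(self, req: AccessRequest) -> str:
        inner_user, inner_realm = split_realm(req.inner_identity)
        if inner_realm not in (None, self.realm):
            return REJECT                           # inner identity must belong to this IdP's realm
        if self.users.get(inner_user) == req.password:
            return ACCEPT                           # step 8: Access-Accept travels back the same path
        return REJECT


def build_federation():
    """Belgian top level with two institutions: the hierarchy of slide 14 (constructed values)."""
    top = RadiusServer("Belgian Top-Level RADIUS")
    inst_a = RadiusServer("Institution-A.be", realm="institution-a.be", users={"alice": "a-pw"}, parent=top)
    inst_b = RadiusServer("Institution-B.be", realm="institution-b.be", users={"bob": "b-pw"}, parent=top)
    top.peers = {"institution-a.be": inst_a, "institution-b.be": inst_b}
    return top, inst_a, inst_b


def roam(visited_idp: RadiusServer, outer: str, inner: str, password: str):
    """The SP of the visited institution hands the request to its own IdP; returns (result, hops)."""
    req = AccessRequest(outer, inner, password)
    return visited_idp.handle(req), req.hops


if __name__ == "__main__":
    _top, inst_a, _inst_b = build_federation()
    # bob from institution B visiting institution A: A -> Belgian top level -> B
    print(roam(inst_a, "bob@institution-b.be", "bob@institution-b.be", "b-pw"))
    # a realm nobody in the federation serves is rejected at the top level
    print(roam(inst_a, "eve@unknown.be", "eve@unknown.be", "x"))
```

Two cases are worth noting: a realm that no member serves is rejected by the top-level server rather than forwarded blindly, and the home IdP refuses an inner identity whose realm does not match its own, so a tunnel set up towards institution B cannot be used to authenticate as a user of institution A.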

39 How to implement

40 How to implement
Objectives:
- Configuration of the RADIUS server: using Radiator, using FreeRADIUS, using W2K8
- Authenticate users against the test domain ta.belnet.be
- Discuss other options
- Best practices

41 Prerequisites (out of scope)
Wi-Fi access point that must:
- be IEEE 802.1X compliant
- broadcast the SSID "eduroam" or "govroam" ("govroamtest" for this session)
- offer IEEE 802.11b or better
- implement WPA/TKIP or better (Belnet strongly recommends WPA2-AES!)
- allow traffic on the defined ports (please refer to govroam)
User database:
- LDAP
- Active Directory

42 Prerequisites (out of scope)
Server certificates
- Don't use a self-signed server certificate
- Successfully import the server & chain certificate into Windows
- Use dcs.belnet.be to get a signed server certificate
Correct server time
- Important for the setup of TLS tunnels
- Use Belnet's NTP server time.belnet.be to get the correct time
Firewalls & ports
- UDP 1812
- UDP 1813

43 Radiator Installation
Why "Radiator"?
- Belnet uses this product
- Easy & straightforward to deploy on Linux, Windows, ...
- Broad support for Identity & Access Management backends
- One of the first solutions which supported RadSec

44 Radiator Installation
Server set-up:
- Ubuntu Server LTS "out-of-the-box"
- Radiator 4.9 for a virtual home organization "ta.belnet.be" in a Linux environment
- Valid server certificate

45 FreeRADIUS Installation
Why "FreeRADIUS"?
- Free
- Easy to deploy on Linux, Windows, ...
- Broad support for Identity & Access Management backends
- Now supports RadSec

46 FreeRADIUS Installation
Server set-up:
- Ubuntu Server LTS "out-of-the-box"
- Latest FreeRADIUS version for the virtual home organization "ta.belnet.be"
- Valid server certificate

47 W2012 R2 with NPS
Why "NPS"?
- Best option in a Windows environment
- Easy to deploy on Windows, ...
- Easy link to AD

48 W2012 R2 with NPS
Server set-up:
- Windows Server 2012 R2 with NPS
- Valid server certificate

49 Hierarchy
Belgian Top-Level AS belnet.be ("Federation") above the AS ta.belnet.be ("Institution").

50 Demo environment: Components overview
Belnet RADIUS; WAP + controller; RADIUS (Windows NPS); Identity server (AD)

51 RADIUS server installation
Belnet RADIUS; WAP + controller; RADIUS (Windows NPS); Identity server (AD)

52 RADIUS server installation: Configuring the RADIUS client (WLAN controller)
Belnet RADIUS; WAP + controller; RADIUS; LDAP/AD

53 RADIUS server installation: Configuring the remote RADIUS
Belnet RADIUS; WAP + controller; RADIUS; LDAP/AD

54 W2012 R2 with NPS: Server set-up

55 RADIUS server installation: Configuring the proxy RADIUS
Belnet RADIUS; WAP + controller; RADIUS; LDAP/AD

56 W2012 R2 with NPS: Server set-up

57 RADIUS server installation: Link with LDAP
Belnet RADIUS; WAP + controller; RADIUS; LDAP/AD

58 W2012 R2 with NPS: Server set-up

59 W2012 R2 with NPS: Server set-up

60 RADIUS server installation: Configuring the top-level RADIUS
Belnet RADIUS; WAP + controller; RADIUS; LDAP/AD

61 Belnet govroam web interface
Facilitates the configuration of your govroam parameters:
- RADIUS servers
- Shared secrets
- Test accounts

62 Hands-on: Windows

63 Hands-on: Linux

64 Authentication Flow 1: local - local
Components: Belgian Top-Level RADIUS (roaming1.belnet.be, roaming2.belnet.be); ta.belnet.be (NPS + AD); SSID = "govroamtest"; demo user on Belnet infra; wlan-ctrl
- A user from the local institution ta.belnet.be sends an access request to the local "govroamtest" WLAN
- VLAN access depends on the user login

65 Authentication Flow 2: remote - local
Components: Belgian Top-Level RADIUS (roaming1.belnet.be, roaming2.belnet.be); ta.belnet.be RADIUS; radius.belnet.be; ldap.belnet.be; SSID = "govroamtest"; Belnet user on demo infra; wlan-ctrl
- A remote user from Belnet sends an access request to the local "govroamtest" WLAN

66 Authentication Flow 3: local - remote
Components: Belgian Top-Level RADIUS (roaming1.belnet.be, roaming2.belnet.be); LDAP belnet.be; ta.belnet.be RADIUS + LDAP; SSID = "govroam"; demo user on Belnet infra; wlan-ctrl
- A local user from institution ta.belnet.be sends an access request to Belnet's remote "govroam" WLAN

67 Belnet PI
Raspberry Pi with OpenLDAP, FreeRADIUS, hostapd, bridge-utils … and others, to test eduroam

68 Belnet PI

69 Conclusion

70 Conclusion
- Technical Framework
- Demo
- Belnet is there to help you
- Q&A

71 What do you think?

72 Final roundtable
- Are you ready to join?
- What more would you need to start?

73 Thank you

74 Use case

75 Use case To be added

