Published by Julie Lane. Modified over 9 years ago.
Authentication and Authorisation in eduroam
Klaas Wierenga, AA Workshop TNC Lyngby, 20th May 2007
Contents
- Intro eduroam
- AA requirements
- AA implementation
- Authorisation
- Summary
eduroam
The goal of eduroam: “open your laptop and be online”, or: to build an interoperable, scalable and secure authentication infrastructure that will be used all over the world, enabling seamless sharing of network resources.
[Diagram: guest piet@university_b.nl at an access point of University A; University A and University B each with their own user DB; SURFnet as trusted third party between them.]
eduroam enables (federated) network access. A trusted third party exists that guarantees that both peers are ‘trustworthy’, allowing for scalability.
AA requirements
AA Requirements
- “Reasonable security”
  - Not trying to solve every problem of the universe
  - Uniquely identifying users at the edge of the network
  - Local choice of authentication method
- Data integrity
  - Good identity management
  - No tampering with data
- Compliance with privacy regulations
  - No data “leakage”
- Verifiability
  - Monitoring
  - Logging
Source: JRA5 and TF-Mobility roaming requirements
AA implementation
Secure network access with 802.1X
[Diagram: supplicant jan@university_a.nl speaks 802.1X to the authenticator (AP or switch); the authenticator speaks RADIUS to University A's RADIUS server, which checks the user DB; on success the authenticator assigns the user to the Student, Guest or Employee VLAN (802.1X VLAN assignment) and passes data on to the Internet. Legend: data, signalling.]
eduroam
[Diagram: guest piet@university_b.nl speaks 802.1X to University A's authenticator (AP or switch); University A's RADIUS server forwards the request via the SURFnet central RADIUS proxy server to University B's RADIUS server, which checks its user DB; on success the authenticator at University A assigns a VLAN (Student, Guest or Employee). Legend: data, signalling.]
Trust based on RADIUS plus policy documents.
Tunneled authentication (PEAP/TTLS)
- Uses a TLS/SSL tunnel to protect data
- The TLS tunnel is set up using the server certificate, thus authenticating the server and preventing man-in-the-middle attacks
- The user sends his credentials through the secure tunnel to the server, thus authenticating the user
- Can use dynamic session keys for ‘in the air’ encryption
© Alfa&Ariss
eduroam architecture
- Security based on 802.1X (WEP/WPA/WPA2)
  - Identity-based networking
  - Using the Extensible Authentication Protocol (EAP) to allow for multiple authentication mechanisms
  - Mutual authentication (PEAP, TTLS, TLS)
  - Protection of credentials (tunneled authentication)
  - Layer 2
- Roaming based on RADIUS proxying
  - Remote Authentication Dial In User Service
  - Transport protocol for authentication information
  - Using shared secrets between peers
- Trust fabric based on:
  - RADIUS hierarchy
  - Policy
- Authentication ≈ Authorisation
  - RADIUS-attribute filtering
  - VLAN assignment
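As an added example (not from the presentation) of the realm-based RADIUS proxying and attribute filtering the architecture slide lists, the following Python models the routing decision a visited institution's RADIUS server makes from the outer User-Name and the VLAN-attribute filtering applied to an Access-Accept it relays from a foreign home server. Hostnames, VLAN ids and the realm table are constructed, and the "replace foreign VLAN attributes with the local guest VLAN" policy is illustrative, not a statement of eduroam's actual policy.

```python
"""Toy model of eduroam-style realm routing and attribute filtering.

Models the visited institution's RADIUS server (assumed: University A).
Hostnames, VLAN ids and the realm table are constructed sample values;
attribute names are the RFC 2865/2868 ones.
"""

LOCAL_REALM = "university_a.nl"
# Realms reachable directly; every other realm is handed to the national
# proxy, which consults the RADIUS hierarchy (SURFnet in the talk).
KNOWN_REALMS = {"university_a.nl": "radius.university_a.nl"}   # constructed
NATIONAL_PROXY = "proxy.surfnet.nl"                             # constructed
GUEST_VLAN = "20"                                               # constructed

# RFC 2868 tunnel attributes that carry the VLAN assignment.
VLAN_ATTRS = {"Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id"}


def route_request(user_name: str) -> str:
    """Pick the next hop for an Access-Request from the realm alone.

    The outer User-Name is all a proxy needs: with PEAP/TTLS the real
    credentials sit inside the TLS tunnel, which is only terminated at
    the home institution's RADIUS server.
    """
    if "@" not in user_name:
        raise ValueError("no realm in User-Name; cannot route")
    realm = user_name.rsplit("@", 1)[1].lower()
    if realm == LOCAL_REALM:
        return "local"
    return KNOWN_REALMS.get(realm, NATIONAL_PROXY)


def filter_accept(reply: dict, next_hop: str) -> dict:
    """Filter a relayed Access-Accept before it reaches the authenticator.

    VLAN attributes from a foreign home server are dropped and replaced by
    the local guest VLAN, so a remote institution cannot place its user in
    the visited site's Employee VLAN (illustrative policy, assumed here).
    """
    if next_hop == "local":
        return dict(reply)          # our own server's VLAN choice stands
    clean = {k: v for k, v in reply.items() if k not in VLAN_ATTRS}
    clean.update({"Tunnel-Type": "VLAN",
                  "Tunnel-Medium-Type": "IEEE-802",
                  "Tunnel-Private-Group-Id": GUEST_VLAN})
    return clean


if __name__ == "__main__":
    hop = route_request("piet@university_b.nl")          # -> proxy.surfnet.nl
    accept = {"Tunnel-Private-Group-Id": "30", "Class": "employee"}
    print(hop, filter_accept(accept, hop))
```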
RadSec/DNSROAM
- RADIUS packet format
- Transport: TCP (or SCTP)
- Encryption: TLS (optional)
- TLS => PKI
- DNSROAM combines RadSec with DNS for dynamically locating the peer
- RadSec RFC is being worked on
Fully hierarchical; first: mixed mode; later: DNSROAM?
‘Real’ Authorisation?
DAMe: Deploying Authorization Mechanisms for Federated Services in eduroam
DAMe is a project that builds upon:
- eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard,
- Shibboleth and eduGAIN,
- NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) standards.
1st: Extension of eduroam with authR
[Diagram: guest piet@university_b.nl (supplicant), authenticator (AP or switch), University A RADIUS server, eduroam central RADIUS proxy server, University B RADIUS server with user DB, plus an XACML Policy Decision Point and a SAML Source Attribute Authority. Legend: data, signaling.]
User mobility controlled by assertions and policies expressed in SAML and XACML.
2nd: eduGAIN AuthN+AuthR backend
- Link between the AAA servers (now acting as Service Providers) and eduGAIN
3rd: Universal Single Sign On
- Users will be authenticated once, during the network access control phase
- The eduGAIN authentication would be bootstrapped from the NAS-SAML
- New method for delivering authentication credentials and new security middleware
- 4th goal: integrating applications, focusing on grids.
Summary
- eduroam provides reasonable security
- AuthZ is reasonable and is slowly being improved
- AuthR is relatively weak but being worked upon (that is, we hope that the eduGAIN guys and girls will give it to us)
- Currently the main inhibitor is politics
Thank you! More info: Klaas.Wierenga@surfnet.nl