Michal Procházka, Jan Oppolzer, michalp@ics.muni.cz, jan.oppolzer@cesnet.cz, CESNET

Michal Procházka

• Senior researcher at Masaryk University
• Member of the AAI department at CESNET
• Member of AAI task forces: ELIXIR, EGI
• Participating in GEANT GN4p1 projects
• More than 8 years of experience in IT security and AAI

Jan Oppolzer

• Head of the eduID.cz federation operator
• Deputy of the AAI department at CESNET
• eduGAIN steering group delegate
• Shibboleth v3 expert

Goal of the training

At the end of the day:
• Understand how eduroam works
• What the benefits are
• How to set up eduroam in your country and institutions

Ask questions

Outline

• Survey
• What is it?
• How it works?
• eduroam and NREN
• eduroam and organization
• Requirements
• Production

Survey

• How many NRENs?
• How many organizations?
• How many Linux administrators?

What is it?

• Global identity federation
• Provides network access
  – mainly over WiFi

Benefits

• Easy roaming
• Every user is identified
  – useful for auditing and logging
  – helps in case of a security incident: the visited site sees the user's realm and can ask the home IdP who was behind the session
• Communication is encrypted
  – eduroam requires encrypted communication between client and AP (WPA2/AES), so unlike an open hotspot the air interface cannot be read by other users

Video

https://www.youtube.com/watch?v=0VYp8wZG43k

How it works?

[Diagram: two institutions, University ABC and University 123, each run a RADIUS server backed by their own user DB and their own WiFi access points. A roaming user's authentication signaling goes from the visited access point to the local RADIUS server, up to the roaming operator's central RADIUS proxy server, and on to the user's home RADIUS server, which checks the home user DB. Only after a successful answer does the access point open the data path and place the user in the Visitor, Student or Employee VLAN. Data and signaling paths are drawn separately.]

From the "eduroam: The Value of WLAN measurements for the R&E Community" presentation

Terms

• RO – Roaming Operator
• ETLRS – European Top-Level RADIUS Servers
• FLRS – Federation-Level RADIUS Server (the national proxy)
• IdP – eduroam Identity Provider (authenticates its own users)
• SP – eduroam Service Provider (offers network access to visitors)
• NAS – Network Access Server (access point or switch)
• F-Ticks – Federated Ticker System (authentication statistics via syslog)

Infrastructure

• Top-level RADIUS servers (ETLRS)
• National RADIUS proxy (FLRS)
• Institutional RADIUS (IdP and/or SP)
• Identity management system (IdM)
• Access points, switches (NAS)
• Clients (supplicant)
• Monitoring (F-Ticks)

Protocols and security

• 802.1X: supplicant to AP communication; the NAS blocks all traffic on the port until authentication succeeds
• RADIUS: NAS to IdP communication, relayed hop by hop through the institutional, national (FLRS) and top-level (ETLRS) servers, each hop protected by its own shared secret
• EAP: supplicant to IdP communication, carried inside RADIUS end to end; methods TLS, TTLS, … with inner authentication such as PAP, CHAP, MS-CHAPv2
• TLS (RADIUS over TLS, RadSec, RFC 6614): secures FLRS to ETLRS as well as IdP to FLRS communication; plain RADIUS over UDP only obscures the User-Password attribute with an MD5-based scheme, so the proxy links rely on RadSec and the user's credentials rely on the EAP tunnel

Diagram from http://mrncciew.com

Authentication Protocols

• PAP – Password Authentication Protocol: the password travels as-is, so it is only acceptable inside a TLS tunnel (TTLS)
• CHAP – Challenge Handshake Authentication Protocol
• TLS – Transport Layer Security: X.509 client-certificate authentication (EAP-TLS)
• TTLS – Tunneled TLS: the server is authenticated by its certificate, then an inner method such as PAP runs inside the tunnel
• With any tunneled method the supplicant must verify the IdP's server certificate (issuing CA and server name); otherwise a rogue AP with its own RADIUS server can terminate the tunnel and read the inner PAP or MS-CHAPv2 exchange

eduroam and NREN

• National point of contact to the global eduroam
• Running the FLRS
• Proxying requests from SPs to national IdPs and to the ETLRS
• Monitoring infrastructure for IdPs

Requirements

• Digital certificate accepted by the eduroam PMA
• Host with a public IP address
  – ideally two, for an HA or failover configuration
• Web server
• Optionally a mailing-list system

Software for FLRS

• radsecproxy
  – proxying RADIUS requests
  – supports TLS (RadSec) towards the ETLRS and towards institutional servers
• (r)syslog
  – logging
• Monitoring
  – eduroam monitoring
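A minimal FLRS configuration for radsecproxy, added here as an illustration; it is not taken from the slides nor from any CESNET production config. The directives are radsecproxy's own, but the host names, the client address, the realm, the certificate paths and all secrets are placeholders.

```conf
# /etc/radsecproxy.conf (illustrative; names, addresses and secrets are placeholders)
ListenUDP *:1812
ListenTLS *:2083
LogLevel 3
LogDestination x-syslog:///LOG_LOCAL0
LoopPrevention on

# F-Ticks to the national syslog collector: keep the vendor half of the MAC,
# replace the device half with a keyed hash (see the F-Ticks slide)
FTicksReporting Full
FTicksMAC VendorKeyHashed
FTicksKey change-me-to-a-long-random-key

tls default {
    CACertificateFile   /etc/radsecproxy/certs/ca.pem
    CertificateFile     /etc/radsecproxy/certs/flrs.pem
    CertificateKeyFile  /etc/radsecproxy/certs/flrs.key
}

# The FLRS does not rewrite packets; it only strips VLAN assignment attributes
# (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) from replies so
# that a remote IdP cannot steer a visitor into a VLAN at the visited site.
rewrite stripvlan {
    removeAttribute 64
    removeAttribute 65
    removeAttribute 81
}

# One institutional server (acts as SP when it sends, as IdP when it answers)
client 192.0.2.10 {
    type    udp
    secret  placeholder-secret-shared-with-the-institution
}
server radius.example.cz {
    type       udp
    host       192.0.2.10
    secret     placeholder-secret-shared-with-the-institution
    rewriteIn  stripvlan
}

# European top-level servers over RADIUS/TLS; RFC 6614 fixes the secret to "radsec"
server etlr1.eduroam.org {
    type          tls
    secret        radsec
    statusServer  on
    rewriteIn     stripvlan
}
server etlr2.eduroam.org {
    type          tls
    secret        radsec
    statusServer  on
    rewriteIn     stripvlan
}

# Reject broken outer identities instead of forwarding them (regexps match the whole User-Name)
realm /^[^@]*$/ { replyMessage "Misconfigured client: no realm" }
realm /@$/      { replyMessage "Misconfigured client: empty realm" }
realm /\s/      { replyMessage "Misconfigured client: whitespace in username" }

# National realms go to their IdP; blocks are tried in order, so specific ones come first
realm /@example\.cz$/ {
    server radius.example.cz
}
# Unknown realms under our own TLD are rejected (the ETLRS would only route them back)
realm /\.cz$/ {
    replyMessage "Unknown .cz realm, not forwarded"
}
# Everything else goes up to the ETLRS
realm * {
    server etlr1.eduroam.org
    server etlr2.eduroam.org
}
```

The F-Ticks directives only work in a radsecproxy build configured with F-Ticks support. `rewriteIn` on a server block applies to replies received from that server, which is the direction VLAN attributes arrive from; requests from SPs are forwarded untouched.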


Process

• The realm of the outer identity decides the route; an incoming request is routed
  – to the national IdP responsible for that realm, or
  – up to the ETLRS when the realm is not national
• The FLRS does not modify RADIUS packets
  – only filtering is applied, e.g. removing VLAN assignment attributes (Tunnel-*) from replies, so that a remote IdP cannot choose the VLAN at the visited site
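The routing decision and the reply filtering described above, as an added example that is not part of the slides and not radsecproxy code (radsecproxy expresses the same thing with realm and rewrite blocks). The .cz TLD, the two national realms with their IdP servers, and the sample reply attributes are constructed.

```python
"""Realm routing and reply filtering as a national proxy (FLRS) performs it."""
import re

# RFC 2868 tunnel attributes that carry a VLAN assignment. An FLRS strips them
# from replies so that a remote IdP cannot choose the VLAN at the visited site.
VLAN_ATTRIBUTES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-Id"}

NATIONAL_TLD = "cz"  # assumption: this proxy is the FLRS for .cz

# Assumed national realms and the RADIUS servers of their IdPs (constructed).
NATIONAL_IDPS = {
    "example.cz": "radius.example.cz",
    "uni.cz": "radius.uni.cz",
}

# Everything outside the national TLD is handed to the European top-level servers.
ETLRS = ("etlr1.eduroam.org", "etlr2.eduroam.org")

# Outer identity must be user@realm: exactly one '@', no whitespace, non-empty realm.
_NAI_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def realm_of(user_name):
    """Realm part of the outer identity (RFC 7542 NAI), lower-cased; None if malformed."""
    m = _NAI_RE.match(user_name)
    return m.group(1).lower() if m else None


def route(user_name):
    """Return ("forward", server(s)) or ("reject", reason) for a request's User-Name."""
    realm = realm_of(user_name)
    if realm is None:
        return ("reject", "Misconfigured client: missing, empty or malformed realm")
    # Longest-suffix match so that a sub-realm such as fi.uni.cz reaches uni.cz's IdP.
    labels = realm.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in NATIONAL_IDPS:
            return ("forward", NATIONAL_IDPS[candidate])
    if realm == NATIONAL_TLD or realm.endswith("." + NATIONAL_TLD):
        # Unknown realm under our own TLD: the ETLRS would only route it straight back.
        return ("reject", "Unknown national realm, not forwarded (loop prevention)")
    return ("forward", ETLRS)


def filter_reply(attrs):
    """Copy of a reply's attributes with the VLAN attributes removed.

    Keys are RADIUS attribute numbers. Nothing is rewritten: attributes the
    proxy does not filter pass through unchanged, as the slide requires.
    """
    return {num: value for num, value in attrs.items() if num not in VLAN_ATTRIBUTES}


if __name__ == "__main__":
    # Constructed Access-Accept from a remote IdP: User-Name (1), the three VLAN
    # attributes (13 = VLAN, 6 = IEEE 802) and an EAP-Message (79) to leave alone.
    accept = {1: "bob@fi.uni.cz", 64: 13, 65: 6, 81: "100", 79: b"\x03\x01\x00\x04"}
    for name in ("alice@example.cz", "bob@fi.uni.cz", "carol@example.org",
                 "dave", "eve@", "mallory@nowhere.cz"):
        print(name, "->", route(name))
    print(filter_reply(accept))
```

Rejecting unknown realms under the proxy's own TLD matters in practice: without it a typo in a realm bounces between FLRS and ETLRS until loop prevention or a hop limit stops it.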


F-Ticks

• Federated Ticker System
• Used to monitor FLRS RADIUS servers: one "tick" per authentication result
• Leverages syslog
• Example of the message:
  F-TICKS/eduroam/1.0#REALM=%R#VISCOUNTRY=LU#CSI=%{Calling-Station-Id}#RESULT=OK#
• Also addresses privacy issues
  – REALM can be replaced with "undisclosed"
  – the second (device) half of the MAC address in CSI can be hashed, keeping only the vendor prefix
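Building a tick with both privacy options and parsing ticks back on the collector side, as an added example that is not part of the slides nor of the F-Ticks or radsecproxy implementation. The field names (REALM, VISCOUNTRY, VISINST, CSI, RESULT) and the `#`-terminated layout follow the message format on the slide; the hash (HMAC-SHA256 over the device half, vendor half kept) and the sample syslog lines are this example's assumptions.

```python
"""Produce and consume F-Ticks lines, including the MAC and realm privacy options."""
import hashlib
import hmac
import re

FTICKS_PREFIX = "F-TICKS/eduroam/1.0"


def normalize_mac(calling_station_id):
    """Canonical aa:bb:cc:dd:ee:ff form of a Calling-Station-Id, or None if not a MAC.

    NAS vendors send MACs as 00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455, ...
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def anonymize_mac(mac, key):
    """Keep the vendor (OUI) half, replace the device half with a keyed hash.

    Assumption: HMAC-SHA256 hex digest. Keeping the OUI preserves the
    vendor statistics; the key stops anyone from brute-forcing the 24-bit
    device part back from the hash.
    """
    oui, device = mac[:8], mac[9:].replace(":", "")
    digest = hmac.new(key, device.encode(), hashlib.sha256).hexdigest()
    return f"{oui}:{digest}"


def build_tick(realm, vis_country, calling_station_id, ok,
               vis_inst=None, disclose_realm=True, mac_key=None):
    """Render one F-Ticks line for syslog; every field is terminated by '#'."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        # Not a MAC (some NASes send other identifiers): hash the whole value if asked.
        csi = (hmac.new(mac_key, calling_station_id.encode(), hashlib.sha256).hexdigest()
               if mac_key else calling_station_id)
    else:
        csi = anonymize_mac(mac, mac_key) if mac_key else mac
    fields = [("REALM", realm if disclose_realm else "undisclosed"),
              ("VISCOUNTRY", vis_country.upper())]
    if vis_inst:
        fields.append(("VISINST", vis_inst))
    fields += [("CSI", csi), ("RESULT", "OK" if ok else "FAIL")]
    return FTICKS_PREFIX + "#" + "#".join(f"{k}={v}" for k, v in fields) + "#"


def parse_tick(line):
    """Parse a syslog line carrying a tick into a dict; None if the line is not a tick."""
    idx = line.find(FTICKS_PREFIX + "#")
    if idx < 0:
        return None
    fields = {}
    for part in line[idx + len(FTICKS_PREFIX) + 1:].split("#"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def failures_per_realm(lines):
    """Count FAIL ticks per realm: the aggregate an FLRS operator watches for a broken IdP."""
    counts = {}
    for line in lines:
        tick = parse_tick(line)
        if tick and tick.get("RESULT") == "FAIL":
            counts[tick["REALM"]] = counts.get(tick["REALM"], 0) + 1
    return counts


if __name__ == "__main__":
    key = b"per-site-secret"  # constructed
    print(build_tick("example.cz", "cz", "00-11-22-33-44-55", True, vis_inst="uni.cz", mac_key=key))
    # Constructed syslog lines as the national collector would receive them.
    log = [
        "Jan 10 08:00:01 flrs radsecproxy[123]: " + build_tick("example.cz", "CZ", "00:11:22:33:44:55", False, mac_key=key),
        "Jan 10 08:00:02 flrs radsecproxy[123]: " + build_tick("uni.cz", "CZ", "0011.2233.4456", True, mac_key=key),
        "Jan 10 08:00:03 flrs radsecproxy[123]: " + build_tick("example.cz", "CZ", "00:11:22:33:44:57", False, mac_key=key),
        "Jan 10 08:00:04 flrs sshd[45]: Accepted publickey for admin",
    ]
    print(failures_per_realm(log))
```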

Communication channels

• Web pages
  – provide information for users and SPs
  – must be on the eduroam.TLD domain
• Mailing lists
  – global eduroam mailing list
  – mailing list for national SPs

eduroam and institution

• Processing user authentication
• Connection to the local IdM
• User support
• Usually operates as an SP as well

Technical Terms

• IdP – eduroam identity provider
• Supplicant – the 802.1X client software on the user's device
• NAS – Network Access Server
  – AP – access point
  – switch

Identity provider

• Provides user authentication
• The IdP selects the authentication method
• Proper user registration
  – ideally connected to the organization's IdM
  – the IdP must be able to identify the user in person

Supplicant

• Software initiating user authentication (EAP)
• Creates a secured (TLS) tunnel to the IdP and verifies the IdP's server certificate
• Transfers the user's credentials to the IdP inside that tunnel via the selected authN method
• Secures the data transfer from the machine to the AP with the keys derived from the EAP exchange
• Included in Windows, macOS, Linux, Android, iOS, …
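For the supplicant and authentication-protocol slides above, an added illustration (not from the slides) of a wpa_supplicant network block as it is commonly misconfigured, beside the hardened form. The SSID, realm, user, password, CA path and server name are placeholders; the option names are wpa_supplicant's own.

```conf
# WEAK: no CA, no server-name check. Any AP advertising "eduroam" can run its own
# RADIUS server, present any certificate, terminate the TTLS tunnel and read the
# PAP password the supplicant sends inside it.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice@example.cz"
    password="placeholder"
    phase2="auth=PAP"
}

# HARDENED: pin the CA that issued the IdP's certificate, require the expected
# server name, send only the realm in the clear (anonymous outer identity) and
# insist on AES-CCMP for the link.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=TTLS
    anonymous_identity="anonymous@example.cz"
    identity="alice@example.cz"
    password="placeholder"
    ca_cert="/etc/ssl/certs/example-idp-ca.pem"
    domain_suffix_match="radius.example.cz"
    phase2="auth=PAP"
}
```

The inner identity and password only leave the device after wpa_supplicant has checked the server certificate against `ca_cert` and `domain_suffix_match`; with a public CA in `ca_cert` the name check is what prevents any other certificate from that CA being accepted.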

NAS

• WiFi access point or switch
• Must support 802.1X
• Speaks RADIUS to the institution's own RADIUS server, which forwards the request towards the user's home IdP through the FLRS and ETLRS; the NAS never talks to the home IdP directly
• Shares a RADIUS secret with that local RADIUS server
• WiFi security: WPA2/AES
• Open ports: see section 6.3.3 of the eduroam Service Definition

Requirements

• Digital certificate accepted by the FLRS
• Access to the IdM system (user authN)
• Host with a public IP address
  – ideally two hosts for HA or failover
• Optionally have the access points (to act as an SP as well)

Communication channels

• Web pages and a contact e-mail for users
  – linked from eduroam.TLD
  – containing information on how to join eduroam
  – providing information about local restrictions: filtered ports, NAT/IP ranges

Sources

https://www.eduroam.org