Deliverable H: the interoperability testbed design
Klaas Wierenga, SURFnet <Klaas.Wierenga@SURFnet.nl>
Web-based with RADIUS
• Web interface based authentication at the University of Tampere.
• The Finnish are scaling their solution by using a hierarchy of RADIUS proxy servers for their national infrastructure.
[Diagram labels: AAA Server, Access Control Device, Internet, Docking Network, WWW-browser; steps 1 to 5]
VPN
• Wbone – VPN roaming solution to 4 universities / colleges in the state of Bremen.
• SWITCHmobile – VPN solution deployed at 7 universities across Switzerland.
• A "virtual campus" initiative in Lisbon, which has been testing and developing a VPN & PKI infrastructure.
• PPPoE – University of Bristol
[Diagram labels: VPN-Gateways, Docking network, G-WiN, Campus Network, Intranet X, DHCP, DNS, free Web]
Cross-domain 802.1X with VLAN assignment
• Authentication at home institution, 802.1X, TTLS (SecureW2), (proxy) RADIUS.
• One time passwords are also transmitted via SMS to guest users.
• A RADIUS hierarchy is proposed to scale this to a European wide solution.
[Diagram labels: Supplicant, Authenticator (AP or switch), RADIUS server and User DB at Institution A, RADIUS server and User DB at Institution B, Central RADIUS Proxy server, Internet, Guest piet@institution_b.nl, Employee VLAN, Guest VLAN, Student VLAN]
Current status
• Characteristics identified as
  – 802.1X - "The future", easy to scale, secure but cutting edge, thus expensive.
  – VPN - Widely available, expensive, secure & hard to scale.
  – Web based - cheap, widely available, easy to scale, but not secure.
• Preliminary selection for inter-NREN roaming – in draft, conclusions are
  – No national solution meets all the requirements.
  – The group has chosen not to consider the following
    – Local VPN access.
    – PKI
  – An architecture that supports the various national solutions is needed, a three stream approach is recommended…
Controlled Address Space for VPN Gateways
• Design and work plan documentation underway.
• Interoperability tests of VPN to RADIUS proxy hierarchy agreed.
• Further work to follow.
RADIUS proxy hierarchy
• RADIUS Proxy servers connecting to a European level RADIUS proxy server
[Diagram labels: UNI-C, FUNET, SURFnet, UKERNA, CESnet, FCCN, DFN, CARnet, RedIRIS, GRnet]
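The realm-based forwarding that such a proxy hierarchy implies, combined with the guest VLAN assignment from the cross-domain 802.1X slide, as an added Python sketch that is not part of the original slides. Server names, every realm other than institution_b.nl, and the rule that a request never travels back up once it has started descending are assumptions made for illustration.

```python
import re

# Constructed topology: only institution_b.nl and the three VLAN names come from the slides.
REALM_RE = re.compile(r"[a-z0-9_-]+(\.[a-z0-9_-]+)+")
SERVERS = {
    "institution_a": {"local": "institution_a.nl", "down": {}, "up": "national_nl"},
    "institution_b": {"local": "institution_b.nl", "down": {}, "up": "national_nl"},
    "university_fi": {"local": "university.fi", "down": {}, "up": "national_fi"},
    "national_nl": {"local": None, "up": "european_top",
                    "down": {"institution_a.nl": "institution_a",
                             "institution_b.nl": "institution_b"}},
    "national_fi": {"local": None, "up": "european_top",
                    "down": {"university.fi": "university_fi"}},
    "european_top": {"local": None, "up": None,
                     "down": {"nl": "national_nl", "fi": "national_fi"}},
}

def realm_of(user_name):
    """Return the validated, lower-cased realm of user@realm, or None."""
    _, sep, realm = user_name.rpartition("@")
    realm = realm.lower()
    return realm if sep and REALM_RE.fullmatch(realm) else None

def route(user_name, visited):
    """List the servers an Access-Request crosses; raise if it cannot be routed."""
    realm = realm_of(user_name)
    if realm is None:
        raise ValueError("missing or malformed realm")
    path, server, descending = [visited], visited, False
    while SERVERS[server]["local"] != realm:
        node = SERVERS[server]
        nxt = next((child for suffix, child in node["down"].items()
                    if realm == suffix or realm.endswith("." + suffix)), None)
        if nxt is not None:
            descending = True
        elif descending or node["up"] is None:
            raise LookupError("no route for realm " + realm)  # never bounce back up
        else:
            nxt = node["up"]
        path.append(nxt)
        server = nxt
    return path

def vlan_for(user_name, visited, role):
    """Local users get their role VLAN; users of any other realm get the guest VLAN."""
    route(user_name, visited)  # unroutable realms are rejected before any VLAN is given
    local = SERVERS[visited]["local"] == realm_of(user_name)
    return {"employee": "Employee VLAN", "student": "Student VLAN"}[role] if local else "Guest VLAN"
```

Rejecting a request that would have to climb again after descending keeps an unknown realm such as a mistyped `.nl` domain from looping between the national and European proxies.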
Integration?
• 802.1X
  – Secure SSID
  – RADIUS
• Web-based captive portal
  – Open SSID
  – RADIUS
• PKI-based
  – Open SSID
  – No RADIUS
[Figure: Network layout with multiple SSIDs and VLAN assignment]
[Figure: Network layout without multiple SSIDs and VLAN assignment]
[Figure: Layer 2 design of the interoperability testbed]
Conclusions
• It is possible to create an interoperable solution
• It's not that hard – especially when you use Deliverable H to guide you
• The future will show if and how these solutions will continue to be in existence
• Del. H also provides an easy upgrade path