eduroam
Euro CAMP, Porto, November 9, 2005
Klaas Wierenga, Klaas.Wierenga@surfnet.nl
High-quality Internet for higher education and research

Contents
• Why 802.1X and eduroam?
• Implementation
  – Requirements
  – Technology
  – Policy
• Status of eduroam
• Future of eduroam
• Conclusions

But first…
• What is a federation?
• Is eduroam a federation? Is it a service? Is it a brand?
• Or…

Why 802.1X and eduroam?

Wireless LAN is unsafe
    root@ibook:~# tcpdump -n -i eth1
    19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request
    19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply
    19:52:08.997961 10.0.1.2 > 10.0.1.1: icmp: echo request
    19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply
    19:52:09.000581 10.0.1.2 > 10.0.1.1: icmp: echo request
    19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply
    ^C

Users are mobile
(diagram: University A WLAN, University B WLAN, a WLAN access provider, a GPRS/UMTS access provider, a cable access provider and an ADSL access provider, all reached via the SURFnet backbone and international connectivity)

Requirements
• Identify users uniquely at the edge of the network
  – No session hijacking
• Enable guest usage
• Scalable
  – Local user administration and authentication
  – No exponential administrative load
• Easy to install and use
  – At most a one-time installation by the user
• Open
  – Support for all common operating systems
  – Non-proprietary
• Secure

Possible solutions
• Open access: scalable, unsafe
• MAC address: not scalable, unsafe
• WEP: not scalable, unsafe
European research networks:
• Web gateway + RADIUS: scalable, unsafe
• VPN gateway: not scalable, safe
• 802.1X + RADIUS: scalable, safe, the future (WPA, WPA2)

Implementation

eduroam architecture
• Security based on 802.1X (or web-based redirect)
  – Different authentication mechanisms possible
  – Identity-based networking
  – Mutual authentication possible (by using the right EAP types: PEAP, TTLS, TLS)
  – Protection of credentials
  – Integration with VLAN assignment
  – Provides the basis for the new wireless security standards WPA and 802.11i
• Roaming based on RADIUS proxying
  – Remote Authentication Dial In User Service
  – Transport protocol for authentication information
• Trust fabric based on:
  – Technical: RADIUS hierarchy
  – Policy: documents/contracts that define the responsibilities of user, institution, NREN and the eduroam federation

Secure access to the network with 802.1X
(diagram: at University A the supplicant talks to the authenticator (AP or switch), which talks to the RADIUS server and its user DB; the user jan@student.university_a.nl is placed in the Employee, Student or Commercial VLAN before reaching the Internet)
• 802.1X signalling vs. data
• (VLAN assignment)

eduroam
(diagram: the guest piet@university_b.nl connects at University A; the University A RADIUS server forwards the request via the central SURFnet RADIUS proxy server to the University B RADIUS server and its user DB; the guest is then placed in the Employee, Student or Commercial VLAN)
• Trust based on RADIUS plus policy documents
• 802.1X signalling vs. data
• (VLAN assignment)

Tunneled authentication (PEAP/TTLS)
• Uses a TLS/SSL tunnel to protect data
  – The TLS tunnel is set up using the server certificate, thus authenticating the server and preventing man-in-the-middle attacks
  – The user sends his credentials through the secure tunnel to the server, thus authenticating the user
• Can use dynamic session keys for ‘in the air’ encryption
© Alfa&Ariss

Status

Status of eduroam
• USA, Belgium and Sweden will follow shortly
• Over 400 institutions in Europe, Australia and Taiwan

Members
FCCN was among the first eduroam participants

Future

Monitoring: user tracking & weathermap
But what to do with the info?

Technology: bypassing the hierarchy overhead?
(diagram: European server above the national servers .nl, .ac.uk, …, .pl; uva.nl below .nl; uni.torun.pl with its user database below .pl; the user tomasz@uni.torun.pl at an access point under uva.nl)
• AA traffic goes through all intermediate entries
• All links are peer-to-peer agreements / static routes / p2p secure
• DIAMETER? DNSsec? RadSec?

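The realm-based proxying that the roaming slide and the diagram above describe, as an added example (not code from the slides or from any eduroam deployment): a constructed model of the RADIUS hierarchy in which an Access-Request for user@realm is routed up from the visited institution and back down to the home server, with an optional static peer route that bypasses the intermediate hops. Server names and the realm-suffix matching are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RadiusServer:
    """One RADIUS proxy in the eduroam hierarchy (constructed model)."""
    name: str
    local_realms: List[str] = field(default_factory=list)              # realms served here
    parent: Optional["RadiusServer"] = None                            # next hop upward
    children: Dict[str, "RadiusServer"] = field(default_factory=dict)  # realm suffix -> server
    peers: Dict[str, "RadiusServer"] = field(default_factory=dict)     # static p2p routes

    def add_child(self, child: "RadiusServer") -> "RadiusServer":
        self.children[child.name] = child
        child.parent = self
        return child

    def route(self, realm: str, path: List[str]) -> Optional[List[str]]:
        """Return the servers an Access-Request visits, or None when it must be rejected."""
        if self.name in path:            # loop: nothing below this hop serves the realm
            return None
        path.append(self.name)
        if realm in self.local_realms:   # home server reached: user DB lookup happens here
            return path
        if realm in self.peers:          # static route bypassing the hierarchy
            return self.peers[realm].route(realm, path)
        for suffix, child in self.children.items():   # route down toward the realm
            if realm == suffix or realm.endswith("." + suffix):
                return child.route(realm, path)
        if self.parent is not None:      # not known here: route up
            return self.parent.route(realm, path)
        return None                      # top of the hierarchy and still unknown


def split_realm(identity: str) -> Optional[str]:
    """Realm part of user@realm (lower-cased); None when no realm was given."""
    return identity.rsplit("@", 1)[1].lower() if "@" in identity else None


def auth_path(visited: RadiusServer, identity: str) -> Optional[List[str]]:
    realm = split_realm(identity)
    return None if realm is None else visited.route(realm, [])


def build_hierarchy() -> Dict[str, RadiusServer]:
    """The hierarchy drawn on the slide; the server names are hypothetical."""
    top = RadiusServer("european-top")
    nl = top.add_child(RadiusServer("nl"))
    pl = top.add_child(RadiusServer("pl"))
    uva = nl.add_child(RadiusServer("uva.nl", ["uva.nl"]))
    torun = pl.add_child(RadiusServer("uni.torun.pl", ["uni.torun.pl"]))
    return {"top": top, "uva": uva, "torun": torun}
```

Adding `uva.peers["uni.torun.pl"] = torun` shortens the path for that realm to two hops, which is the static-route shortcut the slide asks about.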
Roaming policy
• Minimal security level
• Levels of assertion
• Who can
• SLAs
• Incident response
• Policy board

Usability: standardisation, localisation, expansion
• Standardisation
  – Limited set of encryption and SSID choices
    • Encryption: 802.1X+WEP, WPA+TKIP, WPA2
    • SSID: eduroam
• Localisation
  – eduroam-around-the-corner
  – Maps
  – Local pages
• Expansion
  – Integration with commercial roaming services

AAI integration: offload AuthZ?
(diagram: European server above .nl, .ac.uk, …, .pt; SURFnet.nl below .nl; FCCN.pt below .pt with A-Select, Shibboleth and the FCCN user database; the user luis@FCCN.pt at an access point under SURFnet.nl)
• How do all these applications communicate? (SAML!)

Conclusions

Conclusions
• 802.1X plus RADIUS provide a secure and future-proof solution for network access for local users
• Joining eduroam gives the benefit of instant access for (academic) guest users
• Infrastructure not perfect but…
  – It works ™
  – It is ready for the future
• Joining eduroam is a small step for administrator-kind but a giant leap for the users, so…

Time to join…

Coming back…
• What is a federation?
• Is eduroam a federation? Is it a service? Is it a brand?

Federations
• Federations enable the sharing of resources
• A federation is constituted by a set of agreements between peers
• In a federation agreement there should be a common language
• Federations can be part of bigger federations
• Federations can cooperate with other federations: confederations
eduroam currently IS a (single-resource) federation, but may in the near future become a service OF the federation

Slightly less authoritative source
• Merriam-Webster: an association of persons, parties, or states for mutual assistance and protection

More information
• eduroam in SURFnet
  – http://www.eduroam.nl
• eduroam in Europe
  – http://www.eduroam.org
• TERENA TF-Mobility
  – http://www.terena.nl/mobility
• Géant2 Joint Research Activity 5 (authorisation and roaming)
  – http://www.geant2.net/server/show/nav.758
• The unofficial IEEE 802.11 security page
  – http://www.drizzle.com/~aboba/IEEE