INFN TRIP Project
Mirko Corosu for the TRIP workgroup
HEPiX 2004 - Brookhaven

Aim of the project
Authentication and authorization of roaming users without any previous registration.
The system should provide:
• IP access:
  • To the user's LAN
  • To the local LAN
• Security
• Compatibility with the local infrastructure
• Independence from the user's OS and hardware

Authentication/authorization methods
We started to analyze two kinds of methods:
• MAC address authentication (layer 2)
• Web captive portal (layer 3)

Software components
• Server side:
  • Red Hat 9 operating system
  • FreeRADIUS-1.0.1: open source RADIUS authentication server
  • NoCat-0.82: web captive portal for wireless and wired networks
  • Apache-1.3.27 + mod_ssl
• Client side tested:
  • Red Hat 9 and Fedora Core, Windows 2k/XP
  • Mozilla and Internet Explorer browsers for web authentication

Wireless access points
• Cisco Aironet 1100 supports:
  • 802.1Q protocol (VLAN tagging)
  • Multiple SSIDs
  • MAC address authentication
  • 802.1X authentication (EAP/TLS)
  • WEP encryption

NoCat captive portal
Captive portal application written in Perl
• Two elements:
  • Gateway: changes iptables rules on a Linux based gateway/firewall.
  • Authentication server: a collection of Perl CGIs which perform the web authentication of the user and tell the gateway to open or close firewall TCP ports.
• There can be multiple gateways that interact with a single authentication server.

Web authentication (diagram)
Flow shown in the slide: association request and association allowed; DHCP address assignment; the browser is redirected to the NoCat authentication page (HTTPS) on the NOCAT gateway (NAT/FW, iptables); the username/password or X.509 certificate is checked against NIS/K5/AFS/MySQL via RADIUS or PAM, against AFS/CA, or against a local db (mod_ssl for certificates); NoCat then applies an iptables rule to open the firewall and the connection is confirmed, with the gateway doing NAT towards the WAN.

Web authorization/authentication infrastructure
• Features:
  • Supports different authentication mechanisms (Linux PAM, X.509 certificates, RADIUS, MySQL, LDAP)
  • Independence from the client OS and hardware
• Problems:
  • No encryption
  • Difficult to grant different privileges based on user credentials

MAC address authentication
• Features:
  • Useful to discriminate local users (registered MAC address) from others
  • Possibility to use different VLANs
• Problems:
  • No encryption
  • Doesn't support other authentication/authorization methods

Solution
• Try to integrate different authentication methods

First step: use one machine (diagram)
A single host runs the NOCAT gateway (NAT/FW, iptables), DHCP, HTTP and RADIUS, and authenticates against NIS/K5/AFS/MySQL, AFS/CA auth and NoCat auth; the private network sits behind it and the WAN in front.

Second step: MAC/Web authentication (diagram)
Association request, then MAC authentication via the RADIUS server against the MAC database:
• MAC is present in the database: the user is put in LAN 1 (local users), with full access to the local network.
• MAC not present in the database: the user is put in the NOCAT LAN (LAN 2), with filtered access to the local network, where NoCat handles web authentication.
Components on the server: NOCAT + httpd, iptables (NAT/FW), radiusd with the MAC database check, dhcpd for both LANs.
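The gateway/authentication-server split of the NoCat slide and the two-stage MAC/Web flow of this slide, as a small Python model added here for illustration; it is not part of the TRIP software or of the presentation. Everything in it is an assumption: the registered-MAC set, the VLAN ids 10 and 20, the portal port 5280, the session timeout, the interface names, and that the access point applies the RFC 3580 Tunnel-* attributes to pick the VLAN.

```python
"""Two-stage access decision modelled on the TRIP slides (added example).

Stage 1: MAC authentication. The access point asks RADIUS whether the
station's MAC is registered; registered stations land in LAN 1 (full
access), unknown ones in LAN 2, the NoCat captive-portal LAN.
Stage 2: on LAN 2 the NoCat gateway keeps the station filtered until the
web login succeeds, then opens iptables rules for that IP/MAC pair for a
limited session time.
All values below are constructed for the example, not TRIP configuration.
"""
from dataclasses import dataclass, field
import re
import time

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed registered-MAC database (LAN 1 users); not real data.
REGISTERED_MACS = {"00:0c:29:3a:1f:42", "00:40:96:a1:b2:c3"}

VLAN_LOCAL = "10"   # assumed VLAN id of LAN 1 (registered local users)
VLAN_NOCAT = "20"   # assumed VLAN id of LAN 2 (NoCat LAN)
PORTAL_PORT = 5280  # assumed port of the gateway's redirect listener


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; accepts aa-bb-.., aabb.ccdd.eeff, aabbccddeeff."""
    m = mac.strip().lower().replace("-", ":").replace(".", "")
    if len(m) == 12 and ":" not in m:
        m = ":".join(m[i:i + 2] for i in range(0, 12, 2))
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def mac_auth(mac: str, db=REGISTERED_MACS) -> dict:
    """Stage 1: the RADIUS reply attributes for a MAC-authentication request.

    Known and unknown stations are both accepted; only the VLAN differs.
    The attribute names are the standard RFC 3580 ones; that the AP honours
    them is an assumption of this example.
    """
    vlan = VLAN_LOCAL if normalize_mac(mac) in db else VLAN_NOCAT
    return {"Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": vlan}


@dataclass
class NoCatGateway:
    """Stage 2: NoCat-style gateway state on LAN 2 (constructed model)."""
    session_ttl: int = 3600                       # seconds before re-login
    lan_if: str = "eth1"
    wan_if: str = "eth0"
    sessions: dict = field(default_factory=dict)  # ip -> (mac, expiry)

    def login(self, ip, mac, auth_ok, now=None):
        """The auth server reports the web-login result; open the client on success."""
        if not auth_ok:
            return False
        now = time.time() if now is None else now
        self.sessions[ip] = (normalize_mac(mac), now + self.session_ttl)
        return True

    def expire(self, now=None):
        """Drop sessions past their TTL; returns the IPs that were closed."""
        now = time.time() if now is None else now
        gone = sorted(ip for ip, (_, exp) in self.sessions.items() if exp <= now)
        for ip in gone:
            del self.sessions[ip]
        return gone

    def iptables_rules(self):
        """Render the chain: an allow pair per open session, then the defaults."""
        rules = []
        for ip, (mac, _) in sorted(self.sessions.items()):
            match = f"-i {self.lan_if} -s {ip} -m mac --mac-source {mac}"
            rules.append(f"iptables -t nat -A PREROUTING {match} -j ACCEPT")
            rules.append(f"iptables -A FORWARD {match} -o {self.wan_if} -j ACCEPT")
        # Unauthenticated HTTP goes to the portal; everything else is dropped.
        rules.append(f"iptables -t nat -A PREROUTING -i {self.lan_if} -p tcp "
                     f"--dport 80 -j REDIRECT --to-ports {PORTAL_PORT}")
        rules.append(f"iptables -A FORWARD -i {self.lan_if} -o {self.wan_if} -j DROP")
        return rules


if __name__ == "__main__":
    print(mac_auth("00:0c:29:3a:1f:43"))          # unknown MAC -> VLAN 20
    gw = NoCatGateway(session_ttl=600)
    gw.login("10.0.2.15", "00:0c:29:3a:1f:43", auth_ok=True)
    print("\n".join(gw.iptables_rules()))
```

The allow rules match the IP and the source MAC together, so a second station cannot reuse an opened IP simply by taking it over; on an unencrypted segment (the "no encryption" problem both method slides list) a station can still clone an authenticated MAC and IP, which is the limitation that motivates the move to 802.1X later in the deck.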

Features of web/MAC authentication
• Supports different authentication methods
• Independence from the user's OS/HW
• Different access levels
• One problem:
  • Connection not encrypted
• Solution: 802.1X protocol

802.1X protocol
• Features:
  • Encrypted connection
  • Supports different authentication methods
• Problems:
  • Problems on some OSes and hardware

Current project goals
• Web + MAC address authentication infrastructure
• Automatic installation of the authentication server

Future development
• 802.1X integration
• Creation of a RADIUS server infrastructure to extend the authentication mechanism to all INFN sections, or
• Put the TRIP infrastructure in the Kerberos 5 INFN framework
• Test of other web captive portals (TINO)

Documentation
• Documentation and software can be found at http://trip.ge.infn.it/