Inter WISP WLAN roaming A service concept by Wirlab © Wirlab Research Center.


1 Inter WISP WLAN roaming A service concept by Wirlab © Wirlab Research Center

2 Inter-WISP roaming
Most RADIUS servers support domain-based AAA proxying capabilities
An increasing number of RADIUS servers support 802.1X via different authentication methods (EAP-MD5, EAP-TLS, EAP-TTLS...)
Access Controllers and wireless access points are hardware that support the RADIUS protocol for AAA purposes
Standards-based equipment should be used in order to achieve vendor independence and easier management

3 RADIUS
How does the RADIUS server work in inter-WISP roaming?
– it checks the domain part of the authenticating username (mtm@wirlab.net) visiting a foreign domain (operator.fi)
– based on the domain name it decides whether to authenticate the user locally or proxy the request to an external server
– a specific Clearing House Proxy handles all the AAA messages between WISPs
– after the username has been authenticated by its home server, reply messages are delivered back to the originating server via the Clearing House
– each RADIUS server along the path keeps track of its own messages, but the Clearing House processes all inter-WISP messages, too
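The routing decision described on this slide, written out as an added example (not Wirlab's code). The Clearing House host name, the home-server names, the treatment of a username without a domain as local, and the loop check are assumptions made for illustration; only the two domains come from the slides.

```python
import re

# Constructed sample configuration; only the two realms appear in the slides.
LOCAL_REALMS = {"operator.fi"}            # realms the visited WISP authenticates itself
CLEARING_HOUSE = "ch.example.net"         # hypothetical Clearing House proxy
MEMBERS = {                               # hypothetical Clearing House routing table
    "wirlab.net": "radius.wirlab.net",
    "operator.fi": "radius.operator.fi",
}
REALM_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def split_realm(user_name):
    """Return (user, realm); realm is None when the name has no '@'."""
    if not user_name or any(ord(c) < 0x21 or ord(c) == 0x7F for c in user_name):
        raise ValueError("empty User-Name or control/space characters")
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, None
    realm = realm.lower().rstrip(".")     # realms compare case-insensitively
    if not user or len(realm) > 253 or not REALM_RE.match(realm):
        raise ValueError("malformed realm")
    return user, realm


def visited_wisp_route(user_name):
    """Decision at the visited WISP: authenticate locally, proxy, or reject."""
    try:
        _, realm = split_realm(user_name)
    except ValueError as exc:
        return ("reject", str(exc))
    if realm is None or realm in LOCAL_REALMS:   # assumption: no realm means local
        return ("local", None)
    return ("proxy", CLEARING_HOUSE)


def clearing_house_route(user_name, sender_realm):
    """Decision at the Clearing House: forward only to a known member's home server."""
    try:
        _, realm = split_realm(user_name)
    except ValueError as exc:
        return ("reject", str(exc))
    if realm is None or realm not in MEMBERS:
        return ("reject", "unknown realm")       # never forward to an unlisted server
    if realm == sender_realm:
        return ("reject", "request would loop back to sender")
    return ("proxy", MEMBERS[realm])
```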

4 AAA
Besides authenticating roaming users, the Clearing House Proxy stores accounting information
– timestamps, amount of transferred data, start-alive-stop messages and authenticator IP addresses are stored in a database from which all roaming reports are generated
– the organization taking care of the Clearing provides all participants with the roaming statistics for billing
RADIUS servers can also be used for authorization of services

5 802.1X
Fairly new, port-based authentication scheme
– a user logs on to the network with a separate authentication client on his/her PC
– client comes bundled with Windows XP, other OSs have third party clients available
– multiple methods are underway and implemented: MD5, EAP-TLS, TTLS, LEAP, PEAP...

6 Access Controllers
Multiple WLAN vendors have integrated 802.1X / RADIUS support in their hardware
– Cisco, Nokia, Avaya, 3Com...
Separate Access Controllers are also available from multiple vendors
– Nokia, USG, Vernier, Cisco...
– these ACs use HTTP authentication via a web browser to authenticate the users to the network. No separate clients needed for the user!
Separate Access Controllers can also be used in traditional wired environments, where an existing network can easily be turned into an inter-ISP roaming service

7 From theory to practice
Although there are a lot of white papers about inter-WISP roaming, no standards-based service has been announced
Wirlab has built a working environment with 802.1X WLAN access points and separate Access Controllers combined with an efficient RADIUS server
The solution has been in testing for the last six months and no major problems have occurred

8 Example
[Diagram labels: Client: mtm@wirlab.net; Access Controller; operator.fi RADIUS; CLEARING HOUSE RADIUS; wirlab.net RADIUS; Internet; User DB; ISP DB]

9 Example – RADIUS messages
[Diagram labels: operator.fi RADIUS; CLEARING HOUSE RADIUS; wirlab.net RADIUS]
1. Access-Request
2. Access-Challenge
3. Access-Request
4. Access-Accept
5. Accounting-Request
6. Accounting-Response

10 User's view / 802.1X
On an 802.1X-enabled OS
As soon as the wireless client is associated to the access point, the AP prompts the user for username and password

11 User's view / 802.1X
A new window opens for the required information

12 User's view / 802.1X
After the information is sent and the user is authenticated by the RADIUS servers, the view in the Network Connections changes as follows. The user is authenticated and the network session can begin

13 User's view / HTTP
When authenticating via HTTP, the user has to open his/her browser and is then redirected to the authentication page. After entering the username and password the user is granted access to the network
Example: Cisco BBSM

14 User's view / HTTP
A pop-up window containing a Logoff or Disconnect button is usually opened after login. Until the user logs off, all traffic is passed through the Access Controller. This enables accounting for the session

15 Clearing House
Inter-WISP traffic logs per given timeframe
Displays usernames, visited and visiting domains, timestamps, in/out bytes and number of accounting messages
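How a report like this one could be derived from the accounting data listed on the AAA slide, as an added example (not Wirlab's code). The records are constructed, the attribute names are the standard RADIUS accounting ones, the "alive" message is taken to be Interim-Update, and the "visited" column is a hypothetical field holding the realm of the WISP that sent the record.

```python
def rec(visited, nas_ip, user, session, status, octets_in=0, octets_out=0):
    """Build one constructed accounting record (attribute names per RFC 2866)."""
    return {"visited": visited, "NAS-IP-Address": nas_ip, "User-Name": user,
            "Acct-Session-Id": session, "Acct-Status-Type": status,
            "Acct-Input-Octets": octets_in, "Acct-Output-Octets": octets_out}

# Constructed sample data; "visited" is a hypothetical column name.
RECORDS = [
    rec("operator.fi", "192.0.2.10", "mtm@wirlab.net", "s1", "Start"),
    rec("operator.fi", "192.0.2.10", "mtm@wirlab.net", "s1", "Interim-Update", 1000, 5000),
    rec("operator.fi", "192.0.2.10", "mtm@wirlab.net", "s1", "Stop", 1500, 9000),
    rec("wirlab.net", "198.51.100.7", "anna@operator.fi", "s1", "Start"),
    rec("wirlab.net", "198.51.100.7", "anna@operator.fi", "s1", "Stop", 200, 300),
    rec("operator.fi", "192.0.2.10", "local@operator.fi", "s2", "Stop", 50, 50),
]

def roaming_report(records):
    """Totals per (home realm, visited realm) for roaming sessions only."""
    sessions = {}                      # session key -> (pair, in, out)
    messages = {}                      # pair -> number of accounting messages
    for r in records:
        name = r["User-Name"]
        if "@" not in name:
            continue                   # no realm: cannot be an inter-WISP session
        pair = (name.rpartition("@")[2].lower(), r["visited"])
        if pair[0] == pair[1]:
            continue                   # user is at home, not roaming
        messages[pair] = messages.get(pair, 0) + 1
        # Acct-Session-Id is only unique per NAS, so include the NAS address.
        key = (r["NAS-IP-Address"], r["Acct-Session-Id"])
        _, seen_in, seen_out = sessions.get(key, (pair, 0, 0))
        # Octet counters are cumulative within a session: keep the highest
        # value seen instead of adding Interim-Update and Stop together.
        sessions[key] = (pair, max(seen_in, r["Acct-Input-Octets"]),
                         max(seen_out, r["Acct-Output-Octets"]))
    report = {}
    for pair, octets_in, octets_out in sessions.values():
        row = report.setdefault(pair, {"in": 0, "out": 0, "sessions": 0,
                                       "messages": messages[pair]})
        row["in"] += octets_in
        row["out"] += octets_out
        row["sessions"] += 1
    return report
```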

16 Clearing House (contd.)
Collect balance information from current time
Balance figures per operator reflected against others

17 CH Management (contd.)
Administrate WISP RADIUS-servers via browser

18 http://www.wirlab.net/

