
Authorised Global Roaming Offering Accessible Authorization Services to EduRoam David Chadwick, George Beitis, Gareth Owen University of Kent.


1 Authorised Global Roaming: Offering Accessible Authorization Services to EduRoam
David Chadwick, George Beitis, Gareth Owen
University of Kent

2 Introduction
The aim of the project was to provide a solution for adding authorization to EduRoam
The solution must build on top of the existing authentication service provided by the EduRoam federation in a non-destructive and backwards-compatible way
The solution must be built on standards and open source code
The solution should work for both remote and local users, and be flexible and fine grained

3 EduRoam
World-wide academic roaming network
Result of the TERENA Mobility Task Force
Defines a roaming architecture between National Research and Education Networks
Uses AAA (RADIUS) servers and the 802.1X standard
Provides authentication services
Members sign a service level agreement

4 Example
Assume that the University of Kent and the University of Athens are both members of Eduroam
Bob from the University of Kent visits the University of Athens to attend a convention
He can log in to the wireless service there using his Kent credentials and use it to access the internet

5 Eduroam – How Does It Work?
Bob enters his username and password
–Username: bob123@kent.ac.uk
The credentials are passed to the local RADIUS server
The local RADIUS server proxies the credentials to the University of Kent RADIUS server via the EduRoam federation proxy servers
–The proxies route on the realm of the user: kent.ac.uk
The Kent server authenticates the user and returns a reply (either Access-Accept or Access-Reject)

6 Eduroam Local Authentication
Diagram: the Network Access Server (with RADIUS client) sends an Access Request carrying the credentials (abc@kent.ac.uk, password) to the Local RADIUS Server, which compares the password attribute (true/false) and returns the Access Decision
Actions performed by the local RADIUS server:
Receive the request and credentials (username + password)
Authenticate the user by comparing the password with the one stored in LDAP
If authentication succeeds, authorize the user; otherwise reject the user
Return an Access-Accept or Access-Reject decision

7 Eduroam Remote Authentication
Diagram: the NAS sends an Access Request with user attributes (U.A.) to the Local RADIUS Server; the request is forwarded through the federation proxies to the Remote RADIUS Server, which compares the password attribute (true/false); the Access Decision travels back along the same path to the NAS
U.A. = User Attributes => username@realm + password, e.g. username: abc@kent.ac.uk, password: pass123

8 RADIUS (RFC 2865)
Remote Authentication Dial In Service
–Protocol for carrying authentication, authorization and configuration information between a Network Access Server (NAS) and an authentication server
Designed for centralized authentication and authorization
The RADIUS protocol does not distinguish between authorization and authentication
–One request is made for combined authentication/authorisation
–Authentication is equal to authorization: the RADIUS server is expected to make the decision "can this user access the network?"
–One combined authn/authz reply, which is either Access-Accept or Access-Reject

9 What EduRoam is Missing
Only offers authentication
Does not provide a method for universal authorization
Knowing that Bob is really Bob is not enough
Which services should Bob be allowed to access whilst he is in Athens?
We need authorization

10 Why Authorization?
Authentication simply tells us that you are who you claim to be, nothing else
Most academic institutions offer different levels of service to different classes of user
–E.g. academics have more available resources than students, who have more than guests
–Most achieve this by adding different users to different Virtual LANs
–The 802.1Q protocol defines Virtual LANs (VLANs). Traffic is tagged between switches and access points, allowing LANs to be created that are not restricted by physical location
–E.g. one VLAN for academic staff, one VLAN for students, one for guests, et cetera
We want to allow universities to use this mechanism for Eduroam services, for both local and visiting users, by providing authorization services to EduRoam

11 Existing Authorization Solutions
Some universities add all Eduroam users to the same LAN or VLAN
–No distinction between users
–Authentication is equal to authorization
Simple authorization solutions include:
–Separating local and remote users
–Custom-made scripts to filter between local users using local databases (hardcoded logic, not extensible)
Cisco Secure Access Control Server (ACS) or similar proprietary solutions
–Only works for the organisation's own users and not those of other organisations
–Licences cost a lot, training costs a lot, and it needs Cisco-compatible hardware
–Difficult to extend or customize to specific needs
No ability to offer different levels of access and services to all users regardless of their origin

12 The Initial Idea
Allow the RADIUS servers to authenticate users as now
Then extend the RADIUS servers to perform authorization after a user is successfully authenticated
Put users onto different Virtual LANs (VLANs) according to their authorisation
But there are many issues to resolve first, such as:
–What to use for authorisation? ACLs or PDPs? ACLs are not scalable. PDPs are, but need user attributes
–How to locate the user's authz attributes?
–What protocols to use to get the attributes?

13 Conceptual Model
1. Find the location of the user's home institution's Attribute Authority servers or repositories
2. Query them for the user's roles/attributes, i.e. authorisation credentials
3. Validate the authorisation credentials using a locally specified policy
4. Determine which VLAN the user is permitted to access, using a locally specified policy and the user's valid attributes/roles
5. Supply an attribute in the response to the RADIUS server indicating the VLAN that the user should be placed on

14 Implementation
Use DNS SRV records to locate the user's attribute authority/repository
Use FreeRADIUS as the RADIUS server
–Most popular open source RADIUS server
–Supports plug-in modules for callouts at workflow points (pre-auth, auth, post-auth)
Use JRadius as a plug-in module
–Written in Java, so the Java authorisation infrastructure can easily be added
Use PERMIS as the authorization engine
–Open source Java, flexible and customisable
–Supports both credential validation and access control
–Has a Policy Editor GUI that makes it easy to write XML policies
Use the EduPerson schema for authorisation attributes
Use an Apache WebDAV server in the initial pilot to hold user roles as signed attribute certificates
Use IEEE 802.1Q VLANs and PERMIS policies for fine grained authorisation

15 IEEE 802.1Q (VLAN Tagging)
Defines a Virtual LAN or VLAN
Allows multiple bridged networks (VLANs) to transparently share the same physical network link without the information carried by them leaking between the virtual networks
Switches on the network are configured to insert a VLAN tag into all data frames arriving from equipment used by a specific user
After the frames are switched through the corporate network, the VLAN tag is stripped off before the frame is delivered to the destination (which must be in the same VLAN)
In this way, traffic between different user groups, e.g. lecturers and students, cannot be leaked to or snooped from one to another

16 DNS SRV Records
SRV records have the format:
_Service._Proto.Name TTL Class SRV Priority Weight Port Target
Where
Service is the name of the service, e.g. FTP, LDAP
Proto is the protocol, either tcp or udp
Name is the domain name
TTL is the DNS time to live for the record
Class is the DNS class, i.e. IN for Internet
SRV is the RR record type
Priority is the priority of the host, used when there are several SRVs
Weight is a weighting to be used for hosts of equal priority
Port is the port number of the Service on the host
Target is the domain name of the host running the Service

17 PERMIS
Policy driven, Role Based Access Control (RBAC) Privilege Management Infrastructure (PMI)
Built on standards; open source code in Java
PERMIS uses policies written in XML
–Policies allow for centralised control of what we authorize
–Policies come from management and are easily written using the PERMIS Policy Editor
–A policy can be stored inside an X.509 Attribute Certificate to stop it being tampered with
Flexible: supports multiple credential formats (SAML attribute assertions and X.509 ACs) and storage locations, and can be easily extended to additional ones
User credentials can be stored inside X.509 Attribute Certificates or signed SAML attribute assertions to stop them being tampered with
Implements the ISO 10181-3 Access Control Framework and has an XACML PDP interface

18 PERMIS Authorisation System

19 LDAP
Lightweight Directory Access Protocol
LDAP databases are used for storing information (as attributes) about university employees, organizational units etc.
Used for holding authentication and authorisation attributes
But one problem: LDAP servers are rarely accessible from outside an organization, to avoid spamming and to protect the privacy of people and the organization
–We should use an HTTP-based protocol with security properties, e.g. SAML or WebDAV

20 SAML
OASIS Security Assertions Markup Language
Used to carry authentication, authorisation and attribute assertions about users between web services
As part of the Shibboleth protocol, universities are now starting to release LDAP attributes of users to outside web services, encoded as SAML attribute assertions
We can use SAML to carry user attribute assertions for EduRoam authorisation

21 WebDAV
A set of extensions to the HTTP protocol for managing web based resources
Allows us to define directory structures on which we can read and write files, and define access rights to them
As it uses port 80 it is not affected by firewalls
Ideal for storing user attributes as digitally signed Attribute Certificate files

22 EduPERSON
EduPERSON is an LDAP schema which contains standardised information (attributes) that can describe people who are part of the academic world
–Defines attributes that can describe a person's role in the university and other information
–The eduPersonAffiliation attribute specifies the affiliation a person has with an institution. Permissible values are: faculty, student, staff, alum, member, affiliate, employee and library-walk-in

23 What is needed
Each site needs to implement:
Either a WebDAV repository to store their user Attribute Certificates, or a SAML AA (with backend LDAP) to return SAML attribute assertions
DNS SRV records to point to their WebDAV/SAML server address and port
FreeRADIUS + JRadius + PERMIS

24 E.g. Use of SRV Records, WebDAV repository, X.509 ACs and EduPerson schema
Diagram: DNS tree uk > ac > myuni > sysx, with the SRV record _webdavcerts._tcp.myuni.ac.uk IN SRV 86400 0 0 80 sysx.myuni.ac.uk (TTL 86400, priority 0, weight 0, port 80) pointing at a WebDAV server running on port 80 at sysx.myuni.ac.uk
The WebDAV server holds the signed eduPersonAffiliation attribute of abc12@myuni.ac.uk (dc=uk, dc=ac, dc=myuni, uid=abc12) as the file eduPersonAffiliation=student +SN=123456.ace
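As an added example (not code from the presentation or from the PERMIS/JRadius project), a parser for SRV records in the slide 16 layout plus RFC 2782 priority/weight selection, run over constructed records for the _webdavcerts and _samlaa services used in the examples; the hosts sysy and backup and their weights are invented.

```python
import random
import re

# Constructed zone-file lines in the slide 16 layout (_Service._Proto.Name TTL Class SRV
# Priority Weight Port Target); realm and host names are made up for this example.
SAMPLE_ZONE = """
_webdavcerts._tcp.myuni.ac.uk. 86400 IN SRV 0 0 80 sysx.myuni.ac.uk.
_webdavcerts._tcp.myuni.ac.uk. 86400 IN SRV 0 20 80 sysy.myuni.ac.uk.
_webdavcerts._tcp.myuni.ac.uk. 86400 IN SRV 10 0 8080 backup.myuni.ac.uk.
_samlaa._tcp.myuni.ac.uk. 86400 IN SRV 0 0 80 sysx.myuni.ac.uk.
"""

NAME = r"[a-z0-9-]+(?:\.[a-z0-9-]+)*"   # dotted DNS name without the trailing root dot
SRV_LINE = re.compile(
    rf"^_(?P<service>[a-z0-9-]+)\._(?P<proto>tcp|udp)\.(?P<domain>{NAME})\.?\s+"
    rf"(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<priority>\d+)\s+(?P<weight>\d+)\s+"
    rf"(?P<port>\d+)\s+(?P<target>{NAME})\.?$",
    re.IGNORECASE,
)
INT_FIELDS = ("ttl", "priority", "weight", "port")

def parse_srv(zone_text):
    """Parse every well-formed SRV line; comments, blanks and junk are ignored."""
    records = []
    for line in zone_text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append({k: int(v) if k in INT_FIELDS else v.lower()
                            for k, v in m.groupdict().items()})
    return records

def lookup(records, service, proto, realm):
    """Records owned by _service._proto.realm, i.e. the roaming user's realm from slide 27."""
    return [r for r in records
            if r["service"] == service and r["proto"] == proto and r["domain"] == realm.lower()]

def select_target(candidates, rng=random):
    """RFC 2782 selection: lowest priority wins; equal priorities are chosen by weight."""
    if not candidates:
        return None
    best = min(r["priority"] for r in candidates)
    pool = [r for r in candidates if r["priority"] == best]
    pick = rng.randint(0, sum(r["weight"] for r in pool))
    running = 0
    for rec in pool:               # first record whose running weight reaches the pick
        running += rec["weight"]
        if running >= pick:
            return rec
    return pool[-1]                # unreachable in practice; keeps every path returning
```

A realm with no matching record yields None, which is exactly the "remote site does not implement this solution" case of slide 31 where the RADIUS flow falls back to authentication only.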

25 E.g. Use of SRV Records, SAML AA with backend LDAP using EduPerson schema
Diagram: DNS tree uk > ac > myuni > sysx, with the SRV record _samlaa._tcp.myuni.ac.uk IN SRV 86400 0 0 80 sysx.myuni.ac.uk (TTL 86400, priority 0, weight 0, port 80) pointing at a SAML AA running on port 80 at sysx.myuni.ac.uk
The backend LDAP server on sysx holds the eduPersonAffiliation=student attribute of abc12@myuni.ac.uk (dc=uk, dc=ac, dc=myuni, uid=abc12)

26 Diagram: the RADIUS server sends the FreeRADIUS session attributes and RADIUS packets to PERMIS; PERMIS returns the updated FreeRADIUS attributes and RADIUS packets, including the updated Access Decision

27 Integrating JRadius and PERMIS
Build a PERMIS Context Handler which is called by JRadius and in turn calls the standard PERMIS Java API
At initialisation, the Context Handler loads the local PERMIS authorisation policy into the PERMIS CVS/PDP
For each request:
1. Take the username of the incoming request (user12@someuni.edu)
2. Extract the user's realm (someuni.edu) and convert it to a DNS name
3. Query the DNS SRV records of the realm to determine where the WebDAV or SAML server that stores the credentials is
4. Pass the location of the repository and the user's DN to the PERMIS CVS, which will pull the user's attributes
5. Make repeated calls to the PERMIS PDP to ask whether the user is authorized to access the known VLANs, in order of priority
6. When access is granted, add the chosen VLAN to the RADIUS packet; otherwise add nothing
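As an added example that is not part of the presentation or of PERMIS/JRadius, the per-request flow of this slide in Python: realm extraction, a simplified stand-in for the PERMIS CVS (only attributes asserted by an authority trusted for the user's realm count) and a PDP-style query of the known VLANs in priority order. The policy, trust table, VLAN IDs and credentials are constructed; fetching the credentials from the SRV-located repository is left out.

```python
import re

# Permissible eduPersonAffiliation values from the EduPerson schema (slide 22)
AFFILIATIONS = {"faculty", "student", "staff", "alum", "member", "affiliate",
                "employee", "library-walk-in"}
# Constructed local policy standing in for the PERMIS XML policy: known VLANs in priority
# order with the affiliations allowed onto each; the VLAN IDs are made up
VLAN_POLICY = [
    ("staff-vlan", 10, {"faculty", "staff", "employee"}),
    ("student-vlan", 20, {"student"}),
    ("guest-vlan", 30, {"member", "affiliate", "alum", "library-walk-in"}),
]
# Constructed trust configuration: attribute authorities allowed to assert roles per realm
TRUSTED_ISSUERS = {"kent.ac.uk": {"aa.kent.ac.uk"}, "myuni.ac.uk": {"sysx.myuni.ac.uk"}}
# Constructed credentials as pulled from the repository; the second is asserted by an
# authority not trusted for kent.ac.uk and must be dropped by credential validation
SAMPLE_CREDENTIALS = [
    {"issuer": "aa.kent.ac.uk", "attribute": "eduPersonAffiliation", "value": "student"},
    {"issuer": "aa.other.example", "attribute": "eduPersonAffiliation", "value": "staff"},
]
REALM_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")

def extract_realm(username):
    """'user12@someuni.edu' -> 'someuni.edu'; anything not exactly user@realm is rejected."""
    user, sep, realm = username.partition("@")
    realm = realm.lower()
    if not user or not sep or not REALM_RE.match(realm):
        return None
    return realm

def validate_credentials(realm, credentials):
    """CVS stand-in: keep affiliations asserted by an issuer trusted for the user's realm."""
    trusted = TRUSTED_ISSUERS.get(realm, set())
    return {c["value"] for c in credentials
            if c["issuer"] in trusted and c["attribute"] == "eduPersonAffiliation"
            and c["value"] in AFFILIATIONS}

def choose_vlan(roles):
    """PDP stand-in: ask about each known VLAN in priority order; None means add nothing."""
    for _name, vlan_id, allowed in VLAN_POLICY:
        if allowed & roles:
            return vlan_id
    return None

def authorize(username, credentials):
    """Slide 27 steps for one request: realm, validated roles, VLAN ID to add (or None)."""
    realm = extract_realm(username)
    if realm is None:
        return None
    return choose_vlan(validate_credentials(realm, credentials))
```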

28 Authz System
Diagram: the JRadius server runs Handler A, Handler B and the PERMIS Context Handler. The Context Handler loads its config file (local WebDAV server, local realm, PERMIS config info, DNS SRV info, VLAN IDs), locates the local and remote WebDAV servers using DNS SRV records and/or the configuration info, and pulls the user's role AC from the local or remote WebDAV server (GetCreds request). It then sends a decision request to PERMIS with the decision information: user attributes, action (Access) and target (VLAN). FreeRADIUS attributes and packets go in; updated FreeRADIUS attributes and packets carrying the authorization decision come out

29 Diagram: the FreeRADIUS server passes its attributes and packets to the JRadius server and receives updated attributes and packets back. If we are using VLANs, we include the VLAN information inside the updated RADIUS packets, so the Access Point receives Access-Accept + VLAN ID and places the user on the Student VLAN, Staff VLAN or Guest VLAN

30 Testing
Testing so far included a local user scenario with 5 VLANs, including VLANs for guests, staff and students
Performance results are encouraging. The total time for the RADIUS client to receive the authn and authz response was <3 seconds for a local user and <4 seconds for a remote user
–using a LAN configuration for all components, so this excludes network delays for large distances

31 Conclusion
Using this solution is non-destructive
–It can complement the current network setup and can be used at desired access points only
It can be slowly migrated in. If a remote site does not implement this solution, it reverts to the current authn-only solution
The solution can be as flexible as needed
–Offer minimal authorization services only to local users
–Offer sophisticated authorization services for both local and remote users
–Can use SAML AAs, WebDAV repositories, LDAP servers
Easily deployable at other institutions
(Lack of) global PKI problem
–A root Certification Authority for all academic institutions does not exist, so checking signatures on all signed attribute assertions from all institutions is an issue
–TERENA is hopefully solving this problem through TACAR?

32 Questions?

