Michal Procházka, Jan Oppolzer CESNET.

Presentation transcript:


Michal Procházka
- Senior researcher at Masaryk University
- Member of the AAI department at CESNET
- Member of AAI task forces: ELIXIR, EGI
- Participating in GEANT GN4p1 projects
- More than 8 years of experience in IT security and AAI

Jan Oppolzer
- Head of the eduID.cz federation operator
- Deputy of the AAI department at CESNET
- eduGAIN steering group delegate
- Shibboleth v3 expert

Goal of the training
At the end of the day you should:
- Understand how eduroam works
- Know what the benefits are
- Know how to set up eduroam in your country and institutions
- Ask questions

Outline
- Survey
- What is it?
- How does it work?
- eduroam and the NREN
- eduroam and the organization
- Requirements
- Production

Survey
- How many NRENs?
- How many organizations?
- How many Linux administrators?

What is it?
- Global identity federation
- Provides network access
- Mainly over WiFi

Benefits
- Easy roaming
- Every user is identified
  - Useful for auditing and logging
  - Helps in case of a security incident
- Communication is encrypted
  - eduroam requires encrypted communication between the client and the AP

Video (embedded in the original slide, not part of the transcript)

How does it work?

Diagram: RADIUS server at University ABC, RADIUS server at University 123, Roaming Operator central RADIUS proxy server, WiFi access point, user DB, visitor/student/employee VLANs; data and signaling paths are shown separately. Taken from the presentation "eduroam: The Value of WLAN measurements for the R&E Community".

Terms
- RO – Roaming Operator
- ETLRS – European Top-Level RADIUS Servers
- FLRS – Federation-Level RADIUS Server
- IdP – eduroam Identity Provider
- SP – eduroam Service Provider
- NAS – Network Access Server
- F-Ticks – Federated Ticker System

Infrastructure
- Top-level RADIUS server (ETLRS)
- National RADIUS proxy (FLRS)
- Institutional RADIUS (IdP and/or SP)
- Identity management system (IdM)
- Access points, switches (NAS)
- Clients (supplicant)
- Monitoring (F-Ticks)

Protocols and security
- 802.1X: supplicant to AP communication
- RADIUS protocol: NAS to IdP communication
- EAP protocol: supplicant to IdP communication (PAP, CHAP, TLS, TTLS, MS-CHAPv2, …)
- TLS protocol: securing FLRS to ETLRS as well as IdP to FLRS communication

Diagram from

Authentication Protocols
- PAP – Password Authentication Protocol
- CHAP – Challenge-Handshake Authentication Protocol
- TLS – Transport Layer Security – X.509 authN
- TTLS – Tunneled TLS with e.g. PAP inside

eduroam and the NREN
- National point of contact to the global eduroam
- Running the FLRS
  - Proxying requests from SPs to IdPs and to the ETLRS
  - Monitoring infrastructure for IdPs

Requirements
- Digital certificate accepted by the eduroam PMA
- Host with a public IP address
  - Ideally two for an HA or failover configuration
- Web server
- Optionally a mailing list system

Software for the FLRS
- radsecproxy: proxying RADIUS requests, supports TLS
- (r)syslog: logging
- eduroam monitoring: monitoring

Process
- An incoming request is routed to the national IdP
- Otherwise it is routed up to the ETLRS
- The FLRS does not modify RADIUS packets
  - Only filtering is applied (e.g. removing VLAN attributes)
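The routing decision above, as an added example that is not from the slides or from radsecproxy: the FLRS extracts the realm from User-Name, forwards known national realms to their IdP, sends foreign realms up to the ETLRS, and strips the VLAN tunnel attributes from replies. The national TLD, the realm table and the ETLRS host names are constructed; the guard that drops unknown realms under the national TLD (to avoid loops through the ETLRS) is a common practice that goes beyond what the slide states.

```python
# Added example: a minimal model of FLRS realm routing and VLAN filtering.
# All hosts, realms and the TLD below are constructed sample values.
from typing import Optional

NATIONAL_TLD = "cz"                      # assumption: this FLRS serves .cz realms
NATIONAL_IDPS = {                        # constructed realm table: realm -> IdP host
    "example-uni.cz": "radius.example-uni.cz",
}
ETLRS = ("etlr1.example.org", "etlr2.example.org")  # constructed top-level proxies

# RADIUS tunnel attributes that carry VLAN assignments (RFC 2868 / RFC 3580)
VLAN_ATTRIBUTES = {64, 65, 81}  # Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID


def realm_of(user_name: str) -> Optional[str]:
    """Return the realm part of the NAI (text after the last '@'), or None."""
    if "@" not in user_name:
        return None
    realm = user_name.rsplit("@", 1)[1].strip().lower()
    return realm or None


def route(user_name: str) -> Optional[str]:
    """Decide where the FLRS forwards an Access-Request; None means reject."""
    realm = realm_of(user_name)
    if realm is None:
        return None                          # no realm at all: never proxy it
    if realm in NATIONAL_IDPS:
        return NATIONAL_IDPS[realm]          # known national IdP
    if realm == NATIONAL_TLD or realm.endswith("." + NATIONAL_TLD):
        return None                          # own TLD but unknown: drop, avoids loops
    return ETLRS[0]                          # foreign realm: primary ETLRS (failover is the RADIUS client's job)


def filter_vlan(attributes: dict) -> dict:
    """Copy a reply's attributes, dropping only the VLAN ones (keyed by attribute number)."""
    return {num: val for num, val in attributes.items() if num not in VLAN_ATTRIBUTES}
```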

F-ticks
- Federated Ticker System
- Used to monitor FLRS RADIUS servers
- Leverages syslog
- Example of a message: F-TICKS/eduroam/1.0#REALM=%R#VISCOUNTRY=LU#CSI=%{Calling-Station-Id}#RESULT=OK#
- Also addresses privacy issues
  - REALM can be replaced with "undisclosed"
  - The second part of the MAC address can be hashed
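An added example, not from the slides or from any F-Ticks implementation, that assembles the F-TICKS/eduroam/1.0 line shown above from an authentication result and applies both privacy options: the realm can be reported as "undisclosed", and the device-specific second half of the MAC can be replaced by a hash while the vendor (OUI) part stays visible. Hashing with SHA-256 (keyed with HMAC when a key is given) is this example's own choice.

```python
# Added example: building F-TICKS messages with the optional privacy settings.
import hashlib
import hmac
import re

# Calling-Station-Id variants: "AA-BB-CC-11-22-33", "aa:bb:cc:11:22:33", "aabbcc112233"
_MAC_RE = re.compile(r"^" + r"[-:]?".join([r"([0-9a-f]{2})"] * 6) + r"$")


def normalize_mac(calling_station_id: str) -> str:
    """Canonical lower-case, dash-separated form of a Calling-Station-Id MAC."""
    m = _MAC_RE.match(calling_station_id.strip().lower())
    if not m:
        raise ValueError("Calling-Station-Id is not a MAC address")
    return "-".join(m.groups())


def csi_value(calling_station_id: str, hash_nic: bool = False, key: bytes = b"") -> str:
    """Keep the OUI (first three bytes); optionally replace the NIC part by a hash.
    SHA-256, or HMAC-SHA-256 when a key is supplied, is an assumption of this example."""
    mac = normalize_mac(calling_station_id)
    if not hash_nic:
        return mac
    oui, nic = mac[:8], mac[9:]
    if key:
        digest = hmac.new(key, nic.encode(), hashlib.sha256).hexdigest()
    else:
        digest = hashlib.sha256(nic.encode()).hexdigest()
    return f"{oui}-{digest}"


def ftick(realm: str, viscountry: str, calling_station_id: str, ok: bool,
          disclose_realm: bool = True, hash_nic: bool = False, key: bytes = b"") -> str:
    """Assemble one '#'-delimited F-TICKS/eduroam/1.0 message for syslog."""
    fields = [
        "F-TICKS/eduroam/1.0",
        "REALM=" + (realm.strip().lower() if disclose_realm else "undisclosed"),
        "VISCOUNTRY=" + viscountry.strip().upper(),
        "CSI=" + csi_value(calling_station_id, hash_nic, key),
        "RESULT=" + ("OK" if ok else "FAIL"),
    ]
    return "#".join(fields) + "#"
```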

Communication channels
- Web pages
  - Provide information for users and SPs
  - Must be on the eduroam.TLD domain
- Mailing lists
  - Global eduroam mailing list
  - Mailing list for national SPs

eduroam and the institution
- Processing user authentication
- Connection to the local IdM
- User support
- Usually also operates as an SP

Technical Terms
- IdP – eduroam Identity Provider
- Supplicant
- NAS – Network Access Server
- AP – Access Point, switch

Identity provider
- Provides user authentication
  - The IdP selects the authentication method
- Proper user registration
  - Ideally connected to the organization's IdM
  - The IdP must be able to identify the user in person

Supplicant
- Software initiating user authentication (EAP)
  - Creates a secured tunnel to the IdP
  - Transfers user credentials to the IdP via the selected authN method
  - Secures data transfer from the machine to the AP
- Included in Windows, Mac OS, Linux, Android, iOS, …

NAS
- WiFi access point/switch
- Must support 802.1X
- Communicates with the home IdP using the RADIUS protocol
  - Shares a secret with the home IdP
- WiFi security: WPA2/AES
- Open ports: see the eduroam Service Definition

Requirements
- Digital certificate accepted by the FLRS
- Access to the IdM system (user authN)
- Host with a public IP address
  - Ideally two hosts for HA or failover
- Optionally the access points

Communication channels
- Web pages and a contact e-mail address for users
  - Linked from eduroam.TLD
  - Containing information on how to join eduroam
  - Providing information about local restrictions: filtered ports, NAT/IP ranges

Sources