Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 Eduroam and IEEE 802.11u Dave Stephenson Wireless Networking Business Unit Strategic Initiatives.

Published byPrecious Barrow Modified over 10 years ago

Similar presentations

Presentation on theme: "© 2012 Cisco and/or its affiliates. All rights reserved. 1 Eduroam and IEEE 802.11u Dave Stephenson Wireless Networking Business Unit Strategic Initiatives."— Presentation transcript:

1 © 2012 Cisco and/or its affiliates. All rights reserved. 1 Eduroam and IEEE 802.11u Dave Stephenson Wireless Networking Business Unit Strategic Initiatives and CTO Office February 27, 2012

2 © 2012 Cisco and/or its affiliates. All rights reserved. 2 802.11u – Interworking with External Networks Purpose: Interworking with External Networks is a key enabler to allow IEEE 802.11 devices to interwork with external networks, as typically found in hotspots or other public networks irrespective of whether the service is subscription based or free. Interworking Service aids network discovery and selection, enabling information transfer from external networks, and enabling emergency services. It provides information to the STAs (mobile devices) about the networks prior to association. Interworking Service addresses MAC layer enhancements that allow higher layer functionality to provide the overall end-to-end interworking solution. Status: IEEE 802.11u-2011 is a fully ratified IEEE standard

3 © 2012 Cisco and/or its affiliates. All rights reserved. 3 Network discovery and selection (NDS) Generic Advertisement Service (GAS) along with Access Network Query Protocol (ANQP) and the Interworking element provide lightweight support for network selection GAS provides support for other higher-layer network discovery, service advertisement and mobility management protocols Generalized QoS L3 L2 mapping Service Provider (aka SSPN) Interface Support for emergency services including Emergency Alert Service (EAS) Standardized SAP for higher-layer mobility management protocols (only for client devices)

4 © 2012 Cisco and/or its affiliates. All rights reserved. 4

5 5 SSID is the sole identifier used for Wi-Fi network selection If the Wi-Fi network is open (no encryption) Whether mobile devices connection manager recognizes the SSID or not, the mobile device can join If the Wi-Fi network is encrypted If the mobile devices connection manager does not recognize the SSID, no further action is taken To join, the mobile device must possess a pre-provisioned profile which contains the binding of {SSID, credential, EAP method(s), AAA server ID, trust anchors} There is no way for the Hotspot to signal roaming partnersthe only option is for the SP to manage long lists of roaming-partner SSIDs/profiles in the mobile

6 © 2012 Cisco and/or its affiliates. All rights reserved. 6 All the legacy methods (i.e., pre-11u) still work! And can be used! The new question is whether the mobile device has credentials to successfully authenticate with the Wi-Fi access network, NOT whether the SSID is recognized IEEE 802.11 GAS/ANQP provides 3 types of identifiers a mobile device can use to determine whether successful authentication is possible Realms, provided in NAI Realm List PLMN ID, provided in 3GPP Cellular Information List OUI, provided in Roaming Consortium List This ANQP-provided information identifies the authentication domains of the hotspot operator and all of its roaming partners The hotspot is responsible for carrying out authentication, often using Proxy AAA service The home SP is no longer required to manage long SSIDs lists on every mobile devicethis responsibility has been transferred to the network

7 © 2012 Cisco and/or its affiliates. All rights reserved. 7 NAI Realm List A list of realms (i.e., username@realm) which can be successfully authenticated If the mobile device finds a realm in the list matching one of its credentials, successful authentication is possible Either EAP-TLS (certificate credential) or EAP-TTLS with MSCHAPv2 (username/password credential) is used depending on the credential type provisioned by the Home SP 3GPP Cellular Information A PLMN ID list; a PLMN ID is assigned to every cellular operator and has the form {MCC, MNC} If the mobile device finds a PLMN ID in the list matching the one from its SIM credential, successful authentication is possible Either EAP-SIM (2G/3G SIM credential) or EAP-AKA (4G USIM credential) are used Roaming Consortium List A list of OUIs (organizationally unique identifier)essentially the OUI part of a MAC address obtained from IEEE (note: IEEE 802.11u also uses the term OI) If the mobile device finds an OUI in the list matching the one its been provisioned with, successful authentication is possible This method can be used with Aggregators (Hotspot operator does not necessarily know all the authenticable realms) and for other special purposes For OUIs in the beacon, this is a very battery efficient roaming method (no ANQP queries needed) Eduroam could identify their authentication service using an OUI

8 © 2012 Cisco and/or its affiliates. All rights reserved. 8 802.11u Client Legacy Client Manual Setup 1.Power-on or unlock the phone 2.Select Wi-Fi network (vulnerable to rogue AP) 3.Go to Webauth 4.Browse webpage and enter right credential, usually ID/PWD 5.Choose roaming plan 6.Start Internet Automatic Setup 1. Power-on or unlock the phone 2. Handset automatically validates network and initiates connection. Makes Wi-Fi easy-to-use and secure like 3G cellular 802.11u enabled network is compatible with non-11u devices! Can you tell me your network info? Before I associate? Can you tell me your network info? Before I associate? Yes! Here it is: Realm: cisco.com EAP Method = EAP-TTLS Yes! Here it is: Realm: cisco.com EAP Method = EAP-TTLS Domain Name (hotspot operators FQDN) NAI Realm / 3GPP Cellular Info

9 © 2012 Cisco and/or its affiliates. All rights reserved. 9 Beacon with 802.11u Interworking IE Probe Request Probe Response GAS Initial Request GAS Initial Response GAS Comeback Request GAS Comeback Response 802.1X (EAPOL-Start) 802.1X (EAP-Identity Request) 802.1X (EAP-Identity Response) 802.1X (EAP-Auth. Exchange) RADIUS (EAP-Auth. Exchange) RADIUS (Access-Accept) 802.1X (EAP-Success) Pre-association protocol using 802.11 public action frames for GAS L2 transport. ANQP provides NAI Realm, 3GPP PLMN ID, etc. so mobile can select roaming candidate network PLMN ID and/or Realm + EAP Method learned from GAS exchange 802.11u-enabled connection manager supplies SSID to join AAA Server AP/WLC 802.11u doesnt change the authentication procedure Used if response requires GAS fragmentation Authentication (null) Authentication Response Association Request (SSID) Association Response (AID) 4-Way Handshake (PTK, GTK) Number of queries and query content is mobile implementation dependent

10 © 2012 Cisco and/or its affiliates. All rights reserved. 10 Wi-Fi networks also provide the following information for … Policy-based network selection (who is the hotspot operator?) Domain Name List (i.e., the domain name(s) of the hotspot operator) Aids for connection manager (their use is implementation dependent) IP Address Type Availability (e.g., IPv4 or IPv6) Aids to human network selection (aka manual selection) Venue Name (e.g., San Francisco Airport) ANQP also provides more information related to access to emergency services (including location)

11 © 2012 Cisco and/or its affiliates. All rights reserved. 11 This element is in beacons and probe responses Network type: One of: {private | private with guest access | chargeable | free} STAs can selectively scan for desired network type Internet: set to 1 if SSID provides internet access ASRA: set to 1 if Web-auth/WISPR configured on this SSID ESR (emergency services reachable): set to 1 if emergency services are reachable on this SSID UESA (un-authenticated emergency services accessible): set to 1 if emergency services are accessible for terminals not having valid security credentials on this SSID B0 - B3B4B5B6B7 Element IDLength Network Type InternetASRAESRUESA Venue Info (optional) HESSID (optional) Octets:11 0 or 20 or 6

12 © 2012 Cisco and/or its affiliates. All rights reserved. 12 This element is in beacons and probe responses Client scans & receives beacon having this element and can quickly determine if there are any Wi-Fi networks for which it has valid security credentials Each SP or consortium of SPs must register with IEEE to obtain OI Element gives OI for top 3 SPs (or consortium of SPs) having roaming agreements with Wi-Fi access network provider; remainder available via GAS-ANQP query Number of GAS-ANQP OIs provides number of additional OIs which will be returned on a GAS-ANQP query (see subsequent slide)

13 © 2012 Cisco and/or its affiliates. All rights reserved. 13 Credential Type Zero or more types in list SIM, USIM, Certificate, NFC Secure element, Hardtoken, Softoken, Username/password

14 © 2012 Cisco and/or its affiliates. All rights reserved. 14

15 © 2012 Cisco and/or its affiliates. All rights reserved. 15 Excerpts from IEEE 802.11u-2011: Each OI identifies an SP or group of SPs (i.e., a roaming consortium) … whose security credentials can be used to authenticate with the AP transmitting this [OI] Eduroam is a roaming consortium and could register for its own OI A terminal can have a locally stored binding between an OI and a set of security credentials with which it can authenticate to the network identified by the OI. Notes on ANQP and OIs ANQP does not provide the binding between OI and realm or PLMN ID For each member realm of an OI, there does not have to be an entry in the 3GPP Cellular Information List or NAI Realm Listtherefore, ANQP using OIs can support a very large number of realms

16 © 2012 Cisco and/or its affiliates. All rights reserved. 16 For roaming partners: AAA routing is based on the realm provided via EAP When a realm is provided in ANQP, the hotspot infrastructure has been configured with routing information for the authentication request Realms can be explicitly provided in the NAI Realm List or implicitly provided in the 3GPP Cellular Information List Either the Wi-Fi infrastructure (e.g., AP or access controller) or the visited AAA server is configured with this routing information For aggregators: AAA routing could be based on a prepended aggregator tag, e.g., iPass/daves@cisco.com iPass/daves@cisco.com Aggregator tags are not needed if the hotspots AAA server has routing knowledge for all the realms represented by the OIs My understanding is that this is the case with Eduroam The aggregators client realms (e.g., cisco.com) do not need to be provided in other ANQP elementscisco.com

17 © 2012 Cisco and/or its affiliates. All rights reserved. 17 Question: how does the mobile devices connection manager know whether a particular credential can be used with a given aggregator? Out-of-scope of IEEE 802.11u Might be solved by the Wi-Fi Alliances Hotspot 2.0 program

18 © 2012 Cisco and/or its affiliates. All rights reserved. 18

19 Thank you.

20 © 2012 Cisco and/or its affiliates. All rights reserved. 20

21 © 2012 Cisco and/or its affiliates. All rights reserved. 21 Provides QoS Map (DSCP to UP mapping) for consistent packet marking and queuing for all clients in the BSS Provides for each service to have the proper QoS over the air There is no standardized mapping of end-to-end QoS (DSCP) to L2 QoS Voice and Video endpoints can use this information element to provide proper mapping for each flow (e.g., voice, video, signaling) over the air Hot Spot usage Multiple service providers can share an AP at a hotspot (e.g., airport hotspot) Each SP can have their own end-to-end DSCP marking practice and network- specific QoSMap all will have harmonized L2 QoS on the shared AP

22 © 2012 Cisco and/or its affiliates. All rights reserved. 22 Permissions received from SP are saved in a MIB and enforced for each client Provides standardized support for permissions and rate limiting for each QoS level Maximum data rate permitted for each access category Maximum data transfer (in bytes) permitted for each access category Permission to use a specific access category (e.g., voice) Provides for enforcement of security requirements, location requirements Can forces dis-association of client if hotspot in non-permitted location or cipher too weak

23 © 2012 Cisco and/or its affiliates. All rights reserved. 23 Features supporting Emergency Services Identification of WLANs wherein emergency services are reachable Provision for access emergency services in an RSN (802.1x network) when client does NOT have valid security credentials Expedited Bandwidth Request element Used with admission control procedures to identify a flow as an emergency call Support for Emergency Alert Service (EAS) Uses CAPcommon alerting protocol E.g., Amber alert, severe thunderstorm warning, etc.

24 © 2012 Cisco and/or its affiliates. All rights reserved. 24 Applies only to client devices Standardized SAP having MAC primitives to support 802.21 event service and command service (but generic enough to support other mobility management protocols), eg: Network discoverytells MIH when a new network is discovered (as opposed to a new AP in the same network) ESS-Link-going-downtells MIH when device is leaving the network (as opposed to transitioning away from an AP)

Download ppt "© 2012 Cisco and/or its affiliates. All rights reserved. 1 Eduroam and IEEE 802.11u Dave Stephenson Wireless Networking Business Unit Strategic Initiatives."

Similar presentations

Inter WISP WLAN roaming

Inter WISP WLAN roaming
Computer Concepts – Illustrated 8th edition

Computer Concepts – Illustrated 8th edition
Virtual Trunk Protocol

Virtual Trunk Protocol
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Doc.: IEEE 802.11-00/087 Submission May, 2000 Steven Gray, NOKIA Jyri Rinnemaa, Jouni Mikkonen Nokia Slide 1.

Doc.: IEEE /087 Submission May, 2000 Steven Gray, NOKIA Jyri Rinnemaa, Jouni Mikkonen Nokia Slide 1.
Doc.: IEEE 802.15-13-0262-00-0008 Submission ETRI May 2013 Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission.

Doc.: IEEE Submission ETRI May 2013 Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission.
Doc.: IEEE 802.11-03/080r0A Submission January 2003 Black/Kasslin/Sinivaara, NokiaSlide 1 A Framework for RRM Simon Black, Mika Kasslin, Hasse Sinivaara.

Doc.: IEEE /080r0A Submission January 2003 Black/Kasslin/Sinivaara, NokiaSlide 1 A Framework for RRM Simon Black, Mika Kasslin, Hasse Sinivaara.
1 IEEE 802.21 Media Independent Handoff Overview of services and scenarios for 3GPP2 Stefano M. Faccin 802.21 Liaison officer to 3GPP2.

1 IEEE Media Independent Handoff Overview of services and scenarios for 3GPP2 Stefano M. Faccin Liaison officer to 3GPP2.
Doc.: IEEE 802.21-xxx Submission May 10-14, 2004 Alan Carlton, Interdigital CommunicationsSlide 1 Defining Layer 2.5 Alan Carlton Interdigital Communications.

Doc.: IEEE xxx Submission May 10-14, 2004 Alan Carlton, Interdigital CommunicationsSlide 1 Defining Layer 2.5 Alan Carlton Interdigital Communications.
Submissions November 2007 Stephen McCann, NSNSlide 1 IEEE 802 Emergency Services (ES) Call for Interest (CFI) Date: 2007-11-13 Stephen McCann

Submissions November 2007 Stephen McCann, NSNSlide 1 IEEE 802 Emergency Services (ES) Call for Interest (CFI) Date: Stephen McCann
21-07-0238-00-0000 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-0238-02-0000 Title: Initial Network Selection in WLAN Date Submitted: June, 2007 Presented.

IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: Initial Network Selection in WLAN Date Submitted: June, 2007 Presented.
21-06-0471-01-0000 1 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-06-0471-01-0000 Title: Report on Potential Link Sync Events for IEEE 802.11r Date Submitted:

IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: Report on Potential Link Sync Events for IEEE r Date Submitted:
Submission Spetember 2006 Canpolat et. alSlide 1 IEEE 802.11u Network Selection & MIH Support Notice: This document has been prepared to assist IEEE 802.11.

Submission Spetember 2006 Canpolat et. alSlide 1 IEEE u Network Selection & MIH Support Notice: This document has been prepared to assist IEEE
Doc.:IEEE 802.11-11/1523r4 Submission November 2011 Access Delay Reduction for FILS: Network Discovery & Access congestion Improvements Slide 1 Authors:

Doc.:IEEE /1523r4 Submission November 2011 Access Delay Reduction for FILS: Network Discovery & Access congestion Improvements Slide 1 Authors:
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Technical Track www.odva.org Securing EtherNet/IP Networks Presented by: Paul Didier - Cisco Eddie Lee - Moxa.

Technical Track Securing EtherNet/IP Networks Presented by: Paul Didier - Cisco Eddie Lee - Moxa.
Doc.: IEEE 802.11-07/2078r0 Submission July 2007 Matthew Gast, Trapeze NetworksSlide 1 802.11u and Emergency Services Notice: This document has been prepared.

Doc.: IEEE /2078r0 Submission July 2007 Matthew Gast, Trapeze NetworksSlide u and Emergency Services Notice: This document has been prepared.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 EN0129 PC AND NETWORK TECHNOLOGY I NETWORK LAYER AND IP Derived From CCNA Network Fundamentals.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 EN0129 PC AND NETWORK TECHNOLOGY I NETWORK LAYER AND IP Derived From CCNA Network Fundamentals.
Doc.: IEEE 802.11-11/1521r2 Submission January 2012 Marc Emmelmann, FOKUSSlide 1 AP and Network Discovery Enhancements Date: 2012-01-17 Authors:

Doc.: IEEE /1521r2 Submission January 2012 Marc Emmelmann, FOKUSSlide 1 AP and Network Discovery Enhancements Date: Authors:

Similar presentations

Ads by Google