
2007 © SWITCH TNC2007 Extending SWITCH Public Wireless LAN with EAP-SIM Kurt Baumann SWITCHmobile Project Leader


1 Extending SWITCH Public Wireless LAN with EAP-SIM
Kurt Baumann, SWITCHmobile Project Leader, kurt.baumann@switch.ch

2 Agenda
Introduction
- SWITCH Public Wireless LAN - a brief history
- Current architecture - symmetric approach
EAP(-SIM)
- Introduction EAP / EAP-SIM
- Extension of the current architecture with EAP-SIM
- Pilot ETHZ - architecture layout
- Implementation of EAP-SIM at ETHZ
- Roll-out plan
Progression of PWLAN
- Statistics
- Outlook - Multi Provider Capable Infrastructure
Conclusions

3 PWLAN Motivation

4 PWLAN History, Goals and Requirements
Project goals:
- Extend the footprint
- Increase mobility for students, staff and researchers
- Create a platform that offers more flexibility for other future SWITCH services
Project requirements:
- The traditional SWITCHmobile concept (VPN solution) must be retained
- Costs for the universities shall be minimized as much as possible - symmetrical approach
- The solution should be combinable with eduroam
- The solution should support other SWITCH activities that depend on roaming access (triple-play services)
- The solution must be flexible, modular and state of the art
History:
- 2004: Concept SWITCH PWLAN; universities: ETHZ, UNINE, ZHW and SWITCH; WISPs: tpn, Monzoon, TheNet
- 2005: Trial phases and institutional extension (EPFL, UniBE, BFH, HSR), including a new WISP, Swisscom
- 06/2006: Productive phase and technical extension with EAP-SIM

5 PWLAN Symmetric Approach
Diagram elements: Docking Network and Campus Network of University A and of University B, each with a VPN GW and a SWITCHmobile ACL; the Internet; the Landing Page; MPP = Multi Provider Portal; WISP = Wireless Internet SP. Line legend: VPN tunnel, user traffic, commercial user.
Users in the diagram: Student A as Student_A@University_B (SWITCHmobile, VPN tunnel) and as Student_A@PWLAN WISP (commercial user via the MPP).
Legend of the numbered steps:
1: User opens the browser and lands on the landing page
2: User clicks the PWLAN provider logo
3: All corresponding user traffic is forwarded to the landing page of the PWLAN provider
4: Customer is redirected to the landing page of the PWLAN provider
5: Customer gets Internet access after authentication (NAT)

6 Introduction EAP/EAP-SIM
EAP: definition, model, how it works
EAP-SIM: definition, how it works

7 EAP Definition
EAP, RFC 3748: EAP stands for Extensible Authentication Protocol. It defines an authentication framework that supports multiple authentication methods. EAP typically runs directly over data link layers such as the Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP.

8 EAP Method - How it works
Parties: Supplicant (client), Authenticator (AP), Authentication Server (RADIUS/AAA).
[0] EAP starts: the data link is established; EAP runs over IEEE 802.
[1] Identity exchange, request-response paradigm: a message is sent and the sender waits for a response before sending another message - a "lock step" protocol.
[2] Authentication, process-specific message exchange: all exchanges between client, authenticator and authentication systems are defined in a variety of specific RFCs. There are multiple message sequences depending on the authentication process; the authentication systems (RADIUS, corporate identity servers, etc.) use various protocols and methods.
[3] Authentication messages, success or failure: the Authenticator determines whether the authentication is a success (EAP-Success) or a failure (EAP-Failure).

9 Introduction EAP/EAP-SIM - Definition / Model
EAP definition: EAP stands for Extensible Authentication Protocol. It was originally developed for PPP (RFC 3748).
EAP model:
- Lower layer: responsible for transmitting and receiving EAP frames between the peer and the authenticator.
- EAP layer: receives and transmits EAP packets via the lower layer, implements duplicate detection and retransmission, and delivers and receives EAP messages to and from the EAP peer and authenticator layers.
- EAP peer and authenticator layers: based on the Code field, the EAP layer demultiplexes incoming EAP packets to the EAP peer and authenticator layers.
- EAP method layers: EAP methods implement the authentication algorithms and receive and transmit EAP messages via the EAP peer and authenticator layers.

10 EAP-SIM Definition
EAP-SIM, RFC 4186: EAP-SIM is a mechanism for mutual authentication and session-key agreement using the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM).


12 EAP-SIM Method - How it works
GSM authentication flow between Client/SIM card, AP, AAA/RADIUS (GSM), ITP/MAP proxy and the AuC (reached over the SS7 network):
1. AP -> Client: EAP-Req/SIM/Start (from the AAA as RADIUS/EAP-Req/SIM/Start)
2. Client -> AP: EAP-Resp/SIM/Start (IMSI@realm) (RAND); AP -> AAA: RADIUS/EAP-Resp/SIM/Start (IMSI@realm) (RAND)
3. AAA -> AuC via ITP/MAP proxy: GSM-Triplet-Request (GetAuthInfo); AuC -> AAA: GSM-Triplet(s) (RAND, SRES, Kc)
4. AAA -> AP: RADIUS/EAP-Req/SIM/Challenge (RAND, MAC_RAND); AP -> Client: EAP-Req/SIM/Challenge (RAND, MAC_RAND)
5. Server authentication on the client: MAC_RAND(AAA) = MAC_RAND(SIM); the SIM calculates RAND
6. Client -> AP: EAP-Resp/SIM/Challenge (MAC_SRES); AP -> AAA: RADIUS/EAP-Resp/SIM/Challenge (MAC_SRES)
7. Client authentication on the AAA: MAC_SRES(SIM) = MAC_SRES(AAA)
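As an added illustration (not code from the presentation or from the ETHZ/Swisscom deployment), the following Python simulation plays through the lock-step flow of slides 8 and 12: the AuC issues a GSM triplet, the AAA server proves possession of it with MAC_RAND, and the SIM side proves possession of Ki with MAC_SRES. The operator A3/A8 algorithm and the RFC 4186 key derivation are not on the slides, so labelled HMAC-based stand-ins are used, and the client nonce that the slide labels RAND in the Start response is called NONCE_MT here, as in RFC 4186.

```python
import hashlib, hmac, os

# Constructed toy subscriber database: IMSI -> secret Ki shared by SIM and AuC.
KI_DB = {"228011234567890": bytes.fromhex("00112233445566778899aabbccddeeff")}

def a3a8(ki, rand):
    """Stand-in for the operator A3/A8 algorithm: returns (SRES 32 bit, Kc 64 bit)."""
    digest = hmac.new(ki, rand, hashlib.sha1).digest()
    return digest[:4], digest[4:12]

def auc_triplet(imsi):                   # AuC side, reached via ITP/MAP proxy on the slide
    rand = os.urandom(16)
    sres, kc = a3a8(KI_DB[imsi], rand)
    return rand, sres, kc                # one fresh GSM triplet
def k_aut(kc, nonce_mt):
    """Stand-in for the RFC 4186 master-key/PRF step: key bound to Kc and NONCE_MT."""
    return hmac.new(kc, nonce_mt, hashlib.sha256).digest()
def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

class AaaServer:
    def __init__(self, triplet_source):
        self.triplet_source = triplet_source      # AuC lookup, or a rogue stand-in
    def challenge(self, imsi, nonce_mt):
        """EAP-Req/SIM/Challenge: (RAND, MAC_RAND) computed from the triplet."""
        rand, self.sres, kc = self.triplet_source(imsi)
        self.key = k_aut(kc, nonce_mt)
        return rand, mac(self.key, rand + nonce_mt)
    def verify_client(self, mac_sres):   # client authentication: MAC_SRES(SIM) == MAC_SRES(AAA)
        return hmac.compare_digest(mac_sres, mac(self.key, self.sres))

class SimClient:
    def __init__(self, imsi, ki):
        self.imsi, self.ki = imsi, ki
    def start(self):                     # EAP-Resp/SIM/Start: identity plus client nonce
        self.nonce_mt = os.urandom(16)
        return self.imsi, self.nonce_mt
    def respond(self, rand, mac_rand):
        """Server authentication first (MAC_RAND check); only then release MAC_SRES."""
        sres, kc = a3a8(self.ki, rand)
        key = k_aut(kc, self.nonce_mt)
        if not hmac.compare_digest(mac_rand, mac(key, rand + self.nonce_mt)):
            return None                  # impostor server: abort, reveal nothing
        return mac(key, sres)

def run_eap_sim(client, server):         # one lock-step EAP-SIM run
    imsi, nonce_mt = client.start()
    rand, mac_rand = server.challenge(imsi, nonce_mt)
    mac_sres = client.respond(rand, mac_rand)
    return mac_sres is not None and server.verify_client(mac_sres)
```

Running it against a server that has no access to the subscriber's triplets shows why the client checks MAC_RAND before answering: without the triplet the challenge fails verification and no MAC_SRES is ever released.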

13 EAP-SIM Architecture
Extension of the current PWLAN architecture with EAP-SIM:
- Project organization
- Architecture
- Proof of concept: EAP-SIM@ETHZ
- Roll-out concept

14 EAP-SIM Architecture - Project Organization
Pilot organization: educational association ETHZ and SWITCH; WISP: Swisscom.
Pilot implementation: ETHZ - reconfiguration of the WLAN; implementation of the Swisscom components.
Roll-out: SWITCH leads the roll-out - definition of the roll-out plan; repository with an FAQ on implementing EAP-SIM.

15 EAP-SIM Architecture - Ideas
SCM Router = Swisscom Mobile Router

16 EAP-SIM Architecture - High-level concept
EAP-SIM requirements:
- Implementation on top of an 802.1X-enabled network
- Separate VLAN, SSID: MOBILE-EAPSIM
- Swisscom-like implementation: the VLAN is a half C-class IP address range; source and destination NAT (SCM router); DHCP requests handled by the SCM router

17 EAP-SIM Architecture - Pilot@ETHZ with Swisscom
Swisscom EAP-SIM Mobile setup:
- New SSID "MOBILE-EAPSIM"
- Authentication: 802.1X with WEP
- ETHZ reserved an official IP address for their RADIUS server
- The Swisscom router performs source/destination NAT
- Clients are in a separate VLAN (VRF)
- Swisscom provides the subnets and DHCP
Problems:
- The system does not scale (more WISPs)
- The implementation solves most problems on the Swisscom router
- Channel 13 support of the Swisscom cards?
- Swapping between wireless domains?

18 EAP-SIM Architecture - Roll-out
Service deployment - PWLAN, timeline 2006 Q2-Q4 and 2007 Q1-Q4:
- Brainstorming, information of the PWLAN members
- Definition of the architecture and the technical solution
- "Proof of concept": build up a test bed SWITCH/ETHZ/Swisscom
- Service: tests, test results and documentation
- Roll-out: step by step to further PWLAN members; marketing
Pilot and roll-out of EAP-SIM up and running: ETHZ, BFH, EPFL, HSR and SWITCH

19 Statistics - PWLAN Participants

20 Statistics - Overview
Members and Internet; hotspot counts of the WISPs: ~330, ~175, ~265 and ~1600 hotspots. The PWLAN Academic Association is represented by ~97'700 people.

21 Statistics - Monitoring
Monzoon, TheNet and TPN are each connected to the Academic Association by a GRE VPN; Swisscom (GRE VPN) starting April 2007.

22 Statistics - Monitoring

23 Commercial WISP market in Switzerland

24 EAP-SIM Outlook
Outlook: implementation of EAP-SIM - Multi Provider Capable Infrastructure

25 EAP(-SIM) Multi Provider Capable Infrastructure

26 Conclusions
- SWITCH PWLAN extends the footprint for the Academic Association and for the WISPs.
- SWITCH PWLAN corresponds technologically to the most current standards: IEEE 802.1X, EAP/EAP-SIM.
- SWITCH PWLAN makes a further enlargement of the user population possible through a "Multi Provider Capable Infrastructure".

27 Q & A

