2007 © SWITCH TNC2007 Extending SWITCH Public Wireless LAN with EAP-SIM Kurt Baumann SWITCHmobile Project Leader [email protected]



Agenda

• Introduction
• SWITCH Public Wireless LAN - a brief history
• Current Architecture - Symmetric Approach
• EAP(-SIM) Introduction: EAP / EAP-SIM
• Extension: Current Architecture with EAP-SIM
• Pilot ETHZ: Architecture-Layout, Implementation EAP-SIM at ETHZ, Rollout-plan
• Progression of PWLAN Statistics
• Outlook - Multi Provider Capable Infrastructure
• Conclusions

PWLAN Motivation

PWLAN History, Goals and Requirements

Project goals
• Extend footprint
• Increase mobility for students, staff and researchers
• Create a platform that offers more flexibility for other future SWITCH services

Project requirements
• The traditional SWITCHmobile concept must be preserved (VPN solution)
• Costs for universities shall be minimized as much as possible - symmetrical approach
• Solution should be combinable with eduroam
• Solution should support other SWITCH activities that depend on roaming access (triple play services)
• Solution must be flexible, modular and state of the art

History
• 2004: Concept SWITCH PWLAN. Universities: ETHZ, UNINE, ZHW and SWITCH; WISPs: tpn, Monzoon, TheNet
• 2005: Trial phases and institutional extension (EPFL, UniBE, BFH, HSR), including a new WISP, Swisscom
• 06/2006: Productive phase and technical extension with EAP-SIM

PWLAN Symmetric Approach

[Diagram: Docking Network University A and Docking Network University B, each with a Campus Network, a University VPN GW and a SWITCHmobile ACL, joined over the Internet. Legend: VPN Tunnel, User Traffic. Academic user Student_A@University_B; Commercial User Student_A@PWLAN, handled by the MPP and the WISP landing page.]

Legend:
1: User opens browser and lands on landing page
2: User clicks PWLAN provider logo
3: All corresponding user traffic is forwarded to landing page of PWLAN provider
4: Customer is redirected to landing page of PWLAN provider
5: Customer gets internet access after authentication (NAT)

MPP = Multi Provider Portal; WISP = Wireless Internet SP

EAP Definition

EAP (RFC 3748)

EAP stands for Extensible Authentication Protocol. It defines an authentication framework which supports multiple authentication methods. EAP typically runs directly over data link layers such as the Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP.

EAP Method: How it works

Parties: Supplicant (Client) - Authenticator (AP) - Authentication Server (RADIUS/AAA)

[ 0 ] Establish data link; EAP starts (EAP over IEEE 802)

[ 1 ] Identity exchange. Request-response paradigm: a message is sent and the sender waits for a response before sending another message - a “lock step” protocol.

[ 2 ] Authentication, process-specific message exchange. Multiple message sequences depending on the authentication process; systems for authentication (RADIUS, corporate identity servers, etc.) using various protocols and methods. All exchanges between Client, Authenticator and authentication systems are defined in a variety of specific RFCs.

[ 3 ] Authentication messages: Success or Failure. The Authenticator determines whether the authentication is a success or failure; the result is signalled as EAP-Success (yes) or EAP-Failure (no).

EAP-SIM Definition

EAP-SIM (RFC 4186)

EAP-SIM is a mechanism for mutual authentication and session key agreement using the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM).


EAP-SIM Method: How it works

GSM authentication flow: Client/SIM card - AP - AAA/RADIUS - ITP MAP-Proxy - SS7 network - (GSM) AuC

1. AAA/RADIUS -> AP: RADIUS/EAP-Req/SIM/Start; AP -> Client: EAP-Req/SIM/Start
2. Client -> AP: EAP-Resp/SIM/Start (IMSI@realm) (RAND); AP -> AAA: RADIUS/EAP-Resp/SIM/Start (IMSI@realm) (RAND)
3. AAA -> AuC, via the ITP MAP-Proxy over the SS7 network: GSM-Triplet-Request (GetAuthInfo) [1. Triplet-request]
4. AuC -> AAA: GSM-Triplet(s) (RAND, SRES, Kc) [2. GSM-Triplet(s)]
5. AAA -> AP: RADIUS/EAP-Req/SIM/Challenge (RAND, MAC_RAND); AP -> Client: EAP-Req/SIM/Challenge (RAND, MAC_RAND). The SIM runs its calculation on RAND. Server authentication: MAC_RAND(AAA) = MAC_RAND(SIM)
6. Client -> AP: EAP-Resp/SIM/Challenge (MAC_SRES); AP -> AAA: RADIUS/EAP-Resp/SIM/Challenge (MAC_SRES). Client authentication: MAC_SRES(SIM) = MAC_SRES(AAA)
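The challenge step of this flow (MAC_RAND checked on the SIM side before anything is answered, MAC_SRES checked on the AAA side) as an added Python model written for this page; it is not SWITCH's, ETHZ's or Swisscom's code. It assumes constructed stand-ins: HMAC-SHA1 replaces the operator's A3/A8 algorithms and the RFC 4186 key derivation, Ki and the IMSI are made-up values, and the client nonce is called nonce_mt.

```python
import hashlib, hmac, os

# Constructed stand-ins (NOT the real algorithms): a SIM runs the operator's
# A3/A8 with its secret Ki, and RFC 4186 derives K_aut with a FIPS 186-2 based
# PRF. Both are modelled with SHA-1/HMAC-SHA1 so the exchange runs offline.
KI = b"constructed-Ki-shared-by-SIM-and-AuC"

def gsm_a3a8(ki, rand):
    """Toy A3/A8: SRES (4 bytes) and Kc (8 bytes) from Ki and a 16-byte RAND."""
    d = hmac.new(ki, rand, hashlib.sha1).digest()
    return d[:4], d[4:12]

def k_aut(identity, kcs, nonce_mt):
    """Toy stand-in for the RFC 4186 master key / K_aut derivation."""
    return hashlib.sha1(identity + b"".join(kcs) + nonce_mt).digest()

def at_mac(key, data):
    """AT_MAC as in RFC 4186: HMAC-SHA1-128, i.e. the first 16 bytes."""
    return hmac.new(key, data, hashlib.sha1).digest()[:16]

def aaa_challenge(identity, nonce_mt, n=2):
    """AAA side: get n triplets from the AuC (modelled via the toy A3/A8, since the AuC holds Ki), build MAC_RAND."""
    rands = [os.urandom(16) for _ in range(n)]
    triplets = [(r,) + gsm_a3a8(KI, r) for r in rands]      # (RAND, SRES, Kc)
    key = k_aut(identity, [t[2] for t in triplets], nonce_mt)
    mac_rand = at_mac(key, b"".join(rands) + nonce_mt)
    return rands, mac_rand, triplets, key

def sim_respond(identity, nonce_mt, rands, mac_rand):
    """Client/SIM side: A3/A8 on each RAND, verify MAC_RAND (server authentication), then answer with MAC_SRES."""
    results = [gsm_a3a8(KI, r) for r in rands]
    key = k_aut(identity, [kc for _, kc in results], nonce_mt)
    if not hmac.compare_digest(mac_rand, at_mac(key, b"".join(rands) + nonce_mt)):
        return None                 # MAC_RAND(AAA) != MAC_RAND(SIM): not our network, stop
    return at_mac(key, b"".join(sres for sres, _ in results))

def aaa_verify(triplets, key, mac_sres):
    """AAA side: client authentication, MAC_SRES(SIM) == MAC_SRES(AAA)."""
    expected = at_mac(key, b"".join(t[1] for t in triplets))  # over the SRES values
    return mac_sres is not None and hmac.compare_digest(expected, mac_sres)

def run_exchange(tamper_rand=False):
    """Full challenge round trip: True means EAP-Success, False means EAP-Failure."""
    identity, nonce_mt = b"100000000000000@realm", os.urandom(16)  # constructed IMSI@realm
    rands, mac_rand, triplets, key = aaa_challenge(identity, nonce_mt)
    if tamper_rand:                 # a RAND altered in transit must break MAC_RAND
        rands[0] = os.urandom(16)
    return aaa_verify(triplets, key, sim_respond(identity, nonce_mt, rands, mac_rand))
```

The tampered run shows why the SIM side checks MAC_RAND first: without the Kc values behind the triplets, no party can produce a MAC_RAND that the SIM accepts, so the client never releases MAC_SRES to an unauthenticated network.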

EAP-SIM Architecture

Extension of the current PWLAN architecture with EAP-SIM:
- Project organization
- Architecture
- Proof of concept: EAP-SIM@ETHZ
- Roll-out concept

EAP-SIM Architecture: Project Organization

Pilot: Organization
• Educational Association: ETHZ and SWITCH
• WISP: Swisscom

Pilot: Implementation
• ETHZ
  - Reconfiguration WLAN
  - Implementation Swisscom components

Roll-out:
SWITCH leads the roll-out
- Definition of roll-out plan
- Repository: FAQ: Implementation EAP-SIM


EAP-SIM Architecture Ideas

SCM Router = Swisscom Mobile Router

EAP-SIM Architecture: High-level concept

EAP-SIM: Requirements
- Implementation on top of an 802.1X-enabled network
- Separate VLAN, SSID: MOBILE-EAPSIM
- Swisscom-like implementation:
  VLAN is a half C-class IP address range
  Source and destination NAT (SCM router)
  DHCP requests handled by SCM router

EAP-SIM Architecture: Pilot@ETHZ with Swisscom

[Diagram: SSID MOBILE-EAPSIM with RADIUS Radiusx@swisscom; SSID public -> MPP; MPLS; MPP; VLAN for ‘Public’ client data, VLAN for EAP-SIM data, VLAN for AP management; GRE tunnel between MPP and Swisscom router; router from Swisscom Mobile; ADSL connection from Swisscom.]

Tasks of the router:
1. NAT of the RADIUS request to Swisscom RADIUS
2. DHCP server for the EAP-SIM VLAN
3. NAT of the MPP clients going to Swisscom

Functions of the router:
1. Forward DHCP request to MPP
2. Forward DHCP request to router from Swisscom

Swisscom EAP-SIM Mobile setup
- New SSID “MOBILE-EAPSIM”
- Authentication 802.1X with WEP
- ETHZ reserved an official IP for their RADIUS
- Swisscom router performs source and destination NAT
- Clients are in a separate VLAN (VRF)
- Swisscom provides the subnets and DHCP

Problems
- System does not scale (more WISPs)
- The implementation solves most problems on the Swisscom router
- Channel 13 support of the Swisscom cards?
- Swapping between wireless domains?

EAP-SIM Architecture: Roll-out

Service Deployment - PWLAN, 2006 Q2 to 2007 Q4:
- Brainstorming, info PWLAN members
- Definition architecture, technical solution
- “Proof of concept” - build up a test bed SWITCH/ETHZ/Swisscom
- Service: tests, test results and documentation
- Rollout: step by step to further PWLAN members, marketing

Pilot and roll-out EAP-SIM
• Up and running: ETHZ, BFH, EPFL, HSR and SWITCH

Statistics Overview Members

[Map: PWLAN Academic Association, represented by ~97’700 people, and the WISP footprints of ~330, ~175, ~265 and ~1600 Hotspots, connected over the Internet.]

Statistics Monitoring

[Diagram: the Academic Association connected to each WISP - Monzoon, TheNet, TPN and Swisscom (starting April 2007) - over GRE and VPN.]

Commercial WISP market in Switzerland

Market shares (pie chart): Monzoon, TPN, TheNet, Swisscom, Others; segments of 23%, 8%, 17%, 50% and 2%

EAP(-SIM) Multi Provider Capable Infrastructure

Conclusions

SWITCH PWLAN extends the footprint for the Academic Association and for the WISPs.

SWITCH PWLAN corresponds technologically to the most current standards: IEEE 802.1X, EAP/EAP-SIM.

SWITCH PWLAN makes a further enlargement of the user population possible through a “Multi Provider Capable Infrastructure”.


Q & A