TRANSCRIPT
High-quality Internet for higher education and research
5th of April, Eurocamp, Ljubljana
eduroam, security and authentication
Paul Dekkers
Contents
• 802.1x and wireless innovations
• Authentication protocols
  – Types
  – Authentication servers
  – Examples
• eduroam infrastructure
• Conclusion
Entities in 802.1x setup
Authentication before (W)LAN access…
[Figure: supplicant (client) ↔ authenticator (AP or switch) ↔ RADIUS server of the institution with its user DB; depending on the result the authenticator puts the client on the LAN or in the guest VLAN.]
Wireless technologies
• Encryption with 802.11
  – WEP (RC4 keys)
  – WPA (RC4 + TKIP)
  – WPA2 (AES encryption)
  – 802.11i (crème de la crème)
Changes with low impact
• 802.1x is the basis for future standards; in time it will be as common as DHCP
• With 802.1x even a 64-bit WEP key can be made reasonably safe: keys become per-session and are rotated, so no static key stays in use long enough to be recovered
EAP
Extensible Authentication Protocol
• Different EAP types
• EAP types with SSL/TLS
  – “mutual authentication”
  – provide the encryption keys
• EAP is transported and proxied within RADIUS
• The home institution decides what type
Common EAP types
• EAP-TLS: strong authentication with client certificates
• EAP-TTLS: DIAMETER/RADIUS attributes (e.g. u/p in PAP) inside a TLS tunnel; can be deployed with most u/p-type backends
• EAP-PEAP: Microsoft implementation with u/p via MSCHAPv2, usable in MS environments; Cisco has a different implementation
• EAP-FAST: username/password authentication the Cisco way; installation is more complex, and the TLS tunnel is set up with a pre-provisioned PAC instead of a server certificate
• EAP-SIM: strong authentication with the SIM card from phones
• ...
LEAP and EAP-MD5 are old and weak
EAP transport
[Figure: the supplicant's EAP exchange goes through the authenticator (AP or switch) to the RADIUS server of institution A (with its own user DB); a guest's request is proxied over the Internet via the central RADIUS proxy server to the RADIUS server of institution B and its user DB. The “secured tunnel” (EAP over TLS) runs end-to-end between the supplicant and the home RADIUS server; the guest lands in the guest VLAN, local users in the regular VLAN.]
End-users
Is the biggest security risk the end-user itself?
End-users
Security considerations
• In many cases username/password is good enough (compare with POP3, IMAP, webmail, …)
• SSL client certificates are sometimes easier for users
• Mutual authentication can be confusing: installers help!
RADIUS servers
Well-known servers:
• Radiator
• FreeRADIUS
• IAS 2003
  – only advised with Microsoft clients and backend
• Cisco ACS
  – barely used, bad EAP compatibility
Radiator example
Understandable monolithic linear configuration (saves time/mistakes!)

LogDir /var/log/radius
AuthPort 1812
AcctPort 1813
Trace 4

<Client 192.87.110.54>
    Secret …
    IdenticalClients 192.87.110.4
</Client>

<AuthBy FILE>
    Identifier GiveItAName
    Filename %D/users
</AuthBy>

<Handler>
    AuthBy GiveItAName
</Handler>

or:

<Handler>
    <AuthBy FILE>
        #Identifier GiveItAName
        Filename %D/users
    </AuthBy>
</Handler>
Radiator example
Proxy non-local requests to the eduroam infrastructure:

<Client obelix.a3.surf.net>
    Secret …
    Identifier SURFnet-proxy
    IdenticalClients idefix.a3.surf.net
</Client>

<Handler Client-Identifier=/^(?!SURFnet-proxy$)/>
    <AuthBy RADIUS>
        Host obelix.a3.surf.net
        Host idefix.a3.surf.net
        Secret …
        AuthPort 1812
        AcctPort 1813
        StripFromReply Tunnel-Type,Tunnel-Medium-Type,\
                       Tunnel-Private-Group-ID,TRPZ-VLAN-Name
        AddToReply TRPZ-VLAN-Name=GuestVLAN
    </AuthBy>
    AcctLogFileName %L/proxied-accounting
</Handler>

The negative look-ahead matches every client except the SURFnet proxy itself, so a request that arrived from the proxy is never proxied back up. The visited site strips the VLAN assignment the home institution puts in its Access-Accept and pins the guest to its own GuestVLAN: VLAN placement stays a local decision.
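The EAP-in-RADIUS transport from the EAP slide and the realm-based proxying of the configuration above, as an added Python example (not from the slides and not Radiator code): it encodes an Access-Request that carries an EAP-Response/Identity in EAP-Message attributes with the Message-Authenticator RFC 3579 requires, routes on the realm after the “@” with a static realm table, re-signs the packet for the next hop, and rewrites the VLAN attributes of a reply the way StripFromReply/AddToReply do. The realm table, shared secrets, the identity and the use of Tunnel-Private-Group-ID in place of the vendor attribute TRPZ-VLAN-Name are assumptions made for the example.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

def eap_identity_response(identity, eap_id=1):
    # EAP-Response/Identity: Code 2, Identifier, Length, Type 1, identity.
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body

def eap_message_attrs(eap):
    # An EAP packet longer than 253 bytes is split over several EAP-Message
    # attributes; the receiver concatenates them in order (RFC 3579).
    return [(EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253)]

def encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def _ma_offset(packet):
    i = 20
    while i + 1 < len(packet):
        if packet[i] == MESSAGE_AUTHENTICATOR:
            return i + 2
        i += max(packet[i + 1], 2)
    raise ValueError("no Message-Authenticator (required with EAP-Message)")

def sign(packet, secret):
    # Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed).
    off = _ma_offset(packet)
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    return zeroed[:off] + hmac.new(secret, zeroed, hashlib.md5).digest() + zeroed[off + 16:]

def verify(packet, secret):
    try:
        return hmac.compare_digest(sign(packet, secret), packet)
    except ValueError:
        return False

def realm_of(user_name):
    # eduroam routes on the part after '@'; no realm means a local user.
    _, sep, realm = user_name.partition("@")
    return realm.lower() if sep else None

def next_hop(realm, routes, default):
    # Static routing: exact realm, then each parent domain, else the default
    # upstream (the national or top-level proxy).
    labels = (realm or "").split(".")
    for i in range(len(labels)):
        hop = routes.get(".".join(labels[i:]))
        if hop:
            return hop
    return default

def forward(packet, secret_in, secret_out, routes, default):
    # One proxy hop: check the incoming Message-Authenticator, pick the next hop
    # from the realm, re-sign for that hop. Every attribute is readable and
    # rewritable here; only the EAP payload (TLS inside) is opaque.
    if not verify(packet, secret_in):
        raise ValueError("bad Message-Authenticator")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = decode_attrs(packet[20:length])
    user = next(v for t, v in attrs if t == USER_NAME).decode()
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    hop = next_hop(realm_of(user), routes, default)
    return hop, user, eap, sign(build(code, ident, packet[4:20], attrs), secret_out)

def strip_vlan(reply_attrs, guest_vlan):
    # Reply direction, like StripFromReply/AddToReply: drop the home site's VLAN
    # assignment and pin the guest to the local guest VLAN. (Assumption: the vendor
    # attribute TRPZ-VLAN-Name is modelled with Tunnel-Private-Group-ID.)
    vlan = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}
    kept = [(t, v) for t, v in reply_attrs if t not in vlan]
    return kept + [(TUNNEL_PRIVATE_GROUP_ID, guest_vlan.encode())]

def demo():
    # Constructed scenario: a uninett.no user at a Dutch site; secrets, realm
    # table and the Request Authenticator are made up for the example.
    routes = {"surfnet.nl": "local", "uva.nl": "radius.uva.nl"}
    eap = eap_identity_response("anonymous@uninett.no")
    attrs = [(USER_NAME, b"anonymous@uninett.no")] + eap_message_attrs(eap)
    req = sign(build(ACCESS_REQUEST, 7, bytes(range(16)),
                     attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]), b"ap-secret")
    hop, user, seen, out = forward(req, b"ap-secret", b"toplevel-secret",
                                   routes, "obelix.a3.surf.net")
    return hop, user, seen == eap, verify(out, b"toplevel-secret"), verify(out, b"ap-secret")
```

Note what each hop can see: the outer User-Name and every RADIUS attribute, but of the EAP payload only the identity response. Once the TLS tunnel of TTLS/PEAP is up, the credentials inside are opaque to every proxy; that is the reason the “visible on every hop” drawback later in the talk is tolerable with EAP.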
Radiator example: EAP-TTLS

<Handler Realm=surfnet.nl, TunnelledByTTLS=1>
    …
</Handler>

<Handler Realm=surfnet.nl, EAP-Message=/.+/>
    <AuthBy FILE>
        Filename %D/dummy
        EAPType TTLS                   # you can add: TLS, PEAP
        EAPTLS_CAFile %D/ca.pem
        EAPTLS_CertificateFile %D/server.crt
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/server.key
        EAPTLS_PrivateKeyPassword secret
        EAPTLS_MaxFragmentSize 1024
        AutoMPPEKeys
        SSLeayTrace 2
    </AuthBy>
</Handler>

<Handler Realm=surfnet.nl, Request-Type=Accounting-Request>
    …
</Handler>

Handler order matters: Radiator uses the first Handler that matches, so the handler for the tunnelled (inner) request has to come before the generic EAP handler.
Radiator example: tunneled PAP
Using POP3…

<Handler Realm=surfnet.nl, TunnelledByTTLS=1>
    RewriteUsername s/^([^@]+).*/$1/
    <AuthBy POP3>
        Host mail.institution.nl
        NoDefault
        AuthMode APOP                  # or BEST, PASS
        UseSSL
    </AuthBy>
</Handler>

RewriteUsername strips the @realm before the name reaches the backend, which only knows the bare account name.
Radiator example: tunneled PAP
Using a (LDAP) directory server…

<Handler Realm=surfnet.nl, TunnelledByTTLS=1>
    RewriteUsername s/^([^@]+).*/$1/
    <AuthBy LDAP2>
        Host directory.surfnet.nl
        Version 3
        BaseDN %0=%1,ou=Accounts,ou=Office,dc=surfnet,dc=nl
        Scope base
        UsernameAttr uid
        AuthAttrDef uid,X-UserID,request
        ServerChecksPassword
    </AuthBy>
</Handler>
Radiator example: TTLS and PEAP
Using a Windows backend (domain/AD)…

<Handler Realm=surfnet.nl, TunnelledByPEAP=1>
    <AuthBy LSA>
        EAPType MSCHAPv2
    </AuthBy>
</Handler>

<Handler Realm=surfnet.nl, TunnelledByTTLS=1>
    <AuthBy LSA>
        #Domain SURFNET
        #DefaultDomain SURFNET
        #Group Administrators
        #DomainController dc.surfnet.nl
    </AuthBy>
</Handler>

For AuthBy LSA, Radiator requires ActivePerl 5.6 and has to run on a Windows platform.
Radiator under Windows
AuthBy LSA requires Radiator under Windows. Running Radiator under Windows is not hard!
1. Get ActivePerl (from www.activeperl.com)
2. ppm install http://www.open.com.au/radiator/free-downloads/Win32-Lsa.ppd
3. ppm install http://theoryx5.uwinnipeg.ca/ppmpackages/Net_SSLeay.pm.ppd
4. Get Radiator
5. Run perl Makefile.PL install
Run Radiator as a service, or grant its account the “Act as part of the operating system” privilege (the LSA logon call needs it).
Microsoft IAS 2003 – Clients & proxies
[screenshot]
Microsoft IAS 2003 – Create policy
[screenshot]
Microsoft IAS 2003 – Configure EAP
[screenshot]
eduroam infrastructure
eduroam infrastructure
flexibility of RADIUS works!
[Figure: RADIUS hierarchy with a European top-level server; below it national servers (.nl, .ac.uk, .no, .lu, …); below those the institutions (uva.nl and surfnet.nl under .nl; uninett.no and unis.no under .no). A visitor user@uninett.no authenticating at an access point of uva.nl is proxied uva.nl → .nl → European top-level server → .no → uninett.no, and the answer travels back along the same path.]
eduroam infrastructure
grows rapidly!
[Figure: the same hierarchy, now with an Asian/Pacific top-level server and below it .tw and .edu.au (aarnet.edu.au, newcastle.edu.au). A visitor user@newcastle.edu.au at an access point of uva.nl is proxied uva.nl → .nl → European top-level server → Asian/Pacific top-level server → .edu.au → newcastle.edu.au.]
current infrastructure
RADIUS has its drawbacks
• The RADIUS packet is “visible” on every hop (this is not bad with EAP: the credentials sit inside the EAP/TLS tunnel)
• Protection of the traffic between hops is poor: only the shared-secret mechanisms of RADIUS itself (again not bad with EAP, for the same reason)
• Static routing (based on the @realm) requires configuration at the institution and at the research network
• Scalable, but more connections mean more configuration and more load on the top-level servers
• more…
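Why the hop-to-hop protection is poor, as an added Python example (not from the slides): RFC 2865 hides User-Password by XOR with an MD5 keystream derived from the shared secret and the Request Authenticator, and a reply's integrity is a plain MD5 over the packet plus the secret, so any hop that knows the secret recovers the password and can forge an Access-Accept. With EAP-TTLS or PEAP the password travels inside the TLS tunnel as EAP-Message data and never appears as User-Password at the proxies. Secret, authenticator and password below are constructed values.

```python
import hashlib
import struct

def hide_password(password, secret, request_auth):
    # RFC 2865 section 5.2: pad to 16-byte blocks, then c_i = p_i XOR MD5(secret + c_(i-1))
    # with c_0 = the Request Authenticator. Reversible by anyone holding the secret.
    if not 1 <= len(password) <= 128 or len(request_auth) != 16:
        raise ValueError("password 1..128 bytes, authenticator 16 bytes")
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def recover_password(hidden, secret, request_auth):
    # What every RADIUS hop that knows the shared secret can do with a
    # proxied (non-EAP) PAP request.
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, attrs, request_auth, secret):
    # Access-Accept/Reject integrity is MD5(Code + ID + Length + RequestAuth + Attributes + Secret):
    # plain MD5 with the shared secret, so a hop holding that secret can mint a valid reply.
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def demo():
    # Constructed values: made-up hop secret, Request Authenticator and password.
    secret, req_auth = b"hop-shared-secret", bytes(range(16))
    pw = b"correct horse battery staple"      # 28 bytes -> two 16-byte blocks
    hidden = hide_password(pw, secret, req_auth)
    recovered = recover_password(hidden, secret, req_auth)
    wrong = recover_password(hidden, b"other-secret", req_auth)
    forged = response_authenticator(2, 7, b"", req_auth, secret)   # 2 = Access-Accept
    return len(hidden), recovered == pw, wrong == pw, len(forged)
```

The test the talk implies is simple: if a credential shows up as User-Password anywhere in the proxy chain, every RADIUS server on the path is a place where it can be read; with EAP the only attribute the proxies can interpret is the outer identity.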
current infrastructure
UDP RADIUS transport: “dead server” detection is hard
[Figure: the same hierarchy (uva.nl → .nl → European top-level server → .no → uninett.no), captioned “if not properly configured…”: a request can be forwarded to a hop that is down, and with RADIUS over UDP the sender has no reliable way to notice.]
Something better…
• Drop the redundant hierarchy
  – faster
  – more secure (fewer places see the data)
  – more reliable (fewer “points of failure”)
• Better security on the transport layer (TCP/SSL?)
• Flexible configuration (lookup service?)
Options
• Diameter: the RADIUS successor (has been around for quite some time…)
• RadSec: part of Radiator
• DNSROAM & RadSec: experimental part of Radiator
RadSec and DNSROAM
• RADIUS packets in TCP or SCTP: more reliable, dead-peer detection
• Secured with TLS/PKI (optional); offers options for limiting participation/federation:
  – by certificates signed by a specific CA
  – validated by attributes in the certificate (not yet)
• DNSROAM uses DNS as lookup service
  – dynamic routing based on the RADIUS realm
  – possible to deploy for just a part of the infrastructure
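The dynamic-discovery idea of this slide, as an added Python example (not from the slides and not Radiator's DNSROAM code): a realm with SRV-style records in DNS is contacted directly (RFC 2782 priority/weight ordering, peers on a dead list skipped), a realm without records falls back to the static hierarchy so the two coexist, and a TLS peer is accepted only if its certificate issuer is a federation CA. The record shape (`target`, `port`, `priority`, `weight`), the realms, host names and CA name are assumptions; which DNS record types DNSROAM actually queries is not on these slides.

```python
import random

def order_srv(records, rng=None):
    # RFC 2782 ordering: lowest priority first; within one priority a weighted
    # random draw, zero-weight entries listed first so they are rarely chosen.
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r["priority"] for r in records}):
        pool = sorted((r for r in records if r["priority"] == prio),
                      key=lambda r: r["weight"] != 0)
        while pool:
            pick, running = rng.randint(0, sum(r["weight"] for r in pool)), 0
            for r in pool:
                running += r["weight"]
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered

def static_hop(realm, static_routes, default):
    # The existing hierarchy: exact realm, then parent domains, else the default.
    labels = realm.split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in static_routes:
            return static_routes[key]
    return default

def discover(realm, dns, static_routes, default, dead=(), rng=None):
    # Assumption: dns maps realm -> list of {"target", "port", "priority", "weight"}.
    # Realms with records get a direct (dynamic) peer; all others keep the static
    # hierarchy, so DNSROAM can be deployed for only a part of the infrastructure.
    for r in order_srv(dns.get(realm, []), rng):
        if r["target"] not in dead:       # dead list fed by TCP/TLS connection failures
            return "dynamic", r["target"], r["port"]
    return "static", static_hop(realm, static_routes, default), 1812

def peer_allowed(peer_cert, federation_cas):
    # The "limit participation by CA" option: accept the TLS peer only if its
    # certificate was issued by a federation CA. peer_cert is a constructed dict
    # standing in for a parsed X.509 certificate.
    return peer_cert.get("issuer") in federation_cas

def demo():
    rng = random.Random(42)
    dns = {"home.org": [   # constructed records; 2083 is the port later registered for RadSec
        {"target": "radsec1.home.org", "port": 2083, "priority": 10, "weight": 50},
        {"target": "radsec2.home.org", "port": 2083, "priority": 10, "weight": 50},
        {"target": "backup.home.org", "port": 2083, "priority": 20, "weight": 0}]}
    static = {"nl": "top.nl.example"}      # hypothetical national proxy
    first = discover("home.org", dns, static, "eu-root.example", rng=rng)
    failover = discover("home.org", dns, static, "eu-root.example",
                        dead={"radsec1.home.org", "radsec2.home.org"}, rng=rng)
    legacy = discover("uva.nl", dns, static, "eu-root.example", rng=rng)
    unknown = discover("unis.no", dns, static, "eu-root.example", rng=rng)
    ok = peer_allowed({"subject": "radsec1.home.org", "issuer": "eduroam.org CA"},
                      {"eduroam.org CA"})
    return first[0], failover, legacy, unknown, ok
```

The dead list is what the TCP/SCTP transport buys: a refused connection or a failed TLS handshake is an immediate, attributable signal, where UDP RADIUS only offers timeouts.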
RadSec
[Figure: RadSec between a visiting and a home institution. Client (e.g. 802.11 access point) → visiting RADIUS server (visit.org, user account DB) → home RADIUS server (home.org, user account DB); the servers are peered statically with the infrastructure (“infra, p2p (static)”) and dynamically with each other (“p2p (dynamic)”). Steps: 1 authenticate/authorize user@home.org; 2 both servers get the CA key of the eduroam.org Certificate Authority; 3a–3d steps involving that Certificate Authority for visit.org and home.org; 4 the p2p connection between the two servers.]
(image taken from Radiate / Test description and evaluation by Telematica Instituut)
RadSec
Replacing RADIUS with RadSec
[Figure: the existing hierarchy (institutions → country-level → EU-level, up to the EU hierarchy root) with the static RADIUS links between the servers replaced one by one by RadSec links; a few RADIUS links remain.]
RadSec and DNSROAM
DNS based peer discovery and PKI based roaming domain
[Figure: as the previous RadSec figure, now with DNS servers added (the .org DNS server and the home.org DNS server). Steps: 1 authenticate/authorize user@home.org at visit.org; 2 (2a–2d) the visiting server looks up the RADIUS server for home.org in DNS (“exists: is…”); 3–5 (4a–4d) both servers get the CA key from the eduroam.org Certificate Authority and validate each other's certificates; 6 a dynamic p2p RadSec connection between visit.org and home.org.]
RadSec
Replacing static connections with dynamic ones
[Figure: the hierarchy with the static RadSec links from institutions to the country-level and EU-level servers replaced by dynamic RadSec peerings directly between institutions; RADIUS links remain where a site has not migrated.]
RadSec and DNSROAM
Completely dynamic
Legacy connections remain possible (using a proxy)
[Figure: all institutions peer dynamically over RadSec; a legacy RADIUS institution is connected through a proxy at country-level/EU-level.]
Conclusion
• Clients and institutions won't have to worry about wireless technology: 802.1x is the future; while WPA is becoming commodity, WEP with 802.1x-rotated keys is usable too.
• No radical improvements are required for the current infrastructure at an institution.
• EAP is flexible and fits almost every existing backend; the future will bring more EAP types (like SSO).