
Page 1: Inter WISP WLAN roaming

A service concept by Wirlab

© Wirlab Research Center

Page 2: Inter-WISP roaming

• Most RADIUS servers support domain-based AAA proxying

• An increasing number of RADIUS servers support 802.1X via different authentication methods (EAP-MD5, EAP-TLS, EAP-TTLS ...)

• Access Controllers and wireless access points are hardware that support the RADIUS protocol for AAA purposes

• Standards-based equipment should be used in order to achieve vendor independence and easier management

Page 3: RADIUS

• How does the RADIUS server work in inter-WISP roaming?

– it checks the domain part of the authenticating username (<user>@wirlab.net) visiting a foreign domain (operator.fi)

– based on the domain name it decides whether to authenticate the user locally or proxy the request to an external server

– a specific Clearing House Proxy handles all the AAA messages between WISPs

– after the username has been authenticated by its home server, the reply messages are delivered back to the originating server via the Clearing House

– each RADIUS server along the path keeps track of its own messages, but the Clearing House processes all inter-WISP messages, too

Page 4: AAA

• Besides the authentication of roaming users, the Clearing House Proxy stores accounting information

– timestamps, amount of transferred data, start/alive/stop messages and authenticator IP addresses are stored in a database from which all roaming reports are generated

– the organization taking care of the Clearing provides all participants with the roaming statistics for billing

• RADIUS servers can also be used for authorization of services

Page 5: 802.1X

• Fairly new, port-based authentication scheme

– a user logs on to the network with a separate authentication client on his/her PC

– the client comes bundled with Windows XP; other OSs have third-party clients available

– multiple methods are underway and implemented: MD5, EAP-TLS, TTLS, LEAP, PEAP ...

Page 6: Access Controllers

• Multiple WLAN vendors have integrated 802.1X / RADIUS support in their hardware

– Cisco, Nokia, Avaya, 3Com ...

• Separate Access Controllers are also available from multiple vendors

– Nokia, USG, Vernier, Cisco ...

– these ACs use HTTP authentication via a web browser to authenticate the users to the network. No separate client is needed for the user!

• Separate Access Controllers can also be used in traditional wired environments, where an existing network can easily be turned into an inter-ISP roaming service

Page 7: From theory to practice

• Although there are a lot of white papers about inter-WISP roaming, no standards-based service has been announced

• Wirlab has built a working environment with 802.1X WLAN access points and separate Access Controllers combined with an efficient RADIUS server

• The solution has been in testing for the last six months and no major problems have occurred

Page 8: Example

[Network diagram: a roaming client from wirlab.net attaches through an Access Controller at operator.fi; the operator.fi RADIUS server (with its User DB) forwards over the Internet to the CLEARING HOUSE RADIUS (with its ISP DB), which forwards to the wirlab.net RADIUS server (with its User DB).]

Page 9: Example – RADIUS messages

Message flow between operator.fi RADIUS, CLEARING HOUSE RADIUS and wirlab.net RADIUS. Each message is relayed over every hop of the path, and the replies return along the same path:

1. Access-Request (operator.fi → Clearing House → wirlab.net)
2. Access-Challenge (wirlab.net → Clearing House → operator.fi)
3. Access-Request (operator.fi → Clearing House → wirlab.net)
4. Access-Accept (wirlab.net → Clearing House → operator.fi)
5. Accounting-Request (operator.fi → Clearing House → wirlab.net)
6. Accounting-Response (wirlab.net → Clearing House → operator.fi)
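The routing rule of Page 3 and the message sequence of Page 9, worked through as an added Python example that is not part of the Wirlab slides. Three in-memory objects stand for the operator.fi RADIUS, the Clearing House RADIUS and the wirlab.net RADIUS; the usernames (alice@wirlab.net, bob@operator.fi), passwords and the NAS address are constructed, and the challenge round is a simplified stand-in for a real EAP exchange. Two checks a practitioner would want are built in: a realm that is neither local nor in the clearing house's ISP DB is rejected rather than guessed at, and the State attribute from the Access-Challenge is required back in the second Access-Request.

```python
"""Realm-based RADIUS proxying through a clearing house, simulated in memory.

Added example (not Wirlab's code). Three RadiusServer objects stand for the
operator.fi RADIUS, the CLEARING HOUSE RADIUS and the wirlab.net RADIUS of
Pages 3, 8 and 9; no packets leave the process. Usernames, passwords and
the NAS address are constructed sample data.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Packet:
    code: str                                  # RADIUS code name, e.g. "Access-Request"
    user_name: str                             # User-Name attribute, "user@realm"
    attrs: dict = field(default_factory=dict)  # the few other attributes we model


def split_realm(user_name):
    """Split 'user@realm' into ('user', 'realm'); realm lowercased, None if absent."""
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm.lower()


class RadiusServer:
    def __init__(self, name, realm=None, users=None, default_route=None, trace=None):
        self.name = name
        self.realm = realm                  # realm served locally; None for the clearing house
        self.users = users or {}            # local User DB: user -> password (constructed)
        self.routes = {}                    # realm -> next hop; the clearing house's ISP DB
        self.default_route = default_route  # where a WISP sends realms it does not serve
        self.trace = trace if trace is not None else []  # (server, code) per message seen
        self.pending = {}                   # State token -> user awaiting the challenge answer
        self.accounting = []                # Accounting-Requests this server has processed

    def handle(self, pkt):
        self.trace.append((self.name, pkt.code))
        user, realm = split_realm(pkt.user_name)
        if pkt.code == "Accounting-Request":
            self.accounting.append(pkt)     # every server along the path keeps its own records
        if realm is not None and realm == self.realm:
            reply = self._local(pkt, user)
        else:
            next_hop = self.routes.get(realm, self.default_route)
            if next_hop is None:
                # Default deny: realm not in the ISP DB and no upstream to ask.
                code = "Accounting-Response" if pkt.code == "Accounting-Request" else "Access-Reject"
                reply = Packet(code, pkt.user_name)
            else:
                # Proxying. A real proxy re-protects User-Password with the next hop's shared
                # secret, so a PAP password is visible in clear at every proxy on the path.
                reply = next_hop.handle(pkt)
        self.trace.append((self.name, reply.code))
        return reply

    def _local(self, pkt, user):
        if pkt.code == "Accounting-Request":
            return Packet("Accounting-Response", pkt.user_name)
        if pkt.code != "Access-Request" or user not in self.users:
            return Packet("Access-Reject", pkt.user_name)
        state = pkt.attrs.get("State")
        if state is None:
            # Round 1: challenge. The State attribute must be echoed unchanged in the
            # next Access-Request so the home server can tie the answer to this round.
            token = secrets.token_hex(8)
            self.pending[token] = user
            return Packet("Access-Challenge", pkt.user_name, {"State": token})
        if self.pending.pop(state, None) != user:
            return Packet("Access-Reject", pkt.user_name)
        ok = pkt.attrs.get("Password") == self.users[user]
        return Packet("Access-Accept" if ok else "Access-Reject", pkt.user_name)


def build_network():
    """operator.fi and wirlab.net send everything foreign to the clearing house."""
    trace = []
    ch = RadiusServer("clearinghouse", trace=trace)
    wirlab = RadiusServer("wirlab.net", "wirlab.net", {"alice": "s3cret"}, ch, trace)
    operator = RadiusServer("operator.fi", "operator.fi", {"bob": "hunter2"}, ch, trace)
    ch.routes = {"wirlab.net": wirlab, "operator.fi": operator}   # the ISP DB
    return operator, ch, wirlab, trace


def roaming_session(visited, user_name, password):
    """Run the six messages of Page 9 from the visited WISP's RADIUS server.

    Returns the code of the last reply seen by the visited server."""
    r1 = visited.handle(Packet("Access-Request", user_name))
    if r1.code != "Access-Challenge":
        return r1.code
    r2 = visited.handle(Packet("Access-Request", user_name,
                               {"State": r1.attrs["State"], "Password": password}))
    if r2.code != "Access-Accept":
        return r2.code
    stop = Packet("Accounting-Request", user_name,
                  {"Acct-Status-Type": "Stop", "Acct-Input-Octets": 1200,
                   "Acct-Output-Octets": 3400, "NAS-IP-Address": "192.0.2.10"})
    return visited.handle(stop).code


if __name__ == "__main__":
    operator, ch, wirlab, trace = build_network()
    print(roaming_session(operator, "alice@wirlab.net", "s3cret"))
    for hop, code in trace:
        print(f"{hop:14} {code}")
```

Running the module prints eighteen (server, message) events, i.e. each of the six messages once per hop as on the Page 9 diagram. Note what the chain implies for confidentiality: RADIUS hides User-Password only hop by hop, with the shared secret of that hop, so with a password-based login (such as the HTTP authentication of the Access Controllers) the Clearing House decrypts and re-encrypts the password and sees it in clear, whereas EAP-TLS or EAP-TTLS carry the credential inside a TLS tunnel the proxies cannot open.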

Page 10: User's view / 802.1X

• On an 802.1X enabled OS

[Screenshot: as soon as the wireless client is associated to the access point, the user is prompted for a username and password]

Page 11: User's view / 802.1X

• A new window opens for the required information

Page 12: User's view / 802.1X

• After the information is sent and the user has been authenticated by the RADIUS servers, the view in Network Connections changes as follows. The user is authenticated and the network session can begin

Page 13: User's view / HTTP

• When authenticating via HTTP, the user has to open his/her browser and is then redirected to the authentication page. After entering the username and password the user is granted access to the network

Example: Cisco BBSM

Page 14: User's view / HTTP

• A pop-up window containing a "Logoff" or "Disconnect" button is usually opened after login. Until the user logs off, all traffic is passed through the Access Controller. This enables accounting for the session

Page 15: Clearing House

• Inter-WISP traffic logs per given timeframe

[Screenshot: displays usernames, visited and visiting domains, timestamps, in/out bytes and the number of accounting messages]

Page 16: Clearing House (contd.)

• Collect balance information up to the current time

[Screenshot: balance figures per operator, reflected against the other operators]
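The accounting side (Page 4) and the Clearing House reports (Pages 15 and 16), as an added Python example that is not Wirlab's code. It keeps the fields the slides name (timestamps, transferred bytes, start/alive/stop messages, authenticator IP address) per accounting message, then builds the per-timeframe traffic report and the per-operator balance. The records, realms and byte counts are constructed, and taking the visited realm from the WISP RADIUS server that forwarded the record is an assumption about how the clearing house labels incoming messages.

```python
"""Clearing-house accounting: roaming reports and operator balances.

Added example (not Wirlab's code). Works on the accounting data Page 4 says
the Clearing House Proxy stores and produces the per-timeframe traffic report
of Page 15 and the per-operator balance of Page 16. All records below are
constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)           # frozen -> hashable, so a set() drops exact retransmissions
class AcctRecord:
    session_id: str               # Acct-Session-Id, unique per session at the visited WISP
    user_name: str                # User-Name, "user@home-realm"
    visited: str                  # realm of the WISP whose RADIUS forwarded the record (assumed)
    status: str                   # "Start", "Alive" (RADIUS: Interim-Update) or "Stop"
    timestamp: int                # when the clearing house received it (epoch seconds)
    nas_ip: str                   # NAS-IP-Address of the Access Controller / access point
    in_octets: int = 0            # Acct-Input-Octets, cumulative for the session
    out_octets: int = 0           # Acct-Output-Octets, cumulative for the session


def home_realm(user_name):
    return user_name.rpartition("@")[2].lower()


def roaming_report(records, start, end):
    """One row per inter-WISP session seen in [start, end).

    RADIUS byte counters are cumulative, so the latest record of a session is
    taken as-is rather than summing Start/Alive/Stop; a session without a Stop
    yet is reported from its last Alive message and flagged as open."""
    sessions = defaultdict(set)
    for r in records:
        if home_realm(r.user_name) == r.visited:
            continue                          # local user, not a roaming session
        sessions[(r.visited, r.session_id)].add(r)
    rows = []
    for (visited, sid), recs in sessions.items():
        recs = sorted(recs, key=lambda r: r.timestamp)
        first, last = recs[0], recs[-1]
        if last.timestamp < start or first.timestamp >= end:
            continue
        rows.append({
            "session": sid,
            "user": first.user_name,
            "home": home_realm(first.user_name),
            "visited": visited,
            "nas_ip": first.nas_ip,
            "start": first.timestamp,
            "last_seen": last.timestamp,
            "closed": last.status == "Stop",
            "in_octets": last.in_octets,
            "out_octets": last.out_octets,
            "messages": len(recs),            # distinct accounting messages for the session
        })
    return rows


def balances(rows):
    """Per operator: bytes it hosted for foreign users, bytes its own users used abroad,
    and the net figure (hosted - consumed) to settle against the other operators."""
    bal = defaultdict(lambda: {"hosted": 0, "consumed": 0, "net": 0})
    for row in rows:
        total = row["in_octets"] + row["out_octets"]
        bal[row["visited"]]["hosted"] += total
        bal[row["home"]]["consumed"] += total
    for b in bal.values():
        b["net"] = b["hosted"] - b["consumed"]
    return dict(bal)


# Constructed sample: alice (wirlab.net) roams at operator.fi and her Stop is retransmitted
# once; bob (operator.fi) roams at wirlab.net and is still online; carol is a local user.
SAMPLE_RECORDS = [
    AcctRecord("s1", "alice@wirlab.net", "operator.fi", "Start", 1000, "192.0.2.10"),
    AcctRecord("s1", "alice@wirlab.net", "operator.fi", "Alive", 1600, "192.0.2.10", 500, 2000),
    AcctRecord("s1", "alice@wirlab.net", "operator.fi", "Stop", 2200, "192.0.2.10", 1200, 3400),
    AcctRecord("s1", "alice@wirlab.net", "operator.fi", "Stop", 2200, "192.0.2.10", 1200, 3400),
    AcctRecord("s2", "bob@operator.fi", "wirlab.net", "Start", 1500, "198.51.100.7"),
    AcctRecord("s2", "bob@operator.fi", "wirlab.net", "Alive", 2100, "198.51.100.7", 300, 700),
    AcctRecord("s3", "carol@operator.fi", "operator.fi", "Start", 1100, "192.0.2.10"),
    AcctRecord("s3", "carol@operator.fi", "operator.fi", "Stop", 1900, "192.0.2.10", 50, 90),
]

if __name__ == "__main__":
    rows = roaming_report(SAMPLE_RECORDS, 0, 3000)
    for row in rows:
        print(row)
    print(balances(rows))
```

Two things the aggregation has to get right: the byte counters are cumulative per session, so the Stop record (or, for a still-open session, the last Alive) is taken as-is instead of summing all three messages; and a retransmitted Stop, which arrives with identical contents, must not be counted twice in either the byte totals or the message count.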

Page 17: CH Management (contd.)

• Administer WISP RADIUS servers via browser

Page 18

http://www.wirlab.net/