radsecproxy - a swiss army knife for eduroam

connect • communicate • collaborate

radsecproxy: A swiss army knife for eduroam™ [Why does eduroam™ work on the buses to the venue?] Stefan Winter, RESTENA, TNC 2009, 09 June 2009



  • Overview

    What is radsecproxy?

    History: Why radsecproxy? Timeline

    Features: RADIUS/UDP, .../TCP, .../DTLS, RadSec, dynamic discovery

    Standardisation Impact: IETF drafts

    Deployment

  • What is radsecproxy?

    Product of Uninett, particularly Stig Venås

    Universal proxy for several RADIUS transports:
    - RADIUS over UDP
    - RADIUS over TCP
    - TLS-encrypted RADIUS over TCP
    - DTLS-encrypted RADIUS over UDP

    Translates bidirectionally from all to all transports

    Either:
    - supplements Access Points which don't speak RadSec, or ...
    - a local front-end to older classic RADIUS servers, or ...
    - a complete small-footprint eduroam national (FLR) or international (TLR) proxy server

  • radsecproxy, the FLR

    [Diagram: org1.lu, org2.lu and org3.lu talk classic RADIUS to the .lu radsecproxy, which forwards via RadSec to the ETLR]

  • radsecproxy, the local frontend

    [Diagram: org1.lu runs radsecproxy @localhost as a front-end, talking RADIUS locally and RadSec towards the .lu proxy (on to the ETLR); org2.lu and org3.lu as before]

  • radsecproxy and the buses (1)

    [Diagram: AP talks RADIUS to radsecproxy @localhost, which talks RadSec to some eduroam RadSec server]

  • radsecproxy and the buses

    [Diagram: AP and radsecproxy @localhost on the bus, reaching some eduroam RadSec server over a UMTS uplink]

  • Say cheese...

  • Why radsecproxy? (or: Aren't there enough RADIUS servers already?)

    eduroam requirements for RADIUS servers are high: only a few really good implementations

    any attempt to use RadSec narrowed the choice down to one implementation (Radiator)

    Radiator has a large customer base and can't be used for code experiments

    GN2-JRA5 needed an up-to-date reference implementation of the latest IETF drafts

    Timeline:
    - Work started: 2 Jan 2007 (first SVN commit)
    - 1.0: Sep 21, 2007
    - 1.3: Mar 12, 2009

  • Feature Set

    Transports: two usual suspects
    - Classic RADIUS: RADIUS datagrams, transmitted over UDP
    - RadSec: TLS encryption for RADIUS, transmitted over TCP

    and two newcomers
    - RADIUS, transmitted over TCP (no contemporary encryption!) [IETF spin-off of RadSec, stand-alone use not recommended]
    - RADIUS datagrams, encrypted with TLS-like DTLS, transmitted over UDP [new IETF idea]

    Dynamic discovery: find the AAA server from an arbitrary metadata repository (→ next slide)

  • Dynamic discovery: nothing new :-) (it has delivered your mail for decades)

    From: [email protected] To: [email protected]

    [Diagram: the MTA at doe.de asks DNS "MX?" for the recipient domain, gets 2001:db8::c001, and delivers to the mailbox server at bob.lu ("Mail for you!" / "Thanks!")]

  • RADIUS: no dynamics in sight

    [Diagram: static RADIUS hierarchy: a root server above the national servers (.fr, .lu, .nl, .de, ...), with bob.lu and doe.de below them; authenticator1 and authenticator2 at bob.lu forward logins for users at doe.de and dep1.uni.au up the tree until they reach the AuthServer at doe.de]

  • Dynamic discovery and RADIUS

    [Diagram: the mail roles mapped onto eduroam. The eduroam SP at bob.lu receives "Login: [email protected]", asks DNS/metadata "eduroam?", gets 2001:db8::beef, then asks the IdP at doe.de "Authenticate guy?" and is told "Yes, is okay!"]
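    As an added illustration (not from the slides or the radsecproxy project) of the lookup sketched above: take the realm from the login NAI and resolve it against a metadata repository, here a constructed in-memory table standing in for DNS/metadata; the parent-realm fallback (dep1.uni.au, then uni.au) is an assumption modelled on the hierarchy of the previous slide, not something the drafts prescribe. Malformed or realm-less logins are rejected locally rather than forwarded anywhere.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed metadata repository standing in for DNS/metadata
# (example data, not real eduroam entries):
# realm -> address of that realm's RadSec-capable IdP server.
METADATA: Dict[str, str] = {
    "doe.de": "2001:db8::beef",
    "uni.au": "2001:db8::a0",
}

# One local part, exactly one '@', and a realm of at least two
# hostname-like labels (letters, digits, '-', separated by '.').
NAI_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def realm_of(nai: str) -> Optional[str]:
    """Return the lower-cased realm of a NAI such as guy@doe.de, or None if
    the NAI is malformed or has no routable realm (no '@', several '@',
    or a realm without a dot)."""
    m = NAI_RE.match(nai)
    if not m:
        return None
    return m.group(1).lower()


def candidate_realms(realm: str) -> List[str]:
    """dep1.uni.au -> ['dep1.uni.au', 'uni.au']: walk towards the parent
    realm (assumed fallback), but never down to a bare top-level label,
    which no single IdP should own."""
    labels = realm.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def discover(nai: str, metadata: Dict[str, str] = METADATA) -> Optional[Tuple[str, str]]:
    """Map a login NAI to (matched realm, IdP address), or None when the
    request must be rejected locally instead of being forwarded."""
    realm = realm_of(nai)
    if realm is None:
        return None
    for cand in candidate_realms(realm):
        if cand in metadata:
            return cand, metadata[cand]
    return None
```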

  • Standardisation Impact

    IETF drafts for:
    - RADIUS/TCP transport [A. DeKok]
    - RADIUS/TLS [S. Winter et al.]
    - RADIUS/DTLS [A. DeKok]
    - NAI-based server discovery [S. Winter]

  • Time for bashing!

    (a.k.a. Questions?)

  • ... and why the buses sometimes didn't work

    It doesn't help to have 7 buses equipped with eduroam, but they are sitting in the depot [Sunday morning]

    Rebooting the bus (ignition power loss) creates race conditions [Sunday, Monday]

    UMTS uplink takes ~2 minutes to get an actual network connection [Sunday, Monday]
    - AP takes seconds only and gives up early
    - and catching all seven buses in turn to fix that is time-consuming if you are supposed to attend/organise a conference simultaneously

    UMTS isn't a fiber backbone, flaky connection on handover can disrupt you/delay authentication [always]

    Plus lesson learned: AP manufacturers, we hate you for not equipping your devices with a hardware clock!
