Supporting Wireless Mobility Through Flexible Architecture
John Douglass, Sr. Systems Architect, [email protected]
Steven McDaniel, ResNet Manager
ASK QUESTIONS!!
Overview
• Why is mobility important?
• What were our guiding principles?
• LAWN Version 1.0
• The evolution of the wireless systems
• Adding 802.1x (WPA-Enterprise)
• The Foo of VLAN steering
• Future opportunities and challenges
Why is Mobility Important?
• Laptops are a requirement at Georgia Tech.
• Cellular phones with wi-fi capabilities are more prolific now than ever
• More and more devices (such as iPads, gaming devices, robots, lab devices, etc.) are getting into the hands of our users.
Guiding Principles
• User based authentication.
• Centralized deployment across campus
• Layer 2 mobility that allows for campus roaming
• No client agent – support as much as we can that runs the protocols required
• Keep requirements for access reasonable
(2001-2005) LAWN Version 1.0
How Wireless Grew into a Monster
Evolution of the Beast (Pre 802.1x)
• 2006
  – Added Wired Network
  – Added 2nd Wireless Network
  – Device Login and Cookie Based Sessions to support mobile and other
  – http based API (GTLogin AP)
• 2007
  – Consolidated vendors to reduce the mix of radio types (compatibility issues)
  – Moved to a controller based system and converted APs to LWAPP
(2006-2007) LAWN Version 2.0
2008 Default VLAN (2 networks)
LAWN Login Page
And then…
2008 Evolution of the Beast (Pre 802.1x)
• 2008
  – LAWN bomb 1 (connection tracking)
  – LAWN bomb 2 (iptables routines)
  – Multiple Software Firewalls
(2008) LAWN Version 3.0
2009 Evolution of the Beast (Pre 802.1x)
• 2009
  – bonded etherchannel for uplinks
  – Added a 3rd wireless network
  – Isolation of services (web, DHCP, DB)
  – Process redistribution
  – WPA (802.1x) Pilot Begins (using software firewall)
2009 Default VLAN (3 networks)
Why 802.1x? What’s the big deal?
• Improved usability on mobile devices
• Allowed us an advanced level of flexibility on VLAN assignment
• Able to use hardware based firewalls
• Removed impact of web based attack on wireless authentication
• Improved service availability and recovery
• Simplified our architecture and planning
Design Decisions for 802.1x
• Had an existing AD backend, and found that every major client supported it (EAP-PEAP-MSChapV2)
• Need to support network blocking
• Need to support user authorization
• Need to support user feedback
• User, mac, and/or source based VLAN steering
Number of Devices per Freshman (pie charts; legend categories 1, 2, 3 devices, percentages listed in legend order)

  Devices   Fall 2007   Fall 2010
  1         77.8%       32.8%
  2         17.8%       40.6%
  3          4.4%       26.6%
(2009) LAWN Version 4.0
Moving Complexity to MySQL
• Freeradius has a great base language (unlang) but did not have complex functions and is somewhat difficult to understand
• MySQL is widely supported on campus
• Freeradius is HIGHLY configurable (you can specify MySQL queries in the configuration)
• Required data easily obtainable
Radius Based VLAN Assignment
MySQL Foo for VLAN Steering

DELIMITER |
CREATE FUNCTION determineGroup(client_mac VARCHAR(17), client_username VARCHAR(64), client_ap VARCHAR(64))
RETURNS VARCHAR(64)
READS SQL DATA
BEGIN
  DECLARE returngroup VARCHAR(64);
  DECLARE clean_mac VARCHAR(17);
  DECLARE clean_ap VARCHAR(17);
  -- Normalise the client MAC and the AP MAC (first 17 chars of Called-Station-Id) to lower-case, colon-separated form
  SET clean_mac = REPLACE(LOWER(client_mac),'-',':');
  SET clean_ap = REPLACE(LOWER(SUBSTR(client_ap,1,17)),'-',':');
  IF EXISTS(SELECT groupname FROM radusergroup WHERE (mac_address = clean_mac OR username = client_username) ORDER BY priority ASC LIMIT 1) THEN
    -- Lowest priority number wins: 100 (user or MAC), 150 (user+MAC on a given AP), 200 (MAC), 300 (user+MAC), 400 (user), then DEFAULT
    SELECT groupname INTO returngroup FROM radusergroup
      WHERE ((username = client_username OR mac_address = clean_mac) AND priority = 100)
         OR (username = client_username AND mac_address = clean_mac AND source_ap = clean_ap AND priority = 150)
         OR (mac_address = clean_mac AND priority = 200)
         OR (username = client_username AND mac_address = clean_mac AND priority = 300)
         OR (username = client_username AND priority = 400)
         OR (username = 'DEFAULT')
      ORDER BY priority ASC LIMIT 1;
    IF returngroup IS NULL THEN
      -- No static rule matched: authorized users are hashed into a VLAN, everyone else is refused
      IF EXISTS(SELECT uid FROM mage WHERE (uid = client_username AND login > 0) LIMIT 1) THEN
        SELECT determineGroupByHash(clean_mac, client_username) INTO returngroup;
      ELSE
        SET returngroup = 'NOTAUTHORIZED';
      END IF;
    END IF;
  ELSE
    IF EXISTS(SELECT uid FROM mage WHERE (uid = client_username AND login > 0) LIMIT 1) THEN
      SELECT determineGroupByHash(clean_mac, client_username) INTO returngroup;
    ELSE
      SET returngroup = 'NOTAUTHORIZED';
    END IF;
  END IF;
  RETURN returngroup;
END|
DELIMITER ;
DELIMITER |
CREATE FUNCTION simpleHash(hashthis VARCHAR(30), hashsize INT)
RETURNS INT DETERMINISTIC
BEGIN
  DECLARE hashval INT;
  DECLARE hashme VARCHAR(30);
  -- Last 8 hex digits of the MD5 of the upper-cased input, taken modulo the number of active groups
  SET hashme = UPPER(hashthis);
  SET hashval = CONV(SUBSTR(md5(hashme),-8),16,10) % hashsize;
  RETURN hashval;
END|
DELIMITER ;

DELIMITER |
CREATE FUNCTION determineGroupByHash(client_mac VARCHAR(17), client_username VARCHAR(64))
RETURNS VARCHAR(64) DETERMINISTIC READS SQL DATA
BEGIN
  DECLARE hashval INT;
  DECLARE hashsize INT;
  DECLARE chain_pref VARCHAR(32);
  DECLARE returngroup VARCHAR(64);
  -- Session variable used to number the active groups of the chosen chain 0..n-1 in groupname order
  SET @rownum = -1;
  SET chain_pref = determinePreferredChain(client_mac, client_username);
  SELECT count(*) INTO hashsize FROM radhashgroup WHERE status = 'ACTIVE' AND chain = chain_pref;
  SET hashval = simpleHash(client_mac, hashsize);
  SELECT r1.groupname INTO returngroup
    FROM (SELECT @rownum:=@rownum+1 AS hash_value, groupname
          FROM radhashgroup
          WHERE status = 'ACTIVE' AND chain = chain_pref
          ORDER BY groupname ASC) AS r1
    WHERE hash_value = hashval;
  RETURN returngroup;
END|
DELIMITER ;
DELIMITER |
CREATE FUNCTION determinePreferredChain(client_mac VARCHAR(17), client_username VARCHAR(64))
RETURNS VARCHAR(64) DETERMINISTIC READS SQL DATA
BEGIN
  DECLARE returnchain VARCHAR(64);
  -- A user may pin a device to a firewall chain in user_prefs; otherwise the stateful chain is used
  IF EXISTS(SELECT chain FROM user_prefs WHERE (mac_address = client_mac AND username = client_username) LIMIT 1) THEN
    SELECT chain INTO returnchain FROM user_prefs WHERE (mac_address = client_mac AND username = client_username) LIMIT 1;
  ELSE
    SET returnchain = 'stateful';
  END IF;
  RETURN returnchain;
END|
DELIMITER ;
In $RADIUS/etc/raddb/sql/mysql/dialup.conf
group_membership_query = "SELECT determineGroup('%{Calling-Station-Id}','%{SQL-User-Name}','%{Called-Station-Id}') as groupname";
mysql> select * from mage;
+---------------+-----------+-------+
| account_index | uid       | login |
+---------------+-----------+-------+
|        313171 | blinkie3  |     1 |
|            12 | twx63     |     1 |
|            23 | mandy     |     0 |
+---------------+-----------+-------+

mysql> select * from radhashgroup;
+----+-----------+---------------+---------+
| id | groupname | chain         | status  |
+----+-----------+---------------+---------+
|  1 | vlan1296  | authenticated | STANDBY |
|  2 | vlan1296  | stateful      | STANDBY |
|  4 | vlan0316  | stateful      | ACTIVE  |
|  8 | vlan1332  | authenticated | ACTIVE  |
|  6 | vlan0808  | stateful      | ACTIVE  |
|  7 | vlan1312  | stateful      | ACTIVE  |
+----+-----------+---------------+---------+

mysql> select * from user_prefs;
+----+----------+-------------------+---------------+
| id | username | mac_address       | chain         |
+----+----------+-------------------+---------------+
|  3 | mandy    | 55:b0:3a:67:55:9b | authenticated |
+----+----------+-------------------+---------------+

mysql> select * from radusergroup order by priority;
+-----+-----------------+-------------------+-----------+-----------+----------+------------------------+
| id  | username        | mac_address       | source_ap | groupname | priority | comment                |
+-----+-----------------+-------------------+-----------+-----------+----------+------------------------+
| 375 | blinkie3        |                   |           | vlan1296  |      100 | block_id:3423          |
| 393 | mango678        |                   |           | vlan1296  |      100 | block_id:3768          |
| 506 | smcdaniel12     | 00:21:6a:78:8b:74 |           | vlan1296  |      300 | testing for Steven McD |
| 516 | jdouglass187    |                   |           | vlan0316  |      400 | testing for johnd      |
+-----+-----------------+-------------------+-----------+-----------+----------+------------------------+
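To make the steering rules concrete, the following is an added Python model of the stored functions above (not the LAWN project's own code), run over the sample rows from the mage, radhashgroup, user_prefs and radusergroup tables; MAC addresses and AP identifiers not present in those tables are constructed.

```python
import hashlib

# Constructed sample data mirroring the four tables shown on the slides.
MAGE = {"blinkie3": 1, "twx63": 1, "mandy": 0}  # uid -> login
RADHASHGROUP = [("vlan1296", "authenticated", "STANDBY"), ("vlan1296", "stateful", "STANDBY"),
                ("vlan0316", "stateful", "ACTIVE"), ("vlan1332", "authenticated", "ACTIVE"),
                ("vlan0808", "stateful", "ACTIVE"), ("vlan1312", "stateful", "ACTIVE")]
USER_PREFS = {("mandy", "55:b0:3a:67:55:9b"): "authenticated"}
# (username, mac_address, source_ap, groupname, priority)
RADUSERGROUP = [("blinkie3", "", "", "vlan1296", 100), ("mango678", "", "", "vlan1296", 100),
                ("smcdaniel12", "00:21:6a:78:8b:74", "", "vlan1296", 300),
                ("jdouglass187", "", "", "vlan0316", 400)]

def clean(mac):
    # Same normalisation as the stored function: lower-case, dashes become colons
    return mac.lower().replace("-", ":")

def simple_hash(value, size):
    # simpleHash: CONV(SUBSTR(md5(UPPER(x)),-8),16,10) % size
    return int(hashlib.md5(value.upper().encode()).hexdigest()[-8:], 16) % size

def preferred_chain(mac, user):
    # determinePreferredChain: a per-device preference, else the stateful chain
    return USER_PREFS.get((user, mac), "stateful")

def group_by_hash(mac, user):
    # determineGroupByHash: index the ACTIVE groups of the chain (sorted by name) by the MAC hash
    chain = preferred_chain(mac, user)
    active = sorted(g for g, c, s in RADHASHGROUP if s == "ACTIVE" and c == chain)
    return active[simple_hash(mac, len(active))] if active else None

def determine_group(mac, user, called_station_id):
    # determineGroup: Called-Station-Id is "<AP MAC>:<SSID>", so the first 17 chars are the AP
    mac, ap = clean(mac), clean(called_station_id[:17])
    def fallback():
        return group_by_hash(mac, user) if MAGE.get(user, 0) > 0 else "NOTAUTHORIZED"
    if not any(m == mac or u == user for u, m, _, _, _ in RADUSERGROUP):
        return fallback()
    # Same clause set as the stored function; the lowest priority number wins
    matches = [(p, g) for u, m, s, g, p in RADUSERGROUP if
               ((u == user or m == mac) and p == 100) or
               (u == user and m == mac and s == ap and p == 150) or
               (m == mac and p == 200) or
               (u == user and m == mac and p == 300) or
               (u == user and p == 400) or u == "DEFAULT"]
    return min(matches)[1] if matches else fallback()
```

Note that a row matching only on MAC at priority 300 (another user on smcdaniel12's laptop) or only on username falls through to the hash or to NOTAUTHORIZED, which is the behaviour the stored function's clause list encodes.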
(2011) LAWN Version 4.4
User Distribution on 802.1x
VLAN Distribution
WEP vs 802.1x
Significant Challenges for 802.1x
• Not all clients support it (fallback = captive portal)
• Configuration gotchas on all platforms
• Difficult to put together accurate timeline of activity when debugging
• AD integration (this adds a new dependency)
Future Opportunities and Challenges
• Many consumer grade devices do not (and will not) support 802.1x (WPA-Enterprise)
• Centralized steering with radius is not as dependent upon controller based or single vendor architecture
• Acts as a new jumping off point for an 802.1x wired solution using similar/identical technologies
For More Information
• http://www.lawn.gatech.edu
• http://www.freeradius.org
• [email protected]
• [email protected]
Evaluation (Be Kind but Honest!!)
http://www.resnetsymposium.org/rspm/evaluation/