Supporting Wireless Mobility Through Flexible Architecture

John DouglassSr. Systems ArchitectJohn.douglass@oit.gatech.edu

Steven McDanielResNet Manager

Steven.mcdaniel@resnet.gatech.edu

ASK QUESTIONS!!

Overview

• Why is mobility important?• What were our guiding principles?• LAWN Version 1.0• The evolution of the wireless

systems• Adding 802.1x (WPA-Enterprise)• The Foo of VLAN steering• Future opportunities and challenges

Why is Mobility Important?

• Laptops are a requirement at Georgia Tech.• Cellular phones with wi-fi capabilities are

more prolific now than ever• More and more devices (such as iPads, gaming

devices, robots, lab devices, etc.) are getting into the hands of our users.

Guiding Principles

• User based authentication.• Centralized deployment across campus• Layer 2 mobility that allows for campus

roaming• No client agent – support as much as we can

that runs the protocols required• Keep requirements for access reasonable

(2001-2005) LAWN Version 1.0

How Wireless Grew into a Monster

(2001-2005) LAWN Version 1.0

Evolution of the Beast (Pre 802.1x)• 2006

– Added Wired Network– Added 2nd Wireless Network– Device Login and Cookie Based

Sessions to support mobile and other– http based API (GTLogin AP)

• 2007– Consolidated vendors to reduce the

mix of radio types (compatibility issues)

– Moved to a controller based system and converted APs to LWAPP

(2006-2007) LAWN Version 2.0

2008 Default VLAN (2 networks)

LAWN Login Page

…andthen…

And then…

How Wireless Grew into a Monster

2008 Evolution of the Beast (Pre 802.1x)

• 2008– LAWN bomb 1 (connection tracking)– LAWN bomb 2 (iptables routines)– Multiple Software Firewalls

(2008) LAWN Version 3.0

2009 Evolution of the Beast (Pre 802.1x)

2009– bonded etherchannel for uplinks– Added a 3rd wireless network– Isolation of services (web, DHCP, DB)– Process redistribution– WPA (802.1x) Pilot Begins (using sw firewal)

2009 Default VLAN (3 networks)

Why 802.1x? What’s the big deal?• Improved usability on mobile devices• Allowed us an advanced level of flexibility on

VLAN assignment• Able to use hardware based firewalls• Removed impact of web based attack on

wireless authentication• Improved service availability and recovery• Simplified our architecture and planning

Design Decisions for 802.1x

• Had existing AD backed that we found every major client supported (EAP-PEAP-MSChapV2)

• Need to support network blocking• Need to support user authorization• Need to support user feedback• User, mac, and/or source based VLAN steering

Fall 2007

77.8%

17.8%

4.4%

123

Fall 2010

32.8%

40.6%

26.6%

123

Number of Devices per Freshman

(2009) LAWN Version 4.0

Moving Complexity to MySQL

• Freeradius has a great base language (unlang) but did not have complex functions and is somewhat difficult to understand

• MySQL is widely supported on campus• Freeradius is HIGHLY configurable (you can

specify MySQL queries in the configuration)• Required data easily obtainable

Radius Based VLAN

Assignment

MySQL Foo for VLAN SteeringDelimiter |CREATE FUNCTION determineGroup(client_mac VARCHAR(17), client_username VARCHAR(64), client_ap VARCHAR(64)) RETURNS VARCHAR(64) BEGIN DECLARE returngroup VARCHAR(64); DECLARE clean_mac VARCHAR(17); DECLARE clean_ap VARCHAR(17);

SET clean_mac = REPLACE(LOWER(client_mac),'-',':'); SET clean_ap = REPLACE(LOWER(SUBSTR(client_ap,1,17)),'-',':');

IF EXISTS(SELECT groupname FROM radusergroup WHERE (mac_address = clean_mac OR username = client_username) ORDER BY priority ASC LIMIT 1) THEN SELECT groupname INTO returngroup FROM radusergroup \ WHERE ((username = client_username OR mac_address = clean_mac) AND priority = 100) \ OR (username = client_username AND mac_address = clean_mac AND source_ap = clean_ap AND priority = 150) \ OR (mac_address = client_mac AND priority = 200) \ OR (username = client_username AND mac_address = clean_mac AND priority = 300) \ OR (username = client_username AND priority = 400) \ OR (username = 'DEFAULT') \ ORDER BY priority ASC LIMIT 1; IF returngroup IS NULL THEN IF EXISTS(SELECT uid FROM mage WHERE (uid = client_username AND login > 0) LIMIT 1) THEN SELECT determineGroupByHash(clean_mac, client_username) INTO returngroup; ELSE SET returngroup = 'NOTAUTHORIZED'; END IF; END IF; ELSE IF EXISTS(SELECT uid FROM mage WHERE (uid = client_username AND login > 0) LIMIT 1) THEN SELECT determineGroupByHash(clean_mac, client_username) INTO returngroup; ELSE SET returngroup = 'NOTAUTHORIZED'; END IF; END IF; RETURN returngroup; END|

MySQL Foo for VLAN SteeringDELIMITER | CREATE FUNCTION simpleHash(hashthis VARCHAR(30), hashsize INT) RETURNS INT DETERMINISTIC BEGIN DECLARE hashval INT; DECLARE hashme VARCHAR(30); SET hashme = UPPER(hashthis); SET hashval = CONV(SUBSTR(md5(hashme),-8),16,10) % hashsize; RETURN hashval; END|DELIMITER ;

DELIMITER | CREATE FUNCTION determineGroupByHash(client_mac VARCHAR(17), client_username VARCHAR(64)) RETURNS VARCHAR(64) DETERMINISTIC BEGIN DECLARE hashval INT; DECLARE hashsize INT; DECLARE chain_pref VARCHAR(32); DECLARE returngroup VARCHAR(64); DECLARE rownum INT;

SET @rownum = -1; SET chain_pref = determinePreferredChain(client_mac, client_username); SELECT count(*) INTO hashsize FROM radhashgroup WHERE status = 'ACTIVE' AND chain = chain_pref; SET hashval = simpleHash(client_mac, hashsize); SELECT r1.groupname INTO returngroup FROM (SELECT @rownum:=@rownum+1 AS hash_value, groupname FROM radhashgroup WHERE status =

'ACTIVE' AND chain = chain_pref ORDER BY groupname ASC) as r1 WHERE hash_value = hashval; RETURN returngroup; END|DELIMITER ;

MySQL Foo for VLAN SteeringDELIMITER |CREATE FUNCTION determinePreferredChain(client_mac VARCHAR(17), client_username VARCHAR(64)) RETURNS VARCHAR(64) DETERMINISTIC BEGIN DECLARE returnchain VARCHAR(64); IF EXISTS(SELECT chain FROM user_prefs WHERE (mac_address = client_mac AND username = client_username) LIMIT 1) THEN SELECT chain INTO returnchain FROM user_prefs WHERE (mac_address = client_mac AND username = client_username)

LIMIT 1; ELSE SET returnchain = 'stateful'; END IF; RETURN returnchain; END|DELIMITER ;

In $RADIUS/etc/raddb/sql/mysql/dialup.conf

group_membership_query = "SELECT determineGroup('%{Calling-Station-Id}','%{SQL-User-Name}','%{Called-Station-Id}') as groupname";

MySQL Foo for VLAN Steeringmysql> select * from mage;+---------------+-----------+-------+| account_index | uid | login |+---------------+-----------+-------+| 313171 | blinkie3 | 1 | | 12 | twx63 | 1 | | 23 | mandy | 0 | +---------------+-----------+-------+mysql> select * from radhashgroup;+----+-----------+---------------+---------+| id | groupname | chain | status |+----+-----------+---------------+---------+| 1 | vlan1296 | authenticated | STANDBY | | 2 | vlan1296 | stateful | STANDBY | | 4 | vlan0316 | stateful | ACTIVE | | 8 | vlan1332 | authenticated | ACTIVE | | 6 | vlan0808 | stateful | ACTIVE | | 7 | vlan1312 | stateful | ACTIVE | +----+-----------+---------------+---------+mysql> select * from user_prefs;+----+----------+-------------------+---------------+| id | username | mac_address | chain |+----+----------+-------------------+---------------+| 3 | mandy | 55:b0:3a:67:55:9b | authenticated | +----+----------+-------------------+---------------+

mysql> select * from radusergroup order by priority; +-----+-----------------+-------------------+-----------+-----------+----------+------------------------+| id | username | mac_address | source_ap | groupname | priority | comment |+-----+-----------------+-------------------+-----------+-----------+----------+------------------------+| 375 | blinkie3 | | | vlan1296 | 100 | block_id:3423 | | 393 | mango678 | | | vlan1296 | 100 | block_id:3768 | | 506 | smcdaniel12 | 00:21:6a:78:8b:74 | | vlan1296 | 300 | testing for Steven McD | | 516 | jdouglass187 | | | vlan0316 | 400 | testing for johnd | +-----+-----------------+-------------------+-----------+-----------+----------+------------------------+

(2011) LAWN Version 4.4

User Distribution on 802.1x

VLAN Distribution

WEP vs 802.1x

Significant Challenges for 802.1x

• Not all clients support it (fallback = captive portal)

• Configuration gotchas on all platforms• Difficult to put together accurate timeline of

activity when debugging• AD integration (this adds a new dependency)

Future Opportunities and Challenges

• Many consumer grade devices do not (and will not) support 802.1x (WPA-Enterprise)

• Centralized steering with radius is not as dependent upon controller based or single vendor architecture

• Acts as a new jumping off point for an 802.1x wired solution using similar/identical technologies

For More Information

• http://www.lawn.gatech.edu• http://www.freeradius.org• John.Douglass@oit.gatech.edu• Steven.McDaniel@resnet.gatech.edu

Evaluation (Be Kind but Honest!!)http://www.resnetsymposium.org/rspm/evaluation/