
Deliverable H: the interoperability testbed design

This deliverable discusses the design of an interoperability testbed for an AAA server access control device. The testbed incorporates features like RADIUS-based web authentication, VPN solutions, and a RADIUS proxy server hierarchy for scalability. Various network layouts and authentication methods are explored, including 802.1X, captive portal, and PKI-based authentication.



Presentation Transcript


  1. Deliverable H: the interoperability testbed design. Klaas Wierenga, SURFnet <Klaas.Wierenga@SURFnet.nl>

  2. Web-based with RADIUS
  [Diagram: docking network with a WWW-browser, access control device, AAA server and the Internet; message flow numbered 1 to 5]
  • RADIUS based Web interface authentication at the University of Tampere
  • The Finnish are scaling their solution by using a hierarchy of RADIUS proxy servers for their national infrastructure

  3. VPN
  [Diagram: docking networks behind VPN gateways, each reaching a campus network, G-WiN and Intranet X; DHCP, DNS and free Web are offered on the docking network]
  • Wbone – VPN roaming solution for 4 universities / colleges in the state of Bremen.
  • SWITCHmobile – VPN solution deployed at 7 universities across Switzerland.
  • A "virtual campus" initiative in Lisbon has been testing and developing a VPN & PKI infrastructure.
  • PPPoE – University of Bristol

  4. Cross-domain 802.1X with VLAN assignment
  [Diagram: supplicant, authenticator (AP or switch) and RADIUS server with user DB at Institution A; a central RADIUS proxy server; RADIUS server with user DB at Institution B. Guest piet@institution_b.nl is placed in the Guest VLAN next to the Employee VLAN and Student VLAN, with access to the Internet]
  • Authentication at the home institution: 802.1X, TTLS (SecureW2), (proxy) RADIUS.
  • One time passwords are also transmitted via SMS to guest users.
  • A RADIUS hierarchy is proposed to scale this to a European wide solution.

  5. Current status
  • Characteristics identified as
    • 802.1X – “The future”, easy to scale, secure but cutting edge, thus expensive.
    • VPN – Widely available, expensive, secure & hard to scale.
    • Web based – cheap, widely available, easy to scale, but not secure.
  • Preliminary selection for inter-NREN roaming – in draft, conclusions are
    • No national solution meets all the requirements.
    • The group has chosen not to consider the following
      • Local VPN access.
      • PKI
    • An architecture that supports the various national solutions is needed; a three stream approach is recommended…

  6. Controlled Address Space for VPN Gateways
  • Design and work plan documentation underway.
  • Interoperability tests of VPN to RADIUS proxy hierarchy agreed.
  • Further work to follow.

  7. RADIUS proxy hierarchy
  [Diagram: national RADIUS proxy servers of UNI-C, FUNET, DFN, SURFnet, UKERNA, CESnet, FCCN, CARnet, RedIRIS and GRnet]
  RADIUS proxy servers connecting to a European level RADIUS proxy server
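The roaming flow of slides 4 and 7 can be made concrete with a small model of realm-based routing through a RADIUS proxy hierarchy. This is an added example, not code from deliverable H or from SURFnet; the server names, realms, user database, VLAN ids and hop limit are all constructed for the illustration. It shows the visited institution's server proxying a request for a foreign realm up through the national and European proxies to the home server, and then applying its own guest VLAN policy to the Access-Accept rather than trusting VLAN attributes chosen by a foreign server.

```python
# Added model of realm-based routing through a RADIUS proxy hierarchy (slides 4 and 7).
from __future__ import annotations
from dataclasses import dataclass, field

ACCEPT, REJECT, MAX_HOPS = "Access-Accept", "Access-Reject", 5  # hop limit guards against proxy loops

def vlan_attrs(vlan_id: int) -> dict:  # dynamic VLAN assignment attributes (RFC 3580)
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-Id": str(vlan_id)}

@dataclass
class RadiusServer:
    realm: str | None = None                      # realm authenticated here; None for a pure proxy
    users: dict = field(default_factory=dict)     # constructed user DB: user -> (password, group)
    vlans: dict = field(default_factory=dict)     # local group -> VLAN id
    guest_vlan: int | None = None                 # VLAN for roaming users visiting this site
    parent: RadiusServer | None = None            # next proxy up the hierarchy
    children: dict = field(default_factory=dict)  # realm suffix -> downstream server

    def handle(self, user_name: str, password: str, hops: int = 0) -> tuple[str, dict]:
        # Returns (code, attributes) for an Access-Request: authenticate locally or proxy by realm.
        realm = user_name.rpartition("@")[2].lower()
        if realm == self.realm:                   # home server: check the local user DB
            entry = self.users.get(user_name.lower())
            if entry is None or entry[0] != password:
                return REJECT, {}
            return ACCEPT, vlan_attrs(self.vlans[entry[1]])
        if hops >= MAX_HOPS:
            return REJECT, {"Reply-Message": "proxy hop limit exceeded"}
        nxt = next((s for sfx, s in self.children.items()
                    if realm == sfx or realm.endswith("." + sfx)), self.parent)
        if nxt is None:
            return REJECT, {"Reply-Message": f"no route for realm {realm!r}"}
        code, attrs = nxt.handle(user_name, password, hops + 1)
        # The visited site owns VLAN policy: drop Tunnel-* attributes set by a foreign server.
        if code == ACCEPT and self.guest_vlan is not None:
            attrs = {k: v for k, v in attrs.items() if not k.startswith("Tunnel-")}
            attrs.update(vlan_attrs(self.guest_vlan))
        return code, attrs

def build_testbed() -> tuple[RadiusServer, RadiusServer]:
    # Constructed topology: two Dutch institutions under SURFnet, FUNET, and a European proxy.
    europe = RadiusServer()
    surfnet = RadiusServer(parent=europe)
    europe.children = {"nl": surfnet, "fi": RadiusServer(parent=europe)}
    inst_a = RadiusServer(realm="institution_a.nl", parent=surfnet, guest_vlan=99,
                          users={"jan@institution_a.nl": ("pw-a", "employee")}, vlans={"employee": 10})
    inst_b = RadiusServer(realm="institution_b.nl", parent=surfnet, guest_vlan=98,
                          users={"piet@institution_b.nl": ("pw-b", "student")}, vlans={"student": 30})
    surfnet.children = {"institution_a.nl": inst_a, "institution_b.nl": inst_b}
    return inst_a, inst_b
```

A request for a realm nobody owns bounces between the European and national proxy until the hop limit rejects it, which is the failure mode a real hierarchy guards against with loop detection.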

  8. Integration?
  • 802.1X
    • Secure SSID
    • RADIUS
  • Web-based captive portal
    • Open SSID
    • RADIUS
  • PKI-based
    • Open SSID
    • No RADIUS

  9. Network layout with multiple SSID’s and VLAN assignment

  10. Network layout without multiple SSID’s and VLAN assignment

  11. Layer 2 design of the interoperability testbed

  12. Conclusions
  • It is possible to create an interoperable solution
  • It’s not that hard – especially when you use deliverable H to guide you
  • The future will show if and how these solutions will continue to exist
  • Del. H also provides an easy upgrade path
