1 / 34

5 th of April, Eurocamp, Ljubljana

eduroam, security and authentication. Paul Dekkers. 5 th of April, Eurocamp, Ljubljana. Contents. 802.1x and wireless innovations Authentication protocols Types Authentication servers Examples Eduroam Infrastructure Conclusion. Entities in 802.1x setup.

karena
Télécharger la présentation

5 th of April, Eurocamp, Ljubljana

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. eduroam, security and authentication Paul Dekkers 5th of April, Eurocamp, Ljubljana

  2. Contents • 802.1x and wireless innovations • Authentication protocols • Types • Authentication servers • Examples • Eduroam Infrastructure • Conclusion

  3. Entities in 802.1x setup Authentication before (W)LAN access… Supplicant Authenticator (AP or switch) RADIUS server institution User DB Guest VLAN LAN

  4. Wireless technologies • Encryption with 802.11 • WEP (RC4 keys) • WPA (RC4 + TKIP) • WPA2 (AES encryption) • 802.11i (crème de la crème) Changes with low impact • 802.1x is basis for future standardsIn time: as common as DHCP • With 802.1x we can make a 64-bit WEP-key safe

  5. EAP Extensible Authentication Protocol • Different EAP-types • EAP-types with SSL/TLS • “Mutual authentication” • Provide the encryption-keys • EAP is transported and proxied within RADIUS • The home-institution decides what type

  6. Common EAP types • EAP-TLSStrong authentication with client-certificates • EAP-TTLSDIAMETER/RADIUS (e.g. u/p in PAP) in TLS tunnelcan be deployed with most u/p-type backends • EAP-PEAPMicrosoft implementation with u/p via MSCHAPv2usable in MS enviromentsCisco has a different implementation • EAP-FASTusername/password authentication the Cisco wayinstallation more complex, uses no SSL/TLS • EAP-SIMStrong authentication with SIM-card from phones • ... LEAP, EAP-MD5 are old and weak

  7. EAP transport Secured tunnel Supplicant Authenticator (AP or switch) RADIUS server institution A RADIUS server institution B User DB User DB Guest user@institution-B.nl Internet guest VLAN regular VLAN Central RADIUS Proxy server

  8. End-users Is the biggest security risk the end-user itself?

  9. End-users Security considerations • In many cases username/password is good enoughCompare with POP3, IMAP, webmail, … • SSL client certificates are sometimes easier for users • Mutual authentication can be confusing:installers help!

  10. RADIUS servers Well known servers: • Radiator • FreeRADIUS • IAS 2003 • Only advised with Microsoft clients and backend • Cisco ACS • Barely used, bad EAP compatibility

  11. Radiator example Understandable monolithic linear configuration (saves time/mistakes!) LogDir /var/log/radius AuthPort 1812 AcctPort 1813 Trace 4 <Client 192.87.110.54> Secret … IdenticalClients 192.87.110.4 </Client> <AuthBy FILE> Identifier GiveItAName Filename %D/users </AuthBy> <Handler> AuthBy GiveItAName </Handler> <Handler> <AuthBy> #Identifier GiveItAName Filename %D/users </AuthBy> </Handler> or:

  12. Radiator example Proxy non-local requests to the eduroam infrastructure: <Client obelix.a3.surf.net> Secret … Identifier SURFnet-proxy IdenticalClients idefix.a3.surf.net </Client> <Handler Client-Identifier=/^(?!SURFnet-proxy$)/> <AuthBy RADIUS> Host obelix.a3.surf.net Host idefix.a3.surf.net Secret … AuthPort 1812 AcctPort 1813 StripFromReply Tunnel-Type,Tunnel-Medium-Type,\ Tunnel-Private-Group-ID,TRPZ-VLAN-Name AddToReply TRPZ-VLAN-Name=GuestVLAN </AuthBy> AcctLogFileName %L/proxied-accounting </Handler>

  13. Radiator example: EAP-TTLS <Handler Realm=surfnet.nl, TunnelledByTTLS=1> … </Handler> <Handler Realm=surfnet.nl, EAP-Message=/.+/> <AuthBy FILE> Filename %D/dummy EAPType TTLS # you can add: TLS, PEAP EAPTLS_CAFile %D/ca.pem EAPTLS_CertificateFile %D/server.crt EAPTLS_CertificateType PEM EAPTLS_PrivateKeyFile %D/server.key EAPTLS_PrivateKeyPassword secret EAPTLS_MaxFragmentSize 1024 AutoMPPEKeys SSLeayTrace 2 </AuthBy> </Handler> <Handler Realm=surfnet.nl, Request-Type=Accounting-Request> … </Handler>

  14. Radiator example: tunneled PAP Using POP3… <Handler Realm=surfnet.nl, TunnelledByTTLS=1> RewriteUsername s/^([^@]+).*/$1/ <AuthBy POP3> Host mail.institution.nl NoDefault AuthMode APOP # or BEST, PASS UseSSL </AuthBy> </Handler>

  15. Radiator example: tunneled PAP Using a (LDAP) directory server… <Handler Realm=surfnet.nl, TunnelledByTTLS=1> RewriteUsername s/^([^@]+).*/$1/ <AuthBy LDAP2> Host directory.surfnet.nl Version 3 BaseDN %0=%1,ou=Accounts,ou=Office,dc=surfnet,dc=nl Scope base UsernameAttr uid AuthAttrDef uid,X-UserID,request ServerChecksPassword </AuthBy> </Handler>

  16. Radiator example: TTLS and PEAP Using a Windows backend (domain/AD)… <Handler Realm=surfnet.nl, TunnelledByPEAP=1> <AuthBy LSA> EAPType MSCHAPv2 </AuthBy> </Handler> <Handler Realm=surfnet.nl, TunnelledByTTLS=1> <AuthBy LSA> #Domain SURFNET #DefaultDomain SURFNET #Group Administrators #DomainController dc.surfnet.nl </AuthBy> </Handler> For AuthBy LSA Radiator requires ActivePerl 5.6 and to run on a Windows platform

  17. Radiator under Windows AuthBy LSA requires Radiator under Windows. Running Radiator under Windows is not hard! • Get ActivePerl (from www.activeperl.com) • ppm install http://www.open.com.au/radiator/free-downloads/Win32-Lsa.ppd • ppm install http://theoryx5.uwinnipeg.ca/ppmpackages/Net_SSLeay.pm.ppd • Get Radiator • Run perl Makefile.PL install Run LSA as service or change “Act as part of the operating system” policy.

  18. Microsoft IAS 2003 – Clients & proxies

  19. Microsoft IAS 2003 – Create policy

  20. Microsoft IAS 2003 – Configure EAP

  21. eduroam infrastructure

  22. eduroam infrastructure flexiblity of RADIUS works!

  23. eduroam infrastructure grows rapidly!

  24. current infrastructure RADIUS has its drawbacks • RADIUS packet is “visible” on every hop this is not bad with EAP… • Traffic between hops is poor this is not bad with EAP… • Static routing (based on a @realm) requires configuration at institution and research network • Schalable, but: more connections = • more configuration • more load on the top-level servers more…

  25. current infrastructure UDP RADIUS transport “dead server”-detection hard if not properly configured…

  26. Something better… • Disabling redundant hierarchy • Faster • More secure (few places that see the data) • More reliable(less “points of failure”) • Better security on the transport-layer (tcp/ssl?) • Flexible configuration (lookup-service?)

  27. Options • DiameterRADIUS successor(Been around for quite some time…) • RadSecPart of Radiator • DNSROAM & RadSecExperimental part of Radiator

  28. RadSec and DNSROAM • RADIUS packet in TCP of SCTP more reliable, dead peer detection • Secured with TLS/PKI (optional) offers options for limiting participation/federation: • by certificates signed by a specific CA • validated by attributes in the certificate (not yet) • DNSROAM uses DNS as lookup-service • dynamic routing based on the RADIUS realm • possible to deploy for just a part of the infrastructure

  29. RadSec (image taken from Radiate / Test description and evaluation by Telematica Instituut)

  30. RadSec Replacing RADIUS with RadSec

  31. RadSec en DNSROAM

  32. RadSec Replacing static connections with dynamic ones

  33. RadSec en DNSROAM Completely dynamic Legacy connections remain possible (using a proxy)

  34. Conclusion • Clients and Institutions won’t have to worry about wireless technology: 802.1x is the future… while WPA is becoming commodity WEP is fine too. • No radical improvements required for the current infrastructure at an institution. • EAP is flexible and fits almost every existing backend, the future will bring more EAP-types (like SSO).

More Related