An Architectural Framework for Providing WLAN Roaming
D. Vassis, G. Kormentzas
Dept. of Information and Communication Systems Engineering, University of the Aegean, GR-83200 Karlovassi, Greece
E-mails: {divas;

ABSTRACT
The wireless revolution in the local area networking landscape has brought Wireless LAN (WLAN) technology to the foreground. In the emerging WLAN market, a significant number of different WLAN operators/providers are expected to claim their own portions of it. One of the basic client demands will be the provision of wireless connections in multiple WLAN settings in different domains/hot spots (e.g., hotels, airports, corporate environments, etc.). The need for global WLAN roaming is self-evident, given that a single WLAN operator/provider cannot possess (or even administer) all the possible WLAN settings in which one of its clients may require a wireless connection. Towards this direction, the paper discusses an architectural framework for providing WLAN roaming. The proposed framework conforms to the IEEE 802.11b (Wi-Fi) standard and adopts standards-based authentication mechanisms. Implementation issues of a prototype are also discussed.

KEYWORDS: Authentication, EAP, IEEE 802.1X, RADIUS, Roaming, WLAN.

I. INTRODUCTION
As the adoption of Wireless Local Area Networks (WLANs) grows rapidly in both corporate environments and public spaces, the local area networking landscape is being heavily reshaped. In this setting, a significant number of different WLAN Internet Service Providers (WISPs) are anticipated to emerge. The provision of secure roaming for WISP clients can be an important benefit for WISPs in order to strengthen their presence in the wireless market [1]. When a wireless user wants to join a WLAN, a subscription to the corresponding WISP is required. This can mainly be achieved either by a prepaid-time card (the user logs on to the WISP using the username and password inscribed on the prepaid-time card) or by a fixed account.
The WLAN roaming problem stems from the fact that a wireless user's subscription (through a prepaid-time card or a fixed account) is valid only in the WISP in which it was initially activated. In other words, in the current WLAN setting, when a wireless user (even one who already holds a WISP subscription) wishes to roam into a different WISP, a new prepaid-time card or fixed account is needed. Conforming to the IEEE 802.11b (Wi-Fi) standard [2], the paper discusses an architectural framework for roaming on WLANs. The framework adopts standards-based WLAN authentication mechanisms, allowing a wireless user to move across multiple WLAN settings administered by different WISPs. The rest of the paper is organised as follows: Section 2 outlines the basic WLAN authentication mechanisms used in the proposed roaming framework. Section 3 presents the framework, and Section 4 discusses implementation issues of a prototype wireless networking setting that will provide WLAN roaming according to the framework's design. Finally, Section 5 concludes the paper and gives some directions for future work.

II. BASIC WLAN AUTHENTICATION MECHANISMS
In a WLAN networking setting, a typical authentication procedure involves three elements (see Figure 1): the wireless user under authentication, the corresponding Access Point (AP), which provides wireless access to the user, and the Authentication Server, which actually performs the authentication operation.
[Figure 1: WLAN entities involved in an authentication procedure: Wireless User, AP, Authentication Server]

Typically, the authentication-purposed communication between the wireless user and the AP is achieved through the Extensible Authentication Protocol (EAP) [3] carried in EAP over LAN (EAPOL) frames as defined by IEEE 802.1X [4], while the corresponding communication between the AP and the authentication server is based on RADIUS (Remote Authentication Dial In User Service) [5], which carries the EAP packets in its EAP-Message attribute [10]. For securing this communication, the mentioned protocols rely on cryptographic hashing (MD5 [6], which RADIUS uses for computing the Response Authenticator and for hiding the User-Password attribute under the shared secret) and on public-key certificates [7] for certificate-based EAP methods such as EAP-TLS [8].

The major operational objective of the IEEE 802.1X protocol is to control the traffic flows running through the ports of an AP. Until the wireless user's credentials have been verified, the AP port serving the wireless terminal under authentication rejects all of the user's frames except EAPOL frames. Once the user's credentials are verified, the port accepts any type of legal traffic. Subsequently, the authenticated user obtains an IP address and gains access to the network services offered by the WLAN operator hosting the AP that participated in the authentication process.

EAPOL defines the frames needed for the communication between the wireless user and the AP during the authentication process; the EAP packets themselves are encapsulated in EAPOL-Packet frames [8]. The most significant EAP/EAPOL messages for the proposed roaming framework are:
EAP-Request: Through this message, an AP requests authentication information from a wireless user.
EAP-Response: A wireless user sends to an AP the requested authentication data.
EAP-Success: A wireless user is informed by an AP about the success of the authentication process.
EAP-Failure: A wireless user is informed by an AP about the failure of the authentication process.
EAPOL-Start: A wireless user (the 802.1X supplicant) asks an AP to begin an authentication session; the AP may also begin the exchange itself by sending an EAP-Request/Identity when it detects a new station.
EAPOL-Logoff: A wireless user informs an AP about its intention to close the session.

The RADIUS messages [9, 10] play a role similar to those of EAP, with the difference that RADIUS messages are carried in UDP datagrams, so IP connectivity between the AP and the RADIUS server must already exist (and that path can itself be protected, e.g., with IPsec [11, 12]). RADIUS also requires a shared secret to be configured between each RADIUS client (here the AP, or a server that proxies requests onward) and the server it talks to. The most significant RADIUS messages for the proposed roaming framework are:
Access-Request: An AP requests authentication of a user from the RADIUS server (i.e., the authentication server).
Access-Accept: The RADIUS server accepts the AP's request (the user's credentials are valid).
Access-Reject: The RADIUS server rejects the AP's request (the user's credentials are invalid).
Access-Challenge: The RADIUS server requests an AP to send further information concerning the credentials of a user.
Accounting-Request: An AP provides accounting information to the RADIUS server and requests that accounting operations take place.
Accounting-Response: The RADIUS server acknowledges receipt of the accounting information.

III. THE PROPOSED ROAMING FRAMEWORK
The term WLAN Community is one of the basic concepts of the proposed roaming framework. A WLAN community is created by the WISPs that are going to participate in the framework. Explicit Service Level Agreements (SLAs) define the collaboration terms (especially the accounting ones) among the participants of the community. A key module of the proposed architectural framework is a central database, which contains contact information records for all WISPs that participate in a particular WLAN community. Hereafter, we will refer to this database as the WISP server (WISPR). WISPR can be hosted by any WISP of the WLAN
community, while for achieving secure communication between WISPR and the WISPs a protocol such as SSL [13] can be adopted. The format of the WISPR records is given in Figure 2.

Figure 2: WISPR records (36 octets per record)
Name: 16 octets
Country Code: 3 octets
Provider Code: 5 octets
IP Address: 4 octets
Location: 8 octets

Outlining the fields of a particular WISP record in WISPR, we have the following:
Name: The name of the WISP.
Country Code: The country code of the WISP.
Provider Code: A code defined by WISPR. It is an abbreviation of the WISP name and facilitates WISP identification.
IP Address: The IP address of the RADIUS server owned by the particular WISP. It is assumed that this RADIUS server also holds the accounting information.
Location: The location of the WISP.

When a WISP wishes to become a member of the proposed roaming framework, it must upload its RADIUS server contact information to WISPR. At the same time, the WISP under registration retrieves the contact information of the other registered WISPs. Periodically (e.g., every day), a registered WISP informs WISPR about its current status. Both the registration and the update phases use the UDP messages shown in Figure 3. Note that SSL [13], suggested above for protecting the WISPR/WISP link, requires a reliable transport, so a protected deployment would have to carry these messages over TCP rather than UDP.

Figure 3: Exchanged messages between WISP and WISPR
Registration: WISP -> WISPR: Registration_Request; WISPR -> WISP: Registration_Challenge; WISP -> WISPR: Registration_Response; WISPR -> WISP: Registration_Retrieve; WISP -> WISPR: Registration_ACK
Periodic update: WISP -> WISPR: Update_Request; WISPR -> WISP: Update_Retrieve; WISP -> WISPR: Update_ACK

Commenting on the registration phase, a WISP sends a Registration_Request message to WISPR asking for registration. Through a Registration_Challenge message, WISPR asks the WISP under registration to provide the appropriate registration record (see Figure 2). The WISP provides the requested record by sending a Registration_Response message to WISPR. WISPR then informs the WISP about the contact information records of all the other registered WISPs through a Registration_Retrieve message.
The WISP acknowledges reception of the WISPR records by sending a Registration_ACK message to WISPR. For the periodic update phase, a registered WISP periodically sends WISPR an Update_Request message in order to retrieve new or changed WISPR records. If there are such records, WISPR provides them to the WISP through an Update_Retrieve message. The process is completed through an Update_ACK message sent from the WISP to WISPR.

Besides the retrieved WISPR records, each WISP participating in the WLAN roaming community keeps the corresponding profiling information records for its own served users. For each WISP, both the WISPR records and the user profiling records are stored in a respective local database. The format of the user profiling records is given in Figure 4.
Figure 4: WISP user profiling records
Country Code: 3 octets (part of the username)
Provider Code: 8 octets (part of the username)
User Code: 5 octets (part of the username)
Password: 32 octets
Date Registered: 8 octets
Time Spent/Remaining: 8 octets
Card Username: 32 octets
(The username is the concatenation Country Code | Provider Code | User Code. Note that Figure 2 gives the Provider Code a width of 5 octets whereas Figure 4 gives 8; the two records must use the same width, since the FISP matches the provider code extracted from a username against its copy of the WISPR records.)

Outlining the fields of a particular user record in the WISP local database, we have the following:
Country Code and Provider Code: The same fields as in the records of the WISPR database.
User Code: The user code provided by the WISP.
Password: The user password provided by the WISP.
Date Registered: The date on which the user account (either a prepaid-time card or a permanent subscription) was activated.
Time Spent/Remaining: For a permanent account, this field holds the total time the user has been connected to any of the WISPs participating in the roaming-enabled WLAN community. Over a given period this field is continuously increased, while periodically (e.g., every month) it is reset to zero. For a prepaid-time card, the field holds the user's remaining WLAN connection time. It is continuously decreased until the user's prepaid connection time expires.
Card Username: If a wireless user joins a WLAN community using a prepaid-time card, the username recorded on the card may not follow the username format depicted in Figure 4 (i.e., Country Code | Provider Code | User Code). For this purpose, the WISP keeps the card's username in the Card Username field and assigns the user (after the authentication phase) a new username conforming to the depicted format. It is assumed that the prepaid-time card is first activated in a WLAN area administered by the card provider.

Putting the presented concepts together, Figure 5 depicts the proposed architectural roaming framework.
[Figure 5: The proposed roaming framework. Elements shown: WLAN Community, WISPR, AP, FISP RADIUS server, HISP RADIUS server, the FISP's database of Registered WISPs and FISP Users, the HISP's database of Registered WISPs and HISP Users, the User, and the WWW.]

Home ISP (HISP) refers to the WLAN provider with which the wireless user was originally subscribed (using a prepaid-time card or a fixed account). The HISP includes its own RADIUS server and a local database hosting WISPR records (providing contact information for the other WISPs of the WLAN community) and profiling information records for the users currently served by the HISP. Analogously, Foreign ISP (FISP) is the remote WLAN provider to which the wireless user wishes to connect. The FISP includes its own RADIUS server and a local database with the corresponding records. The following subsection discusses an example operational scenario of the proposed roaming framework. The described framework actions are based on the EAP and RADIUS messages presented in Section 2.
A. AN EXAMPLE SCENARIO OF ROAMING OPERATION
Figure 6 demonstrates the functional operation of the proposed roaming framework in the case where a user registered with a home WLAN operator (i.e., the HISP) moves to another WLAN networking setting served by a different WLAN operator (i.e., the FISP), with which the user has neither an account nor a prepaid-time card. The Access Point (AP) of the FISP, which perceives the presence of a new wireless client, commences the user authentication through EAP Request messages (the sequence of the corresponding messages is depicted in Figure 6). Receiving the client's username (parameter MyID) through the appropriate EAP Response message, the AP creates and forwards to the FISP RADIUS server an appropriate RADIUS Access Request message asking for client authentication. The FISP RADIUS server examines the client's username (MyID) and extracts from it the corresponding HISP code (the Country Code and Provider Code prefix of the username format of Figure 4). It then consults its local database of WISP contact information (updated frequently from WISPR) and retrieves the IP address of the HISP RADIUS server. The FISP RADIUS server then sends the HISP RADIUS server a RADIUS Access Request message requesting authentication and accounting information for the examined client. In RADIUS terms the FISP server acts as a proxy towards the HISP server, so the two servers must share a RADIUS secret, and the correctness of the FISP's forwarding decision rests on the integrity of the address records it obtained from WISPR. The HISP RADIUS server asks for the client's password through a RADIUS Access Challenge message, which is first transmitted to the FISP RADIUS server, then passed to the appropriate AP, and finally reaches the client as an EAP Request message (Figure 6 uses the One-Time Password EAP method, EAP-OTP [3], so the request carries an OTP challenge). The client responds to the password request by sending its answer to the corresponding AP as an EAP Response message (parameter OTPpw). The AP creates the respective RADIUS Access Request message and forwards it to the FISP RADIUS server, which in turn forwards the RADIUS Access Request message to the HISP RADIUS server. The latter checks the client's credentials and either accepts or rejects the client.
For a successful authentication process (as in the case depicted in Figure 6), the HISP RADIUS server sends a RADIUS Access Accept message to the FISP RADIUS server, which delivers it to the appropriate AP. The latter informs the client about its successful authentication through an EAP Success message.

Figure 6: Exchanged messages for roaming (Client, AP, FISP RADIUS, HISP RADIUS). The figure opens with an authentication-request/acknowledgement exchange between Client and AP, followed by:
1. AP -> Client: EAP-Request/Identity
2. Client -> AP: EAP-Response/Identity (MyID)
3. AP -> FISP: Access-Request / EAP-Message / EAP-Response (MyID)
4. FISP -> HISP: Access-Request / EAP-Message / EAP-Response (MyID)
5. HISP -> FISP: Access-Challenge / EAP-Message / EAP-Request OTP / OTP Challenge
6. FISP -> AP: Access-Challenge / EAP-Message / EAP-Request OTP / OTP Challenge
7. AP -> Client: EAP-Request OTP / OTP Challenge
8. Client -> AP: EAP-Response / OTP, OTPpw
9. AP -> FISP: Access-Request / EAP-Message / EAP-Response OTPpw
10. FISP -> HISP: Access-Request / EAP-Message / EAP-Response OTPpw
11. HISP -> FISP: Access-Accept / EAP-Message / EAP-Success
12. FISP -> AP: Access-Accept / EAP-Message / EAP-Success
13. AP -> Client: EAP-Success
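As an added example (not code from the paper or its prototype), the following Python shows how the FISP RADIUS server's decision in the scenario above can be implemented over the fixed-width records of Figures 2 and 4: unpack a WISPR record, split MyID into its Country Code, Provider Code and User Code, and then either authenticate locally, proxy to the HISP RADIUS address found in the local copy of the WISPR database, or reject. It assumes ASCII text fields padded with spaces on the right, a 5-octet Provider Code in the username (the width Figure 2 uses), and the sample WISP records and class/function names are this example's own.

```python
"""Added example (not code from the paper or its prototype): how the FISP
RADIUS server can map a roaming user's identity to the home provider's
RADIUS server using the fixed-width records of Figures 2 and 4."""
from typing import Dict, List, Optional, Tuple

# Field layouts (name, width in octets) as given in the paper's figures.
WISPR_RECORD = (("name", 16), ("country_code", 3), ("provider_code", 5),
                ("ip_address", 4), ("location", 8))          # Figure 2, 36 octets
# Username format of Figure 4: Country Code | Provider Code | User Code.
# Assumption: the Provider Code is 5 octets, matching the WISPR record
# (Figure 4 draws it as 8 octets; both records must agree for matching).
USERNAME_LAYOUT = (("country_code", 3), ("provider_code", 5), ("user_code", 5))


def unpack_fixed(record: bytes, layout) -> Dict[str, str]:
    """Split a fixed-width record into named fields. Text fields are taken
    to be ASCII, space padded on the right (an assumption of this example);
    the 4-octet IP Address field is rendered as a dotted quad."""
    expected = sum(width for _, width in layout)
    if len(record) != expected:
        raise ValueError(f"record has {len(record)} octets, expected {expected}")
    fields, offset = {}, 0
    for name, width in layout:
        raw = record[offset:offset + width]
        offset += width
        if name == "ip_address":
            fields[name] = ".".join(str(b) for b in raw)
        else:
            fields[name] = raw.decode("ascii").rstrip(" ")
    return fields


def parse_username(username: str) -> Dict[str, str]:
    """Apply the Figure 4 username layout to a MyID string."""
    return unpack_fixed(username.encode("ascii"), USERNAME_LAYOUT)


class ForeignRadius:
    """The routing decision of the FISP RADIUS server in Section III.A."""

    def __init__(self, own_country: str, own_provider: str, wispr_records: List[bytes]):
        self.own = (own_country, own_provider)
        # Local copy of the WISPR database, keyed by (country, provider).
        self.home_servers: Dict[Tuple[str, str], str] = {}
        for rec in wispr_records:
            f = unpack_fixed(rec, WISPR_RECORD)
            self.home_servers[(f["country_code"], f["provider_code"])] = f["ip_address"]

    def route(self, my_id: str) -> Optional[str]:
        """Return the HISP RADIUS IP to proxy the Access-Request to, or None
        when the user belongs to this WISP and is authenticated locally.
        PermissionError models an immediate Access-Reject: a malformed
        identity or a provider outside the community (no SLA, nowhere to proxy)."""
        try:
            ident = parse_username(my_id)          # UnicodeEncodeError is a ValueError
        except ValueError:
            raise PermissionError("Access-Reject: malformed username")
        key = (ident["country_code"], ident["provider_code"])
        if key == self.own:
            return None
        try:
            return self.home_servers[key]
        except KeyError:
            raise PermissionError("Access-Reject: provider not in WLAN community")


def make_wispr_record(name, country, provider, ip, location) -> bytes:
    """Build a 36-octet WISPR record (constructed sample data)."""
    return (name.encode().ljust(16) + country.encode() + provider.encode().ljust(5)
            + bytes(int(x) for x in ip.split(".")) + location.encode().ljust(8))


# Constructed sample community: two WISPs registered with WISPR.
SAMPLE_WISPR = [
    make_wispr_record("Aegean WISP", "GRC", "AEGEA", "10.0.0.1", "Samos"),
    make_wispr_record("Airport WISP", "GRC", "ATHAP", "10.0.1.1", "Athens"),
]
FISP = ForeignRadius("GRC", "ATHAP", SAMPLE_WISPR)

if __name__ == "__main__":
    print(FISP.route("GRCAEGEA00042"))   # proxied to the HISP at 10.0.0.1
    print(FISP.route("GRCATHAP00007"))   # None: a local user of this WISP
```

Rejecting unknown providers locally, instead of attempting a lookup elsewhere, keeps the FISP from proxying credentials to any address that is not in its WISPR-derived table; the table itself is only as trustworthy as the WISPR exchange that populated it.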
After the successful client authentication, the FISP RADIUS server records the time the user remains connected. When the user asks to log off, the FISP RADIUS server informs the HISP RADIUS server about the log-off and the time the client remained connected to the FISP's network. Based on this information and the corresponding SLAs (Service Level Agreements) between the WISPs, the appropriate charging operations can be performed. In the case where the user owns a prepaid-time card, the FISP RADIUS server disconnects the user when the available time (known from the Time Spent/Remaining field of the corresponding record in the FISP database of users under service) expires. The messages exchanged for log-off are depicted in Figure 7. The client sends an EAPOL-Logoff message to the corresponding AP, informing it of its intention to log off. The AP sends the corresponding RADIUS Accounting Request message to the FISP RADIUS server, which forwards it to the HISP RADIUS server. The latter performs the necessary accounting operations so that the user's account is charged appropriately and sends a RADIUS Accounting Response message to the FISP RADIUS server, which passes it to the AP, completing the log-off process.

Figure 7: Exchanged messages for log-off (Client, AP, FISP RADIUS, HISP RADIUS)
1. Client -> AP: EAPOL-Logoff
2. AP -> FISP: Accounting-Request
3. FISP -> HISP: Accounting-Request
4. HISP -> FISP: Accounting-Response
5. FISP -> AP: Accounting-Response

IV. AN IMPLEMENTED PROTOTYPE
A prototype of the proposed roaming framework is under development. The prototype is intended to include a WLAN community hosting two virtual WLAN providers, each consisting of an AP and a RADIUS server. The two RADIUS servers (emulating the roles of the HISP and FISP RADIUS servers) and the prototype's WISPR server will be statically interconnected in a wired Ethernet topology.
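The time accounting described above, as an added example in Python (not the paper's or the prototype's code): it applies a finished session to the Time Spent/Remaining field for both account types, derives the forced-disconnect deadline the FISP needs for prepaid users, and builds the attributes of the RADIUS Accounting-Request (Stop) that the FISP forwards to the HISP. The (year, month) period tracking for the monthly reset, the clamping of an overrun session to the paid-for time, and the sample users are assumptions of this example; the attribute names come from RADIUS Accounting [9].

```python
"""Added example (not from the paper): time accounting for the two account
types of Section III, as the FISP/HISP servers would apply it at log-off."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass
class UserRecord:
    """Subset of the Figure 4 profiling record needed for accounting."""
    username: str
    prepaid: bool              # prepaid-time card vs. permanent account
    time_field: timedelta      # Figure 4 "Time Spent/Remaining":
                               # remaining time if prepaid, accumulated time otherwise
    period: tuple = (1970, 1)  # (year, month) the accumulated time refers to
                               # (assumption: the monthly reset mentioned in the paper)


def session_deadline(rec: UserRecord, start: datetime) -> Optional[datetime]:
    """When the FISP must forcibly disconnect the user: prepaid users at the
    moment their remaining time runs out, permanent users never."""
    if not rec.prepaid:
        return None
    return start + rec.time_field


def close_session(rec: UserRecord, start: datetime, stop: datetime) -> Dict[str, object]:
    """Account for a finished session and return the content of the RADIUS
    Accounting-Request (Stop) the FISP forwards to the HISP (RFC 2866
    attribute names; the values are constructed here)."""
    if stop < start:
        raise ValueError("session stop precedes start")
    deadline = session_deadline(rec, start)
    if deadline is not None and stop > deadline:
        # A prepaid user may not be billed past the time actually paid for;
        # the FISP should already have disconnected at the deadline.
        stop = deadline
    connected = stop - start
    if rec.prepaid:
        rec.time_field -= connected                 # field counts down
    else:
        current = (stop.year, stop.month)
        if current != rec.period:                   # monthly reset to zero
            rec.time_field = timedelta(0)
            rec.period = current
        rec.time_field += connected                 # field counts up
    return {
        "Acct-Status-Type": "Stop",
        "User-Name": rec.username,
        "Acct-Session-Time": int(connected.total_seconds()),
    }


def prepaid_exhausted(rec: UserRecord) -> bool:
    """True when a prepaid card has no time left and the HISP should reject
    further Access-Requests for this user."""
    return rec.prepaid and rec.time_field <= timedelta(0)


if __name__ == "__main__":
    # Constructed sample: a prepaid card with 30 minutes left, used for 10.
    card = UserRecord("GRCAEGEA00042", prepaid=True, time_field=timedelta(minutes=30))
    t0 = datetime(2002, 6, 1, 10, 0)
    print(session_deadline(card, t0))
    print(close_session(card, t0, t0 + timedelta(minutes=10)))
    print(card.time_field, prepaid_exhausted(card))
```

The clamp matters because the FISP, not the HISP, enforces the cut-off: if a Stop record ever arrives with more time than the card held, the HISP should treat the overrun as a FISP-side fault to be settled under the SLA rather than as debt owed by the user.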
Among the variety of RADIUS servers developed by several vendors, the prototype under implementation will adopt the open-source FreeRADIUS server [14], which runs on both Windows and Linux platforms. It is planned that FreeRADIUS will be installed without any software changes on the APs (running Windows XP) of the prototype [15, 16]. Some software modifications (according to the design guidelines of the previous section) are anticipated for the installation of FreeRADIUS on the HISP and FISP servers. Specifically, the state transition diagrams of Figures 8-10 will be implemented.

Figure 8: State transition diagram for the AP
States: DISCONNECTED, CONNECTING, AUTHENTICATING, AUTHENTICATED
Transition labels: Access Accept; Access Reject; (Access Reject && reauthcount = reauthmax); EAP Logoff (shown twice)
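An executable reading of the AP diagram of Figure 8, added here as an example (not code from the paper or its FreeRADIUS prototype), combined with the 802.1X controlled-port rule from Section II. The diagram's arrows are not spelled out in the text, so their interpretation is this example's assumption: Access Accept moves AUTHENTICATING to AUTHENTICATED, a plain Access Reject returns the port to CONNECTING for another attempt, the reject that reaches reauthmax drops the port to DISCONNECTED, and EAP Logoff leads to DISCONNECTED from any state. The event names and the reauth_max default are also assumptions.

```python
"""Added example (not from the paper): the AP port state machine of Figure 8
plus the 802.1X controlled-port rule of Section II. The arrow endpoints
are an interpretation of the diagram, not given in the paper's text."""
from enum import Enum


class State(Enum):
    DISCONNECTED = "DISCONNECTED"
    CONNECTING = "CONNECTING"
    AUTHENTICATING = "AUTHENTICATING"
    AUTHENTICATED = "AUTHENTICATED"


class ApPort:
    """802.1X authenticator port for one wireless station."""

    def __init__(self, reauth_max: int = 3):
        self.state = State.DISCONNECTED
        self.reauth_count = 0          # authentication attempts in this association
        self.reauth_max = reauth_max   # "reauthmax" of Figure 8

    def on_event(self, event: str) -> State:
        """Advance the machine on one event and return the new state.
        Events: 'EAPOL-Start', 'EAP-Response/Identity', 'Access-Accept',
        'Access-Reject', 'EAPOL-Logoff'. Events the current state does not
        expect are ignored (no transition)."""
        s = self.state
        if event == "EAPOL-Logoff":
            self._disconnect()         # EAP Logoff -> DISCONNECTED from anywhere
        elif s is State.DISCONNECTED and event == "EAPOL-Start":
            self.state = State.CONNECTING
        elif s is State.CONNECTING and event == "EAP-Response/Identity":
            self.reauth_count += 1     # one more authentication attempt
            self.state = State.AUTHENTICATING
        elif s is State.AUTHENTICATING and event == "Access-Accept":
            self.reauth_count = 0
            self.state = State.AUTHENTICATED
        elif s is State.AUTHENTICATING and event == "Access-Reject":
            if self.reauth_count >= self.reauth_max:
                self._disconnect()     # (Access Reject && reauthcount = reauthmax)
            else:
                self.state = State.CONNECTING
        return self.state

    def _disconnect(self) -> None:
        self.state = State.DISCONNECTED
        self.reauth_count = 0

    def forwards(self, frame_type: str) -> bool:
        """Controlled-port rule: until the station is AUTHENTICATED only
        EAPOL frames pass; afterwards all legal traffic does."""
        if frame_type == "EAPOL":
            return True
        return self.state is State.AUTHENTICATED


def run(events, reauth_max: int = 3) -> State:
    """Drive a fresh port through a list of events and return the end state."""
    port = ApPort(reauth_max)
    for ev in events:
        port.on_event(ev)
    return port.state


if __name__ == "__main__":
    port = ApPort(reauth_max=2)
    for ev in ["EAPOL-Start", "EAP-Response/Identity", "Access-Reject",
               "EAP-Response/Identity", "Access-Reject"]:
        print(ev, "->", port.on_event(ev).value)
    print("IP frame forwarded?", port.forwards("IP"))
```

Bounding the retries with reauthmax is what keeps a station that never produces valid credentials from holding the port in a CONNECTING/AUTHENTICATING loop indefinitely; the port only opens to non-EAPOL traffic once the RADIUS Access-Accept has been relayed.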
Figure 9: State transition diagram for the FISP
States: UNAUTH/ED, AUTH/TING, AUTH/ED, ACCOUNTING
Transition labels: Access Request; Access Accept; Access Reject; Accounting Request

Figure 10: State transition diagram for the HISP
States: UNAUTH/TED, AUTH/TING, AUTH/ED, ACCOUNTING
Transition labels: Access Request; Usern/Passwd Valid; Usern/Passwd Invalid; Accounting Request

The 802.1X protocol will be implemented without any software changes. The fact that the Windows XP operating platform (planned to run on both the APs and the wireless clients of the prototype) supports it [17] will greatly facilitate the protocol implementation. The MySQL database [18] will be used for the WISPR implementation. The messages exchanged between WISPR and HISP/FISP (described in the previous section) will form the basis for the implementation of the WISPR transactions.

V. CONCLUSIONS
Given that there is currently no established standard or industry practice for WLAN roaming, the paper proposes a simple architectural framework for roaming on WLANs. The proposed framework conforms to the IEEE 802.11b (Wi-Fi) standard and adopts standards-based authentication mechanisms. Specifically, the EAP/802.1X protocol is used without any modifications, while a small extension of the RADIUS protocol is required. A prototype of the proposed roaming framework is under development and is expected to be finalised in the near future. The prototype will validate both the functionality and the efficiency of the proposed framework. Another future direction of this work will concern the comparison of the discussed roaming framework with other similar ongoing activities performed by WECA (the industry body behind Wi-Fi certification), the IETF, and 3GPP.

VI. REFERENCES
[1] VeriSign Inc., Secure Global Roaming for WLANs.
[2] IEEE 802.11, IEEE Standard for Information Technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specification.
[3] L. Blunk and J. Vollbrecht, PPP Extensible Authentication Protocol (EAP), RFC 2284, IETF, March.
[4] IEEE 802.1X, IEEE Standard for Local and Metropolitan Area Networks - Part 1X: Port Based Network Access Control.
[5] C. Rigney, S. Willens, A. Rubens and W. Simpson, Remote Authentication Dial In User Service (RADIUS), RFC 2865, IETF, June.
[6] R. Rivest, The MD5 Message Digest Algorithm, RFC 1321, IETF, April.
[7] C. Adams and S. Farrell, Internet X.509 Public Key Infrastructure Certificate Management Protocols, RFC 2510, IETF, March.
[8] B. Aboba and D. Simon, PPP EAP TLS Authentication Protocol, RFC 2716, IETF, October.
[9] C. Rigney, RADIUS Accounting, RFC 2866, IETF, June.
[10] C. Rigney, W. Willats and P. Calhoun, RADIUS Extensions, RFC 2869, IETF, June.
[11] S. Kent and R. Atkinson, IP Authentication Header, RFC 2402, IETF, November.
[12] S. Kent and R. Atkinson, IP Encapsulating Security Payload (ESP), RFC 2406, IETF, November.
[13] A. Frier, P. Karlton and P. Kocher, The SSL 3.0 Protocol Version 3.0. Information available online.
[14] FreeRADIUS RADIUS server. Information available online.
[15] K. Rosen, HOWTO: Setup for FreeRADIUS and Windows XP supplicant, April.
[16] A. Sulmicki, HOWTO on EAP/TLS authentication between FreeRADIUS and Windows XP, April.
[17] J. Davies, Enterprise Deployment of IEEE 802.1X using Windows XP and Windows 2000 Internet Authentication Service, Microsoft Corporation, March.
[18] MySQL Database. Information available online.
More informationvwlan External RADIUS 802.1x Authentication
6ABSCG0002-29B July 2013 Configuration Guide vwlan External RADIUS 802.1x Authentication This configuration guide provides an in-depth look at external Remote Authentication Dial-In User Service (RADIUS)
More informationNetwork Access Control and Cloud Security
Network Access Control and Cloud Security Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/
More information3GPP TS 29.161 V6.3.0 (2007-12)
TS 29.161 V6.3.0 (2007-12) Technical Specification 3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Interworking between the Public Land Mobile Network (PLMN)
More informationEnabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches
print email Article ID: 4941 Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches Objective In an ever-changing business environment, your
More informationSecurity. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1
Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions
More informationChapter 5. Data Communication And Internet Technology
Chapter 5 Data Communication And Internet Technology Purpose Understand the fundamental networking concepts Agenda Network Concepts Communication Protocol TCP/IP-OSI Architecture Network Types LAN WAN
More informationThe following chart provides the breakdown of exam as to the weight of each section of the exam.
Introduction The CWSP-205 exam, covering the 2015 objectives, will certify that the successful candidate understands the security weaknesses inherent in WLANs, the solutions available to address those
More informationDesign of a Network Security Testing Environment
Design of a Network Security Testing Environment T. Andrew Yang (yang@cl.uh.edu) 1 Overview The primary objective of designing a high-speed networking environment is to build a set of interconnected networks
More informationConfiguring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication
Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication This application note describes how to authenticate users on a Cisco ISA500 Series security appliance. It includes these
More information802.1X AUTHENTICATION IN ACKSYS BRIDGES AND ACCESS POINTS
APPLICATION NOTE Ref APNUS004 rev. A-0, March 08, 2007 802.1X AUTHENTICATION IN ACKSYS BRIDGES AND ACCESS POINTS Why? In addition to MAC address filtering, ACKSYS products support a more reliable authentication
More informationDATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0
DATA SECURITY 1/12 Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 Contents 1. INTRODUCTION... 3 2. REMOTE ACCESS ARCHITECTURES... 3 2.1 DIAL-UP MODEM ACCESS... 3 2.2 SECURE INTERNET ACCESS
More informationComputer Networks. Secure Systems
Computer Networks Secure Systems Summary Common Secure Protocols SSH HTTPS (SSL/TSL) IPSec Wireless Security WPA2 PSK vs EAP Firewalls Discussion Secure Shell (SSH) A protocol to allow secure login to
More informationRADIUS Authentication and Accounting
5 RADIUS Authentication and Accounting Contents Overview...................................................... 5-2 Terminology................................................... 5-3 Switch Operating Rules
More informationApplication Note User Groups
Application Note User Groups Application Note User Groups Table of Contents Background... 3 Description... 3 Benefits... 4 Theory of Operation... 4 Interaction with Other Features... 6 Configuration...
More informationWIRELESS SECURITY IN 802.11 (WI-FI ) NETWORKS
January 2003 January WHITE 2003 PAPER WIRELESS SECURITY IN 802.11 (WI-FI ) NETWORKS With the increasing deployment of 802.11 (or Wi-Fi) wireless networks in business environments, IT organizations are
More informationParticularities of security design for wireless networks in small and medium business (SMB)
Revista Informatica Economică, nr. 4 (44)/2007 93 Particularities of security design for wireless networks in small and medium business (SMB) Nicolae TOMAI, Cluj-Napoca, Romania, tomai@econ.ubbcluj.ro
More informationWireless Security. New Standards for 802.11 Encryption and Authentication. Ann Geyer 209-754-9130 ageyer@tunitas.com www.tunitas.
Wireless Security New Standards for 802.11 Encryption and Authentication Ann Geyer 209-754-9130 ageyer@tunitas.com www.tunitas.com National Conference on m-health and EOE Minneapolis, MN Sept 9, 2003 Key
More informationEnabling WISPr (Hotspot Services) in the ZoneDirector
A P P L I C A T I O N N O T E Enabling WISPr ( Services) in the Introduction This document describes the WISPr support (hotspot service) for. Unauthenticated users: The users who have not passed authentication
More informationALL1682511. 500Mbits Powerline WLAN N Access Point. User s Manual
ALL1682511 500Mbits Powerline WLAN N Access Point User s Manual Contents 1. Introduction...1 2. System Requirements...1 3. Configuration...1 4. WPS...9 5. Wireless AP Settings...9 6. FAQ... 15 7. Glossary...
More informationETSI TS 129 161 V10.0.1 (2011-04) Technical Specification
TS 129 161 V10.0.1 (2011-04) Technical Specification Universal Mobile Telecommunications System (UMTS); LTE; Interworking between the Public Land Mobile Network (PLMN) supporting packet based services
More informationClickShare Network Integration
ClickShare Network Integration Application note 1 Introduction ClickShare Network Integration aims at deploying ClickShare in larger organizations without interfering with the existing wireless network
More informationConfiguring Security Solutions
CHAPTER 3 This chapter describes security solutions for wireless LANs. It contains these sections: Cisco Wireless LAN Solution Security, page 3-2 Using WCS to Convert a Cisco Wireless LAN Solution from
More informationThe Use of Mikrotik Router Boards With Radius Server for ISPs.
The Use of Mikrotik Router Boards With Radius Server for ISPs. By Zaza Zviadadze, Irakli Nozadze. Intellcom Group, Georgia. RouterOS features for ISP s RouterOS reach features gives possibilities to ISP
More informationRouterOS with Radius Server for Android
RouterOS with Radius Server for Android PRESENTED BY MANA KAEWCHAROEN 22 MAY 2014 MUM in Bangkok, Thailand About me Mana Kaewcharoen MikroTik user since May 2013 MikroTik Trainer since Feb 2014 Coordinator
More informationTrustSec How-To Guide: On-boarding and Provisioning
TrustSec How-To Guide: On-boarding and Provisioning For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 2 Introduction...
More information802.11b Wireless LAN Authentication, Encryption, and Security
802.11b Wireless LAN Authentication, Encryption, and Security Young Kim ELEN 6951 1. Abstract With the rapid growth of wireless local area network, security has been the number one concern in this arena
More informationOn-boarding and Provisioning with Cisco Identity Services Engine
On-boarding and Provisioning with Cisco Identity Services Engine Secure Access How-To Guide Series Date: April 2012 Author: Imran Bashir Table of Contents Overview... 3 Scenario Overview... 4 Dual SSID
More informationRA-MPLS VPN Services. Kapil Kumar Network Planning & Engineering Data. E-mail: Kapil.Kumar@relianceinfo.com
RA-MPLS VPN Services Kapil Kumar Network Planning & Engineering Data E-mail: Kapil.Kumar@relianceinfo.com Agenda Introduction Why RA MPLS VPNs? Overview of RA MPLS VPNs Architecture for RA MPLS VPNs Typical
More informationVantage RADIUS 50. Quick Start Guide Version 1.0 3/2005
Vantage RADIUS 50 Quick Start Guide Version 1.0 3/2005 1 Introducing Vantage RADIUS 50 The Vantage RADIUS (Remote Authentication Dial-In User Service) 50 (referred to in this guide as Vantage RADIUS)
More informationCertified Wireless Security Professional (CWSP) Course Overview
Certified Wireless Security Professional (CWSP) Course Overview This course will teach students about Legacy Security, encryption ciphers and methods, 802.11 authentication methods, dynamic encryption
More informationWhite paper. Testing for Wi-Fi Protected Access (WPA) in WLAN Access Points. http://www.veryxtech.com
White paper Testing for Wi-Fi Protected Access (WPA) in WLAN Access Points http://www.veryxtech.com White Paper Abstract Background The vulnerabilities spotted in the Wired Equivalent Privacy (WEP) algorithm
More informationChapter 9. IP Secure
Chapter 9 IP Secure 1 Network architecture is usually explained as a stack of different layers. Figure 1 explains the OSI (Open System Interconnect) model stack and IP (Internet Protocol) model stack.
More informationpfsense Captive Portal: Part One
pfsense Captive Portal: Part One Captive portal forces an HTTP client to see a special web page, usually for authentication purposes, before using the Internet normally. A captive portal turns a web browser
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication Objectives Define authentication Describe the different types of authentication credentials List and explain the
More informationCisco TrustSec How-To Guide: Guest Services
Cisco TrustSec How-To Guide: Guest Services For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 2 Introduction...
More informationThe next generation of knowledge and expertise Wireless Security Basics
The next generation of knowledge and expertise Wireless Security Basics HTA Technology Security Consulting., 30 S. Wacker Dr, 22 nd Floor, Chicago, IL 60606, 708-862-6348 (voice), 708-868-2404 (fax), www.hta-inc.com
More informationHuawei WLAN Authentication and Encryption
Huawei WLAN Authentication and Encryption The Huawei integrated Wireless Local Area Network (WLAN) solution can provide all-round services for municipalities at various levels and enterprises and institutions
More information9243060 Issue 1 EN. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation
9243060 Issue 1 EN Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation Nokia 9300i Configuring connection settings Nokia 9300i Configuring connection settings Legal Notice
More informationLecture 4b AAA protocols (Authentication Authorization Accounting)
Lecture 4b AAA protocols (Authentication Authorization Accounting) Network security (19265400 / 201000086) Lecturers: Aiko Pras Pieter-Tjerk de Boer Anna Sperotto Ramin Sadre Georgios Karagiannis Lecture
More informationConfiguring RADIUS Servers
CHAPTER 13 This chapter describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS), that provides detailed accounting information and flexible administrative control
More informationMobility Task Force. Deliverable F. Inventory of web-based solution for inter-nren roaming
Mobility Task Force Deliverable F Inventory of web-based solution for inter-nren roaming Version 1.1 Authors: Sami Keski-Kasari , Harri Huhtanen Contributions: James
More informationSecurity in IEEE 802.11 WLANs
Security in IEEE 802.11 WLANs 1 IEEE 802.11 Architecture Extended Service Set (ESS) Distribution System LAN Segment AP 3 AP 1 AP 2 MS MS Basic Service Set (BSS) Courtesy: Prashant Krishnamurthy, Univ Pittsburgh
More informationCase Study for Layer 3 Authentication and Encryption
CHAPTER 2 Case Study for Layer 3 Authentication and Encryption This chapter explains the basic tasks for configuring a multi-service, extranet Virtual Private Network (VPN) between a Cisco Secure VPN Client
More informationADDENDUM 12 TO APPENDIX 8 TO SCHEDULE 3.3
ADDENDUM 12 TO APPENDIX 8 TO SCHEDULE 3.3 TO THE Overview EXHIBIT T to Amendment No. 60 Secure Wireless Network Services are based on the IEEE 802.11 set of standards and meet the Commonwealth of Virginia
More informationFreeRADIUS server. Defining clients Access Points and RADIUS servers
FreeRADIUS server Freeradius (http://www.freeradius.org) is a very powerfull/configurable and freely available opensource RADIUS server. ARNES recommends it for the organisations that connect to ARNES
More informationWireless Networking Basics. NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA
Wireless Networking Basics NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA n/a October 2005 2005 by NETGEAR, Inc. All rights reserved. Trademarks NETGEAR and Auto Uplink are trademarks
More informationGigaset IP and IP-PRO Phones Provisioning / Remote Management. last modifications by J. Stahl, Bocholt, January the 18 th 2011
Gigaset IP and IP-PRO Phones Provisioning / Remote Management last modifications by J. Stahl, Bocholt, January the 18 th 2011 Agenda Provisioning / Remote Management for Gigaset IP phones Introduction
More informationU.S. Patent Appl. No. 13/247.308 filed September 28, 2011 NETWORK ADDRESS PRESERVATION IN MOBILE NETWORKS TECHNICAL FIELD
U.S. Patent Appl. No. 13/247.308 filed September 28, 2011 NETWORK ADDRESS PRESERVATION IN MOBILE NETWORKS TECHNICAL FIELD [0001] The disclosure relates to mobile networks and, more specifically, to wireless
More informationSymm ym e m t e r t ic i c cr c yptogr ypt aphy a Ex: RC4, AES 2
Wi-Fi Security FEUP>MIEIC>Mobile Communications Jaime Dias Symmetric cryptography Ex: RC4, AES 2 Digest (hash) Cryptography Input: variable length message Output: a fixed-length bit
More informationNetwork Access Control ProCurve and Microsoft NAP Integration
HP ProCurve Networking Network Access Control ProCurve and Microsoft NAP Integration Abstract...2 Foundation...3 Network Access Control basics...4 ProCurve Identity Driven Manager overview...5 Microsoft
More informationThe Security Framework 4.1 Programming and Design
Tel: (301) 587-3000 Fax: (301) 587-7877 E-mail: info@setecs.com Web: www.setecs.com Security Architecture for Development and Run Time Support of Secure Network Applications Sead Muftic, President/CEO
More informationTable of Contents. Cisco Wi Fi Protected Access 2 (WPA 2) Configuration Example
Table of Contents Wi Fi Protected Access 2 (WPA 2) Configuration Example...1 Document ID: 67134...1 Introduction...1 Prerequisites...1 Requirements...1 Components Used...2 Conventions...2 Background Information...2
More informationEduroam wireless network Windows Vista
Eduroam wireless network Windows Vista university for the creative arts How to configure laptop computers to connect to the eduroam wireless network Contents Contents Introduction Prerequisites Instructions
More informationUnderstanding the Cisco VPN Client
Understanding the Cisco VPN Client The Cisco VPN Client for Windows (referred to in this user guide as VPN Client) is a software program that runs on a Microsoft Windows -based PC. The VPN Client on a
More informationNCP Secure Enterprise Management Next Generation Network Access Technology
Data Sheet NCP Secure Enterprise Management Next Generation Network Access Technology General description NCP Secure Enterprise Management is the central component of the NCP Next Generation Network Access
More informationHow To Secure A Wireless Network With A Wireless Device (Mb8000)
MB8000 Network Security and Access Control Overview MB8000 employs almost all of the current popular WLAN security mechanisms. These include wireless-user isolation, closed system (by turning off SSID
More informationWiNG 5.x How-To Guide
WiNG 5.x How-To Guide Remote Debugging Part No. TME-02-2012-01 Rev. A MOTOROLA, MOTO, MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark Holdings,
More information