Belnet Networking Conference 2013 Thursday 12 December 2013 @ http://events.belnet.be
Workshop roaming services: eduroam / govroam
Belnet, Aris Adamantiadis, Nicolas Loriau
Bruxelles, 05 December 2013

Agenda
- 13h30 Introduction
- 14h00 Technical infrastructure
- 14h30 Coffee break
- 14h45 How to implement (Linux or Windows session)
- 16h30 Best practices and conclusions
- 17h00 Networking drink
Roundtable
- Name and organization?
- Experiences with Belnet?
- Expectations for today's workshop?
Overview of Belnet Services
What is it?
eduroam (EDUcation ROAMing)
- Simple and secure access to wifi network
- Terena project to provide students access to internet
- For research and education institutions
- http://www.eduroam.be
govroam (GOVernment ROAMing)
- Simple and secure access to wifi network
- Belnet initiative based on eduroam technologies
- For governmental institutions, administrations, ...
- http://www.govroam.be

Why?
- Increased mobility: users can make use of the Wifi infrastructure at other members
- Easy: users only need their home organization account to log in
- Secure: centralized accounts, no local copies
- Cost effective: included with your connectivity
Technical framework
Technical infrastructure
- Technical Framework: Principles, Components, Authentication flow
- Demo: Objectives, Test environment, Installation on Linux (Radiator, Freeradius) and Windows (W2K8R2 NPS)
- Future of the service

Principles
To install roaming services, you need:
- Wi-Fi access points and/or 802.1x switches
- RADIUS server
- User database / LDAP / AD
Based on a hierarchy of RADIUS servers: your only point of contact is Belnet
Principles
It is:
- A trust-based relationship between members
- An agreement on roaming technologies
Chain of trust:
- All direct peers must be known beforehand
- Shared secrets must be exchanged out-of-band
- Agreement on authentication protocols & methods
Principles: Hierarchy of authentication servers
[Diagram: Federation, Belgian Top-Level AS, Institution AS for Institution-A.be and Institution-B.be]

Principles: Hierarchy of authentication servers, eduroam
[Diagram: eduroam hierarchy]

Components: Client / Supplicant
- Software on the end user's device which handles network authentication
- Minimum requirements: WPA2, EAP-TTLS, PEAP enabled
Components: Network Access Server / Authenticator / Service Provider
- IEEE 802.1X enabled switch or wireless access point which gives Clients access to the (W)LAN
- Separate VLAN for home and visiting end users

Components: Authentication Server / Identity Provider
- Remote Authentication Dial In User Service compliant (RFC 2865/2866)
- NOT a user database
- Authenticates home end users against the local user database
- Forwards requests of visiting end users
- Software: Radiator, FreeRADIUS, MS Windows 2008R2 with NPS, others
Components: User identity source
- LDAP/AD
- Local database / SQL

Protocols and Methods: EAP Framework
- Extensible Authentication Protocol (RFC 5247)
- NOT a wire protocol nor an authentication mechanism
- Defines authentication data formats
- Negotiates which authentication method/type should be used
Protocols & Methods: EAP Methods/Types, "How does EAP authenticate"
- Uses the EAP framework to remotely authenticate the end user's credentials to their home institute's Identity Provider
- 40+ different methods exist: use common secure ones!
- Outer Authentication: EAP-TTLS (RFC 5281), PEAP
- Inner Authentication: MSCHAPv2 (RFC 2759)

Protocols & Methods: EAP Encapsulation, "How EAP can be transported"
- In order to transport EAP messages, they must be encapsulated
- Between client and SP (802.1x): EAP over LAN = EAPOL
- Between SP & IdP, IdP & IdP: RADIUS
Security
Outer authentication
- Goal: securely transport the EAP messages between peers
- Authenticate the server (to avoid MitM attacks)
- PEAP, EAP-TTLS
Inner authentication
- Transmit unique user attributes (credentials) via MSCHAPv2

Security
- EAP, 802.1X and RADIUS must be secured
- Choice of security mechanisms is important
[Diagram: Client user@institution-b.be, Service Provider Institution-A.be, Identity Provider Institution-A.be]
Authentication Flow, National Level (steps 1-11)
[Diagram: Client user@institution-b.be, Service Provider Institution-A.be, Identity Provider Institution-A.be, Belgian Top-Level Radius, Identity Provider Institution-B.be]
1. The User contacts the Service Provider (SP) (wireless access point) of institution A (SSID = govroam).
2. The SP of institution A asks for the user's identity. Not yet the credentials!
3. The user identity is transmitted to the Identity Provider (IdP) (RADIUS server) of institution A using an EAP Access-Request message.
4. Based on the identity, the IdP of institution A knows that the user doesn't belong to its own user database and transmits the Access-Request to the Belgian RADIUS server.
5. Based on the realm part of the identity, the Belgian RADIUS server transmits the Access-Request to the RADIUS server of institution B.
6a. Now the IdP of institution B knows the User, and a TLS tunnel is established between the User and the RADIUS server using the EAP encapsulation mechanism (outer authentication).
6b. During TLS establishment, the User checks the RADIUS server certificate of his institution.
7. Now the User is authenticated against its own institute's IdP, using traditional mechanisms (challenges, certificates, token, ...) (inner authentication).
8. If the User is correctly authenticated, the RADIUS server of institution B sends an Access-Accept to the Belgian RADIUS server, otherwise it sends an Access-Reject.
9. The Belgian RADIUS server sends the Access-Accept to institution A.
10. The IdP of institution A tells its SP to grant access to the User and provides all information related to the local access policy (VLAN, IP address, ...).
11. The User can now access the LAN and the Internet.
How to implement + Demo
How to implement
Objectives:
- Configuration of RADIUS server: using Radiator, using FreeRADIUS, using W2K8
- Authenticate users against test domain ta.belnet.be
- Discuss other options
- Best practices

Prerequisites (out of scope)
Wi-Fi access point that must:
- be IEEE 802.1X compliant
- broadcast the SSID "eduroam" or "govroam"
- offer IEEE 802.11b or better
- implement WPA/TKIP or better (Belnet strongly recommends WPA2-AES!)
- allow traffic on defined ports (please refer to govroam)
User database:
- LDAP
- Active Directory

Prerequisites (out of scope)
Server certificates
- Don't use a self-signed server certificate
- Successfully import server & chain certificate into Windows
- Use dcs.belnet.be to get a free signed server certificate
Correct server time
- Important for the setup of TLS tunnels
- Use Belnet's NTP server time.belnet.be to get the correct time
Firewalls & ports
- UDP 1812
- UDP 1813
Demo environment: Components overview
[Diagram: Belnet Radius, WAP + CTRL, RADIUS, Identity server (AD or LDAP)]

Hierarchy
[Diagram: Federation, Belgian Top-Level AS belnet.be, Institution AS ta.belnet.be]
Radiator Installation
Why Radiator?
- Belnet uses this product
- Easy & straightforward to deploy on Linux, Windows, ...
- Broad support for Identity & Access Management backends
- One of the first solutions which supported RadSec
Server set-up:
- Ubuntu Server 12.04 LTS out-of-the-box
- Radiator 4.9 for a virtual home organization ta.belnet.be in a Linux environment
- Valid server certificate

Freeradius Installation
Why Freeradius?
- Free
- Easy to deploy on Linux, Windows, ...
- Broad support for Identity & Access Management backends
- Now supports RadSec
Server set-up:
- Ubuntu Server 12.04 LTS out-of-the-box
- Latest freeradius version for virtual home organization ta.belnet.be
- Valid server certificate

W2K8 R2 NPS Installation
Why NPS?
- Best option in a Windows environment
- Easy to deploy on Windows, ...
- Broad support for Identity & Access Management backends
- Easy link to AD
Server set-up:
- Windows 2008 Server R2 with NPS
- Valid server certificate
Radius server installation
[Diagram: Belnet Radius, WAP + CTRL, RADIUS, LDAP/AD]
Steps:
- Configuring RADIUS client (wlan controller)
- Configuring the remote RADIUS
- Configuring proxy RADIUS
- Link with LDAP
- Configuring top level RADIUS

Registration @ Belnet
govroam web-interface: facilitate the configuration of your govroam parameters
- RADIUS servers
- Shared secrets
- Test accounts
Authentication Flow 1: local - local
[Diagram: Belgian Top-Level Radius roaming1.belnet.be / roaming2.belnet.be, ta.belnet.be RADIUS + LDAP, wlan-ctrl, SSID = xxxroam]
A user from local institution ta.belnet.be (user@ta.belnet.be) will send an access request to the local xxxroam WLAN.

Authentication Flow 2: remote - local
[Diagram: Belgian Top-Level Radius roaming1.belnet.be / roaming2.belnet.be, ta.belnet.be Radius, radius.belnet.be, ldap.belnet.be, wlan-ctrl, SSID = xxxroam]
A remote user from Belnet (user@belnet.be) will send an access request to the local xxxroam WLAN.

Authentication Flow 3: local - remote
[Diagram: Belgian Top-Level Radius roaming1.belnet.be / roaming2.belnet.be, ldap.belnet.be, ta.belnet.be RADIUS + LDAP, wlan-ctrl, SSID = eduroam]
A local user from institution ta.belnet.be (user@ta.belnet.be) will send an access request to remote Belnet's xxxroam WLAN.
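The realm-based routing that the national authentication flow (steps 4 and 5) and the three demo flows above describe, modelled as an added Python example. This is not Radiator, FreeRADIUS or NPS code and it is not part of the workshop material: it simulates the decision each RADIUS server in the hierarchy makes (authenticate locally, or forward to a known peer), including the chain-of-trust rule that a request only crosses a link whose two ends have been configured with each other's shared secret. The hostnames are the ones from the slides (ta.belnet.be, radius.belnet.be, roaming1.belnet.be, roaming2.belnet.be); the shared secrets, the federation table and the failover from roaming1 to roaming2 are assumptions made for the illustration.

```python
"""Model of the realm-based RADIUS proxy hierarchy from the slides.

Added illustration, not Radiator/FreeRADIUS/NPS code.  Every server knows only
its own realms and its direct peers (with a shared secret agreed out-of-band);
anything else is forwarded upstream.  Hostnames are those used in the slides;
the shared secrets and the federation table are constructed sample values.
"""
from dataclasses import dataclass, field

MAX_HOPS = 5  # guard against proxy loops caused by mis-configured realm tables


@dataclass
class RadiusServer:
    name: str
    local_realms: frozenset                      # realms authenticated on this server
    peers: dict = field(default_factory=dict)    # peer hostname -> shared secret
    upstreams: tuple = ()                        # ordered failover list of proxies
    routes: dict = field(default_factory=dict)   # realm -> downstream IdP (top level)


def split_identity(identity: str):
    """Return (user, realm); realm is None when the identity carries no '@'.
    Realms are case-insensitive, so they are normalised to lower case."""
    if "@" not in identity:
        return identity, None
    user, _, realm = identity.rpartition("@")
    realm = realm.strip().lower()
    return user, realm or None


def trusted(servers: dict, a: str, b: str) -> bool:
    """Chain of trust: both ends of a link must have been configured with each
    other beforehand and must hold the same shared secret."""
    return (b in servers[a].peers and a in servers[b].peers
            and servers[a].peers[b] == servers[b].peers[a])


def route(servers: dict, entry: str, identity: str, down: frozenset = frozenset()):
    """Walk an Access-Request from the SP's RADIUS server (entry) to the server
    that can authenticate the realm.  Returns the hop list, the authenticating
    server (None when the request is rejected) and a reason."""
    _, realm = split_identity(identity)
    hops = [entry]
    current = servers[entry]
    if realm is None:
        return {"hops": hops, "authenticator": None,
                "reason": "identity without realm cannot be routed"}
    while len(hops) <= MAX_HOPS:
        if realm in current.local_realms:
            return {"hops": hops, "authenticator": current.name, "reason": "ok"}
        # a top-level server consults its federation table; others go upstream
        if realm in current.routes:
            candidates = [current.routes[realm]]
        else:
            candidates = list(current.upstreams)
        nxt = next((c for c in candidates
                    if c not in down and trusted(servers, current.name, c)), None)
        if nxt is None:
            return {"hops": hops, "authenticator": None,
                    "reason": f"{current.name} has no peer for realm {realm}"}
        hops.append(nxt)
        current = servers[nxt]
    return {"hops": hops, "authenticator": None, "reason": "proxy loop detected"}


# Constructed federation: secrets are sample values, not real ones.
SECRET_TA = "constructed-secret-ta"
SECRET_BELNET = "constructed-secret-belnet"
TOP_LEVEL = ("roaming1.belnet.be", "roaming2.belnet.be")

FEDERATION = {
    "ta.belnet.be": RadiusServer(
        "ta.belnet.be", frozenset({"ta.belnet.be"}),
        peers={t: SECRET_TA for t in TOP_LEVEL}, upstreams=TOP_LEVEL),
    "radius.belnet.be": RadiusServer(
        "radius.belnet.be", frozenset({"belnet.be"}),
        peers={t: SECRET_BELNET for t in TOP_LEVEL}, upstreams=TOP_LEVEL),
}
for top in TOP_LEVEL:
    FEDERATION[top] = RadiusServer(
        top, frozenset(),
        peers={"ta.belnet.be": SECRET_TA, "radius.belnet.be": SECRET_BELNET},
        routes={"ta.belnet.be": "ta.belnet.be", "belnet.be": "radius.belnet.be"})


def demo_flows(down: frozenset = frozenset()):
    """The three demo scenarios from the slides plus two rejection cases."""
    return {
        "local-local": route(FEDERATION, "ta.belnet.be", "user@ta.belnet.be", down),
        "remote-local": route(FEDERATION, "ta.belnet.be", "user@belnet.be", down),
        "local-remote": route(FEDERATION, "radius.belnet.be", "user@ta.belnet.be", down),
        "unknown-realm": route(FEDERATION, "ta.belnet.be", "user@example.org", down),
        "no-realm": route(FEDERATION, "ta.belnet.be", "user", down),
    }


if __name__ == "__main__":
    for name, result in demo_flows().items():
        print(f"{name:13s} {' -> '.join(result['hops']):58s} {result['reason']}")
```

Running the file prints the hop list for each scenario. Two behaviours are worth noting for a real deployment: a realm that the top-level server does not know, or an identity without a realm, is rejected at the point where it can no longer be routed instead of being passed on, and a link is only used when both ends were configured with each other, which is exactly why the shared secrets have to be exchanged out-of-band before anything works.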
Conclusion
Conclusion
- Technical Framework
- Demo
- Belnet is there to help you
- Q&A
What do you think?
Final roundtable
- Are you ready to join?
- What would you need more to start?
Thank you
Use case
To be added