A practical guide to Eduroam

Similar documents

FreeRADIUS server. Defining clients Access Points and RADIUS servers

Joint Research Activity 5 Task Force Mobility

Configuring PEAP / LDAP based authentication using FreeRADIUS on Debian Sarge and Cisco AP1200, with WPA2 AES encryption

Belnet Networking Conference 2013

Connecting to Secure Wireless (iitk-sec) on Fedora

802.1x Networking. tommee pickles Moloch Industries. Moloch.org tommee.net

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches

Certified Wireless Security Professional (CWSP) Course Overview

Case Study - Configuration between NXC2500 and LDAP Server

How to Configure a BYOD Environment with the Unified AP in Standalone Mode

WiNG5 CAPTIVE PORTAL DESIGN GUIDE

Application Note User Groups

Particularities of security design for wireless networks in small and medium business (SMB)

Interlink Networks Secure.XS and Cisco Wireless Deployment Guide

Network Startup Resource Center

IdentiFi and Eduroam Roaming Wireless Service Integration CONFIGURATION GUIDE

NXC5500/2500. Application Note. Captive Portal with QR Code. Version 4.20 Edition 2, 02/2015. Copyright 2015 ZyXEL Communications Corporation

How To Set Up An Ipa 1X For Aaa On A Ipa 2.1X On A Network With Aaa (Ipa) On A Computer Or Ipa (Ipo) On An Ipo 2.0.1

Lab Configuring LEAP/EAP using Local RADIUS Authentication

Sample. Configuring the RADIUS Server Integrated with ProCurve Identity Driven Manager. Contents

Mobility Task Force. Deliverable F. Inventory of web-based solution for inter-nren roaming

ClickShare Network Integration

Configuring Routers and Their Settings

Step-by-step Guide for Configuring Cisco ACS server as the Radius with an External Windows Database

UNIVERZITA KOMENSKÉHO V BRATISLAVE FAKULTA MATEMATIKY, FYZIKY A INFORMATIKY PRÍPRAVA ŠTÚDIA MATEMATIKY A INFORMATIKY NA FMFI UK V ANGLICKOM JAZYKU

Exam Questions SY0-401

Table of Contents. Cisco Wi Fi Protected Access 2 (WPA 2) Configuration Example

Cisco on Cisco Best Practices Cisco Wireless LAN Design

Configuration of Cisco Autonomous Access Point with 802.1x Authentication for Avaya 3631 Wireless Telephone

eduroam wireless setup guide for Windows 7, XP and Vista

Pulse Policy Secure. RADIUS Server Management Guide. Product Release 5.1. Document Revision 1.0. Published:

1 About eduroam Wired eduroam... 1

Using Windows NPS as RADIUS in eduroam

State of Kansas. Interim Wireless Local Area Networks Security and Technical Architecture

Deploying Cisco Basic Wireless LANs WDBWL v1.1; 3 days, Instructor-led

AeroLab Wireless Network Code of Conduct. Connecting to the AeroLab Wireless Network

eduroam Network guide configuration for Microsoft Windows 7

Securing Cisco Network Devices (SND)

Developing Network Security Strategies

How To Connect A Gemalto To A Germanto Server To A Joniper Ssl Vpn On A Pb.Net 2.Net (Net 2) On A Gmaalto.Com Web Server

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

Eduroam wireless network - Windows 7

How to configure your Thomson SpeedTouch 780WL for ADSL2+

9 Simple steps to secure your Wi-Fi Network.

APPENDIX 3 LOT 3: WIRELESS NETWORK

ALL Mbits Powerline WLAN N Access Point. User s Manual

Eduroam wireless network Windows Vista

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

TECHNICAL NOTE REFERENCE DOCUMENT. Improving Security for Axis Products. Created: 4 October Last updated: 11 October Rev: 1.

Deployment Guide: Cisco Guest Access Using the Cisco Wireless LAN Controller

Secure WiFi Access in Schools and Educational Institutions. WPA2 / 802.1X and Captive Portal based Access Security

AAA & Captive Portal Cloud Service TM and Virtual Appliance

ADDENDUM 12 TO APPENDIX 8 TO SCHEDULE 3.3

Connecting to eduroam using Windows 8

Integrating a Hitachi IP5000 Wireless IP Phone

Abstract. Avaya Solution & Interoperability Test Lab

Cisco Virtual Office Express

Wireless security. Any station within range of the RF receives data Two security mechanism

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia 2006 Cisco Systems, Inc. All rights reserved.

Mobility System Software Quick Start Guide

WIRELESS SETUP FOR WINDOWS 7

freeradius A High Performance, Open Source, Pluggable, Scalable (but somewhat complex) RADIUS Server Aurélien Geron, Wifirst, January 7th 2011

On-boarding and Provisioning with Cisco Identity Services Engine

VLANs. Application Note

Application Note Secure Enterprise Guest Access August 2004

University of Hawaii at Manoa Professor: Kazuo Sugihara

Configure WorkGroup Bridge on the WAP131 Access Point

Access Control in Home Networking

Penn State Wireless 2.0 and Related Services for Network Administrators

Wireless Network Configuration Guide

Cisco Secure Access Control Server 4.2 for Windows

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

SNRS. Securing Networks with Cisco Routers and Switches. Length 5 days. Format Lecture/lab

User Guide for eduroam

TABLE OF CONTENTS NETWORK SECURITY 1...1

Security Backbone Configuration

Canterbury College Eduroam Wi-Fi Guide

Eduroam wireless network Apple Mac OSX 10.4

Tech Art: TA0001-Windows 2008 RADIUS for CISCO Device Authentication by John McManus

Network Security 1 Module 4 Trust and Identity Technology

Security Awareness. Wireless Network Security

Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks.

Administration Guide Integrating Novell edirectory with FreeRADIUS 1.1 January 02, 2011

Deploying iphone and ipad Virtual Private Networks

RWL Tech Note Wireless 802.1x Authentication with Windows NPS

Step-by-Step Secure Wireless for Home / Small Office and Small Organizations

Ruckus Wireless ZoneDirector Command Line Interface

Microsoft Lync Certification Configuration Guide for WiNG 5.5

Chapter 5 - Basic Authentication Methods

Netcomm NB604N. Modem Configuration Guide. Netcomm NB604N. Configuring in Layer2 PPPoE for Windows XP and 2000 IMPORTANT MESSAGE

The following chart provides the breakdown of exam as to the weight of each section of the exam.

netld External Authentication Setup Guide

RadSec RADIUS improved. Stig Venaas

Topics in Network Security

How To Secure Wireless Networks

The Use of Mikrotik Router Boards With Radius Server for ISPs.

Eduroam wireless network Apple Mac OSX 10.5

How To Configure Windows Server 2008 as a RADIUS Server with MS-CHAP v2 Authentication

AGLARBRI PROJECT AFRICAN GREAT LAKES RURAL BROADBAND RESEARCH INFRASTRUCTURE. RADIUS installation and configuration

Mobility, Network Access Control and Convergence for Voice, Video and Data Applications on Corporate Wireless & Wired Networks. UCOPIA White Paper

Transcription:

1 A practical guide to Eduroam Rok Papež ARNES - Academic and research network of Slovenia rok.papez@arnes.si Akyaka,Gökova, April 2007

2 Eduroam AAI

3 Eduroam wireless network components Access Points Enterprise grade equipment Wired network Broadband to internet VLAN (802.1q) Security (guest network) Radius AAA server Local authentication Foreign request proxying Supplicant Eduroam client Server certificates

4 Wired and wireless network

5 Eduroam in Slovenia Technology used SSID=eduroam WPA Enterprise (+ WPA2/802.11i) Dynamic VLANs Support for legacy networks (multiple SSIDs) Radius configuration EAP-TTLS + PAP anonymous@domain outer identity Send real user-name in Access-Accept (accounting) Log full radius accounting + IP address Freeradius

6 Which RADIUS to use RADIUS server FreeRADIUS RADIATOR Lucent VitalAAA (Croatia) JRA5 Roaming cookbook: http://www.terena.org/activities/eduroamcamp/ Other RADIUS servers Cisco Secure ACS Microsoft IAS 2003

7 Radius server: Freeradius Installation RPM packages for Fedora Core (http://www.pingo.org/eduroam) From source: http://www.freeradius.org Regexp patch from: http://www.eduroam.si Part of the installed UNIX operating system Configuration Manually Using the eduroam in a box web interface Realm proxying Eduroam realm name == DNS domain Delegete wildcard sub-domains (*.domain.tld) Authorisation based on full realm name Loop prevention

Freeradius manual configuration: Proxying (Sending the requests) /etc/raddb/proxy.conf: # handle our realm locally realm domain.tld { } # blackhole and NULL are handled (denied in users file) locally realm blackhole.domain.tld { regex = ".*\.domain\.tld" } realm NULL { } realm DEFAULT { type = radius authhost = 10.0.0.2:1812 accthost = 10.0.0.2:1813 secret = ***** nostrip } 8

Freeradius manual configuration: Proxying (Receiving requests) /etc/raddb/clients.conf: # =============================== # Upstream radius server # =============================== client 10.0.0.2 { secret = ***** shortname = primary_radius nastype = other } 9

Freeradius manual configuration: Proxying and Local LDAP search /etc/raddb/users: ######################################################## # Users with a blackhole or NULL realm should be rejected ######################################################## DEFAULT Realm == NULL, Auth-Type := Reject DEFAULT Realm == blackhole.domain.tld, Auth-Type := Reject ######################################################## # If user isn't found, check LDAP directory for it. # But only for the inner tunnel request. ######################################################## DEFAULT Realm == domain.tld, Freeradius-Proxied-To == 127.0.0.1, Autz-Type := LDAP Fall-Through = yes 10

Freeradius manual configuration: Access to LDAP /etc/raddb/radiusd.conf: modules { [...] ldap { server = "localhost" basedn = "dc=domain,dc=tld" filter = "(siedupersonprincipalname=%{user-name})" identity = "cn=root,dc=domain,dc=tld" password = "*****" password_attribute = "userpassword" start_tls = no } [...] } authorize { [...] Autz-Type LDAP { ldap } } 11

Freeradius web configuration: Eduroam in a box RADIUS peers 12

13 Access Point: Cisco 1130AG - IOS Configure Radius group: aaa group server radius radius_grp server 10.2.18.130 auth-port 1812 acct-port 1813 Configure network (SSID) dot11 ssid eduroam vlan 251 authentication open eap radius_auth authentication key-management wpa accounting default guest-mode Configure radio interface interface Dot11Radio0 encryption vlan 251 mode ciphers aes-ccm tkip ssid eduroam interface Dot11Radio1 encryption vlan 251 mode ciphers aes-ccm tkip ssid eduroam

14 Access Point: Cisco 1130AG - IOS Set RADIUS server connection secret: radius-server host 10.0.0.130 auth-port 1812 acct-port 1813 key ********** Configure server part: /etc/raddb/clients.conf: # =============== # Access Points # =============== client 10.0.0.131 { secret = ********** shortname = ap1 nastype } = cisco

15 Eduroam client Connecting without the eduroam client Setting up windows wireless Setting up SecureW2 First connect problem (certificates) Connecting with the eduroam client Uses securew2 site deployment Certificates are pre-installed SecureW2 is pre-configured username/password Wireless encryption settings ftp://ftp.arnes.si/software/eduroam

16 Eduroam client configuration

17 Windows wireless configuration

18 Eduroam in a box Configuration wizard AAI server (LDAP, Radius, SQL, DHCP,...) Web based Certificate handling Connection monitoring Logging Ethernet security mechanisms Easy to use: Part of local Linux distribution Install and open http://localhost/eduroam OpenSource: http://eduroam.sourceforge.net

Eduroam in a box: DNS configuration 19

Eduroam in a box: Commit changes 20

Eduroam in a box: Installation Types 21

Eduroam in a box: Bridge type 22

Eduroam in a box: Bridge type set-up It's easy to use: PC with multiple ethernet cards Install Linux Install EiAB ( yum install eduroam ) Connect the PC to the wired network Connect Access Points to the PC Open http://localhost/eduroam Configure the system and commit changes 23

24 Importance of statistics Gathering statistics Network planning PR team Easy with good accounting in SQL database Network use varies a lot Summer vacations Winter vacations Exam periods Steep climb network logins number of active users Most of the users are from technical faculties

25 Slovenian eduroam network use E duroam network logins 45000 40000 35000 FE /FR I FE R I 30000 FO V FDV FMF FHŠ P TUJ S KUP AJ 25000 20000 15000 10000 5000 0 9 04 10 04 11 04 12 04 1 05 2 05 3 05 4 05 5 05 monthly 6 05 7 05 8 05 9 05 10 05 11 05 12 05

Student survey: Use of eduroam in Slovenia Student survey October 2005 Use of any wi-fi Only 15.2% of students use Wi-Fi technology (routers, sharing of internet connection with a neighbor at home...) Eduroam is being used by 5% of students Reasons for not using the eduroam Not informed about it Don't own a laptop They don't know how to use it Bad experience with use Why students don't bring laptops to lectures Don't want to stand out Afraid of damage or theft 26

27 What is in this picture? Bob Metcalf, Xerox, 1972

28 Ethernet (in)security Unauthorized network use Rogue Access Points MAC spoofing ARP attacks Router Other users DHCP attacks DOS Eavesdropping IP spoofing

29 Ethernet security mechanisms Network login (wireless or wired - 802.1x) Wireless connection encrypted (WPA) Special mechanisms on a router/switch ip dhcp snooping ip arp inspection ip verify source IP security Firewall ACL

30 Future of eduroam in Slovenia Eduroam on wired networks Testing of equipment (switches) Looking at the possibility to use for dial-up RadSec for inter-radius connections Eduroam_client Localization Limited development resources Eduroam in a box Deploying eduroam in smaller organisations/departments Web configuration wizard and management tool (optional) built in firewalling (L2/L3 security) Free software http://eduroam.sourceforge.net

31 Eduroam.si http://www.eduroam.si mailto: aaa-podpora@arnes.si