Implementation of federated authentication: case study
Cesar Pacheco, Politecnico di Torino
EuroCAMP, 2-3-4 March 2005
Working group
The members come from departments of Politecnico, ISPs, a research institute and ICT companies.
Ce.S.I.T. (ICT project and management resources), coordinator: Marcello Maggiora, Cesar Pacheco, Antonio Lantieri
DAUIN (Control and Computer Engineering): Antonio Lioy
DELEN (Electronics), TLC: Fabio Neri
GESD (Student Support Services): Enrico Venuto
ISMB (Istituto Superiore Mario Boella, research institute): Daniele Mazzocchi, Daniele Brevi
Telecom Italia: Marco Boasso
Hewlett-Packard: external support
Cisco Systems: external support
Overview
Politecnico di Torino campus
WiFi project
Politecnico user databases
Authentication methods
WLAN network infrastructure
Cisco ACS implementation
Proxy RADIUS infrastructure
Proxy RADIUS configuration for eduroam and Telecom Italia roaming
Politecnico di Torino campus
725 teachers, 600 technical and administrative employees
27,000 students
1,000 courses for 70,000 hours/year of classes
17 campuses in Piemonte
10,000 fixed network points
Politecnico di Torino campuses
Torino: 10
Alessandria, Aosta, Biella, Chivasso, Ivrea, Vercelli, Mondovì
Total: 17
WiFi project
The WiFi project at Politecnico di Torino started in 2003 as an initiative to implement a scalable WLAN for the geographically dispersed campus of Politecnico di Torino.
Features:
Centralized management of the covered radio areas
Centralized authentication
Centralized access control
Politecnico user databases
Politecnico student database: HP Enterprise Directory Server (X.500), 40,000 users, user@studenti.polito.it
Personnel and teacher database: Stalker CommuniGate Pro v4.18 (LDAP directory), 3,000 users, user@polito.it
Authentication methods: security comparison
Columns: authentication model; status; mutual authentication (client / server); security level on the air; username protection; password protection; data protection; suggested activities.
Open HTTPS (SSL3): enabled in all areas; client: password; server: certificate; air security: not at network level; suggested for Internet browsing.
Secure Apps Tunnel (VPN): enabled in all areas; client: password; suggested for use like wired polito users.
802.1x WPA-TKIP: field test; client: password; server: certificate; username protection: low in MS-PEAP; suggested for use like wired polito users.
802.1x EAP/TLS-WPA: lab test; client: certificate; server: certificate; username protection: low; suggested for use like wired polito users.
WLAN network infrastructure (diagram)
Athen backbone; access points 802.11a/b/g; PoE switch (Catalyst 3550); WLAN Open (SSID1) and WLAN 802.1x (SSID2); informative portal; captive portal; DHCP server; firewall; ACS RADIUS server; radio management; VPN concentrator; Internet.
Cisco ACS implementation
For the student database: ODBC connection to X.500; supports MS-CHAP authentication methods such as PEAP-EAP-MSCHAP; limited support for digital certificate comparison.
For teachers and employees: LDAPv3 bind to the LDAP directory; SAN or binary comparison for digital certificates; limited support for MS-CHAP authentication methods such as PEAP-EAP-MSCHAP.
Proxy RADIUS infrastructure (diagram)
Athen backbone; proxy RADIUS towards Telecom Italia; proxy RADIUS towards GARR / Internet; central proxy RADIUS (handler for polito.it); LDAPv3 bind to the LDAP directory; students RADIUS with ODBC to X.500 (Oracle); eduroam.
Proxy RADIUS configuration
RADIUS servers: shared secret with GARR
Proxy distribution table:
polito.it domains -> local proxy
wifiarea.it -> Telecom Italia
other domains -> GARR (eduroam)
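The two configuration items on this slide, realm-based routing and the per-upstream shared secret, are shown below as an added Python example written for this page; it is not code from the Politecnico deployment or from Cisco ACS. Hostnames and secrets are constructed placeholders. Two choices go beyond what the slide states and are assumptions of the example: "polito.it domains" is read as polito.it and all its sub-realms (so studenti.polito.it is also local), and a User-Name with no realm is treated as a local user. The second half verifies the Response Authenticator of a reply returned by an upstream (RFC 2865 section 3), which is where the shared secret is actually used on the proxy path.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Upstream RADIUS servers of the proxy distribution table. Hostnames and
# shared secrets are constructed placeholders, not real deployment values.
@dataclass(frozen=True)
class Upstream:
    name: str
    host: str
    secret: bytes

LOCAL = Upstream("local", "radius-local.invalid", b"local-secret-placeholder")
TELECOM = Upstream("telecom-italia", "radius-ti.invalid", b"ti-secret-placeholder")
GARR = Upstream("garr-eduroam", "radius-garr.invalid", b"garr-secret-placeholder")

# Realm suffix -> upstream. An entry matches the realm itself and any
# sub-realm, so "polito.it" also covers "studenti.polito.it" (assumption).
PROXY_TABLE = {
    "polito.it": LOCAL,
    "wifiarea.it": TELECOM,
}
DEFAULT_UPSTREAM = GARR  # every other realm goes to the federation


def split_nai(user_name: str):
    """Split an NAI (RFC 4282) into user part and lower-cased realm.
    The realm is everything after the LAST '@', so "a@b@polito.it"
    is routed on "polito.it", not on the inner "b"."""
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    return user, realm.lower()


def realm_is_wellformed(realm: str) -> bool:
    """Reject empty realms, whitespace or control characters, and empty
    labels such as "polito..it" before the table is consulted."""
    if not realm or any(c.isspace() or ord(c) < 0x20 for c in realm):
        return False
    return all(label for label in realm.split("."))


def route(user_name: str) -> Optional[Upstream]:
    """Return the upstream for this User-Name, or None to reject it.
    Realm-less names are treated as local users (assumption of this example)."""
    _, realm = split_nai(user_name)
    if realm is None:
        return LOCAL
    if not realm_is_wellformed(realm):
        return None
    labels = realm.split(".")
    for i in range(len(labels)):  # longest matching suffix wins
        candidate = ".".join(labels[i:])
        if candidate in PROXY_TABLE:
            return PROXY_TABLE[candidate]
    return DEFAULT_UPSTREAM


# RADIUS reply integrity (RFC 2865 section 3):
# ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
def response_authenticator(code: int, ident: int, length: int,
                           request_auth: bytes, attributes: bytes,
                           secret: bytes) -> bytes:
    data = bytes([code, ident]) + length.to_bytes(2, "big") + request_auth + attributes + secret
    return hashlib.md5(data).digest()


def build_reply(code: int, ident: int, request_auth: bytes,
                attributes: bytes, secret: bytes) -> bytes:
    """Encode a RADIUS reply packet signed with `secret`; used here only to
    construct sample traffic for the check below."""
    length = 20 + len(attributes)
    auth = response_authenticator(code, ident, length, request_auth, attributes, secret)
    return bytes([code, ident]) + length.to_bytes(2, "big") + auth + attributes


def verify_reply(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True if the reply carries a valid Response Authenticator under the
    secret shared with the upstream that sent it; a reply failing this
    check must be dropped, not forwarded to the NAS."""
    if len(packet) < 20:
        return False
    code, ident = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, length, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    for name in ("rossi@studenti.polito.it", "guest@WIFIAREA.IT", "user@uni-example.de", "bob@"):
        up = route(name)
        print(name, "->", up.name if up else "REJECT")
    req_auth = bytes(range(16))                               # constructed sample
    reply = build_reply(2, 7, req_auth, b"", GARR.secret)     # Access-Accept from GARR
    print("valid:", verify_reply(reply, req_auth, GARR.secret))
    print("wrong secret:", verify_reply(reply, req_auth, b"wrong"))
```

On the proxy path a reply is verified with the secret of the upstream it came from and then re-signed with the secret shared with the NAS, so the proxy keeps one secret per peer and never reuses the GARR secret towards the access points.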
Questions time
http://wifi.polito.it