Mobility Task Force. Deliverable F. Inventory of web-based solution for inter-nren roaming



Similar documents
CTS2134 Introduction to Networking. Module Network Security

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches

WiNG5 CAPTIVE PORTAL DESIGN GUIDE

Clientless SSL VPN Users

Scenario: IPsec Remote-Access VPN Configuration

This chapter describes how to set up and manage VPN service in Mac OS X Server.

NAC Guest. Lab Exercises

Cisco QuickVPN Installation Tips for Windows Operating Systems

Exam Questions SY0-401

Network Virtualization Network Admission Control Deployment Guide

Hosting more than one FortiOS instance on. VLANs. 1. Network topology

SonicWALL PCI 1.1 Implementation Guide

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Networking. Systems Design and. Development. CRC Press. Taylor & Francis Croup. Boca Raton London New York. CRC Press is an imprint of the

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

Web Authentication Application Note

Microsoft Windows Server System White Paper

The Trivial Cisco IP Phones Compromise

White Paper Copyright 2011 Nomadix, Inc. All Rights Reserved. Thursday, January 05, 2012

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Application Note Secure Enterprise Guest Access August 2004

Authentication Methods

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

How to Configure Captive Portal

OVERVIEW OF TYPICAL WINDOWS SERVER ROLES

Figure 41-1 IP Filter Rules

Brocade Certified Layer 4-7 Professional Version: Demo. Page <<1/8>>

Cisco TrustSec How-To Guide: Guest Services

Cisco Virtual Office Express

Deploying F5 with Microsoft Active Directory Federation Services

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

ClickShare Network Integration

Cox Managed CPE Services. RADIUS Authentication for AnyConnect VPN Version 1.3 [Draft]

Authentication. Authentication in FortiOS. Single Sign-On (SSO)

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

NETASQ ACTIVE DIRECTORY INTEGRATION

Implementing Cisco IOS Network Security v2.0 (IINS)

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP Edge Gateway for Layered Security and Acceleration Services

Product Summary RADIUS Servers

Executive Summary and Purpose

Application Note User Groups

Network Configuration Settings

Penn State Wireless 2.0 and Related Services for Network Administrators

Security. TestOut Modules

Scenario: Remote-Access VPN Configuration

Gigabit SSL VPN Security Router

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

AlliedWare Plus OS How To Use Web-authentication

Belnet Networking Conference 2013

Connecting an Android to a FortiGate with SSL VPN

WiNG 5.X How-To Guide

Using a VPN with Niagara Systems. v0.3 6, July 2013

Network Access Security It's Broke, Now What? June 15, 2010

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

A practical guide to Eduroam

1.1.1 Security The integrated model will provide the following capabilities:

Windows 2000 Security Architecture. Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation

Introduction to Endpoint Security

Configuring Global Protect SSL VPN with a user-defined port

Proxy POP3S. then authentication occurs. POP3S is for a receiving . IMAP4S. and then authentication occurs. SMTPS is for sending .

SSL-TLS VPN 3.0 Certification Report. For: Array Networks, Inc.

VPN. Date: 4/15/2004 By: Heena Patel

Evaluating the Cisco ASA Adaptive Security Appliance VPN Subsystem Architecture

Using IEEE 802.1x to Enhance Network Security

Securing Networks with PIX and ASA

BlackBerry Enterprise Service 10. Universal Device Service Version: Administration Guide

ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access. Integration Handbook

VLANs. Application Note

Top-Down Network Design

ADOBE CONNECT ENTERPRISE SERVER 6

Network Security Fundamentals

APPENDIX 3 LOT 3: WIRELESS NETWORK

Security + Certification (ITSY 1076) Syllabus

Understanding the Cisco VPN Client

The Security Framework 4.1 Programming and Design

PrintFleet Enterprise Security Overview

7.1. Remote Access Connection

External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy

HughesNet Broadband VPN End-to-End Security Using the Cisco 87x

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

NXC5500/2500. Application Note. Captive Portal with QR Code. Version 4.20 Edition 2, 02/2015. Copyright 2015 ZyXEL Communications Corporation

V310 Support Note Version 1.0 November, 2011

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Mobility Task Force. Deliverable D. Inventory of 802.1X-based solutions for inter-nrens roaming

Portal Authentication Technology White Paper

PrintFleet Enterprise 2.2 Security Overview

Why a Reverse Proxy with My Instant Communicator for mobiles??

Preparing for GO!Enterprise MDM On-Demand Service

Securing Cisco Network Devices (SND)

Citrix Receiver for Mobile Devices Troubleshooting Guide

Configuration Guide BES12. Version 12.1

Lab Configuring Access Policies and DMZ Settings

Access Your Cisco Smart Storage Remotely Via WebDAV

BlackBerry Enterprise Service 10. Version: Configuration Guide

Implementing, Managing and Maintaining a Microsoft Windows Server 2003 Network Infrastructure: Network Services Course No.

User Identification (User-ID) Tips and Best Practices

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia 2006 Cisco Systems, Inc. All rights reserved.

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

How to Configure Web Authentication on a ProCurve Switch

Transcription:

Mobility Task Force Deliverable F Inventory of web-based solution for inter-nren roaming Version 1.1 Authors: Sami Keski-Kasari <samikk@cs.tut.fi>, Harri Huhtanen <karrih@cs.tut.fi> Contributions: James Sankar <J.Sankar@ukerna.ac.uk> Introduction In this document we are considering a web-based authentication system as a solution to enable roaming between European research and education networks. This document complies with List of non-technical Terms [6]. 1. Architectural design The architecture of a web-based authentication system is very simple. It does not need any special functionality to be added to the access points or switches. All functionality is located near the edge of the network. On the edge of the network there is an access control device commonly referred as access control device, which acts as router or bridge to the visited institution network. The access control device denies access to the protected networks by denying the traffic from and to unauthorized hosts. The architecture and functionality can be seen in the picture below. AAA Server 3. 4. 1. Public Access Controller 5. Internet Public Access Network 2. WWW-browser

When visitor users attach to the network that uses web-based authentication they get initial docking IP address via DHCP, but are unable to receive and send traffic outside the network. To gain network access outside of the network, the visitor user must launch their web browsers which will be automatically redirected to an authentication web page (arrow number 1). The access control device manages this process by capturing the HTTP connection and redirects the user's web browser to an authentication page (arrow number 2). On the authentication page a web form appears so that the visitor user must enter user credentials (e.g. username and password). Then the access control device will authenticate the user based on these credentials (arrow number 3). If the authentication succeeds (arrow number 4) the access control device modifies the firewall rules (arrow number 5) to enable the visitor user to gain access outside of the network. If the authentication fails, an authentication error is returned to the user and the credentials are asked again. The amount of the authentication attempts can be limited. Detaching the user from the network may be initiated by the user or by the network. When the user wants to log out, there may be some kind of form or popup windows for sending the logout message. The pop-up window and regular re-registrations via HTTP may be used for ensuring the user's terminal has not left the area without logging out. Another used method is that the access control device frequently polls user terminal with ARP or ICMP requests to detect if the terminal has left the network. If the user terminal does not answer a specific amount of requests, the terminal is considered detached from the network and the access control device closes the firewall rules to prevent session hijacking. 2. Roaming Issues Within the area controlled by the same access control device users can roam to other access points or switches without re-authentication. There are some vendor specific protocols which can carry authentication information to other access control devices. In that case the users can roam between areas controlled by different access control devices. Although Mobile-IP support in existing access control devices is almost nonexistent, integrating Mobile-IP to handle IP network roaming into open access control device platform is also possible. Inter-NREN authentication roaming can be done via RADIUS or LDAP if the access control device and authentication server support those methods. For example in the TUT's selfintegrated access control device [1] there are Linux PAM-modules for both protocols. If the authentication is done using RADIUS-protocol then the similar roaming architecture as in the 802.1X case may be used [5]. This may be done so that there is one main RADIUS-server and NREN's RADIUS-servers are attached to that server and organizations' RADIUS servers are attached to those servers. With LDAP-protocol, the hierarchy can be similar but in this case interoperation with 802.1X will not work. For more detailed information about roaming with web-based access control devices information can be found from TUT's web-pages concerning public access roaming. [2] 3. Security Issues 3.1 Securing the user credentials and roaming information Access control devices use regular web servers to present the authentication form to visitor users. User's credentials are so transferred with HTTP/HTTPS protocol depending of the access control device. Some commercial access control devices do not even have HTTPSprotocol in the default software version and an additional fee must be paid to get HTTPSenabled version. Due to this kind of choice of HTTP and HTTPS, HTTPS should be recommended or in the case of intra/inter-nren roaming required from the roaming organizations to ensure that some other university doesn t jeopardize other university s user credentials by sending them as clear text. Using HTTPS and SSL/TLS-certificates also provides the possibility of using SSL/TLS - certificates in authenticating the docking networks to users. This way the risk of doing fake docking networks and controllers collecting usernames and password would be harder, but still leaves the responsibility to user to check 2

the certificate presented by web browser. In practice this would require a PKI-infrastructure to be built inside and between NRENs. The defined PKI-, CA-, etc. policies, practices and the infrastructure would benefit also other projects requiring for example SSL/TLS -certificates valid in different NRENs networks. Building the PKI-infrastructure could start inside NREN, where the NREN operator of the NREN would manage the highest CA certificate. This NREN operator would then give organizations inside NREN CA certificates and the organizations could then create SSL/TLScertificates to be used in the access control devices and other related hosts/devices needed for docking network control and roaming (e.g. for securing the Radius/LDAP-traffic with IPSEC or SSL). This PKI-infrastructure could also be scaled to even a higher level by introducing a root CA that would issue and certify the NREN CA-certificates. TERENA would be a logical suggestion for this. This practice would then enable a chain of trust where the users would only need this highest certificate installed into their terminals and still be able to verify the certificates of the access control device anywhere on the roaming area. 3.2 Network element security Both the free and commercial access control devices are usually based on some free UNIXbased operating system and may use common open source software like Apache, PHP, and Perl etc. Because of this, extra attention should be focused in securing these hosts. Besides access control devices, there are also LDAP/Radius servers and the PKIinfrastructure hosts to be secured. The protocols are encrypting credentials but for example in the hierarchical Radius/LDAP roaming scenarios the user credentials are obtainable in plain text in all RADIUS/LDAP servers and also in the access control device. For that reason in all organizations all these servers must be managed by IT management in the same way to avoid misconfigured servers and leaking of credentials. Roaming policies and requirements could be the place to define the requirements and restrictions in these kinds of issues. 4. Requirements 4.1 Client Client can be any device that has www-browser that supports HTTPS, network interface card and DHCP client. 4.2 Access Control Device Access Control Device can be build to any operating system that supports routing and route filtering and has https-server. For example Linux, Windows 2000, etc. TUT's Access Control Device [1] is built on Debian Linux. There is also commercial ready to use access control devices like Nomadix, Vernier, etc. For additional security Access Control Device should also support IPSec. 4.3 RADIUS server Radius server must support RFC 2865 [3] and 2866 [4]. For additional security RADIUS server should support IPSec. There are no other requirements. For example FreeRADIUS, Radiator and Cisco ACS have all required capabilities. FreeRADIUS is available for Unix platforms. Cisco ACS and Radiator are also available for Windows platform. For better performance the authenticating RADIUS server should use an SQL database or LDAP for storing credentials. 3

5. Scalability 5.1 Access Control Device Access Control Device is on the edge on network controlling access from docking network to the Internet. Usually one access control device is needed per network. If the operating system or NIC drivers and switches support VLAN assignments or the access control device has more than two NICs, it is possible to serve more networks using one access control device. For networks consisting of several sites/locations additional access control devices may be used when needed. 5.2 RADIUS hierarchy RADIUS hierarchy can be build by domain names, like in DNS, so it is very scalable. The number of levels in the hierarchy is not limited. 5.3 RADIUS hierarchy Because all universities have their own CA certificate that is signed with NREN s CA certificate there shouldn't be any scaling problems. Universities can grant their own client certificates, but for example they can't create new CA certificates. If cost is prohibitive, the top level certificate can be self-signed. Then users must once install the top level certificate to their terminals but after that it can be used to verify hosts everywhere inside the roaming community. 6. Interoperability 6.1 802.1X based solution Access Control Device is not compatible with 802.1X because 802.1X is layer2 solution and Access Control Device is layer3 solution. Web-based solution is still compatible with 802.1X via RADIUS hierarchy. Both techniques can use same RADIUS hierarchy. Only difference is that in 802.1X case user s home institution RADIUS server must support 802.1X. It is also possible to use both the web-based and the 802.1X authentication methods simultaneously in the wireless environment by using access points, that have the VLAN tagging and multiple network name (ESSID) capabilities. In the wired environment it is possible to get VLAN information from RADIUS to change switch port s VLAN assignment. This way it is possible to assign docking network VLAN id to switch port but the user can choose to authenticate via web-based system or 802.1X. By default the port is in the state that sends traffic to the VLAN controlled by access control device and the scenario is similar to web-based authentication. If the terminal starts 802.1X negotiation, the switch or the access point tries to authenticate the terminal via RADIUS roaming hierarchy. After the successful authentication via 802.1X the switch changes the port's VLAN assignment to a VLAN that allows traffic go through. 6.2 VPN based solution Access Control Device is fully compatible with VPN solution. Both web-based and VPN solution can co-exist in the same network. Access Control Device must be configured to allow VPN traffic to certain VPN concentrators and all other users authentication is made via webbased system. 4

7. References [1] TUT Public Access, http://www.atm.tut.fi/tut-public-access/ [2] TUT Public Access Roaming, http://www.atm.tut.fi/public-access-roaming/ [3] Remote Authentication Dial in User Service (RADIUS), IETF RFC 2865 [4] RADIUS Accounting, IETF RFC 2866 [5] Terena Mobility Taskforce, Deliverable D [6] Terena Mobility Taskforce, List of non-technical Terms 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information