Key to our success: developing a streamlined, standardized approach for connecting schools, with additional ongoing support from participating institutions as part of a Community of Practice.
Canadian Access Federation eduroam workshop, Aug 2011. Chris Phillips – email@example.com
Credits
Thanks to other content contributors:
Jens Haeusser – UBC – technical negotiation slides
GEANT & TERENA – logging and other areas
Prior implementors, for inspiring the checklist
Useful reference sites:
http://eduroam.ca - Canadian eduroam site
http://eduroam.org - top-level eduroam site
http://eduroamus.org - US eduroam site
Use Case – Wireless Access
Without eduroam:
User arrives, needs to get onto wireless.
Needs to talk to IT staff to get a credential created in the system and a password set.
User waits for the account.
User signs into wireless with the known password.
When the user is finished, IT should be notified to delete the account and terminate access (right?).
IT deletes the account (right?).
Done.
With eduroam:
User arrives, needs to get onto wireless, has an eduroam-enabled ID.
Opens laptop.
User is authenticated by the home system and is online.
Done.
eduroam impact
Reduces the effort of supporting guest network IDs:
Support calls ("How do I…?")
Guest account footprint in your systems
Only available on wireless systems, not others
How does eduroam work?
802.1X – to authenticate clients before allowing access to the network
EAP framework – with secure EAP methods to protect user credentials
RADIUS – authentication server infrastructure
RADIUS proxying – to route authentication requests to a user's home institution
Separate IP address space – treated as external to the institution (compliance with service agreements, etc.)
End users have standard internet access with as few filters as possible (if any at all).
Secure Wireless – 802.1X (diagram; April 27th 2010, Canada eduroam)
Diagram labels: secure.wireless.ubc.ca; SSID ubcsecure; user id jdoe.
1) Negotiate authentication method: EAP-PEAPv0-MSCHAPv2
2) Certificate validation – prevents "man-in-the-middle" attack
3) Establish secure tunnel – prevents eavesdropping; using MSCHAPv2
4) Perform authentication through the tunnel
5) Authentication successful – establish encryption, connect to the network
6) Client acquires IP address (DHCP)
End state: wireless encryption established.
eduroam – Roaming User (diagram)
Diagram labels: federation server, realm ca; SSID eduroam; cert eduroam.sfu.ca; institution servers, realm ubc.ca and realm sfu.ca; user id firstname.lastname@example.org.
1) Negotiate EAP type: EAP-TTLS-PAP
2) Outer request – validate cert, establish TLS tunnel; PAP goes through the tunnel – secure!
3) Inner request
4) Success – connect to network, establish encryption.
eduroam – International Roaming (diagram)
Diagram labels: confederation server; federation servers, realm ca and realm edu; institution servers, realm ubc.ca, sfu.ca, mit.edu and ucla.edu; user id email@example.com.
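The two roaming diagrams above show the proxy path: a request is routed on the realm of the outer identity, first to the home institution if the realm is local, otherwise up to the national federation server, and from there either down to the member that owns the realm or up to the confederation. The following is an added illustration of that routing decision, not code from the workshop, from FreeRADIUS or from any eduroam operator: the realm names (ubc.ca, sfu.ca, mit.edu, ca, edu) come from the slides, while the server names, the topology table and the helper names are assumptions. It also covers two cases the diagrams do not draw, an identity with no realm and a realm that sits under the national TLD but belongs to no member.

```python
"""Realm-based routing for a RADIUS proxy in an eduroam-style hierarchy
(institution -> national federation -> confederation).

Added example; not code from the workshop, from FreeRADIUS or from any
eduroam operator. Realm names come from the slides; server names, the
topology and the helper names are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Decision:
    action: str            # "LOCAL", "PROXY" or "REJECT"
    target: Optional[str]  # next-hop server for PROXY, else None
    reason: str            # worth writing to the auth log


def split_identity(identity: str) -> tuple[str, Optional[str]]:
    """Return (user, realm). Routing uses the *outer* identity, which with
    EAP-TTLS/PEAP may be anonymous@realm; only the realm matters here.
    Split on the last '@' and lower-case the realm (DNS is case-insensitive)."""
    if "@" not in identity:
        return identity, None
    user, _, realm = identity.rpartition("@")
    realm = realm.strip().lower()
    return user, realm or None


def realm_matches(realm: str, served: str) -> bool:
    """True if realm equals `served` or is a subdomain of it. Compare on label
    boundaries so that 'notubc.ca' does not match 'ubc.ca'."""
    return realm == served or realm.endswith("." + served)


def route(identity: str, role: str, served: tuple[str, ...],
          parent: Optional[str], children: dict[str, str]) -> Decision:
    """Routing decision for one server in the hierarchy.

    role     'institution', 'federation' or 'confederation'
    served   realms this server answers itself (institution) or owns as a
             top-level domain (federation, e.g. ('ca',))
    parent   next hop upwards, None at the top
    children realm -> downstream server (federation/confederation only)
    """
    _, realm = split_identity(identity)
    if realm is None:
        # Nothing to route on; rejecting here stops realm-less requests from
        # bouncing around the hierarchy.
        return Decision("REJECT", None, "no realm in identity")
    if role == "institution":
        if any(realm_matches(realm, r) for r in served):
            return Decision("LOCAL", None, "home realm, authenticate locally")
        if parent is None:
            return Decision("REJECT", None, "foreign realm and no federation uplink")
        return Decision("PROXY", parent, "foreign realm, forward to federation")
    for child_realm, server in children.items():      # route down if known
        if realm_matches(realm, child_realm):
            return Decision("PROXY", server, f"realm belongs to member {child_realm}")
    if any(realm_matches(realm, r) for r in served):   # our TLD, unknown member
        return Decision("REJECT", None, "realm under our TLD but not a member")
    if parent is None:
        return Decision("REJECT", None, "unknown top-level realm")
    return Decision("PROXY", parent, "realm outside our TLD, forward upwards")


# Constructed topology mirroring the slides' diagrams (server names assumed).
UBC = dict(role="institution", served=("ubc.ca",), parent="fed-ca", children={})
FED_CA = dict(role="federation", served=("ca",), parent="confed",
              children={"ubc.ca": "radius.ubc.ca", "sfu.ca": "radius.sfu.ca"})
CONFED = dict(role="confederation", served=(), parent=None,
              children={"ca": "fed-ca", "edu": "fed-edu"})
SERVERS = {"ubc": UBC, "fed-ca": FED_CA, "confed": CONFED}


def trace(identity: str, start: str = "ubc") -> list[str]:
    """Follow a request from the visited site upwards and return the hops,
    e.g. ['ubc:PROXY->fed-ca', 'fed-ca:PROXY->radius.sfu.ca']."""
    hops, here = [], start
    while here in SERVERS:
        d = route(identity, **SERVERS[here])
        hops.append(f"{here}:{d.action}" + (f"->{d.target}" if d.target else ""))
        if d.action != "PROXY":
            break
        here = d.target          # leaf servers (radius.sfu.ca) end the trace
    return hops


if __name__ == "__main__":
    for ident in ("jdoe@ubc.ca", "anonymous@sfu.ca", "jdoe@mit.edu",
                  "jdoe@notubc.ca", "jdoe"):
        print(f"{ident:18} {' | '.join(trace(ident))}")
```

The reason string in each decision is what the logging slides later ask for: a record of why a request was answered, forwarded or refused at each hop.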
Reciprocity – Hallmark of eduroam
eduroam is about treating guest credentials the way you would like yours to be treated. Just think about what you would like when you travel:
No filtered connections
No traffic shaping
Public IP address (where possible)
NAT is not necessarily appropriate, but if you already put your own users on private IPs now, it probably works out ok.
Onboarding Process
Canada has ~28 of 92 universities on eduroam. The US has slightly fewer in number (25) but 3,000 plus institutions.
eduroam operator:
Standard template for connecting new sites
Policy sign-off followed by technical implementation
Estimated time for Canada federation-level RADIUS server personnel:
on-board a new member site: a few hours to two person-days, depending on member site expertise
general maintenance: ~one person-day per month
eduroam site:
Local implementation from 4 hours to 4 weeks depending on capabilities
Skill: operate/install RADIUS on your choice of platform (Cisco ACS, Microsoft NPS, FreeRADIUS)
Operational maintenance: same as your AuthN server now
Important Implementation Decisions
Your RADIUS platform: keep it simple, with the least number of cogs in the machine.
Running Active Directory? You may already have RADIUS (NPS).
Running Cisco ACS? You can use that.
Want an alternative commercial platform? RADIATOR is likely your choice – heavily Perl influenced. The root servers run RADIATOR.
Looking for 'free'? FreeRADIUS. You need to deal with MS-CHAPv2 properly. The recommendation is to split the config for proxying and answering between two instances for clarity/diagnosis sake (see Queen's build).
About Server Certificate
This certificate is on your IdP. Users see it and will use it to evaluate the authenticity of the server validating their password.
Self signed is not recommended. Would YOU trust it? How do you convince the 1st year student to ascertain that it is valid and not a rogue AP doing an attack?
AUTH LOGS Identity Providers must log all authentication attempts, recording:
Authentication result returned by authentication database.
Reason for denial or failure of authentication.
AUTH LOGS (2)
At what point should logs be kept?
After packet reception from client.
Before handing off to proxy.
After getting reply from proxy.
Before sending reply back to client.
Pre-configured modules exist in FreeRADIUS: auth_detail, pre_proxy_detail, post_proxy_detail, reply_detail
RELIABLE TIME SOURCE All logs must be synchronised to a reliable time source.
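The logging slides ask for a record at four points (after reception, before proxying, after the proxy reply, before the reply to the client), for the result returned and the reason for any denial, and for all timestamps to come from a reliable, synchronised source. The following is an added example of what those records can look like and how they are reconciled per request; it is not code from the workshop or from FreeRADIUS, the JSON record layout and stage names are assumptions, and the sample log lines are constructed. It also handles the one failure the four-point scheme makes visible: a request that was proxied and never answered.

```python
"""Auth-log records at the four points named on the slides, plus a
reconciliation that derives each request's result and denial reason.

Added example; not code from the workshop or from FreeRADIUS. The record
layout and stage names are assumptions. Timestamps are UTC from the system
clock, which is assumed to be NTP-synchronised (RELIABLE TIME SOURCE) so
that records from the visited site, the federation and the home IdP line up.
"""
import json
from datetime import datetime, timezone

STAGES = ("auth", "pre_proxy", "post_proxy", "reply")   # the four log points


def log_record(stage: str, request_id: str, identity: str, **fields) -> str:
    """One JSON line per event; a real deployment appends it to a detail file."""
    if stage not in STAGES:
        raise ValueError(f"unknown stage {stage!r}")
    rec = {"ts": datetime.now(timezone.utc).isoformat(timespec="milliseconds"),
           "stage": stage, "request_id": request_id, "identity": identity}
    rec.update(fields)
    return json.dumps(rec, sort_keys=True)


def reconcile(lines: list[str]) -> dict[str, dict]:
    """Group records by request_id and derive what the policy says must be
    recorded: the result returned and, for a failure, the reason."""
    by_id: dict[str, dict[str, dict]] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue           # corrupt line: skip it, do not abort the run
        by_id.setdefault(rec["request_id"], {})[rec["stage"]] = rec
    summary = {}
    for rid, stages in by_id.items():
        identity = stages.get("auth", {}).get("identity", "?")
        if "reply" in stages:
            result = stages["reply"].get("result", "unknown")
            reason = stages["reply"].get("reason")
        elif "pre_proxy" in stages and "post_proxy" not in stages:
            result = "no-reply"            # proxied, home server never answered
            reason = "proxy timeout"
        else:
            result = "incomplete"
            reason = "request still in progress or log truncated"
        summary[rid] = {"identity": identity, "proxied": "pre_proxy" in stages,
                        "result": result, "reason": reason}
    return summary


# Constructed sample: a local accept, a proxied reject, a proxy that timed
# out, and one corrupt line. Identities use realms from the slides.
SAMPLE_LOG = [
    log_record("auth", "r1", "jdoe@ubc.ca", client="10.0.0.5"),
    log_record("reply", "r1", "jdoe@ubc.ca", result="Access-Accept"),
    log_record("auth", "r2", "visitor@sfu.ca"),
    log_record("pre_proxy", "r2", "visitor@sfu.ca", next_hop="fed-ca"),
    log_record("post_proxy", "r2", "visitor@sfu.ca", result="Access-Reject"),
    log_record("reply", "r2", "visitor@sfu.ca", result="Access-Reject",
               reason="home server rejected: bad password"),
    log_record("auth", "r3", "someone@mit.edu"),
    log_record("pre_proxy", "r3", "someone@mit.edu", next_hop="fed-ca"),
    "this line is not JSON and must be skipped",
]

if __name__ == "__main__":
    for rid, info in reconcile(SAMPLE_LOG).items():
        print(rid, info)
```

Keeping the reason on the reply record (and not only the proxy's raw result) is what lets a reader of the log answer the policy's second requirement, the reason for denial, without having to reassemble it from the proxy exchange.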
TECHNICAL CONTACT Each federation must designate a technical contact:
Must be available via email and telephone during office hours.
May be a named individual or an organisational unit.
Cover during absence from work must be provided.
Onboarding Checklist
Are the IP addresses accurate? Some servers may be NAT'd; CAF requires accurate IPs to configure the local firewall.
Successful local domain authentication? <you>@<yourdomain>.ca should work without a shared secret, as it should remain local.
Do you have proper password storage? If you authenticate via LDAP, MS-CHAPv2 Win7 clients will require a certain password validation technique. Work-arounds are available (smbclient), but be sure to review how the password validation occurs.
Proper ports configured? (dest: 1645, 1646)