Canarie CAF-eduroam Technical Workshop

CANARIE-CAF's 1/2 day Technical Workshop slide deck discussion eduroam and implementation profiles and lessons learned.

  • Current as of May 2011
  • Key to our success- developing a streamlined, standardized approach for connecting schools. Additional ongoing support from participating institutions as part of Community of Practice.
  • Transcript

    • 1. Canadian Access Federation
      eduroam workshop
      Aug 2011
      Chris Phillips – chris.phillips@canarie.ca
    • 2. Credits
      Thanks to other content contributors:
      Jens Haeusser – UBC – technical negotiation slides
      GEANT & TERENA – logging and other areas
      Prior implementors for inspiring the checklist
      Useful reference sites:
      http://eduroam.ca - Canadian eduroam site
      http://eduroam.org - Top level eduroam site
      http://eduroamus.org - US eduroam site
    • 3. Use Case – Wireless Access
      Without eduroam
      User arrives, needs to get onto wireless
      Needs to talk to IT staff to get a credential created in the system and a password set
      User waits for the account
      User signs into wireless with the known password
      When the user is finished, IT should be notified to delete the account and terminate access (right?)
      IT deletes the account (right?)
      Done
      With eduroam
      User arrives, needs to get onto wireless, has an eduroam-enabled ID
      Opens laptop
      User is authenticated against the home system and is online
      Done
    • 4. eduroam impact
      Reduces:
      effort supporting guest network IDs
      support calls ("How do I…?")
      guest account footprint in your systems
      Only available on wireless systems, not others.
    • 5. How does eduroam work?
      802.1X - to authenticate clients before allowing access to the network
      EAP framework - with secure (tunnelled) EAP methods to protect user credentials
      RADIUS - authentication server infrastructure
      RADIUS proxying - to route authentication requests, by the realm in the outer identity, to the user's home institution
      Separate IP address space - treated as external to the institution (compliance with service agreements, etc.)
      End users have standard internet access with as few filters as possible (if any at all).
    • 6. Secure Wireless – 802.1X
      April 27th 2010
      Canada eduroam
      Slide 6
      Diagram: client (id: jdoe) joins ssid: ubcsecure; RADIUS server secure.wireless.ubc.ca; wireless encryption established at the end
      1) Negotiate authentication method: EAP-PEAPv0-MSCHAPv2
      2) Certificate validation: the client checks the server certificate; this prevents a man-in-the-middle (rogue AP) attack only if the client is configured to validate the certificate rather than accept whatever is presented
      3) Establish secure TLS tunnel: prevents eavesdropping on the inner exchange
      4) Perform authentication through the tunnel using MSCHAPv2
      5) Authentication successful: establish wireless encryption, connect to the network
      6) Client acquires IP address (DHCP)
    • 7. eduroam – Roaming User
      Diagram: user joe@sfu.ca at UBC on ssid: eduroam; UBC's institution server (realm ubc.ca) proxies to the federation server (realm ca), which forwards to SFU's institution server (realm sfu.ca, cert: eduroam.sfu.ca)
      1) Negotiate EAP type: EAP-TTLS-PAP
      2) Outer request: proxied by realm to the home institution; the client validates the home server's certificate and establishes a TLS tunnel end-to-end with it
      3) Inner request: PAP through the tunnel; the password is protected by TLS all the way to the home IdP, so the visited site and the proxies see only the outer identity
      4) Success: connect to the network, establish encryption
    • 8. eduroam – International Roaming
      Diagram: user pam@mit.edu visiting a Canadian site. Institution servers (realm ubc.ca, realm sfu.ca) → federation server (realm ca) → confederation server → federation server (realm edu) → institution servers (realm mit.edu, realm ucla.edu)
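      The routing decision behind slides 5, 7 and 8 (local realm answered locally, other Canadian realms via the federation server for realm ca, everything else via the confederation server) as an added illustration; this is not CANARIE/CAF or GEANT code and not a RADIUS implementation, only the per-hop decision each proxy makes from the outer User-Name. The router names, member tables and the hop limit are assumptions chosen to match the realms on the slides.

```python
"""Realm-based routing of eduroam RADIUS requests through the proxy tree on
slides 7 and 8.  Added illustration, not CANARIE/CAF or GEANT code and not a
RADIUS implementation: it models only the routing decision each proxy makes
from the outer User-Name.  Router names, member tables and the loop guard are
assumptions chosen to match the realms shown on the slides."""


def split_realm(user_name):
    """Split an outer identity into (user, realm); realm is lower-cased.
    Returns realm None when there is no '@' or the realm part is empty."""
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    realm = realm.strip().lower()
    return user, realm or None


class RealmRouter:
    """One RADIUS proxy hop: answers its own realms locally, forwards realms
    it has a member entry for to that member, and sends anything else
    upstream (site -> national federation -> confederation)."""

    def __init__(self, name, local=(), members=None, upstream=None):
        self.name = name
        self.local = {r.lower() for r in local}
        self.members = {k.lower(): v for k, v in (members or {}).items()}
        self.upstream = upstream

    def match(self, realm):
        """Longest-suffix match, so 'cs.sfu.ca' belongs to 'sfu.ca' and the
        confederation can key on the top-level label 'ca' or 'edu'."""
        labels = realm.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.local:
                return "local", self
            if candidate in self.members:
                return "member", self.members[candidate]
        return "upstream", self.upstream

    def handle(self, user_name, path=None, max_hops=8):
        """Return (decision, answering_router_name, path_of_router_names)."""
        path = [] if path is None else path
        path.append(self.name)
        if len(path) > max_hops:
            return "reject", None, path          # loop guard (assumption)
        _, realm = split_realm(user_name)
        if realm is None:
            # No realm to route on: only the visited site can try to answer,
            # so the request never leaves the first hop.
            return "local", self.name, path
        if any(label == "" for label in realm.split(".")):
            return "reject", None, path          # malformed, e.g. 'joe@.ca'
        kind, nxt = self.match(realm)
        if kind == "local":
            return "local", self.name, path
        if nxt is None:
            return "reject", None, path          # top of the tree, realm unknown
        return nxt.handle(user_name, path, max_hops)


def build_tree():
    """Proxy tree from slides 7-8; returns UBC's server as the visited site."""
    sfu = RealmRouter("sfu.ca", local=["sfu.ca"])
    ubc = RealmRouter("ubc.ca", local=["ubc.ca"])
    mit = RealmRouter("mit.edu", local=["mit.edu"])
    ucla = RealmRouter("ucla.edu", local=["ucla.edu"])
    fed_ca = RealmRouter("ca", members={"ubc.ca": ubc, "sfu.ca": sfu})
    fed_edu = RealmRouter("edu", members={"mit.edu": mit, "ucla.edu": ucla})
    top = RealmRouter("confederation", members={"ca": fed_ca, "edu": fed_edu})
    fed_ca.upstream = fed_edu.upstream = top
    for site in (sfu, ubc):
        site.upstream = fed_ca
    for site in (mit, ucla):
        site.upstream = fed_edu
    return ubc


if __name__ == "__main__":
    visited = build_tree()
    for ident in ("jdoe@ubc.ca", "joe@sfu.ca", "pam@mit.edu", "x@cs.sfu.ca",
                  "nobody@example.org", "jdoe", "joe@.ca"):
        print(ident, "->", visited.handle(ident))
```

      Running it from UBC's point of view shows joe@sfu.ca taking three hops (ubc.ca, ca, sfu.ca) and pam@mit.edu five (via the confederation and the edu federation), an unknown realm being rejected at the top of the tree, and a User-Name with no realm staying at the visited site, which is also why the onboarding checklist's local-realm test works before any federation shared secret is configured.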
    • 9. Reciprocity – Hallmark of eduroam
      eduroam is about you treating guest credentials the way you would like yours to be treated.
      Just think about what you would like when you travel:
      No filtered connections
      No traffic shaping
      Public IP address (where possible)
      NAT is not necessarily appropriate, but if you already hand out private IPs to your own people now, it will probably work out OK.
    • 10. eduroam @ CANHEIT2011 - McMaster
    • 11. Canadian eduroam Coverage
    • 12. Digging into Deployment Details
    • 13. Sample Deployment: Queen's
    • 14. Cisco ACS Config
    • 15. Onboarding Process
      Canada has ~28 of 92 universities on eduroam.
      The US has slightly fewer in number (25), but out of 3,000-plus institutions.
      eduroam operator:
      Standard template for connecting new sites
      Policy sign-off followed by technical implementation
      Estimated time for Canadian federation-level RADIUS server personnel:
      on-board a new member site: a few hours to two person-days, depending on member site expertise
      general maintenance: ~one person-day per month
      eduroam site:
      Local implementation from 4 hours to 4 weeks depending on capabilities
      Skill: operate/install RADIUS on your choice of platform (Cisco ACS, Microsoft NPS, FreeRADIUS)
      Operational maintenance: same as your AuthN server now
    • 16. Important Implementation Decisions
      Your RADIUS platform
      Keep it simple, with the least number of cogs in the machine
      Running Active Directory? You may already have RADIUS (NPS)
      Running Cisco ACS? You can use that.
      Want an alternative commercial platform?
      RADIATOR is likely your choice (heavily Perl-influenced)
      The root servers run RADIATOR
      Looking for 'free'?
      FreeRADIUS
      Need to deal with MS-CHAPv2 properly: the server must be able to validate an MS-CHAPv2 response, which requires access to the NT hash (e.g. via ntlm_auth against AD) or the cleartext password; an LDAP bind alone cannot do it
      Recommendation is to split the configuration for proxying and for answering between two instances, for clarity's sake and for diagnosis (see Queen's build)
    • 17. About the Server Certificate
      This certificate is on your IdP (the RADIUS server that terminates the EAP TLS tunnel)
      Users see this certificate, and their trust in it is what guarantees the password is going to your server and not to a rogue AP
      Self-signed is not recommended
      Would YOU trust it?
      How do you convince the 1st-year student to ascertain that it is valid rather than click through a rogue AP's certificate? Clients should be configured to check the issuing CA and the server name, not just to accept whatever is presented.
    • 18. Problem Solving/Diagnosis
    • 19. Logging
      Cue GEANT Module 5
    • 20. Module 5: Log Files, Statistics and Incidents
    • 21. WHY KEEP LOG FILES?
      Log files are used to track malicious users and to debug possible problems.
      Aim: provide evidence to government agencies:
      • Offender's realm and login time.
      Why not provide the User-Name?
      • User-Name attribute could be obfuscated.
      • Outer identity could be anonymous or forged.
    • TRACING THE USER'S REALM (1)
      You should keep:
      • DHCP or ARP sniffing log.
      • RADIUS authorisation log.
      • Clock synchronised with Network Time Protocol (NTP).
    • TRACING THE USER'S REALM (2)
      Steps:
      • Identify IP address of malicious user.
      • Find MAC address in DHCP or ARP sniffing log.
      • Find authentication session in auth log.
      • Take realm and timestamp from auth log.
    • NEXT STEPS
      Approach eduroam Operations Team (OT).
      • OT can link realm to a home federation.
      • Home federation can find user's identity provider.
      • Identity provider can find the user name.
      • Cross-reference timestamp from service provider's auth log with own logs.
    • A CLOSER LOOK AT LOGGING REQUIREMENTS
      Let's look more closely at logging requirements:
      • Network addressing.
      • Auth logs.
      • Reliable time source.
      • Technical contact.
    • NETWORK ADDRESSING
      Service Providers:
      • Should provide visitors with publicly routable IPv4 addresses using DHCP.
      • Side-thought: why is NAT considered bad? Behind NAT an external complaint names a shared address, so the SP additionally needs NAT translation logs (with ports and times) before it can get back to one client.
      • Must be able to find a MAC address from the IP address.
      • Must log:
        • Time the client's DHCP lease was issued.
        • MAC address of the client.
        • IP address allocated to the client.
    • AUTH LOGS
      Identity Providers must log all authentication attempts, recording:
      • Authentication result returned by the authentication database.
      • Reason for denial or failure of authentication.
    • AUTH LOGS (2)
      At what point should logs be kept?
      • After packet reception from the client.
      • Before handing off to the proxy.
      • After getting the reply from the proxy.
      • Before sending the reply back to the client.
      Pre-configured modules exist in FreeRADIUS for each of these points:
      auth_detail, pre_proxy_detail, post_proxy_detail, reply_detail
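      The four tracing steps (IP address → MAC in the DHCP log → session in the auth log → realm and timestamp) carried out over the two logs this module requires, as an added example that is not GEANT or CANARIE code. Both logs are constructed samples: syslog lines in the shape ISC dhcpd writes for DHCPACK, and a FreeRADIUS detail file of the kind the modules above produce (header line, indented attributes, blank line between records). The assumptions are that every host is NTP-synchronised, that the timestamps are UTC, and that the wireless NAS reports the client MAC in Calling-Station-Id.

```python
"""Trace an abuse report (offending IP address + time) back to a realm and
login time with the service provider's DHCP log and its RADIUS authentication
detail log.  Added example, not GEANT or CANARIE code.  The two logs are
constructed samples in the shape of ISC dhcpd syslog lines and a FreeRADIUS
detail file.  All clocks are assumed NTP-synchronised and in UTC."""
import calendar
import re
import time

DHCP_LOG = """\
Aug 16 09:00:00 dhcp1 dhcpd: DHCPACK on 142.58.1.10 to aa:bb:cc:dd:ee:ff (old-laptop) via eth1
Aug 16 10:04:58 dhcp1 dhcpd: DHCPACK on 142.58.1.10 to 00:11:22:33:44:55 (joes-laptop) via eth1
Aug 16 10:05:02 dhcp1 dhcpd: DHCPACK on 142.58.1.11 to 66:77:88:99:aa:bb via eth1
"""

AUTH_DETAIL = """\
Tue Aug 16 08:59:40 2011
\tPacket-Type = Access-Accept
\tUser-Name = "bob@ubc.ca"
\tCalling-Station-Id = "AA-BB-CC-DD-EE-FF"
\tTimestamp = 1313485180

Tue Aug 16 10:04:30 2011
\tPacket-Type = Access-Reject
\tUser-Name = "anonymous@sfu.ca"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tTimestamp = 1313489070

Tue Aug 16 10:04:51 2011
\tPacket-Type = Access-Accept
\tUser-Name = "anonymous@sfu.ca"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tTimestamp = 1313489091
"""

DHCP_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to ([0-9A-Fa-f:]{17})")


def norm_mac(mac):
    """Wireless NASes send Calling-Station-Id as 00-11-22-33-44-55 while dhcpd
    logs 00:11:22:33:44:55; normalise both to lower-case, colon-separated."""
    return mac.lower().replace("-", ":") if mac else None


def parse_dhcp(text, year):
    """Return (epoch, ip, mac) for every DHCPACK.  syslog lines carry no year,
    so the caller supplies it."""
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            stamp, ip, mac = m.groups()
            epoch = calendar.timegm(time.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
            leases.append((epoch, ip, norm_mac(mac)))
    return leases


def parse_detail(text):
    """Parse FreeRADIUS detail records into dicts; '_epoch' comes from the
    Timestamp attribute when present, else from the record's header line."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] not in " \t":                # unindented header starts a record
            cur = {"_header": line.strip()}
            records.append(cur)
            continue
        if cur is None:                         # attribute before any header
            continue
        name, _, value = line.strip().partition(" = ")
        cur[name] = value.strip('"')
    for r in records:
        if "Timestamp" in r:
            r["_epoch"] = int(r["Timestamp"])
        else:
            r["_epoch"] = calendar.timegm(time.strptime(r["_header"], "%a %b %d %H:%M:%S %Y"))
    return records


def trace(ip, report_time, dhcp_log=DHCP_LOG, auth_log=AUTH_DETAIL, year=2011):
    """The slide's steps: IP -> MAC via the latest DHCPACK at or before
    report_time, then the latest Access-Accept for that MAC, then realm and
    timestamp.  Returns None when either hop has no record."""
    leases = [l for l in parse_dhcp(dhcp_log, year) if l[1] == ip and l[0] <= report_time]
    if not leases:
        return None
    lease_time, _, mac = max(leases)
    accepts = [r for r in parse_detail(auth_log)
               if r.get("Packet-Type") == "Access-Accept"
               and norm_mac(r.get("Calling-Station-Id")) == mac
               and r["_epoch"] <= report_time]
    if not accepts:
        return None
    session = max(accepts, key=lambda r: r["_epoch"])
    outer = session.get("User-Name", "")
    return {"ip": ip, "mac": mac, "lease_time": lease_time,
            "outer_identity": outer,            # may be anonymous@realm
            "realm": outer.rpartition("@")[2].lower() or None,
            "auth_time": session["_epoch"]}


if __name__ == "__main__":
    # Constructed report: abuse from 142.58.1.10 at 10:30:00 UTC on 16 Aug 2011.
    print(trace("142.58.1.10", 1313490600))
```

      Two details matter in practice and are why the slides insist on lease times and NTP: the same address was held by a different MAC earlier that morning, so the lease chosen must be the latest one issued at or before the report time, and the outer identity that comes back is anonymous@sfu.ca, which is exactly why only the realm and the timestamp are handed to the OT and the home IdP resolves the actual user.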
    • RELIABLE TIME SOURCE
      All logs must be synchronised to a reliable time source.
      • E.g. using Network Time Protocol (NTP).
      • SNTP is also okay.
    • TECHNICAL CONTACT
      Each federation must designate a technical contact:
      • Must be available via email and telephone during office hours.
      • May be a named individual or an organisational unit.
      • Cover during absence from work must be provided.
    • Onboarding Checklist
      Are the IP addresses accurate?
      Some servers may be NAT'd
      CAF requires accurate IPs to configure the local firewall (RADIUS peers are identified by source address, so a NAT'd address that differs from the one registered will be dropped)
      Successful local domain authentication?
      <you>@<yourdomain>.ca should work before any federation shared secret is configured, since a local realm is answered locally and never proxied
      Do you have proper password storage?
      If you authenticate via LDAP, MS-CHAPv2 (what Windows 7's built-in supplicant uses inside PEAP) requires the RADIUS server to obtain the NT hash or cleartext password; a plain LDAP bind cannot validate an MS-CHAPv2 response
      Workarounds are available (smbclient, or Samba's ntlm_auth against AD), but be sure to review how the password validation occurs
      Proper ports configured?
      (dest: 1645, 1646; these are the legacy RADIUS ports, RFC 2865/2866 assign 1812/1813, so confirm which pair the federation server and your firewall expect)
    • 47. Issue Escalation
    • 48. USER SUPPORT: PROBLEM ESCALATION SCENARIO (1)
      Diagram (labels only): user; visited federation with local institution admin and fed.-level admin; eduroam OT; home federation with fed.-level admin and local institution admin. Steps numbered 1,2, 3 and 4.
    • 49. USER SUPPORT: PROBLEM ESCALATION SCENARIO (2)
      Diagram (labels only): the same actors (user, local institution admins, fed.-level admins of the visited and home federations, OT), with steps numbered 1,2, 3, 4, 4a, 4b, 5 and 6.
    • 50. Questions?
      For more info or details please contact: Chris.phillips@canarie.ca