Canarie CAF-eduroam Technical Workshop

1,213 views

Published on

CANARIE-CAF's half-day Technical Workshop slide deck, discussing eduroam, implementation profiles and lessons learned.

Speaker notes:
  • Current as of May 2011
  • Key to our success: developing a streamlined, standardized approach for connecting schools. Additional ongoing support from participating institutions as part of a Community of Practice.

1. Canadian Access Federation
    Eduroam workshop
    Aug 2011
    Chris Phillips – chris.phillips@canarie.ca

2. Credits
    Thanks to other content contributors:
    • Jens Haeusser – UBC – technical negotiation slides
    • GEANT & TERENA – logging and other areas
    • Prior implementors for inspiring the checklist
    Useful reference sites:
    • http://eduroam.ca – Canadian eduroam site
    • http://eduroam.org – top-level eduroam site
    • http://eduroamus.org – US eduroam site

3. Use Case – Wireless Access
    Without eduroam:
    • User arrives, needs to get onto wireless
    • Needs to talk to IT staff to get a credential created in the system and a password set
    • User waits for account
    • User uses known password, signs into wireless
    • When the user is done, IT should be notified to delete the account and terminate access (right?)
    • IT deletes account (right?)
    • Done
    With eduroam:
    • User arrives, needs to get onto wireless, has an eduroam-enabled ID
    • Opens laptop
    • User is authenticated to home system and is online
    • Done

4. Eduroam impact
    Reduces:
    • effort supporting guest network IDs
    • support calls ("How do I…?")
    • guest account footprint in your systems
    Only available on wireless systems, not others.

5. How does eduroam work?
    • 802.1X – to authenticate clients before allowing access to the network
    • EAP framework – with secure EAP methods to protect user credentials
    • RADIUS – authentication server infrastructure
    • RADIUS proxying – to route authentication requests to a user's home institution
    • Separate IP address space – treated as external to the institution (compliance with service agreements, etc.)
    • End users have standard internet access with as few filters as possible (if any at all)

6. Secure Wireless – 802.1X
    (April 27th 2010, Canada eduroam)
    Diagram labels: secure.wireless.ubc.ca, ssid: ubcsecure, id: jdoe; wireless encryption established.
    1) Negotiate authentication method: EAP-PEAPv0-MSCHAPv2
    2) Certificate validation – prevents "man-in-the-middle" attack
    3) Establish secure tunnel – prevents eavesdropping
    4) Perform authentication through the tunnel, using MSCHAPv2
    5) Authentication successful – establish encryption, connect to net
    6) Client acquires IP address (DHCP)

7. Eduroam – Roaming User
    Diagram: federation server (realm: ca); institution servers (realm: ubc.ca, realm: sfu.ca); ssid: eduroam; id: joe@sfu.ca; cert: eduroam.sfu.ca
    1) Negotiate EAP type: EAP-TTLS-PAP
    2) Outer request – validate cert, establish TLS tunnel (PAP – through tunnel – secure!)
    3) Inner request
    4) Success – connect to network, establish encryption

8. Eduroam – International Roaming
    Diagram: confederation server; federation servers (realm: ca, realm: edu); institution realms ubc.ca, sfu.ca, mit.edu, ucla.edu; id: pam@mit.edu
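The realm-based proxying of slides 7 and 8, as an added Python example (not code from the deck or from any RADIUS product): a federation-level server for realm ca forwards member realms to the institution server, rejects unknown .ca realms instead of bouncing them upward, and hands foreign realms to the confederation server, which routes by top-level realm. All hostnames and routing tables are constructed placeholders.

```python
from typing import Optional, Tuple

# Constructed routing tables: a Canadian federation-level server (realm "ca")
# with two member institutions, and the confederation server's table of
# top-level realms. All hostnames are placeholders.
FEDERATION_REALM = "ca"
MEMBER_REALMS = {"ubc.ca": "radius.ubc.example", "sfu.ca": "radius.sfu.example"}
CONFEDERATION_SERVER = "confederation.example"
FEDERATION_SERVERS = {"ca": "federation-ca.example", "edu": "federation-edu.example"}


def realm_of(user_name: str) -> Optional[str]:
    """Realm part of the outer User-Name (after the last '@'), lower-cased; None if absent."""
    if "@" not in user_name:
        return None
    realm = user_name.rsplit("@", 1)[1].strip().lower()
    return realm or None


def federation_route(user_name: str) -> Tuple[str, str]:
    """Decision of a federation-level server for one Access-Request: (action, destination).

    Only the realm is inspected; the local part may be 'anonymous' (outer identity)
    and is never needed for routing.
    """
    realm = realm_of(user_name)
    if realm is None:
        return ("reject", "no realm")  # nothing to route on; never guess a home IdP
    if realm in MEMBER_REALMS:
        return ("forward", MEMBER_REALMS[realm])
    if realm == FEDERATION_REALM or realm.endswith("." + FEDERATION_REALM):
        # Ours but not on-boarded: reject here rather than bounce it up and back (loop).
        return ("reject", "unknown member realm")
    return ("forward", CONFEDERATION_SERVER)  # foreign realm: confederation routes by TLD


def confederation_route(user_name: str) -> Tuple[str, str]:
    """Confederation server: forward by top-level realm, e.g. pam@mit.edu -> the 'edu' federation."""
    realm = realm_of(user_name)
    tld = realm.rsplit(".", 1)[-1] if realm else None
    if tld in FEDERATION_SERVERS:
        return ("forward", FEDERATION_SERVERS[tld])
    return ("reject", "no federation for realm")
```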
9. Reciprocity – Hallmark of eduroam
    Eduroam is about you treating guest credentials how you would like to be treated.
    Just think about what you would like when you travel:
    • No filtered connections
    • No traffic shaping
    • Public IP address (where possible)
    • NAT is not necessarily appropriate, but if you already give people private IPs now, it probably works out OK.

10. eduroam @ CANHEIT2011 – McMaster

11. Canadian eduroam Coverage

12. Digging into Deployment Details

13. Sample Deployment: Queen's

14. Cisco ACS Config

15. Onboarding Process
    Canada has ~28 of 92 universities on eduroam.
    The US has slightly fewer in number (25) but 3,000-plus institutions.
    Eduroam operator:
    • Standard template for connecting new sites
    • Policy sign-off followed by technical implementation
    • Estimated time for Canada federation-level RADIUS server personnel:
      - on-board a new member site: a few hours to two person-days, depending on member site expertise
      - general maintenance: ~one person-day per month
    Eduroam site:
    • Local implementation from 4 hours to 4 weeks depending on capabilities
    • Skill: operate/install RADIUS on your choice of platform (Cisco ACS, Microsoft NPS, FreeRADIUS)
    • Operational maintenance: same as your AuthN server now

16. Important Implementation Decisions
    Your RADIUS platform: keep it simple, with the least number of cogs in the machine.
    • Running Active Directory? You may already have RADIUS (NPS).
    • Running Cisco ACS? You can use that.
    • Want an alternative commercial platform? RADIATOR is likely your choice – heavily Perl influenced. Root servers run RADIATOR.
    • Looking for 'free'? FreeRADIUS. Need to deal with MS-CHAPv2 properly.
    Recommendation is to split the config for proxying and answering between 2 instances for clarity/diagnosis sake (see Queen's build).

17. About Server Certificate
    This certificate is on your IdP.
    Users see this and will evaluate the authenticity of the password validation.
    Self-signed is not recommended. Would YOU trust it?
    How do you convince the 1st-year student to ascertain it as valid and not a rogue AP doing an attack?

18. Problem Solving/Diagnosis

19. Logging
    Cue GEANT Module 5
20. Module 5: Log Files, Statistics and Incidents

21. WHY KEEP LOG FILES?
    Log files are used to track malicious users and to debug possible problems.
    Aim: provide evidence to government agencies:
    • Offender's realm and login time.
    Why not provide the User-Name?
    • User-Name attribute could be obfuscated.
    • Outer identity could be anonymous or forged.

22. TRACING THE USER'S REALM (1)
    You should keep:
    • DHCP or ARP sniffing log.
    • RADIUS authorisation log.
    • Clock synchronised with Network Time Protocol (NTP).

23. TRACING THE USER'S REALM (2)
    Steps:
    1) Identify IP address of malicious user.
    2) Find MAC address in DHCP or ARP sniffing log.
    3) Find authentication session in auth log.
    4) Take realm and timestamp from auth log.

24. NEXT STEPS
    Approach eduroam Operations Team (OT).
    • OT can link realm to a home federation.
    • Home federation can find user's identity provider.
    • Identity provider can find the user name.
    • Cross-reference timestamp from service provider's auth log with own logs.

25. A CLOSER LOOK AT LOGGING REQUIREMENTS
    Let's look more closely at logging requirements:
    • Network addressing.
    • Auth logs.
    • Reliable time source.
    • Technical contact.

26. NETWORK ADDRESSING
    Service providers:
    • Should provide visitors with publicly routable IPv4 addresses using DHCP.
      Side-thought: why is NAT considered bad?
    • Must be able to find a MAC address from the IP address.
    • Must log:
      - Time client's DHCP lease was issued.
      - MAC address of client.
      - IP address allocated to client.

27. AUTH LOGS
    Identity providers must log all authentication attempts, recording:
    • Authentication result returned by authentication database.
    • Reason for denial or failure of authentication.

28. AUTH LOGS (2)
    At what point should logs be kept?
    • After packet reception from client.
    • Before handing off to proxy.
    • After getting reply from proxy.
    • Before sending reply back to client.
    Pre-configured modules exist in FreeRADIUS: auth_detail, pre_proxy_detail, post_proxy_detail, reply_detail
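The four tracing steps of slides 23 and 24, run in Python over constructed DHCP lease and RADIUS auth log lines. This is an added example, not part of the GEANT module or the deck: the log formats, addresses and MACs are invented, and real formats depend on your DHCP server and RADIUS platform. It resolves the IP in use at the incident time to the MAC, then to the realm and auth timestamp (never the user name, whose outer identity may be anonymous), and handles the case where the same IP was leased to someone else earlier.

```python
from datetime import datetime, timezone
from typing import Optional, Tuple
# Constructed DHCP lease log: UTC timestamp, leased IP, client MAC.
DHCP_LOG = """\
2011-08-10T14:01:12Z lease 203.0.113.40 to aa:bb:cc:00:11:22
2011-08-10T14:05:30Z lease 203.0.113.41 to aa:bb:cc:33:44:55
2011-08-10T15:20:03Z lease 203.0.113.40 to aa:bb:cc:66:77:88
"""
# Constructed RADIUS auth log: timestamp, Calling-Station-Id (MAC), outer User-Name, result. Not in time order.
AUTH_LOG = """\
2011-08-10T14:05:28Z calling=aa:bb:cc:33:44:55 user=anonymous@sfu.ca result=Access-Accept
2011-08-10T14:01:10Z calling=aa:bb:cc:00:11:22 user=jdoe@ubc.ca result=Access-Accept
2011-08-10T15:19:55Z calling=aa:bb:cc:66:77:88 user=anonymous@MIT.edu result=Access-Reject
2011-08-10T15:19:59Z calling=aa:bb:cc:66:77:88 user=anonymous@MIT.edu result=Access-Accept
"""
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)

def mac_for_ip(ip: str, when: datetime) -> Optional[str]:
    """Steps 1-2: the MAC holding `ip` at `when` is the latest lease of that IP
    issued at or before `when` (an earlier holder of the same IP must not match)."""
    best = None
    for line in DHCP_LOG.splitlines():
        ts, _, lease_ip, _, mac = line.split()
        t = parse_ts(ts)
        if lease_ip == ip and t <= when and (best is None or t > best[0]):
            best = (t, mac)
    return best[1] if best else None

def realm_for_mac(mac: str, when: datetime) -> Optional[Tuple[str, str]]:
    """Steps 3-4: latest Access-Accept for `mac` at or before `when`;
    returns (realm, auth timestamp). Rejects are skipped: they opened no session."""
    best = None
    for line in AUTH_LOG.splitlines():
        ts, calling, user, result = (f.split("=", 1)[-1] for f in line.split())
        t = parse_ts(ts)
        if calling == mac and result == "Access-Accept" and t <= when and (best is None or t > best[0]):
            best = (t, user.rsplit("@", 1)[-1].lower())
    return (best[1], best[0].strftime(TS_FMT)) if best else None

def trace(ip: str, when_str: str) -> Optional[dict]:
    """IP + time of the incident -> what the OT needs: MAC, realm and auth timestamp.
    Deliberately no user name: the outer identity may be anonymous or forged."""
    when = parse_ts(when_str)
    mac = mac_for_ip(ip, when)
    hit = realm_for_mac(mac, when) if mac else None
    return {"mac": mac, "realm": hit[0], "auth_time": hit[1]} if hit else None
```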
29. RELIABLE TIME SOURCE
    All logs must be synchronised to a reliable time source.
    • E.g. using Network Time Protocol (NTP).
    • SNTP also okay.

30. TECHNICAL CONTACT
    Each federation must designate a technical contact:
    • Must be available via email and telephone during office hours.
    • May be a named individual or an organisational unit.
    • Cover during absence from work must be provided.

31. Onboarding Checklist
    • Are the IP addresses accurate?
      Some servers may be NAT'd.
      CAF requires accurate IPs to configure the local firewall.
    • Successful local domain authentication?
      <you>@<yourdomain>.ca should work without a shared secret, as it should remain local.
    • Do you have proper password storage?
      If you auth via LDAP, MS-CHAPv2 Win7 clients will require a certain password validation technique.
      Workarounds are available (smbclient), but be sure to review how the password validation occurs.
    • Proper ports configured? (dest: 1645, 1646)
32. Issue Escalation

33. USER SUPPORT: PROBLEM ESCALATION SCENARIO (1)
    (Diagram: escalation path between the user, the local institution admin, the visited federation's fed.-level admin, the home federation's fed.-level admin and the home institution admin, with the OT alongside; steps numbered 1–4.)

34. USER SUPPORT: PROBLEM ESCALATION SCENARIO (2)
    (Diagram: same parties; steps numbered 1–6, with OT branches 4a and 4b.)

35. Questions?
    For more info or details please contact: chris.phillips@canarie.ca
