
TERENA TF-Mobility: Roaming for WLANs


Presentation Transcript


  1. TERENA TF-Mobility: Roaming for WLANs
     Tim Chown, tjc@ecs.soton.ac.uk, University of Southampton
     TF-Mobility WG & UKERNA Wireless Advisory Group

  2. TF-Mobility objectives
     • Formation
       • Original participants: SURFnet, UKERNA, DFN, SWITCH, UNINETT, FUNET
       • Taskforce started on January 1 2003
     • Key objectives
       • Evaluate AAA techniques in mobile environments.
       • Create an inter-NREN WLAN roaming architecture and test bed and conduct tests.
       • Evaluate mobile equipment and technology.
       • Evaluate next generation mobile technology for handover and roaming (Mobile IPv6).

  3. TF-Mobility status
     • Quickly homed in on the topic of WLAN roaming between university sites
     • Catalogued WLAN access control technologies
       • Web-redirection
       • 802.1x
       • Restricted VPN
       • Roamnode
     • Selecting the “best” solution for roaming support
       • Or at least proposing interoperability methods for the leading solutions
     • Operating international test beds

  4. Roaming requirements
     • Any system that enables roaming should:
       • Be scalable
       • Have minimal administrative overhead
       • Avoid the need for additional hardware/systems
       • Have appropriate security for the infrastructure
       • Have user access controlled by their home institution
       • Allow users to use their own security (e.g. VPN/ssh)
       • Have good usability for all needed/used platforms
       • Provide accounting and logging
       • Ensure AUPs and policy requirements are met

  5. Access control mechanisms
     • (Very) basic methods:
       • Hidden SSID
       • MAC-based authentication
       • DHCP control of IP addresses
       • Use of WEP
     • More advanced methods:
       • Web-redirect
       • Restricted VPN
       • 802.1x
       • Roamnode (a homebrew system, more later…)

  6. 1: Web-redirection
     • Commonly seen at commercial hotspots
       • Used by BTOpenZone, Telia Homerun, …
     • Popular in UK universities via the BlueSocket product
     • User runs a web client
     • Access controller detects the web request
       • Redirects the browser to an authentication screen
     • User enters credentials
       • If successful, the controller opens access for the user
     • Users can be placed into “roles”
       • Allows variable external access restrictions to be applied

  7. Web-redirection [diagram: WWW-browser on the Public Access Network, Access Control Device, AAA Server and Internet, with the exchange shown as numbered steps 1 to 5]

  8. Web-redirect advantages
     • May authenticate using different tokens:
       • Username/password, scratch card, SMS
     • Commercial and free systems available
       • e.g. BlueSocket, Vernier, NoCatAuth, …
     • Can interface to RADIUS lookup
       • Important for potential scalable roaming support
     • Can fine-tune access policy on the firewall
     • Only requires a web browser on the user’s device
     • Can use cheaper (non-802.1x) access points
     • Can run a VPN after authenticating

  9. Web-redirect disadvantages
     • Web challenge server could be spoofed
       • Users tend not to check the web server certificate
     • Some such systems do not offer SSL protection
       • Some devices may not support use of SSL
       • Though this is increasingly rare
     • There can be issues detecting detachment
     • DHCP may be spoofed
       • User traffic may be redirected/relayed/intercepted
       • (Roamnode uses PPPoE for this reason)

  10. 2: Restricted VPN
     • User gains local IP access via DHCP
       • (May use RFC1918 addresses locally)
     • Access network only allows VPN out
       • To a restricted set of VPN servers
       • Firewall blocks all other traffic out of the network
     • User connects to their home VPN server
       • Requires a VPN client
     • Some examples in European networks
       • SWITCHmobile in the Swiss academic network
       • There the “restricted set” is all Swiss universities

  11. SWITCHmobile

  12. VPN advantages
     • Ensures data security via the VPN connection
     • Most (all?) universities now have a VPN service
     • User appears to be at the home university
       • IP address allocated by the home site
       • IP-based access mechanisms work
       • For example to access bibliographic resources
       • (Though IP-based authentication is not great!)
     • Most devices now have VPN client software
       • Palm Tungsten C ships with WLAN and VPN

  13. VPN disadvantages
     • For the roaming solution:
       • Need to manage a large list of trusted VPN servers
       • Needs to be automatically applied to firewall ACLs
       • (Could “simplify” by using address ranges per NREN)
     • VPN service scalability – need to provision for:
       • High bandwidth/volume of remote users
     • All user traffic routed via the home VPN
       • Has an impact on latency for traffic
     • Roamers may be a source of viruses/worms
       • VPNs often have no firewalling into the home network

  14. Wbone for VPNs
     • A method deployed in Bremen
     • Each access network at any site uses its own unique RFC1918 address space
     • All sites are connected via permanent IP tunnels over the public academic network
     • Users connect to the home VPN gateway using the private address of that gateway
     • Requires heavy coordination

  15. Roamnode
     • A homebrew solution from the University of Bristol (UK)
     • Uses PPPoE rather than DHCP
       • Akin to the access model for home users through their (broadband) ISP
     • Private IP space used for the roaming node
     • Once admitted, the user (can only) run a VPN back to their home institution

  16. Roamnode advantages
     • PPPoE is more secure than DHCP
       • Less potential for spoofing
     • Visited institution does not provide an IP address
       • Arguably makes deployment easier
     • Offers RADIUS support
       • Potential for plug-in to a national RADIUS scheme
     • Clients use VPNs
       • Thus shares the pros and cons of VPN usage

  17. Roamnode disadvantages
     • PPPoE client availability
       • Not yet available for the Pocket PC PDA platform
     • And because the client uses a VPN:
       • The usual drawbacks of the VPN approach

  18. 802.1x
     • Port-based (layer 2) access control
     • Run an 802.1x client on the user device
       • Communicates with the authenticator (in the access point)
     • User supplies a credential (e.g. user@foo.ac.uk)
       • Carried over EAP, e.g. EAP-TLS or EAP-TTLS
     • Access point relays the request to a RADIUS server
     • RADIUS response processed by the access point
       • May add the user to a given VLAN
     • Runs at Layer 2 (Ethernet admission)

  19. 802.1x with RADIUS referral [diagram: Supplicant (client), Authenticator (access point) and Authentication Server (RADIUS server) with its DB at Institution A; a Central RADIUS Proxy server reached over the Internet; Authentication Server (RADIUS server) with its DB at Institution B]

  20. 802.1x advantages
     • Growing client (“supplicant”) support
       • MacOS/X built-in, WinXP support good
     • EAP-TTLS needs only a RADIUS server certificate
     • WEP keys refreshed regularly
     • Supported by many access points
     • Can interface to RADIUS
       • Thus has potential as a scalable roaming method
     • Can be used on wired docking points too
     • User can run a VPN after being admitted

  21. 802.1x disadvantages
     • Requires special client (“supplicant”) software
       • Not universally available
       • But growing in stature and popularity
     • Participating RADIUS server(s) must support the EAP type
       • Any relaying servers must be able to forward EAP
       • Radiator RADIUS server was tested heavily in the pilot
     • 802.1x-capable access points are expensive
       • But prices are falling fast
     • Living a little on the bleeding edge

  22. Interoperability
     • Interoperability will be very important
       • E.g. in the transition to deploy new technology, like 802.1x
     • May require special AP functions
       • Ability to offer multiple SSIDs or VLANs
       • Run different methods on different SSIDs/VLANs
       • 802.1x on a “trusted” VLAN and SSID
       • Perhaps run a more basic method on another VLAN and SSID as a fallback mechanism during transition
     • 802.1x + multi-SSID + multi-VLAN access points
       • Still quite rare, but available

  23. A roaming infrastructure
     • Explore synergies between the methods
     • Common use of a RADIUS back-end
       • Used by Web-redirect, 802.1x, Roamnode
     • Suggests the concept of RADIUS referrals
       • Unknown credentials passed up the hierarchy
       • Relayed by proxy to the home institution
       • Response relayed back to the querying site
       • Differential access based on local/remote user
     • In parallel explore scalability of the VPN method

  24. RADIUS relationships
     • RADIUS carries authentication requests
       • Needs shared secret configuration between sites
     • To scale, do not want an n-squared setup
       • So each site “peers” with a national RADIUS server
       • Each national server “peers” with the EU server
       • Enables a “web of trust” between sites
     • Sites use their own auth backend, e.g. Active Directory
     • Open questions:
       • What are the security requirements on the peerings?
       • Should certain access control methods be dissuaded?
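The referral mechanism of slides 23 and 24, as an added Python example that is not part of the presentation or of any TF-Mobility software: a request for an unknown realm is referred up from the visited site through its national proxy to the top-level proxy and routed back down to the home site, each hop requiring a configured shared secret. Node names, realms, users and secrets are assumptions made for illustration.

```python
# Added example (not TF-Mobility or Radiator code): simulation of the realm-based
# RADIUS referral on slides 23-24. Unknown realms are referred up the hierarchy
# (site -> national -> top-level proxy) and known ones routed down to the home
# site. All names, realms, users and shared secrets here are constructed.
from dataclasses import dataclass, field

@dataclass
class RadiusNode:
    name: str
    realm: str = ""                               # realm served locally (site servers only)
    users: dict = field(default_factory=dict)     # stand-in for the site's auth backend
    peers: dict = field(default_factory=dict)     # peer name -> shared secret, one per peering
    parent: "RadiusNode | None" = None            # next hop up the hierarchy
    children: dict = field(default_factory=dict)  # realm suffix -> downstream proxy or site

def peer(upper, lower, secret, suffix):
    """Configure one shared-secret peering and make lower the route for suffix."""
    upper.peers[lower.name] = lower.peers[upper.name] = secret
    upper.children[suffix] = lower
    lower.parent = upper

def authenticate(node, identity, password, via=None, path=()):
    """Process an Access-Request at node; returns (result, list of hops taken)."""
    path = list(path) + [node.name]
    if via is not None and node.peers.get(via.name) is None:
        return "Access-Reject (no shared secret with %s)" % via.name, path
    user, sep, realm = identity.rpartition("@")
    if not sep:                                   # no realm: treat as local to this node
        user, realm = identity, node.realm
    if realm == node.realm:                       # home site: consult the local backend
        return ("Access-Accept" if node.users.get(user) == password else "Access-Reject"), path
    for suffix, child in node.children.items():  # realm known below: route down towards it
        if realm == suffix or realm.endswith("." + suffix):
            return authenticate(child, identity, password, node, path)
    if node.parent is not None:                   # unknown here: refer up the hierarchy
        return authenticate(node.parent, identity, password, node, path)
    return "Access-Reject (unknown realm)", path

def build_testbed():
    """Two NRENs with one site each under a single top-level proxy (constructed)."""
    top, uk, nl = RadiusNode("etlr"), RadiusNode("uk-proxy"), RadiusNode("nl-proxy")
    soton = RadiusNode("soton", "soton.ac.uk", users={"tim": "s3cret"})
    surf = RadiusNode("surfnet", "surfnet.nl", users={"anna": "pw"})
    peer(top, uk, "secret-uk", "ac.uk"); peer(top, nl, "secret-nl", "nl")
    peer(uk, soton, "secret-soton", "soton.ac.uk"); peer(nl, surf, "secret-surf", "surfnet.nl")
    return {"top": top, "uk": uk, "nl": nl, "soton": soton, "surfnet": surf}

def secrets_needed(sites, countries):
    """Shared secrets to manage: full mesh between sites vs. the hierarchy."""
    return sites * (sites - 1) // 2, sites + countries
```

Calling `authenticate(tb["surfnet"], "tim@soton.ac.uk", "s3cret")` on the constructed testbed returns an Access-Accept with the hop list surfnet, nl-proxy, etlr, uk-proxy, soton; a realm no proxy serves is rejected at the top level, and a request arriving from an unpeered server is rejected at the first hop.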

  25. RADIUS proxy hierarchy testbed (network topology view) [diagram]
     • Top-level RADIUS proxy server etlr1.radius.terena.nl (192.87.36.6) and backup top-level RADIUS proxy server etlr2.radius.terena.nl (195.169.131.2); the top level is currently hosted at SURFnet
     • National RADIUS proxy servers, currently linked to FCCN (Portugal), CARNET (Croatia), SURFnet (Netherlands) and FUNET (Finland)
     • Organisational RADIUS servers beneath each national proxy; those labelled in the diagram include FOKUS (Berlin) and the University of Southampton

  26. Future work
     • Trials & refinement of the RADIUS hierarchy
     • Location Independent Networking (LIN) architecture
       • Consider RADIUS credential formats and semantics
       • Understand interoperability of methods
       • Study methods to scale VPN roaming
       • Define policy issues
       • Security analysis of all aspects of the LIN model
     • Wider trials of Bristol’s Roamnode
     • Consider and deploy (Mobile) IPv6 implications

  27. Internet 2 interest?
     • US universities have significant WLANs
       • Often much bigger than European deployments
     • Is there a desire for a roaming infrastructure?
       • Are mobility requirements different in the US?
       • What is Internet 2 doing in this area now?
     • Perhaps join the TF-Mobility trial?
       • If any university is interested
     • Shibboleth integration/interoperability
       • Many issues to consider, but should be feasible

  28. More info
     • TERENA TF-Mobility
       • http://www.terena.nl/tech/task-forces/tf-mobility/
       • (Deliverable G in particular)
     • UKERNA WAG
       • http://www.ja.net/development/network_access/wireless/wag/
       • Including LIN proposal
     • UK Networkshop event presentations
       • http://www.ja.net/conferences/networkshop
