Belnet Networking Conference 2013
Thursday 12 December 2013 @
Belnet - Workshop govroam
3/12/2013
Workshop roaming services:
eduroam / govroam
Belnet – Aris Adamantiadis, Nicolas Loriau
Bruxelles – 05 December 2013
Agenda
13h30 Introduction
14h00 Technical infrastructure
14h30 Coffee break
14h45 How to implement (Linux or Windows session)
16h30 Best practices and conclusions
17h00 Networking drink
Roundtable
• Name and organization?
• Experiences with Belnet?
What is it?
govroam
• GOVernment ROAMing
• Simple and secure access to wifi network
• Belnet initiative based on eduroam technologies
• For governmental institutions, administrations, …
• http://www.govroam.be
eduroam
• EDUcation ROAMing
• Simple and secure access to wifi network
• Terena project to provide students access to internet
• For research and education institutions
Why?
• Increased Mobility: users can make use of the Wifi infrastructure at other members
• Easy: users only need their home organization account to login
• Secure: centralized accounts, no local copies
• Cost effective: is included with your connectivity
Technical infrastructure
Technical Framework
– Principles
– Components
– Authentication flow
Demo
– Objectives
– Test environment
– Installation
• Linux (Radiator, Freeradius)
• Windows (W2K8R2 NPS)
Future of the service
Principles
To install roaming services, you need:
– Wi-Fi access points and/or 802.1x switches
– RADIUS server
– User database / LDAP / AD
Based on a hierarchy of RADIUS servers
Principles
It is:
– A trust-based relationship between members
– An agreement on roaming technologies
Chain of trust:
– All direct peers must be known beforehand
– Shared secrets must be exchanged “out-of-band”
– Agreement on authentication protocols & methods
Principles
Hierarchy of authentication servers
(Diagram: Belgian Top-Level AS (“Federation”) above AS Institution-A.be and AS Institution-B.be (“Institution”))
Principles
Hierarchy of authentication servers (eduroam)
Components
Client / Supplicant
– Software on the end user's device which handles network authentication
– Minimum requirements: WPA2, EAP-TTLS, PEAP enabled
Components
Network Access Server / Authenticator / Service Provider
– IEEE 802.1X enabled switch or wireless access point which provides Clients access to the (W)LAN
– Separate VLAN for home and visiting end users
Components
Authentication Server / Identity Provider
– Remote Authentication Dial In User Service (RADIUS) compliant (RFC 2865/2866)
– NOT a user database
– Authenticates home end users against the local user database
– Forwards requests of visiting end users
– Software:
• Radiator
• FreeRADIUS
• MS Windows 2008R2 with NPS
• Others
Components
User identity source
– LDAP/AD
– Local database / SQL
Protocols and Methods
EAP Framework
– Extensible Authentication Protocol (RFC 5247)
– NOT a wire protocol nor an authentication mechanism
– Defines authentication data formats
Protocols & Methods
EAP Methods/Types: "How does EAP authenticate"
– Uses the EAP framework to remotely authenticate the end user's credentials against his home institute's Identity Provider
– 40+ different methods exist > use common secure ones!
• Outer Authentication: EAP-TTLS (RFC 5281), PEAP
• Inner Authentication: MSCHAPv2 (RFC 2759)
Protocols & Methods
EAP Encapsulation: "How EAP can be transported"
– In order to transport EAP messages, they must be encapsulated
– Between client and SP (802.1x)
• EAP over LAN = “EAPOL”
– Between SP & IdP, IdP & IdP
Security
Outer authentication
– Goal: securely transport the EAP messages between peers
– Authenticate the server (to avoid MitM attacks)
– PEAP, EAP-TTLS
Inner authentication
– Transmit unique user attributes (credentials)
– via MSCHAPv2
Security
EAP, 802.1X and RADIUS must be secured
(Diagram: Client – Service Provider Institution-A.be – Identity Provider Institution-A.be)
Security
EAP, 802.1X and RADIUS must be secured
Choice of security mechanisms is important
Authentication Flow
National Level (1/11)
1. The User contacts the Service Provider (SP) (Wireless Access Point) of institution A (SSID = govroam)
(Diagram: Client – Service Provider Institution-A.be – Identity Provider Institution-A.be – Belgian Top-Level RADIUS – Identity Provider Institution-B.be)
National Level (2/11)
2. The SP of institution A asks the user's identity. Not yet the credentials!
National Level (3/11)
3. The user identity is transmitted to the Identity Provider (IdP) (RADIUS server) of institution A using an EAP Access-Request message
National Level (4/11)
4. Based on the identity, the IdP of institution A knows that the user doesn't belong to its own user database and transmits the Access-Request to the Belgian RADIUS server.
National Level (5/11)
5. Based on the realm part of the identity, the Belgian RADIUS server transmits the Access-Request to the RADIUS server of institution B
National Level (6a/11)
6a. Now the IdP of institution B knows the User and a TLS tunnel is established between User and RADIUS server using the EAP encapsulation mechanism (outer authentication)
National Level (6b/11)
6b. During TLS establishment the User checks the RADIUS server certificate of his institution.
National Level (7/11)
7. Now the User is authenticated against his own institute's IdP, using traditional mechanisms (challenges, certificates, token...) (inner authentication)
National Level (8/11)
8. If the User is correctly authenticated, the RADIUS server of institution B sends an Access-Accept to the Belgian RADIUS server, otherwise it sends an Access-Reject
National Level (9/11)
9. The Belgian RADIUS server sends the Access-Accept to institution A
National Level (10/11)
10. The IdP of institution A tells its SP to grant access to the User and provides all information related to the local access policy (VLAN, IP address, ...)
National Level (11/11)
11. The User can now access LAN and Internet
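The realm-based routing of steps 4, 5, 7 and 8 above, as an added Python model that is not code from the slides or from Belnet. The server names (institution-a.be, institution-b.be, belgian-top-level), the test users and their passwords are constructed; the TLS tunnel of the outer authentication is left out so that only the proxy decisions and the Accept/Reject path are shown.

```python
# Added example, not from the Belnet slides: a small model of the RADIUS
# hierarchy in steps 1-11. Server names and test users are constructed; the
# TLS tunnel (outer authentication) is omitted, only realm routing is modelled.
from dataclasses import dataclass, field

@dataclass
class RadiusServer:
    name: str
    realms: set                                   # realms authenticated locally
    users: dict = field(default_factory=dict)     # local user database (IdP role)
    upstream: "RadiusServer | None" = None        # where foreign realms go (institution)
    routes: dict = field(default_factory=dict)    # realm -> server (top-level role)
    log: list = field(default_factory=list)

    def access_request(self, identity: str, password: str, hops: int = 0) -> str:
        """Handle an Access-Request; return 'Access-Accept' or 'Access-Reject'."""
        if hops > 3:  # longer than the hierarchy: a misrouted or looping request
            self.log.append(f"{self.name}: proxy loop for {identity}, rejecting")
            return "Access-Reject"
        user, sep, realm = identity.rpartition("@")
        if not sep or not realm:  # nothing to route on, do not forward blindly
            self.log.append(f"{self.name}: no realm in {identity!r}, rejecting")
            return "Access-Reject"
        if realm in self.realms:  # step 7: inner authentication at the home IdP
            ok = self.users.get(user) == password
            self.log.append(f"{self.name}: local auth {identity}: {ok}")
            return "Access-Accept" if ok else "Access-Reject"  # step 8
        if realm in self.routes:  # step 5: top-level routes on the realm part
            self.log.append(f"{self.name}: {realm} -> {self.routes[realm].name}")
            return self.routes[realm].access_request(identity, password, hops + 1)
        if self.upstream is not None:  # step 4: unknown realm goes to the federation
            self.log.append(f"{self.name}: {realm} -> {self.upstream.name}")
            return self.upstream.access_request(identity, password, hops + 1)
        self.log.append(f"{self.name}: unknown realm {realm}, rejecting")
        return "Access-Reject"


def build_federation():
    """Two institutions under one Belgian top-level server, as in the slides."""
    top = RadiusServer("belgian-top-level", realms=set())
    inst_a = RadiusServer("institution-a.be", {"institution-a.be"}, {"alice": "pw-a"}, upstream=top)
    inst_b = RadiusServer("institution-b.be", {"institution-b.be"}, {"bob": "pw-b"}, upstream=top)
    top.routes = {"institution-a.be": inst_a, "institution-b.be": inst_b}
    return top, inst_a, inst_b


def roam(identity: str, password: str):
    """A user at institution A's access point: every request enters via A's IdP."""
    top, inst_a, inst_b = build_federation()
    result = inst_a.access_request(identity, password)
    return result, inst_a.log + top.log + inst_b.log
```

The log returned by roam() lists which server made each forwarding or authentication decision, so a visiting user from institution B can be traced A -> top-level -> B and back, while an identity without a realm or with an unknown realm is rejected instead of being proxied further.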
How to implement
Objectives:
– Configuration of RADIUS server
• Using radiator
• Using freeradius
• Using W2K8
– Authenticate users against test domain ta.belnet.be
– Discuss other options
– Best practices
Prerequisites (out of scope)
Wi-Fi access point that must:
– be IEEE 802.1X compliant
– broadcast the SSID "eduroam" or “govroam”
– offer IEEE 802.11b or better
– implement WPA/TKIP or better (Belnet strongly recommends WPA2-AES!)
– allow traffic on defined ports (please refer to govroam)
User database:
– LDAP
Prerequisites (out of scope)
Server certificates
– Don't use a self-signed server certificate
– Successfully import server & chain certificate into Windows
– Use dcs.belnet.be to get a free signed server certificate
Correct server time
– Important for the setup of TLS tunnels
– Use Belnet's NTP server time.belnet.be to get the correct time
Firewalls & Ports
– UDP 1812
– UDP 1813
Demo environment:
Components overview
(Diagram: WAP + CTRL – RADIUS – Identity server (AD or LDAP))
Hierarchy
(Diagram: Belgian Top-Level AS (“Federation”) above AS belnet.be and AS ta.belnet.be (“Institution”))
Radiator Installation
Why “Radiator”?
– Belnet uses this product
– Easy & straightforward to deploy on Linux, Windows, ...
– Broad support for Identity & Access Management backends
– One of the first solutions which supported RadSec
Radiator Installation
Server set-up:
– Ubuntu Server 12.04 LTS “out-of-the-box”
– Radiator 4.9 for a virtual home organization “ta.belnet.be” in a
Linux environment
– Valid server certificate
Freeradius Installation
Why “Freeradius”?
– Free
– Easy to deploy on Linux, Windows, ...
– Broad support for Identity & Access Management backends
– Now supports RadSec
Freeradius Installation
Server set-up:
– Ubuntu Server 12.04 LTS “out-of-the-box”
– Latest freeradius version for virtual home organization
“ta.belnet.be”
– Valid server certificate
W2K8 r2 NPS Installation
Why “NPS”?
– Best option in a Windows environment
– Easy to deploy on Windows, ...
– Broad support for Identity & Access Management backends
– Easy link to AD
W2K8 r2 NPS Installation
Server set-up:
– Windows 2008 server r2 with NPS
– Valid server certificate
Radius server installation
(Diagram: WAP + CTRL – RADIUS – LDAP/AD)
Radius server installation: Configuring RADIUS client (wlan controller)
Radius server installation: Configuring the remote RADIUS
Radius server installation: Configuring proxy RADIUS
Radius server installation: Link with LDAP
Radius server installation: Configuring top level RADIUS
Registration @ Belnet
govroam web-interface
– Facilitate the configuration of your govroam parameters
• RADIUS servers
• Shared secrets
• Test accounts
Authentication Flow 1: local - local
A user from the local institution ta.belnet.be sends an access request to the local “xxxroam” WLAN
(Diagram: wlan-ctrl (SSID = “xxxroam”) – ta.belnet.be RADIUS + LDAP – Belgian Top-Level RADIUS roaming1.belnet.be / roaming2.belnet.be)
Authentication Flow 2: remote - local
A remote user from Belnet sends an access request to the local “xxxroam” WLAN
(Diagram: wlan-ctrl (SSID = “xxxroam”) – ta.belnet.be RADIUS – Belgian Top-Level RADIUS roaming1.belnet.be / roaming2.belnet.be – radius.belnet.be – ldap.belnet.be)
Authentication Flow 3: local - remote
A local user from institution ta.belnet.be sends an access request to remote Belnet's “xxxroam” WLAN
(Diagram: wlan-ctrl (SSID = “eduroam”) – LDAP belnet.be – Belgian Top-Level RADIUS roaming1.belnet.be / roaming2.belnet.be – ta.belnet.be RADIUS + LDAP)
Conclusion
Technical Framework
Demo
Belnet is there to help you
Q&A