
AAA Considerations for Mobile Network Access - TERENA

AAA Considerations for Mobile Network Access

Malaga, November 20th, 2003

Carsten Bormann <[email protected]>

2

Overview

• WLAN Network Access Control: Technologies
• Requirements for WLAN Roaming
• Solutions and their AAA implications

3

Overview

• WLAN Network Access Control: Technologies
• Requirements for WLAN Roaming
• Solutions and their AAA implications

4

WLAN Security: Requirements

• Confidentiality (Privacy):
  - Nobody can understand foreign traffic
  - Note: Insider attacks as likely as outsiders'
• Accountability:
  - We can find out who did something
  - Prerequisite: Authentication

6

WLAN Security: Approaches

• AP-based Security: AP is network boundary
  - WEP (broken), WEP fixes, WPA, …
  - 802.1X (EAP variants + RADIUS) + 802.11i
• Network-based Security: deep security
  - VPNs needed by mobile people anyway
  - SSH, PPTP, IPsec
  - Allow development of security standards
  - Some VPN technologies are IPv6 enabled
  - AP-based security not needed anymore!

7

AP-based security: 802.1X

Access point (or wired Ethernet switch) acts as access control device

[Diagram: Institution A with RADIUS server and UserDB, reached over the Internet; Authenticator (AP or switch); Supplicant: Guest piet@institution_a.nl; VLANs: StudentVLAN, GuestVLAN, EmployeeVLAN; data and signalling paths shown separately]

8

Network-based Security

[Diagram: Intranet X and Campus network behind VPN Gateways; Docking network offering only DHCP, DNS and free Web; connection to the world]

9

Network-based: Docking Network + VPN

• all Access Points in one docking network
  - use common SSID ("Uni-Bremen")
• little infrastructure in docking network
  - DHCP, DNS, "free services" (internal Web)
• one VPN Gateway each for each target network
  - Campus Network, workgroups, possibly w/ Firewalls → decentralize
  - SSH, PPTP, IPsec → clients for all platforms
  - Gateway: cheap hardware (PC w/ Linux)
• used in many German and Swiss universities

„VPN“

10

Network-based: Hotspot-style

• Use Web server in docking network to authenticate
• Once authenticated, open a hole in the access control device
  - Limited to weak security, e.g. IP and MAC addresses
  - No encryption on the air
• Used in Finland

[Diagram: WWW-browser in the Docking Network, Access Control Device, AAA Server, Internet; numbered exchange steps 1. to 5.]

„Web“

11

WLAN Access Control: Why VPN based?

• Historically, more reason to trust L3 security than L2
  - IPSec has lots of security analysis behind it
• Available for just about everything (Windows 98, PDA etc.)
• Easy to accommodate multiple security contexts
  - Even with pre-2003 infrastructure
• Data is secure in the air and up to VPN gateway
• Security decisions and enforcement in one place — at target
• Most of all: It just works™

12

WLAN Access Control: Why 802.1X is better

• 802.1X is taking over the world anyway
• The EAP/XYZ people are finally getting it right
  - Only 5 more revisions before XYZ wins wide vendor support
• Available for more and more systems (Windows 2000 up)
• Distribute hard crypto work to zillions of access points
• Block them as early as possible
  - More control to visited site admin, too!
• Easy to accommodate multiple security contexts
  - with Cisco 1200 and other products (to be shipped)
• Most of all: It just works™

13

WLAN Access Control: Why Web-based filtering is better

• No special client software (everybody has a browser)
• Ties right into existing user/password schemes
• Can be made to work easily for guest users
  - It's what the hotspots use, so guest users will know it already
  - May be able to tie in with Greenspot etc.
• Privacy isn't that important anyway (use TLS and SSH)
• Accountability isn't that important anyway
• Most of all: It just works™

14

Overview

• WLAN Network Access Control: Technologies
• Requirements for WLAN Roaming
• Solutions and their AAA implications

15

Users want to roam between institutions

• TERENA TF Mobility: Roam within Europe's NRENs*)
  - 802.1X with RADIUS (AP-based)
  - Access to VPN gateways (network-based)
  - Web-based authentication (network-based)
• http://www.terena.nl/mobility

*) National Research and Education Networks

16

Inter-NREN WLAN Roaming

Big assumptions:
• Every NREN user is equal when it comes to roaming network access (no user profiles for guests)
• AUPs are "close enough"
• Authentication, not Authorization problem

17

Roaming: High-level requirements

Objective:
Enable NREN users to use Internet (WLAN and wired) everywhere*) in Europe
• with minimal administrative overhead (per roaming)
• with good usability
• maintaining required security for all partners

*) at participating NREN members

18

Minimize admin overhead

• Very little admin work to enable roaming per user
  - (preferably none)
  - both for home network and even more so for visited network
• No admin work required per roaming occurrence
• Minimize the complexity of additional systems required
  - (consider architecture at the involved institutions)
  - must integrate with existing AAA systems, e.g., RADIUS
  - no n² work required when scaling system
• No regulatory entanglement

19

Good usability

• Available to most current WLAN (and wired) users
  - standards-based; low-cost
• No additional software required to enable roaming
  - (software may be required for local use beforehand)
  - consider both Laptop and PDA usage
• Enable all work
  - IPv4 and IPv6
  - Access to home institution networks
  - Enable use of home addresses while roaming
• Enable local work in visited network
  - SLP, authorization issues/user classes?

20

Security requirements

• Allow use only for approved [by who] NREN users
  - Legal binding to some common terms of use
• Provide accountability
• Nice to have: Provide reasonable basic ("like in wired access") security for individual user [cannot fulfill in all environments]
  - Confidentiality of traffic
    - (not necessarily with respect to current position!)
  - Integrity/guard against data manipulation and session hijacking
  - Allow real security (e2e) on top (e.g., highlight the limitations of NATs)
• Don't aggravate security issues of visited networks

21

Security non-requirements

• No need to "protect" WLAN
  - ISM spectrum can't be protected anyway
• Hard to reliably conceal positioning information

22

Overview

• WLAN Network Access Control: Technologies
• Requirements for WLAN Roaming
• Solutions and their AAA implications

23

WLAN-Roaming: VPN-based solution(s)

• Just interconnect the docking networks
  - users can connect to home gateway from any site
  → Extended Docking Network
• AAA decision and resulting access remains at home

24

VPN roaming: Extended Docking Network

[Diagram: two sites, each with Intranet X, Campus Network, VPN-Gateways and a Docking network offering DHCP, DNS and free Web; the docking networks are interconnected over G-WiN]

Interconnect docking networks. Clients leave through home network/gateway.

25

Wbone interconnecting docking networks

[Diagram: Wbone over RBriteline linking the docking networks of Uni Bremen (172.21/16), HS Bremen (172.25/16), HfK, HS Brhv. (10.28.64/18) and AWI; gateways per site: IPSec (Cisco), IPSec/PPTP/SSH (Linux), PPTP (Linux); "extend to other sites ..."]

26

AAA Implications of the Extended Docking Network

• All AAA issues stay local
  - VPN Gateways decide locally whom they admit
• Guest user uses home IP address
  - Home is contact point of any incident enquiries
  - Can use IP address for (weak) authentication
• Remaining problem: building the Extended Docking Network
  - People problem: Network Management != WLAN staff…

27

Extended Docking Network: Moving to Europe

• Scale private address architecture to European level?
  - Do all this in public, routable address space instead!
• Separate docking networks from controlled address space for gateways (CASG*)
  - Docking networks allow packets out to and in from CASG
  - Need to add access control device (such as router with ACL)
  - Nicely solve the transit problem in the process

*) née "relay network" (Ueli Kienholz)

28

[Diagram: three sites, each with Intranet X, Campus Network/G-WiN, VPN-Gateways, a Docking network (DHCP, DNS, free Web) and an Access controller; the docking networks reach the CASG, which sits in front of "the big bad Internet"]

Originators of National Roaming solutions across Europe

• 802.1X @ SURFnet
• VPN + Certificates @ FCCN
• VPN @ University of Bremen & SWITCH
• PPPoE/Linux @ University of Bristol & The University of Swansea
• Web-based redirection @ FUNET

With apologies for the map

32

Cross-domain 802.1X with VLAN assignment

Authentication at home institution, 802.1X, TTLS (SecureW2), (proxy) RADIUS. One-time passwords are also transmitted via SMS to guest users.

A RADIUS hierarchy is under construction to scale this to a Europe-wide solution.

[Diagram: Institution A and Institution B, each with RADIUS server and UserDB; Central RADIUS Proxy server on the Internet; Authenticator (AP or switch); Supplicant: Guest piet@institution_b.nl visiting Institution A; VLANs: StudentVLAN, GuestVLAN, EmployeeVLAN; data and signalling paths shown separately]

33

RADIUS based Web authentication solution

[Diagram: WWW-browser in the Docking Network, Access Control Device, AAA Server, Internet; numbered exchange steps 1. to 5.]

RADIUS based Web interface authentication at the University of Tampere

The Finnish are scaling their solution by using a hierarchy of RADIUS proxy servers for their national infrastructure

34

TF-Mobility Recommendations

• Define interoperability scenarios for each national solution and identify work needed to integrate these solutions and three development streams together.
• A phased development / testing approach
  - Resolve scaling and interoperability issues for 802.1x, VPN, web-based redirect
  - Consolidate findings into a trial report
  - Build and scale a RADIUS proxy hierarchy for non-VPN AAA
  - Conduct feasibility tests on creating a scalable VPN solution
  - Subject to feasibility, build the proposed CASG solution
  - Extend to VPN in parallel
  - Work on software changes to Roamnode (PPPoE/Linux) to facilitate roaming

The testing of inter-NREN roaming solutions has already started!

RADIUS proxy hierarchy established (geographic view)

RADIUS Proxy servers connecting to a European level RADIUS proxy server

[Map: SURFnet, FCCN, FUNET, University of Southampton, DFN, CARnet]

• Participation guidelines are being drafted
• Aim is to increase membership. Norway, Slovenia, Czech Republic & Greece have indicated their willingness to join.

With apologies for the map, again

36

RADIUS proxy hierarchy established (network topology view)

[Diagram: Top-level RADIUS Proxy Server etlr1.radius.terena.nl (192.87.36.6), currently hosted at SURFnet, with Backup Top-level RADIUS Proxy Server etlr2.radius.terena.nl (195.169.131.2); National RADIUS Proxy Servers currently linked to SURFnet (Netherlands), FCCN (Portugal), FUNET (Finland) and CARNET (Croatia), plus University of Southampton and FOKUS (Berlin); each national proxy fronts several Organizational RADIUS Servers]

37

AAA Implications of RADIUS Hierarchy

• Need standard form of NAI (Network Access Identifier)
  - [email protected] (RFC2486 style)

Where Username/Password is used:
• Inter-RADIUS server security issue
  - Solvable by IPSec
• Inter-RADIUS server/Web server trust issue
  - Do I trust the Web authentication service of a random Hotspot?
  - What kind of TLS certificate do these use?
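The realm-based forwarding this slide relies on, together with the cross-domain 802.1X/VLAN picture of slide 32, as an added Python model (not code from the presentation or from any TERENA project): it parses RFC 2486-style NAIs, forwards a request up and down a constructed organisational/national/top-level proxy tree by realm suffix, bounds the proxy chain so an orphan realm cannot loop forever, and lets the visited site put every accepted roamer into GuestVLAN regardless of the role known at home. Server names, realms, users, passwords and the hop limit are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field
NAI_RE = re.compile(r"^([^@\s]+)@([\w-]+(?:\.[\w-]+)*)$")  # RFC 2486 user@realm form
MAX_HOPS = 8  # hop limit standing in for real proxy-loop protection (assumption)

def parse_nai(identity):
    """Split identity into (user, realm); None when it is not of the form user@realm."""
    m = NAI_RE.match(identity)
    return (m.group(1), m.group(2).lower()) if m else None

@dataclass
class RadiusServer:
    name: str
    realms: set = field(default_factory=set)      # realm suffixes this node answers for
    users: dict = field(default_factory=dict)     # org servers only: user -> (password, VLAN)
    children: list = field(default_factory=list)  # downstream proxies or org servers
    parent: "RadiusServer" = field(default=None, repr=False)
    def __post_init__(self):
        for child in self.children:               # wire the upward pointers
            child.parent = self
    def serves(self, realm):
        return any(realm == r or realm.endswith("." + r) for r in self.realms)
    def authenticate(self, identity, password, hops=0):
        """Return (decision, path); path lists every server the request passed through."""
        nai = parse_nai(identity)
        if nai is None or hops >= MAX_HOPS:           # malformed NAI or proxy loop
            return "Reject", [self.name]
        user, realm = nai
        if realm in self.realms and self.users:       # home organisation: check UserDB
            ok = user in self.users and self.users[user][0] == password
            return ("Accept" if ok else "Reject"), [self.name]
        nxt = next((c for c in self.children if c.serves(realm)), self.parent)
        if nxt is None:                               # top level and nobody owns the realm
            return "Reject", [self.name]
        decision, path = nxt.authenticate(identity, password, hops + 1)
        return decision, [self.name] + path

def assign_vlan(visited, identity, password):
    """Visited-site policy: local users get their own VLAN, any roamer gets GuestVLAN."""
    if visited.authenticate(identity, password)[0] != "Accept":
        return None
    user, realm = parse_nai(identity)
    return visited.users[user][1] if realm in visited.realms else "GuestVLAN"

# Constructed hierarchy: three organisational servers under two national proxies.
INST_A = RadiusServer("institution_a.nl", {"institution_a.nl"}, {"piet": ("pw-a", "StudentVLAN")})
INST_B = RadiusServer("institution_b.nl", {"institution_b.nl"}, {"piet": ("pw-b", "EmployeeVLAN")})
INST_C = RadiusServer("institution_c.fi", {"institution_c.fi"}, {"liisa": ("pw-c", "StudentVLAN")})
TOP = RadiusServer("top-level-proxy", children=[RadiusServer("nl-proxy", {"nl"}, children=[INST_A, INST_B]),
                                                RadiusServer("fi-proxy", {"fi"}, children=[INST_C])])
```

Calling `INST_A.authenticate("liisa@institution_c.fi", "pw-c")` returns the path through nl-proxy, the top-level proxy and fi-proxy, while a realm nobody owns is rejected at the top level instead of circulating.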


38

Interoperability?

• Both Web and .1X can use RADIUS hierarchy
  - VPN gateways can actually use it, too
• VPN sites probably want to add Web-based filtering
  - Helps Web and .1X users, if connected to RADIUS hierarchy
• Web-based sites easily can add CASG access
  - By using RADIUS hierarchy, .1X users are fine
• .1X sites with Cisco 1200 can add "docking VLAN"
  - CASG access and Web-based filtering to accommodate visitors

YES, but lots of political problems

40

Q & A

• http://www.terena.nl/mobility/