Authorised Global Roaming Offering Accessible Authorization Services to EduRoam David Chadwick, George Beitis, Gareth Owen University of Kent


Page 1

Authorised Global Roaming: Offering Accessible Authorization Services to EduRoam

David Chadwick, George Beitis, Gareth Owen, University of Kent

Page 2

Introduction

• Aim of project was to provide a solution for adding authorization to EduRoam

• Solution must build on top of the existing authentication service provided by the EduRoam federation in a non-destructive and backwards-compatible way

• Solution must be built on standards and open source code

• Solution should work for both remote and local users, be flexible and fine grained

Page 3

EduRoam

• World Wide Academic Roaming Network

• Result of the TERENA Mobility Task Force

• Defines a roaming architecture between National Research and Education Networks

• Uses AAA (RADIUS) servers and the 802.1X standard

• Provides Authentication Services

• Members sign a Service Level Agreement

Page 4

Example

• Assume that the University of Kent and the University of Athens are both members of Eduroam

• Bob from the University of Kent visits the University of Athens to attend a convention

• He can log in to the wireless service using his Kent credentials and can use the wireless service there to access the internet

Page 5

Eduroam – How Does It Work?

• Bob enters his username and password

– Username: [email protected]

• Credentials are passed to the local RADIUS server

• RADIUS server proxies credentials to the Kent University RADIUS server using EduRoam federation proxy servers

– Sees the realm of the user: kent.ac.uk

• Kent University returns reply (either Access-Accept or Access-Reject) after authenticating the user

Page 6

Eduroam Local Authentication

[Diagram: the Network Access Server (with RADIUS client) sends an Access Request carrying [email protected] and password to the Local RADIUS Server; the RADIUS server compares the PW attribute held in the Local LDAP repository (True/False) and returns an Access Decision.]

Actions performed:

• Receive request and credentials (un+pw)

• Authenticate user by comparing PW stored in LDAP

• If authentication succeeds authorize user, else reject user; return Access-Accept or Access-Reject decision

Page 7

Eduroam Remote Authentication

[Diagram: Supplicant → NAS → Local RADIUS Server → National RADIUS Proxy server → Remote RADIUS Server. The Access Request + user attributes (U.A.) is forwarded hop by hop; the Remote RADIUS Server compares the PW attribute in the Remote LDAP Repository (True/False) and the Access Decision travels back along the same path.]

U.A. = User Attributes => Username@realm + password, e.g. username: [email protected], password pass123

Page 8

RADIUS (RFC 2865)

• Remote Authentication Dial In User Service

– Protocol for carrying Authentication, Authorization and Configuration information between a Network Access Server (NAS) and an Authentication Server

• Designed for centralized authentication and authorization

• RADIUS protocol does not distinguish between Authorization and Authentication

– One request is made for combined authentication/authorisation

– Authentication is equal to authorization; the RADIUS server is expected to make the decision “can this user access the network”

– One combined Authn/Authz reply, which is Access-Accept or Access-Reject

Page 9

What EduRoam is Missing

• Only offers Authentication

• Does not provide method for universal authorization

• Knowing that Bob is really Bob is not enough

• Which services should Bob be allowed to access whilst he is in Athens?

• We need Authorization

Page 10

Why Authorization?

• Authentication simply tells us that you are who you claim to be, nothing else

• Most Academic Institutions offer different levels of service to different classes of user

– E.g. Academics have more available resources than students, who have more than guests

– Most achieve this by adding different users to different Virtual LANs

– The 802.1Q protocol defines Virtual LANs (VLANs). Traffic is tagged between switches and access points, allowing LANs to be created that are not restricted by physical location

– E.g. One VLAN for academic staff, one VLAN for students, one for guests et cetera

• We want to allow universities to be able to use this mechanism for Eduroam services for both local and visiting users by providing authorization services to EduRoam

Page 11

Existing Authorization Solutions

• Some universities add all Eduroam users to the same LAN or VLAN

– No distinction between users

– Authentication is equal to authorization

• Simple Authorization solutions include:

– Separate local and remote users

– Custom made scripts to filter between local users using local databases

• hardcoded logic, not extensible

• CISCO Secure Access Control Server (ACS) or similar proprietary solutions

– Only works for the organisation's own users and not those of other organisations

– Licences cost a lot, training costs a lot, needs CISCO compatible hardware

– Difficult to extend it or customize it to specific needs

• No ability to offer different levels of access and services to all users regardless of their origin

Page 12

The Initial Idea

• Allow the RADIUS Servers to Authenticate users as now

• Then extend the RADIUS servers to perform authorization after a user is successfully authenticated

• Put users onto different Virtual LANs (VLANs) according to their authorisation

• But many issues to resolve first, such as:

– What to use for authorisation? ACLs or PDPs?

• ACLs not scalable. PDPs are, but need user attributes

– How to locate the user’s authz attributes?

– What protocols to use to get the attributes

Page 13

Conceptual Model

• Find the location of the user’s home institution’s Attribute Authority servers or repositories;

• Query them for the user's roles/attributes i.e. authorisation credentials;

• Validate the authorisation credentials using a locally specified policy;

• Determine which VLAN the user is permitted to access using a locally specified policy and the user’s valid attributes/roles;

• Supply an attribute in the response to the RADIUS server indicating the VLAN that the user should be placed on.

Page 14

Implementation

• Use DNS SRV records to locate the user’s attribute authority/repository

• Use Freeradius as the RADIUS server

– Most popular open source RADIUS server

– Supports plug in modules for callouts at workflow points (pre-auth, auth, post-auth)

• Use JRadius as a plug in module

– Written in Java, so can easily add Java authorisation infrastructure

• Use PERMIS as the Authorization Engine

– Is open source Java, flexible and customisable

– Supports both credential validation and access control

– Has a Policy Editor GUI that makes it easy to write XML policies

• Use EduPerson schema for authorisation attributes

• Use Apache WebDAV server in initial pilot to hold user roles as signed attribute certificates

• Use IEEE 802.1Q VLANs and PERMIS policies for fine grained authorisation

Page 15

IEEE 802.1Q (VLAN Tagging)

• Defines a Virtual LAN or VLAN

• Allows multiple bridged networks (VLANs) to transparently share the same physical network link without the information carried by them leaking between the virtual networks.

• Switches on the network are configured to insert a VLAN tag into all data frames arriving from equipment used by a specific user. After the frames are switched through the corporate network, the VLAN tag is stripped off before the frame is delivered to the destination (which must be in the same VLAN). In this way, traffic between different user groups, e.g. lecturers and students, cannot be leaked to or snooped from one to another

Page 16

DNS SRV Records

• SRV Records have the format

_Service._Proto.Name TTL Class SRV Priority Weight Port Target

• Where

Service is the name of the service, e.g. FTP, LDAP

Proto is the protocol, either tcp or udp

Name is the domain name

TTL is the DNS time to live for the record

Class is the DNS class, i.e. IN for Internet

SRV is the RR record type

Priority is the priority of the host, used when there are several SRVs

Weight is a weighting to be used for hosts of equal priority

Port is the port number of the Service on the host

Target is the domain name of the host running the Service

Page 17

PERMIS

• Policy driven, Role Based Access Control (RBAC) Privilege Management Infrastructure (PMI)

• Built on standards, open source code in Java

• PERMIS uses policies written in XML

– Policies allow for centralised control of what we authorize

– Policies come from management, easily written using the PERMIS Policy Editor

– Policy can be stored inside an X.509 Attribute Certificate to stop it being tampered with

• Flexible, supports multiple credential formats (SAML attribute assertions and X.509 ACs) and storage locations, and can be easily extended to additional ones

• User credentials can be stored inside X.509 Attribute Certificates or signed SAML attribute assertions to stop them being tampered with

• Implements ISO 10181-3 Access Control Framework and has an XACML PDP interface

Page 18

PERMIS Authorisation System

Page 19

LDAP

• Lightweight Directory Access Protocol

• LDAP Databases used for storing information (as attributes) about university employees, organizational units etc.

• Used for holding authentication and authorisation attributes

• But one problem: LDAP Servers are rarely accessible from outside an organization, to avoid spamming and protect privacy of people and organization

– We should use a HTTP based protocol with security properties, e.g. SAML or WebDAV

Page 20

SAML

• OASIS Security Assertion Markup Language

• Used to carry authentication, authorisation and attribute assertions about users between web services

• As part of Shibboleth protocol, universities are now starting to release LDAP attributes of users to outside web services, encoded as SAML attribute assertions

• We can use SAML to carry user attribute assertions for EduRoam authorisation

Page 21

WebDAV

• A set of extensions to the HTTP protocol for managing web based resources

• Allows us to define directory structures on which we can read and write files, and define access rights to them

• As it uses port 80 it is not affected by firewalls

• Ideal for storing user attributes as digitally signed Attribute Certificate files

Page 22

EduPERSON

• EduPERSON is an LDAP schema which contains standardised information (attributes) that can describe people who are part of the Academic world

– Defines attributes that can describe a person’s role in the University and other information

– eduPersonAffiliation attribute specifies the affiliation a person has with an institution. Permissible values are: faculty, student, staff, alum, member, affiliate, employee and library-walk-in

Page 23

What is needed

• Each site needs to implement either a WebDav Repository to store their User Attribute Certificates or a SAML AA (with backend LDAP) to return SAML attribute assertions

• DNS SRV records to point to their WebDav/SAML server address and port

• Freeradius + Jradius + PERMIS

Page 24

E.g. Use of SRV Records, WebDAV repository, X.509 ACs and EduPerson schema

[Diagram: DNS tree root → uk → ac → myuni → sysx, where the myuni zone carries the SRV record

_webdavcerts._tcp IN SRV 86400 0 0 80 sysx.myuni.ac.uk

pointing at a WebDAV server running on port 80 at sysx.myuni.ac.uk. The WebDAV server holds the signed eduPersonAffiliation attribute of [email protected] as the file

eduPersonAffiliation=student+SN=123456.ace

under the directory tree dc=uk / dc=ac / dc=myuni / uid=abc12.]

Page 25

E.g. Use of SRV Records, SAML AA with backend LDAP using EduPerson schema

[Diagram: DNS tree root → uk → ac → myuni → sysx, where the myuni zone carries the SRV record

_samlaa._tcp IN SRV 86400 0 0 80 sysx.myuni.ac.uk

pointing at a SAML AA running on port 80 at sysx.myuni.ac.uk. Behind it, the backend LDAP server on sysx holds the eduPersonAffiliation attribute of [email protected] in the entry uid=abc12 under dc=uk / dc=ac / dc=myuni, with eduPersonAffiliation=student.]

Page 26

[Diagram: FREERADIUS (RADIUS server) ↔ JRADIUS SERVER (written in Java) ↔ PERMIS. Information sent from Freeradius to JRadius: Freeradius session attributes, RADIUS packets. Updated information returned: updated Freeradius attributes and RADIUS packets, including the updated Access Decision.]

Page 27

Integrating JRadius and PERMIS

• Build a PERMIS Context Handler which is called by JRadius, then it calls the standard PERMIS Java API

• At initialisation, the Context Handler loads the local PERMIS authorisation policy into the PERMIS CVS/PDP

• Take the username of incoming request ([email protected])

• Extract the user’s realm (someuni.edu) and convert to DNS name

• Query DNS SRV records of the realm to determine where the WebDav or SAML server is that stores the credentials

• Pass the location of repository and user’s DN to PERMIS CVS and it will pull user’s attributes

• Make repeated calls to PERMIS PDP to ask whether the user is authorized to access known VLANs, in order of priority

• When access is granted add the chosen VLAN to Radius packet, otherwise add nothing
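The realm-to-repository lookup of slides 16, 24/25 and 27 worked through in Python, as an added example that is not code from the slides or the project: the realm is taken from the username, the _Service._Proto.Name owner is built for it, and the SRV records of a constructed zone fragment are parsed and ordered by priority and weight. The service labels _webdavcerts and _samlaa are the slides'; the hostnames, TTLs and the backup host are constructed.

```python
import re
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name ttl priority weight port target")

# One zone-file SRV line: owner TTL IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<priority>\d+)\s+"
    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)

# Constructed zone fragment (not from the slides): the myuni.ac.uk realm advertises a
# WebDAV certificate store (with a lower-priority backup host) and a SAML AA.
SAMPLE_ZONE = """
; myuni.ac.uk zone, constructed for this example
_webdavcerts._tcp.myuni.ac.uk. 86400 IN SRV 0  0 80 sysx.myuni.ac.uk.
_webdavcerts._tcp.myuni.ac.uk. 86400 IN SRV 10 0 80 sysy.myuni.ac.uk.
_samlaa._tcp.myuni.ac.uk.      86400 IN SRV 0  0 80 sysx.myuni.ac.uk.
"""

def realm_from_username(username):
    """Realm of a user@realm name, taken after the LAST '@' as RADIUS proxies do
    (so 'a@b@kent.ac.uk' routes on kent.ac.uk); no realm is an error, not a guess."""
    local, sep, realm = username.rpartition("@")
    if not sep or not local or not realm:
        raise ValueError("username has no realm: %r" % username)
    return realm.lower().rstrip(".")

def srv_query_name(service, realm, proto="tcp"):
    """Owner name to query: the _Service._Proto.Name form of slide 16."""
    return "_%s._%s.%s" % (service, proto, realm)

def parse_srv_records(zone_text):
    """Parse SRV lines from zone text; comments and other RR types are skipped."""
    records = []
    for line in zone_text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            records.append(SrvRecord(d["name"].lower().rstrip("."), int(d["ttl"]),
                                     int(d["priority"]), int(d["weight"]),
                                     int(d["port"]), d["target"].rstrip(".")))
    return records

def choose_target(records):
    """Lowest priority number wins; on a tie prefer the highest weight
    (RFC 2782 uses weighted random selection; this keeps the choice deterministic)."""
    return min(records, key=lambda r: (r.priority, -r.weight))

def locate_repository(username, zone_text, service="webdavcerts"):
    """(host, port) of the realm's attribute repository, or None when the realm
    publishes no such SRV record, so the caller can fall back to authentication only."""
    qname = srv_query_name(service, realm_from_username(username))
    matches = [r for r in parse_srv_records(zone_text) if r.name == qname]
    if not matches:
        return None
    best = choose_target(matches)
    return best.target, best.port
```

A realm that publishes no record yields None, which is the "reverts to the current authn-only solution" case of slide 31.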

Page 28

Authz System

[Diagram: the JRADIUS Server hosts Handler A, Handler B and the PERMIS Context Handler. The Context Handler loads its config file (Local WebDav, Local Realm, PERMIS Config Info, DNS SRV Info, VLAN IDs), locates the Local and Remote WebDav Servers using DNS SRV records and/or configuration info, issues a Get Creds request so that the Role ACs are pulled from the local or remote WebDav server, and sends a Decision Request to PERMIS carrying the PERMIS decision information: User Attributes, Action (Access), Target (VLAN). PERMIS returns the Authorization Decision. Freeradius attributes and packets go in; updated Freeradius attributes and packets come out.]

Page 29

[Diagram: the JRADIUS Server returns updated Freeradius attributes and packets to the Freeradius Server; if we are using VLANs, we include VLAN information inside the updated RADIUS packets. The Freeradius Server sends Access Accept + VLAN ID to the Access Point, which places the user on the Student VLAN, Staff VLAN or Guest VLAN.]
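The VLAN decision loop of slide 27 and the Access Accept + VLAN ID of this slide, as an added Python example that is not the project's code: a constructed policy stands in for the PERMIS XML policy and the CVS/PDP calls, and the chosen VLAN is conveyed with the standard RADIUS Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id attributes of RFC 3580 (an assumption; the slides do not name the attributes JRadius adds). Signature checking on the pulled attribute certificates is assumed to have happened already, and the issuer names, VLAN IDs and credentials are constructed.

```python
# RFC 3580 values for the two tunnel attributes are real; everything else is constructed.
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802

POLICY = {
    # which Attribute Authority may assert eduPersonAffiliation for each realm
    "trusted_issuers": {"myuni.ac.uk": {"sysx.myuni.ac.uk"}},
    # known VLANs in priority order: the first one the PDP grants wins
    "vlans": [
        ("10", {"faculty", "staff", "employee"}),                    # staff VLAN
        ("20", {"student"}),                                          # student VLAN
        ("30", {"member", "affiliate", "alum", "library-walk-in"}),  # guest VLAN
    ],
}

def validate_credentials(username, credentials, policy):
    """CVS step: keep only eduPersonAffiliation values asserted about this user by an
    issuer the local policy trusts for the user's realm (AC signatures assumed checked)."""
    realm = username.rpartition("@")[2].lower()
    trusted = policy["trusted_issuers"].get(realm, set())
    valid = set()
    for cred in credentials:
        if (cred["holder"].lower() == username.lower()
                and cred["issuer"] in trusted
                and cred["attribute"] == "eduPersonAffiliation"):
            valid.add(cred["value"])
    return valid

def pdp_decision(valid_attrs, action, target_vlan, policy):
    """PDP step: may a holder of valid_attrs perform `action` on `target_vlan`?"""
    if action != "Access":
        return False
    for vlan_id, allowed in policy["vlans"]:
        if vlan_id == target_vlan:
            return bool(valid_attrs & allowed)
    return False  # VLAN unknown to the policy: deny

def vlan_reply_attributes(vlan_id):
    """RADIUS attributes the NAS reads to place the port on a VLAN (RFC 3580)."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
            "Tunnel-Private-Group-Id": vlan_id}

def authorize(username, credentials, policy=POLICY):
    """Context Handler loop: ask the PDP about each known VLAN in priority order; return
    the attributes to add to the Access-Accept on the first grant, else {} (add nothing)."""
    valid = validate_credentials(username, credentials, policy)
    for vlan_id, _ in policy["vlans"]:
        if pdp_decision(valid, "Access", vlan_id, policy):
            return vlan_reply_attributes(vlan_id)
    return {}

# Constructed credentials as the CVS would see them after pulling the role ACs:
# a genuine student AC and a 'staff' assertion from an issuer the policy does not trust.
SAMPLE_CREDS = [
    {"holder": "alice@myuni.ac.uk", "issuer": "sysx.myuni.ac.uk",
     "attribute": "eduPersonAffiliation", "value": "student"},
    {"holder": "alice@myuni.ac.uk", "issuer": "rogue.example",
     "attribute": "eduPersonAffiliation", "value": "staff"},
]
```

Because the staff VLAN is tried first, a user holding both staff and student affiliations lands on the staff VLAN, and an untrusted issuer cannot promote a student to it.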

Page 30

Testing

• Testing so far included a local user scenario, 5 VLANs including VLANs for guests, staff, students

• Performance results are encouraging.

• Total time for Radius Client to receive authn and authz response was <3 seconds for local user and <4 seconds for remote user

– Using LAN configuration for all components, so this excludes network delays for large distances

Page 31

Conclusion

• Using this solution is non destructive

– It can complement the current network setup and can be used at desired access points only

• It can be slowly migrated in. If a remote site does not implement this solution, it reverts to current authn only solution

• Solution can be as flexible as needed

– Offer minimal authorization services only to local users

– Offer sophisticated authorization services for both local and remote users

– Can use SAML AAs, WebDAV repositories, LDAP servers

• Easily deployable at other institutions

• (Lack of) Global PKI problem

– Root Certification Authority for all Academic institutions does not exist, so checking signatures on all signed attribute assertions from all institutions is an issue

– Terena is hopefully solving this problem through TACAR?

Page 32

Questions?