Workshop roaming services: eduroam / govroam
Belnet – Nicolas Loriau
Brussels – November 2015
Agenda
Belnet - Workshop govroam 21/04/23
• General
• Technical framework
• Demo
Roundtable
• Name and organization?
• Experiences with Belnet?
• Expectations for today’s workshop?
Overview of Belnet Services
Standard Services | « Plus » Services (on demand, associated cost)
• Belnet Connectivity
• Internet Connectivity
• IPv4 and IPv6
• DNS Services
• NTP
• Monitoring
• Service desk 24/7
• Workshops
• Back-up Internet connectivity
• RRN Connectivity
• eduroam
• Belnet R&E Federation
• Multipoint
• Belnet Leased Lines
• Multimedia Transport Service
• govroam
• Domain Name Registration
• Digital Certificates
• Antispam Pro
• Belnet Cloud Storage
• Belnet Cloud computing
(Network Services)
What is it?
govroam
• GOVernment ROAMing
• Simple and secure access to Wi-Fi network
• Belnet initiative based on eduroam technologies
• For governmental institutions, administrations, …
• http://www.govroam.be
eduroam
• EDUcation ROAMing
• Simple and secure access to Wi-Fi network
• Terena project to provide students access to internet
• For research and education institutions
• http://www.eduroam.be
Why?
• Increased mobility: users can make use of the Wi-Fi infrastructure at other members
• Easy: users only need their home organization account to log in
• Secure: centralized accounts, no local copies
• Cost effective: reduce 3G/4G cost when moving between offices
Technical framework
Technical infrastructure
Technical Framework
– Principles
– Components
– Authentication flow
Demo
– Objectives
– Test with Windows Server 2012 and NPS
Principles
To install roaming services, you need:
– Wi-Fi access points and controllers and/or 802.1X switches
– RADIUS server
– User database / LDAP / AD
Based on a hierarchy of RADIUS servers
– Your only point of contact is Belnet
Principles
It is:
– A trust-based relationship between members
– An agreement on roaming technologies
Chain of trust:
– All direct peers must be known beforehand
– Shared secrets must be exchanged “out-of-band”
– Agreement on authentication protocols & methods
Principles: Hierarchy of authentication servers
[Diagram: institution-level authentication servers (AS Institution-A.be, AS Institution-B.be, “Institution”) connected to the Belgian Top-Level AS (“Federation”)]
Principles: Hierarchy of authentication servers (eduroam)
Components
Client / Supplicant
– Software on the end user's device which handles network authentication
– Minimum requirements: WPA, EAP-TTLS, PEAP enabled
Components
Network Access Server / Authenticator / Service Provider
– IEEE 802.1X enabled switch or wireless access point which provides Clients access to the (W)LAN
– Separate VLAN for home and visiting end users
Components
Authentication Server / Identity Provider
– Remote Authentication Dial In User Service compliant (RFC 2865/2866)
– NOT a user database
– Authenticates home end users against the local user database
– Forwards requests of visiting end users
– Software:
• Radiator
• FreeRADIUS
• Windows Server with NPS (from 2008 R2)
• Others
Components
User identity source
– LDAP/AD
– Local database / SQL
Protocols and Methods
EAP Framework
– Extensible Authentication Protocol (RFC 5247)
– NOT a wire protocol nor an authentication mechanism
– Defines authentication data formats
– Negotiates which authentication method/type should be used
Protocols & Methods
EAP Methods/Types: "How does EAP authenticate"
– Uses the EAP framework to remotely authenticate the end user's credentials to his home institute's Identity Provider
– 40+ different methods exist > use common secure ones!
• Outer Authentication: EAP-TTLS (RFC 5281), PEAP
• Inner Authentication: MSCHAPv2 (RFC 2759)
Protocols & Methods
EAP Encapsulation: "How EAP can be transported"
– In order to transport EAP messages, they must be encapsulated
– Between client and SP (802.1X): EAP over LAN = “EAPOL”
– Between SP & IdP, IdP & IdP: RADIUS
Security
Outer authentication
– Goal: securely transport the EAP messages between peers
– Authenticate the server (to avoid MitM attacks)
– PEAP, EAP-TTLS
Inner authentication
– Transmit unique user attributes (credentials)
– via MSCHAPv2
Security: EAP, 802.1X and RADIUS must be secured
[Diagram: Client ↔ Service Provider (Institution-A.be): 802.1X “EAPOL” carrying EAP; Service Provider ↔ Identity Provider (Institution-A.be): RADIUS carrying EAP]
Security: EAP, 802.1X and RADIUS must be secured – choice of security mechanisms is important
[Diagram: the same path annotated with the mechanisms: WPA2-AES on the wireless link, EAP-TTLS or PEAP for the EAP outer authentication]
Authentication Flow – National Level
[Diagram repeated on each step: Client → Service Provider (Institution-A.be) → Identity Provider (Institution-A.be) → Belgian Top-Level Radius → Identity Provider (Institution-B.be); the step numbers are marked on the diagram]
1. The User contacts the Service Provider (SP) (Wireless Access Point) of institution A (SSID = govroam)
2. The SP of institution A asks the user's identity. Not yet the credentials!
3. The user identity is transmitted to the Identity Provider (IdP) (RADIUS server) of institution A using an Access-Request message (EAP over RADIUS)
4. Based on the identity, the IdP of institution A knows that the user doesn't belong to its own user database and transmits the Access-Request to the Belgian RADIUS server
5. Based on the realm part of the identity, the Belgian RADIUS server transmits the Access-Request to the RADIUS server of institution B
6a. Now the IdP of institution B knows the User and a TLS tunnel is established between the User and the RADIUS server using the EAP encapsulation mechanism (outer authentication)
6b. During TLS establishment the User checks the RADIUS server certificate of his institution
7. Now the User is authenticated against his own institute's IdP, using traditional mechanisms (challenges, certificates, token...) (inner authentication)
8. If the User is correctly authenticated, the RADIUS server of institution B sends an Access-Accept to the Belgian RADIUS server, otherwise it sends an Access-Reject
9. The Belgian RADIUS server sends the Access-Accept to institution A
10. The IdP of institution A tells its SP to grant access to the User and provides all information related to the local access policy (VLAN, IP address, ...)
11. The User can now access the LAN and the Internet
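As an added example (not from the workshop), the Python below models the realm-based routing of steps 3 to 5 and 8 to 9: institution A's IdP forwards any realm it does not serve to the Belgian top-level, which forwards on the realm to institution B, and the Accept or Reject travels back along the same path. Server names, realms, accounts and passwords are constructed; inner authentication is reduced to a password lookup standing in for the EAP tunnel of steps 6 and 7.

```python
# Model of realm-based routing in the eduroam/govroam RADIUS hierarchy (constructed example).
ACCEPT, REJECT = "Access-Accept", "Access-Reject"
MAX_HOPS = 4  # loop protection: a misconfigured realm must not ping-pong between servers


class RadiusNode:
    """One authentication server: an institution IdP or the federation top-level."""

    def __init__(self, name, local_realms=(), users=None, upstream=None):
        self.name = name
        self.local_realms = set(local_realms)  # realms this server authenticates itself
        self.users = users or {}               # identity -> password (constructed, demo only)
        self.peers = {}                        # realm -> downstream institution server
        self.upstream = upstream               # federation server for realms not served here

    def handle(self, identity, password, trail, hops=0):
        trail.append(self.name)                # records the path the request took
        if hops > MAX_HOPS:
            return REJECT
        if "@" not in identity:                # no realm: the request cannot be routed (steps 4/5)
            return REJECT
        realm = identity.rsplit("@", 1)[1].lower()
        if realm in self.local_realms:         # step 7: authenticate against the local database
            return ACCEPT if self.users.get(identity) == password else REJECT
        if realm in self.peers:                # step 5: top-level forwards on the realm
            return self.peers[realm].handle(identity, password, trail, hops + 1)
        if self.upstream:                      # step 4: institution forwards to the Belgian top-level
            return self.upstream.handle(identity, password, trail, hops + 1)
        return REJECT                          # unknown realm at the top-level: nowhere to send it


def build_federation():
    """Constructed federation: two institutions under the Belgian top-level server."""
    top = RadiusNode("Belgian Top-Level")
    inst_a = RadiusNode("IdP Institution-A.be", ["institution-a.be"],
                        {"alice@institution-a.be": "pwA"}, upstream=top)
    inst_b = RadiusNode("IdP Institution-B.be", ["institution-b.be"],
                        {"bob@institution-b.be": "pwB"}, upstream=top)
    top.peers = {"institution-a.be": inst_a, "institution-b.be": inst_b}
    return {"top": top, "inst_a": inst_a, "inst_b": inst_b}


def authenticate_at_a(identity, password):
    """A user on institution A's SSID: the request enters IdP A (step 3). Returns (result, path)."""
    trail = []
    return build_federation()["inst_a"].handle(identity, password, trail), trail
```

The returned path shows which servers saw the request, which is the view a federation operator needs when a roaming login fails at one hop.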
How to implement
Prerequisites (out of scope)
Wi-Fi access point that must:
– be IEEE 802.1X compliant
– broadcast the SSID "eduroam" or “govroam” (govroamtest for this session)
– offer IEEE 802.11b or better
– implement WPA/TKIP or better (Belnet strongly recommends WPA2-AES!)
– allow traffic on defined ports (please refer to govroam)
User database:
– LDAP
– Active Directory
Prerequisites (out of scope)
Server certificates
– Don't use a self-signed server certificate
– Successfully import server & chain certificate into Windows
– Use dcs.belnet.be to get a signed server certificate
Correct server time
– Important for the setup of TLS tunnels
– Use Belnet's NTP server time.belnet.be to get the correct time
Firewalls & Ports
– UDP 1812
– UDP 1813
Radiator Installation
Why “Radiator”?
– Belnet uses this product
– Easy & straightforward to deploy on Linux, Windows, ...
– Broad support for Identity & Access Management backends
– One of the first solutions which supported RadSec
FreeRADIUS Installation
Why “FreeRADIUS”?
– Free
– Easy to deploy on Linux, Windows, ...
– Broad support for Identity & Access Management backends
– Now supports RadSec
W2012 R2 with NPS
Why “NPS”?
– Best option in a Windows environment
– Easy to deploy on Windows, ...
– Easy link to AD
W2012 R2 with NPS
Server set-up:
– Windows Server 2012 R2 with NPS
– Valid server certificate
Hierarchy
[Diagram: AS belnet.be and AS ta.belnet.be (“Institution”) under the Belgian Top-Level AS (“Federation”)]
Demo environment: Components overview
[Diagram: WAP + CTRL → RADIUS (Windows NPS) → Identity server (AD); RADIUS → Belnet Radius]
Radius server installation
[Screenshots; diagram on each slide: WAP + CTRL → RADIUS (Windows NPS) → LDAP/AD, and RADIUS → Belnet Radius]
– Radius server installation
– Configuring RADIUS client (wlan controller)
– Configuring the remote RADIUS
– Configuring proxy RADIUS
– Link with LDAP
– Configuring top level RADIUS
W2012 R2 with NPS – Server set-up (screenshots)
Registration @ Belnet
govroam web-interface
– Facilitates the configuration of your govroam parameters
• RADIUS servers
• Shared secrets
• Test accounts
Authentication Flow 1local - local
A user from local institution ta.belnet.bewill send access request
to local “govroamtest” WLAN
VLAN access depends on USER login
Ta.belnet.beNPS + AD
Belgian Top-Level Radius
wlan-ctrl
SSID = “govroamtest”
roaming1.belnet.beroaming2.belnet.be
21/04/23 Belnet - Workshop govroam
65
Authentication Flow 2remote - local
A remote user from Belnetwill send access request
to local “govroamtest” WLAN
ta.belnet.beRadius
Belgian Top-Level Radius
wlan-ctrl
SSID = “govroamtest”
radius.belnet.beldap.belnet.be
21/04/23 Belnet - Workshop govroam
roaming1.belnet.beroaming2.belnet.be
66
Authentication Flow 3local - remote
A local user from institution ta.belnet.bewill send access request
to remote Belnet's “govroam” WLAN
Ta.belnet.beRADIUS + LDAP
Belgian Top-Level Radius
wlan-ctrl
SSID = “govroam”
Ldap belnet.be
roaming1.belnet.beroaming2.belnet.be
21/04/23 Belnet - Workshop govroam
Conclusion
Technical Framework
Demo
Belnet is there to help you
Q&A
What do you think?
Are you ready to join?
What would you need more to start?
Final roundtable
Thank you
Use case
To be added