Authentication and Authorisation in eduroam Klaas Wierenga, AA Workshop TNC Lyngby, 20th May 2007
Page 1: Title slide

Authentication and Authorisation in eduroam

Klaas Wierenga, AA Workshop TNC

Lyngby, 20th May 2007

Page 2: Contents

- Intro eduroam
- AA requirements
- AA implementation
- Authorisation
- Summary

Page 3: eduroam

Page 4: The goal of eduroam

“open your laptop and be online”

or

• To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world enabling seamless sharing of network resources

Page 5: eduroam

[Diagram: a guest user (piet@university_b.nl) at University A's access point; University A and University B each with their own user DB; SURFnet in between as the trusted 3rd party]

• eduroam enables (federated) network access
• A trusted 3rd party exists that guarantees that both peers are ‘trustworthy’, allowing for scalability

Page 6: AA requirements

Page 7: AA Requirements

- “Reasonable security”
  - Not trying to solve every problem of the universe
  - Uniquely identifying users at the edge of the network
  - Local choice of authentication method
- Data integrity
  - Good identity management
  - No tampering with data
- Compliance with privacy regulations
  - No data “leakage”
- Verifiability
  - Monitoring
  - Logging

Source: JRA5 and TF-Mobility roaming requirements

Page 8: AA implementation

Page 9: Secure network access with 802.1X

[Diagram: the supplicant (user jan@university_a.nl) connects to the authenticator (AP or switch); the authenticator talks to University A's RADIUS server, which checks the user DB; the user is placed on the Student, Guest or Employee VLAN and reaches the Internet; data and signalling paths are drawn separately]

• 802.1X
• (VLAN assignment)

Page 10: eduroam

[Diagram: guest piet@university_b.nl connects at University A; University A's RADIUS server forwards the request via SURFnet's central RADIUS proxy server to University B's RADIUS server, which checks its own user DB; the guest is placed on the Student, Guest or Employee VLAN at University A; data and signalling paths are drawn separately]

• Trust based on RADIUS plus policy documents
• 802.1X
• (VLAN assignment)

Page 11: Tunneled authentication (PEAP/TTLS)

- Uses a TLS/SSL tunnel to protect data
- The TLS tunnel is set up using the server certificate, thus authenticating the server and preventing man-in-the-middle attacks
- The user sends his credentials through the secure tunnel to the server, thus authenticating the user
- Can use dynamic session keys for ‘in the air’ encryption

© Alfa&Ariss

[Diagram: 802.1X client, EAP, RADIUS server; server authentication sets up the TLS tunnel, and user authentication runs inside it, protected by the tunnel]

Page 12: eduroam architecture

- Security based on 802.1X (WEP/WPA/WPA2)
  - Identity-based networking
  - Using the Extensible Authentication Protocol (EAP) to allow for multiple authentication mechanisms
  - Mutual authentication (PEAP, TTLS, TLS)
  - Protection of credentials (tunneled authentication)
  - Layer 2
- Roaming based on RADIUS proxying
  - Remote Authentication Dial In User Service
  - Transport protocol for authentication information
  - Using shared secrets between peers
- Trust fabric based on:
  - RADIUS hierarchy
  - Policy
- Authentication ≈ Authorisation
  - RADIUS-attribute filtering
  - VLAN assignment
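The realm-based RADIUS proxying and attribute filtering of pages 11 and 12, as an added illustration in Python that is not eduroam's or any NREN's own software. It models the tunneled-authentication point by letting only the home server open the EAP payload, routes on the outer realm through an institution / national proxy / EU root hierarchy, and filters the home site's VLAN attributes out of proxied replies so the visited site assigns its own guest VLAN. Every hostname, realm, user, password and VLAN number below is constructed.

```python
from dataclasses import dataclass, field
VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")

@dataclass
class Server:
    name: str
    routes: dict                        # realm suffix -> next hop; "" means "we are the home server"
    parent: str = None                  # unknown realms are sent up the hierarchy; None at the root
    users: dict = field(default_factory=dict)   # inner identity -> (password, home VLAN)
    guest_vlan: str = "300"             # VLAN this site gives to roaming guests

# Constructed topology: institutions -> national proxy -> EU root (all hostnames are made up).
SERVERS = {s.name: s for s in [
    Server("radius.university_a.nl", {"university_a.nl": ""}, "proxy.surfnet.nl", {"jan": ("geheim", "100")}),
    Server("radius.university_b.nl", {"university_b.nl": ""}, "proxy.surfnet.nl", {"piet": ("wachtwoord", "200")}),
    Server("proxy.surfnet.nl", {"university_a.nl": "radius.university_a.nl",
                                "university_b.nl": "radius.university_b.nl"}, "root.eduroam.eu"),
    Server("radius.uni-example.dk", {"uni-example.dk": ""}, "proxy.nren-example.dk", {"ole": ("hemmelig", "400")}),
    Server("proxy.nren-example.dk", {"uni-example.dk": "radius.uni-example.dk"}, "root.eduroam.eu"),
    Server("root.eduroam.eu", {"nl": "proxy.surfnet.nl", "dk": "proxy.nren-example.dk"}),
]}

def vlan_attrs(vlan):
    return dict(zip(VLAN_ATTRS, ("VLAN", "IEEE-802", vlan)))
def next_hop(server, realm):
    """Longest-suffix match of the realm against the routing table; otherwise the parent."""
    hits = [s for s in server.routes if realm == s or realm.endswith("." + s)]
    return server.routes[max(hits, key=len)] if hits else server.parent
def proxy(server_name, request, path=()):
    """Forward an Access-Request by its outer realm; only the home server opens the EAP payload."""
    if server_name in path:                                # proxy-loop protection
        return "Access-Reject", {"Reply-Message": "proxy loop"}, list(path)
    server, path = SERVERS[server_name], path + (server_name,)
    hop = next_hop(server, request["User-Name"].partition("@")[2])
    if hop is None:                                        # no realm, or one nobody routes
        return "Access-Reject", {"Reply-Message": "unknown realm"}, list(path)
    if hop:                                                # not ours: pass it on unopened
        return proxy(hop, request, path)
    user, password = request["EAP-Message"]                # home server: inside the TLS tunnel
    cred = server.users.get(user)
    if cred is None or cred[0] != password:
        return "Access-Reject", {}, list(path)
    return "Access-Accept", vlan_attrs(cred[1]), list(path)

def visited_site(site, outer_identity, user, password):
    """Reply the visited institution's RADIUS server gives its authenticator (AP or switch)."""
    code, attrs, path = proxy(site, {"User-Name": outer_identity, "EAP-Message": (user, password)})
    if code == "Access-Accept" and len(path) > 1:          # answer came back through the proxy chain
        attrs = {k: v for k, v in attrs.items() if k not in VLAN_ATTRS}  # drop the home VLAN
        attrs.update(vlan_attrs(SERVERS[site].guest_vlan))               # apply the local guest VLAN
    return code, attrs, path
```

The outer identity carries only the realm the proxies need for routing; the (user, password) tuple stands in for the EAP payload that, with PEAP/TTLS, the intermediate servers cannot read.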

Page 13: RadSec/DNSROAM

- RADIUS packet format
- Transport: TCP (or SCTP)
- Encryption: TLS (optional)
  - TLS => PKI
- DNSROAM combines RadSec with DNS for dynamically locating the peer
- RadSec RFC is being worked on

Page 14: Fully hierarchical

[Diagram: EU hierarchy root at EU level, connected by RadSec to country-level servers, which in turn connect to institutions by RadSec or RADIUS]

• First mixed mode
• Later DNSROAM?

Page 15: ‘Real’ Authorisation?

Page 16: DAMe

- Deploying Authorization Mechanisms for Federated Services in eduroam
- DAMe is a project that builds upon:
  - eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard,
  - Shibboleth and eduGAIN
  - NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) standards.

Page 17: 1st: Extension of eduroam with authR

[Diagram: the eduroam picture from page 10 (guest piet@university_b.nl at University A, the RADIUS servers of University A and University B, SURFnet's central RADIUS proxy server, authenticator, supplicant, user DBs) extended with an XACML Policy Decision Point and a SAML Source Attribute Authority; data and signalling paths are drawn separately]

• User mobility controlled by assertions and policies expressed in SAML and XACML

Page 18: 2nd: eduGAIN AuthN+AuthR backend

- Link between the AAA servers (now acting as Service Providers) and eduGAIN

Page 19: 3rd: Universal Single Sign On

- Users will be authenticated once, during the network access control phase
- The eduGAIN authentication would be bootstrapped from the NAS-SAML
- New method for delivering authentication credentials and new security middleware
- 4th goal: integrating applications, focusing on grids.

Page 20: Summary

Page 21: Summary

- eduroam provides reasonable security
- AuthZ is reasonable and is slowly being improved
- AuthR is relatively weak but being worked upon (that is, we hope that the eduGAIN guys and girls will give it to us)
- Currently the main inhibitor is politics

Page 22: Thank you!

More info: [email protected]