Deliverable H: the interoperability testbed design Klaas Wierenga SURFnet <[email protected]>

Dec 19, 2015

Page 1: Deliverable H: the interoperability testbed design Klaas Wierenga SURFnet.

Deliverable H: the interoperability testbed design

Klaas Wierenga

SURFnet

<[email protected]>

Page 2

Web-based with RADIUS

Figure (labels only): Internet, Docking Network, Access Control Device, AAA Server, WWW-browser; the numbered steps 1 to 5 of the login flow are drawn in the figure.

RADIUS based Web interface authentication at the University of Tampere

The Finnish are scaling their solution with a hierarchy of RADIUS proxy servers for their national infrastructure.

Page 3

VPN

Figure (labels only): Intranet X, Docking network, Campus Network, G-WiN, VPN-Gateways, DHCP, DNS, free Web (the figure shows two copies of the same intranet/docking network layout).

SWITCHmobile – VPN solution deployed at 7 universities across Switzerland.

Wbone – VPN roaming solution to 4 universities / colleges in state of Bremen.

A "virtual campus" initiative in Lisbon has been testing and developing a VPN & PKI infrastructure.

PPPoE – University of Bristol

Page 4

Cross-domain 802.1X with VLAN assignment

Figure (labels only): Institution A and Institution B, each with a RADIUS server and User DB; Central RADIUS Proxy server; Internet; Authenticator (AP or switch); Supplicant; Guest piet@institution_b.nl; VLANs: StudentVLAN, GuestVLAN, EmployeeVLAN.

Authentication at the home institution, 802.1X, TTLS (SecureW2), (proxy) RADIUS. One-time passwords are also sent to guest users via SMS.

A RADIUS hierarchy is proposed to scale this to a Europe-wide solution.

Page 5

Current status

• Characteristics identified as

– 802.1X – “The future”, easy to scale, secure but cutting edge, thus expensive.

– VPN – Widely available, expensive, secure & hard to scale.

– Web based – cheap, widely available, easy to scale, but not secure.

• Preliminary selection for inter-NREN roaming – in draft, conclusions are

– No national solution meets all the requirements.

– The group has chosen not to consider the following:

  – Local VPN access.

  – PKI

– An architecture that supports the various national solutions is needed, a three stream approach is recommended…

Page 6

Controlled Address Space for VPN Gateways

• Design and work plan documentation underway.

• Interoperability tests of VPN to RADIUS proxy hierarchy agreed.

• Further work to follow.

Page 7

RADIUS proxy hierarchy

Figure (labels only): RADIUS proxy servers connecting to a European level RADIUS proxy server: FCCN, UKERNA, SURFnet, FUNET, DFN, CARnet, CESnet, RedIRIS, UNI-C, GRnet.
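The cross-domain 802.1X slide (page 4) and the proxy hierarchy slide (page 7) describe the same mechanism: the authenticator at the visited institution hands the Access-Request to its own RADIUS server, which forwards it by realm through the national and European proxies until the user's home institution answers, and the visited site then puts the guest in its guest VLAN. The following Python model is an added illustration, not code from the slides or from any NREN; all server names, realms, users, passwords and VLAN numbers are constructed, and it passes the password through the hierarchy for simplicity where the slides' TTLS setup would expose only the outer identity to intermediate proxies.

```python
"""Added illustration (constructed): realm-based RADIUS proxying with VLAN assignment.
Hierarchy modelled: institution -> national proxy -> European proxy -> national proxy -> home.
"""
from dataclasses import dataclass, field

# Tunnel attribute values an authenticator uses for dynamic VLAN assignment (RFC 3580).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_802 = 6
MAX_HOPS = 8   # hop limit so a misconfigured hierarchy cannot loop forever


@dataclass
class AccessRequest:
    user_name: str                              # outer identity, e.g. piet@institution_b.nl
    password: str                               # with TTLS only the home server would see this
    path: list = field(default_factory=list)    # servers the request passed through


@dataclass
class AccessResponse:
    code: str                                   # "Access-Accept" or "Access-Reject"
    attributes: dict = field(default_factory=dict)
    reason: str = ""


def split_realm(user_name):
    """Return (local part, realm); realm is '' when the identity has no '@'."""
    local, sep, realm = user_name.rpartition("@")
    return (local, realm.lower()) if sep else (user_name, "")


class RadiusProxy:
    """Pure proxy: route by exact realm, then by dotted suffix (".fi"), else to the parent."""

    def __init__(self, name, routes=None, parent=None):
        self.name = name
        self.routes = routes or {}      # realm or ".suffix" -> next server
        self.parent = parent

    def route_for(self, realm):
        if realm in self.routes:
            return self.routes[realm]
        labels = realm.split(".")
        for i in range(1, len(labels)):
            suffix = "." + ".".join(labels[i:])
            if suffix in self.routes:
                return self.routes[suffix]
        return None

    def handle(self, req):
        req.path.append(self.name)
        if len(req.path) > MAX_HOPS:
            return AccessResponse("Access-Reject", reason="proxy loop detected")
        _, realm = split_realm(req.user_name)
        if not realm:
            return AccessResponse("Access-Reject", reason="no realm, cannot route")
        target = self.route_for(realm)
        if target is not None:
            return target.handle(req)
        if self.parent is not None:
            return self.parent.handle(req)
        return AccessResponse("Access-Reject", reason=f"unknown realm {realm}")


class InstitutionServer(RadiusProxy):
    """Home server for one realm that also fronts the institution's own authenticators."""

    def __init__(self, name, realm, users, guest_vlan, parent):
        super().__init__(name, parent=parent)
        self.realm = realm
        self.users = users              # local part -> (password, VLAN for that user)
        self.guest_vlan = guest_vlan    # VLAN every visiting user is placed in

    def handle(self, req):
        local, realm = split_realm(req.user_name)
        if realm != self.realm:
            # Visitor: the home institution decides accept/reject, but its VLAN
            # numbers mean nothing on our switches, so pin visitors to the guest VLAN.
            resp = super().handle(req)
            if resp.code == "Access-Accept":
                resp.attributes["Tunnel-Private-Group-ID"] = self.guest_vlan
            return resp
        req.path.append(self.name)
        entry = self.users.get(local)
        if entry is None or entry[0] != req.password:
            return AccessResponse("Access-Reject", reason="bad credentials")
        return AccessResponse("Access-Accept", {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_802,
            "Tunnel-Private-Group-ID": entry[1],
        })


def build_testbed():
    """Constructed hierarchy: two Dutch institutions under SURFnet, one Finnish under FUNET."""
    europe = RadiusProxy("eu-proxy")
    surfnet = RadiusProxy("SURFnet", parent=europe)
    funet = RadiusProxy("FUNET", parent=europe)
    inst_a = InstitutionServer("inst-a", "institution_a.nl", {"anna": ("a-secret", 300)}, 500, surfnet)
    inst_b = InstitutionServer("inst-b", "institution_b.nl", {"piet": ("b-secret", 200)}, 600, surfnet)
    uta = InstitutionServer("uta", "uta.fi", {"pekka": ("fi-secret", 42)}, 99, funet)
    surfnet.routes = {"institution_a.nl": inst_a, "institution_b.nl": inst_b}
    funet.routes = {"uta.fi": uta}
    europe.routes = {".nl": surfnet, ".fi": funet}
    return inst_a


def authenticate_at_institution_a(user_name, password):
    """What institution A's authenticator sees: (code, assigned VLAN, proxy path)."""
    req = AccessRequest(user_name, password)
    resp = build_testbed().handle(req)
    return resp.code, resp.attributes.get("Tunnel-Private-Group-ID"), req.path
```

Calling `authenticate_at_institution_a("pekka@uta.fi", "fi-secret")` walks inst-a, SURFnet, eu-proxy, FUNET and uta before returning an Accept, and the VLAN the authenticator applies is institution A's guest VLAN rather than the value the Finnish home server returned; identities without a realm or with a realm nobody in the hierarchy routes are rejected at the first server that cannot forward them, and the hop limit turns a routing loop into a reject instead of a hung request.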

Page 8

Integration?

• 802.1X – Secure SSID – RADIUS

• Web-based captive portal – Open SSID – RADIUS

• PKI-based – Open SSID – No RADIUS

Page 9

Network layout with multiple SSIDs and VLAN assignment

Page 10

Network layout without multiple SSIDs and VLAN assignment

Page 11

Layer 2 design of the interoperability testbed

Figure (labels only): AP 1200; Captive portal (acting as a router); Guest using WEB-access (SSID: eduroam-guest); Switch; RADIUS server 192.87.108.67; vlan 108; trunk with vlan 108, 109, 117, 163; vlan 163; Guest using 802.1x-guest-access (SSID: eduroam); vlan 117; trunk with vlan 163, 117; Guest using WEB-access via dot1x-guest-VLAN; Guest using 802.1x proxied credentials; vlan 117, vlan 163.

Page 12

Conclusions

• It is possible to create an interoperable solution

• It’s not that hard – especially when you use Deliverable H to guide you

• The future will show if and how these solutions will continue to exist

• Del. H also provides an easy upgrade path