WLAN Roaming for the European Scientific Community: Lessons Learned

, June 9th, 2004

Carsten Bormann <cabo@tzi.de>Niels Pollem <np@tzi.de>

reporting on the work of TERENA TF Mobility

2

Outline

WLAN access control and security How does inter-domain roaming work Roaming on a European scale How to integrate solutions at the site level Conclusion

3

WLAN Security: Requirements

Confidentiality (Privacy):

Nobody can understand foreign traffic

Insider attacks as likely as outsiders'

Accountability:

We can find out who did something

Prerequisite: Authentication

4

WLAN Security: Approaches

AP-based Security: AP is network boundaryWEP (broken), WEP fixes, WPA, …802.1X (EAP variants + RADIUS) + 802.11i

Network based Security: deep securityVPNs needed by mobile people anyway

SSH, PPTP, IPsec

Alternative: Web-diverter (temporary MAC/IP address filtering) No confidentiality at all, though

5

Intranet X

Accessnetwork

Campusnetwork

world

Routers

RADIUS Server(s)

.1X

6

WLAN Access Control:Why 802.1X is better 802.1X is taking over the world anyway The EAP/XYZ people are finally getting it right

Only 5 more revisions before XYZ wins wide vendor support

Available for more and more systems (Windows 2000 up) Distribute hard crypto work to zillions of access points Block them as early as possible

More control to visited site admin, too!

Most of all: It just works™

7

Intranet X

Dockingnetwork

Campusnetwork

world

VPN-Gateways

DHCP, DNS, free Web

VPN

8

WLAN Access Control:Why VPN is better Historically, more reason to trust L3 security than L2

IPSec has lots of security analysis behind it Can use cheap/dumb APs

Available for just about everything (Windows 98, PDA etc.) Easy to accommodate multiple security contexts

Even with pre-2003 infrastructureData is secure in the air and up to VPN gateway

Most of all: It just works™

9

Intranet X

Dockingnetwork

Campusnetwork

world

AccessControl Device

DHCP, DNS, free Web

Web redire

ct

Web

10

WLAN Access Control:Why Web-based filtering is better No client software needed (everybody has a browser) Ties right into existing user/password schemes Can be made to work easily for guest users

It’s what the hotspots use, so guest users will know it alreadyMay be able to tie in with Greenspot etc.

Privacy isn’t that important anyway (use TLS and SSH) Accountability isn’t that important anyway

Most of all: It just works™

From Access Controlto Roaming

12

Roaming: High-level requirements

Objective:

Enable NREN users to use Internet (WLAN and wired) everywhere in Europe

with minimal administrative overhead (per roaming) with good usability maintaining required security for all partners

13

Inter-domain 802.1X

RADIUS server

Institution B

RADIUS server

Institution A

Internet

Central RADIUS

Proxy server

Authenticator

(AP or switch) User DB

User DB

Supplicant

Guest

piet@institution_b.nl

StudentVLAN

GuestVLAN

EmployeeVLAN

HomeVisited

e.g., @NREN

14

Web-based with RADIUS

15

Intranet X

Dockingnetwork

Campus Network

G-WiN

VPN-Gateways

DHCP, DNS, free Web

Intranet X

Dockingnetwork

Campus Network

G-WiN

VPN-Gateways

DHCP, DNS, free Web

VPN

SWITCHmobile – VPN solution deployed at 7 universities across Switzerland.

Wbone – VPN roaming solution to 4 universities / colleges in state of Bremen.

Clients enter the Internet through home network/gateway.

16

Wboneinterconnecting docking networks

RBriteline

Uni Bremen172.21/16

HS Bremen172.25/16

HfK

HS Brhv.10.28.64/18

IPSec

Cisco

IPSec/PPTP/SSH

Linux

IPSec

Cisco

PPTP

Linux

IPSec

Cisco

PPTP

Linux

PPTP

Linux

PPTP

Linux

AWI

extend to other sites ...

Making roaming work on aEuropean scale

18

FCCN

RADIUS Proxy servers connecting to a European level RADIUS proxy server

UKERNA

SURFnet

FUNET

DFN

CARnet

European RADIUS hierarchy

CESnet

RedIRIS

UNI-C

GRnet

19

The CASG

Separate docking networks from controlled address space for gateways (CASG)

Hosts on docking networks can freely interchange packets with hosts in the CASGEasy to accomplish with a couple of ACLs

All VPN gateways get an additional CASG addressHmm, problem with some Cisco concentrators

inetnum: 193.174.167.0 - 193.174.167.255netname: CASG-DFNdescr: DFN-Vereindescr: Stresemannstrasse 78descr: 10963 Berlincountry: DEadmin-c: MW238tech-c: JR433tech-c: KL565status: ASSIGNED PAmnt-by: DFN-LIR-MNTchanged: poldi@dfn.de 20040603source: RIPE

20

Intranet X

Dockingnetwork

Campus NetworkG-WiN

VPN-Gateways

DHCP, DNS, free Web

Accesscontroller

Intranet X

Dockingnetwork

Campus NetworkG-WiN

VPN-Gateways

DHCP, DNS, free Web

Accesscontroller

Intranet X

Dockingnetwork

Campus NetworkG-WiN

VPN-Gateways

DHCP, DNS, free Web

Accesscontroller

The big bad

Internet

CASG

21

CASG allocation

Back-of-the-Envelope: 1 address per 10000 populationE.g., .CH gets ~600, Bremen gets ~60

Allocate to minimize routing fragmentationMay have to use some tunneling/forwarding

VPN gateway can have both local and CASG address

22

The CASG Pledge

I will gladly accept any packetThere is no such thing as a security incident on the CASG

I will not put useful things in the CASGPeople should not be motivated to go there except to authenticate

or use authenticated services

I will help manage the prefix space to remain stable

How to integrate all theseat the site level?

24

Commonalities

802.1XSecure SSIDRADIUS

Web-based captive portalOpen SSIDRADIUS

VPN-basedOpen SSIDNo RADIUS

}Docking net(open SSID)

RADIUSbackend

}

25

How can I help...as a home institution

Implement the other backend: As a RADIUS-based site

Implement a CASG VPN gateway (or subscribe to an NREN one)Provide the right RADIUS for all frontends

As a VPN siteRun a RADIUS server

Help the users try and debug their roaming setup while at home (play visited site)

26

How can I help...as a visited institution

Implement the other frontend: As a docking network site

Implement the other docking appraoch: CASG access or Web-diverter

Implement a 802.1X SSID (“eduroam”) in addition to open SSID As an 802.1X site

Implement an open SSID with CASG access and Web-diverter

Your local users will like it, tooMaybe too much…

27

Network layout with multiple SSID’s and VLAN assignment

28

Network layout without multiple SSID’s and VLAN assignment

Doing the plumbing

30

Default router in docking net

Default route points to access control device:

ip route 0.0.0.0 0.0.0.0 172.21.3.11

CASG routes point to CASG router

ip route 193.174.167.0 255.255.255.0 172.21.3.250

31

CASG router

ip access-list extended casg-out

permit ip 193.174.167.0 0.0.0.255 any

deny ip any any

ip access-list extended casg-in

permit ip any 193.174.167.0 0.0.0.255

deny ip any any

interface Vlan86 ip address 172.21.3.250 255.255.0.0 ip access-group casg-in in

ip access-group casg-out out

ip nat inside

32

What if docking net is RFC1918?

Maximum compatibility with an address-based NAT:

ip access-list standard docking-addr

permit 172.21.0.0 0.0.255.255!

ip nat translation timeout 1800

ip nat pool dn 134.102.216.1 134.102.216.250 netmask 255.255.255.0ip nat inside source list docking-addr pool dn

So where are we?

34

Fun little issues

1/3 of Bremen‘s 432 Cisco 340 APs can't do VLANsEthernet interface hardware MTU issue

Some client WLAN drivers are erratic in the presence of multi-SSID APs

Can't give university IP addresses to roamersToo many university-only services are “authenticated” on IP addressAddress pool must be big enough for flash crowds

CASG space is currently allocated on a national levelSo there will be a dozen updates before CASG is stable

35

Conclusions

It is possible to create a fully interoperable solution It’s not that hard

especially when you use TF mobility’s deliverable H to guide you

Re-evaluate solutions in a couple of yearsTF mobility is going for a second term to help

Integration approach also provides an easy upgrade pathE.g., add 802.1X to docking-only siteGo for it