Workshop roaming services:
eduroam / govroam Belnet – Nicolas Loriau
Brussels – March 2016
Overview of Belnet Services
Standard Services / « Plus » Services (on demand) / « Plus » Services (associated cost)
• Belnet Connectivity
• Internet Connectivity
• IPv4 and IPv6
• DNS Services
• NTP
• Monitoring
• Service desk 24/7
• Workshops
• Back-up Internet connectivity
• RRN Connectivity
• eduroam
• Belnet R&E Federation
• Multipoint
• Belnet Leased Lines
• Multimedia Transport Service
• govroam
• Domain Name Registration
• Digital Certificates
• Antispam Pro
• Belnet Cloud Storage
• Belnet Cloud computing
Network Services
What is it?
govroam
• GOVernment ROAMing
• Simple and secure access to wifi network
• Belnet initiative based on eduroam technologies
• For governmental institutions, administrations, …
• http://www.govroam.be
eduroam
• EDUcation ROAMing
• Simple and secure access to wifi network
• Terena project to provide students access to internet
• For research and education institutions
• http://www.eduroam.be
Belnet - Workshop govroam 31/03/2016
Why ?
• Increased Mobility: users can make use of Wifi infrastructure at other members
• Easy: users only need their home organization account to login
• Secure: centralized accounts, no local copies
• Cost effective: reduce 3G/4G cost when moving between offices
Technical framework
Technical infrastructure
Technical Framework
– Principles
– Components
– Authentication flow
Demo
– Objectives
– Test with Windows server 2012 and NPS
Principles
To install roaming services, you need:
– Wi-Fi access points and controllers and/or 802.1x switches
– RADIUS server
– User database / LDAP / AD
Based on a hierarchy of RADIUS servers
– Your only point of contact is Belnet
Principles
It is:
– A trust-based relationship between members
– An agreement on roaming technologies
Chain of trust:
– All direct peers must be known beforehand
– A shared secret must be established “out-of-band”
– Agreement on authentication protocols & methods
Principles: Hierarchy of authentication servers
[Diagram: the Belgian Top-Level AS (“Federation” level) above the AS of Institution-A.be and the AS of Institution-B.be (“Institution” level)]
Principles: Hierarchy of authentication servers (eduroam)
Components
Client / Supplicant
– SW on end user's device which handles network authentication
– Minimum requirements: WPA, EAP-TTLS, PEAP enabled
Components
Network Access Server / Authenticator / Service Provider
– IEEE 802.1X enabled switch or wireless access point which provides Clients access to the (W)LAN
– Separate VLAN for home and visiting end users
Components
Authentication Server / Identity Provider
– Remote Authentication Dial In User Service compliant (RFC 2865/2866)
– NOT a user database
– Authenticates home end users against local user database
– Forwards requests of visiting end users
– Software:
• Radiator
• FreeRADIUS
• Windows server with NPS (from 2008R2)
• Others
Components
User identity source
– LDAP/AD
– Local database / SQL
Protocols and Methods
EAP Framework
– Extensible Authentication Protocol (RFC 5247)
– NOT a wire protocol nor an authentication mechanism
– Defines authentication data formats
– Negotiates which authentication method/type should be used
Protocols & Methods
EAP Methods/Types "How does EAP authenticate"
– Uses the EAP framework to remotely authenticate the end user's credentials to his home institute's Identity Provider
– 40+ different methods exist > use common secure ones!
• Outer Authentication: EAP-TTLS (RFC 5281), PEAP
• Inner Authentication: MSCHAPv2 (RFC 2759)
Protocols & Methods
EAP Encapsulation "How EAP can be transported"
– In order to transport EAP messages, they must be encapsulated
– Between client and SP (802.1x)
• EAP over LAN = “EAPOL”
– Between SP & IdP, IdP & IdP
• RADIUS
Security
Outer authentication
– Goal: securely transport the EAP messages between peers
– Authenticate the server (to avoid MitM attacks)
– PEAP, EAP-TTLS
Inner authentication
– Transmit unique user attributes (credentials)
– via MSCHAPv2
Protocols & Methods
Security: EAP, 802.1X and RADIUS must be secured
[Diagram: Client, Service Provider (Institution-A.be), Identity Provider (Institution-A.be)]
Choice of security mechanisms is important
Authentication Flow: National Level
[Diagram: Client, Service Provider (Institution-A.be), Identity Provider (Institution-A.be), Identity Provider (Institution-B.be), Belgian Top-Level Radius]
1. The User contacts the Service Provider (SP) (Wireless Access Point) of institution A (SSID = govroam).
2. The SP of institution A asks for the user's identity. Not yet the credentials!
3. The user identity is transmitted to the Identity Provider (IdP) (RADIUS server) of institution A in an Access-Request message (EAP over RADIUS).
4. Based on the identity, the IdP of institution A knows that the user does not belong to its own user database and transmits the Access-Request to the Belgian RADIUS server.
5. Based on the realm part of the identity, the Belgian RADIUS server transmits the Access-Request to the RADIUS server of institution B.
6a. Now the IdP of institution B knows the User, and a TLS tunnel is established between the User and the RADIUS server using the EAP encapsulation mechanism (outer authentication).
6b. During TLS establishment the User checks the RADIUS server certificate of his institution.
7. The User is now authenticated against his own institute's IdP using traditional mechanisms (challenges, certificates, tokens, ...) (inner authentication).
8. If the User is correctly authenticated, the RADIUS server of institution B sends an Access-Accept to the Belgian RADIUS server, otherwise it sends an Access-Reject.
9. The Belgian RADIUS server sends the Access-Accept to institution A.
10. The IdP of institution A tells its SP to grant access to the User and provides all information related to the local access policy (VLAN, IP address, ...).
11. The User can now access the LAN and Internet.
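As an added example (not from the Belnet slides), this Python model walks a request through the hierarchy of steps 3 to 9: every AS routes only on the realm of the outer identity, and only the home IdP opens the inner credentials, which is why the SP in step 2 asks for the identity and not the credentials. The server names follow the slides; the users, passwords and the hop limit are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_HOPS = 3  # proxy loop guard: a misrouted realm must not bounce between peers forever


@dataclass
class AuthServer:
    """A RADIUS authentication server (AS) at one level of the govroam/eduroam hierarchy."""
    name: str
    local_realms: set = field(default_factory=set)  # realms this AS authenticates itself (it is the IdP)
    users: dict = field(default_factory=dict)       # constructed inner username -> password database
    routes: dict = field(default_factory=dict)      # realm -> member AS (federation level only)
    parent: Optional["AuthServer"] = None           # upstream federation AS (institution level only)
    seen: list = field(default_factory=list)        # outer identities this AS handled

    def access_request(self, outer_identity: str, inner: tuple, hops: int = 0) -> str:
        """Route on the outer identity's realm; 'inner' is only opened by the home IdP."""
        self.seen.append(outer_identity)
        if hops > MAX_HOPS:
            return "Access-Reject"
        _, sep, realm = outer_identity.rpartition("@")
        realm = realm.lower()
        if not sep or not realm:                # no realm: nothing to route on (step 5 needs it)
            return "Access-Reject"
        if realm in self.local_realms:          # steps 6-7: home IdP runs the inner authentication
            username, password = inner
            return "Access-Accept" if self.users.get(username) == password else "Access-Reject"
        if realm in self.routes:                # step 5: federation AS forwards to the realm's owner
            return self.routes[realm].access_request(outer_identity, inner, hops + 1)
        if self.parent is not None:             # step 4: foreign realm, hand up to the top-level AS
            return self.parent.access_request(outer_identity, inner, hops + 1)
        return "Access-Reject"                  # unknown realm at the top of the hierarchy


def build_hierarchy():
    """Two institutions peering only with the Belgian Top-Level AS, as in the slides."""
    belgian = AuthServer("Belgian Top-Level AS")
    inst_a = AuthServer("Institution-A.be", {"institution-a.be"}, {"anna": "pw-a"}, parent=belgian)
    inst_b = AuthServer("Institution-B.be", {"institution-b.be"}, {"bob": "pw-b"}, parent=belgian)
    belgian.routes = {"institution-a.be": inst_a, "institution-b.be": inst_b}
    return belgian, inst_a, inst_b


def connect(visited_as: AuthServer, outer_identity: str, inner: tuple) -> str:
    """Step 3: the SP of the visited institution hands the request to its own AS."""
    return visited_as.access_request(outer_identity, inner)
```

A local login (flow 1 in the demo) never leaves institution A's AS, while a visitor's request reaches the Belgian AS and is answered by the home IdP alone.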
How to implement
Prerequisites (out of scope)
Wi-Fi access point that must:
– be IEEE 802.1X compliant
– broadcast the SSID "eduroam" or “govroam” (govroamtest for this session)
– offer IEEE 802.11b or better
– implement WPA/TKIP or better (Belnet strongly recommends WPA2-AES!)
– Allow traffic on defined ports (please refer to govroam)
User database:
– LDAP
– Active Directory
Prerequisites (out of scope)
Server certificates
– Don't use a self-signed server certificate
– Successfully import server & chain certificate into Windows
– Use dcs.belnet.be to get a signed server certificate
Correct server time
– Important for the setup of TLS-tunnels
– Use Belnet's NTP server time.belnet.be to get the correct time
Firewalls & Ports
– UDP 1812
– UDP 1813
Radiator Installation
Why “Radiator”?
– Belnet uses this product
– Easy & straightforward to deploy on Linux, Windows, ...
– Broad support for Identity & Access Management backends
– One of the first solutions which supported RadSec
Freeradius Installation
Why “Freeradius”?
– Free
– Easy to deploy on Linux, Windows, ...
– Broad support for Identity & Access Management backends
– Now supports RadSec
W2012 R2 with NPS
Why “NPS”?
– Best option in windows environment
– Easy to deploy on Windows, ...
– Easy link to AD
W2012 R2 with NPS
Server set-up:
– Windows 2012 server R2 with NPS
– Valid server certificate
Hierarchy
[Diagram: the Belgian Top-Level AS (“Federation” level) above the AS belnet.be and the AS ta.belnet.be (“Institution” level)]
Components overview
[Diagram: WAP + CTRL, RADIUS (Windows NPS), Identity server (AD), Belnet Radius]
Radius server installation (W2012 R2 with NPS, server set-up):
– Configuring RADIUS client (wlan controller)
– Configuring the remote RADIUS
– Configuring proxy RADIUS
– Link with LDAP
– Configuring top level RADIUS
[Configuration screenshots for each step]
Registration @ Belnet
govroam web-interface
– Facilitate the configuration of your govroam parameters
• RADIUS servers
• Shared secrets
• Test accounts
Demo
Demo Environment
Use case:
– Internal wifi users in a specific VLAN (21)
– External wifi users in a separate VLAN (666)
We will generate/analyse 3 flows:
– A home user login locally (flow 1)
– An external user login locally (flow 2)
– A home user login from another organization (flow 3)
Demo environment: Network design
Authentication Flow 1: local - local
A user from the local institution ta.belnet.be sends an access request to the local “govroamtest” WLAN. VLAN access depends on the USER login.
[Diagram: ta.belnet.be NPS + AD, wlan-ctrl (SSID = “govroamtest”), Belgian Top-Level Radius (roaming1.belnet.be, roaming2.belnet.be)]
Authentication Flow 2: remote - local
A remote user from Belnet sends an access request to the local “govroamtest” WLAN.
[Diagram: ta.belnet.be Radius, wlan-ctrl (SSID = “govroamtest”), Belgian Top-Level Radius (roaming1.belnet.be, roaming2.belnet.be), radius.belnet.be, ldap.belnet.be]
Authentication Flow 3: local - remote
A local user from institution ta.belnet.be sends an access request to the remote Belnet “govroam” WLAN.
[Diagram: ta.belnet.be RADIUS + LDAP, wlan-ctrl (SSID = “govroam”), Belgian Top-Level Radius (roaming1.belnet.be, roaming2.belnet.be), LDAP belnet.be]
Conclusion
Technical Framework
Demo
Belnet is there to help you
Q&A
What do you think?
Final roundtable
Are you ready to join?
What would you need more to start?
Thank you
Use case
To be added