Workshop roaming services: eduroam / govroam · Authentication Flow 1 local - local A user from...

Workshop roaming services:

eduroam / govroam Belnet – Nicolas Loriau

Brussels – March 2016

Overview of Belnet Services

Overview of Belnet Services

Standard Services « Plus » Services

On demand

« Plus » Services

Associated cost

• Belnet Connectivity

• Internet Connectivity

• IPv4 and IPv6

• DNS Services

• NTP

• Monitoring

• Service desk 24/7

• Workshops

• Back-up Internet

connectivity

• RRN Connectivity

• eduroam

• Belnet R&E Federation

• Multipoint

• Belnet Leased Lines

• Multimedia Transport

Service

• govroam

• Domain Name Registration

• Digital Certificates

• Antispam Pro

• Belnet Cloud Storage

• Belnet Cloud computing

Netw

ork

S

erv

ices

What is it?

• GOVernment ROAMing

• Simple and secure

access to wifi network

• Belnet initiative based on

eduroam technologies

• For governmental

institutions,

administrations, …

• http://www.govroam.be

Belnet - Workshop govroam 31/03/2016

• EDUcation ROAMing

• Simple and secure

access to wifi network

• Terena project to

provide students

access to internet

• For research and

education institutions

• http://www.eduroam.be

Why ?

• Increased Mobility:

users can make use of Wifi infrastructure at other members

• Easy:

users only need their home organization account to login

• Secure:

centralized accounts, no local copies

• Cost effective:

reduce 3G/4G cost when moving between offices


Technical framework

Technical infrastructure

Technical Framework

– Principles

– Components

– Authentication flow

Demo

– Objectives

– Test with Windows server 2012 and NPS


Principles

To install roaming services, you need:

– Wi-Fi access points and controllers and/or 802.1x switches

– RADIUS server

– User database / LDAP / AD

Based on a hierarchy of RADIUS servers

– Your only point of contact is Belnet


Principles

It is:

– A trust-based relationship between members

– An agreement on roaming technologies

Chain of trust:

– All direct peers must be known beforehand

– A shared secrets must be enabled “out-of-band”

– Agreement on authentication protocols & methods


Principles Hierarchy of authentication servers


AS

Institution-A.be

AS

Institution-B.be

Belgian

Top-Level AS

“Federation”

“Institution”

Principles Hierarchy of authentication servers eduroam


Components

Client / Supplicant

– SW on end user's device which handles network authentication

– Minimum requirements: WPA, EAP-TTLS, PEAP enabled


Components

Network Access Server / Authenticator / Service

Provider

– IEEE 802.1X enabled switch or wireless access point which

provides Clients access to the (W)LAN

– Seperate VLAN for home and visiting end users


Components

Authentication Server / Identity Provider

– Remote Authentication Dial In User Service compliant (RFC

2865/2866)

– NOT a user database

– Authenticates home end users against local user database

– Forwards requests of visiting end users

– Softwares:

• Radiator

• FreeRADIUS

• Windows server with NPS (from 2008R2)

• Others


Components

User identity source

– LDAP/AD

– Local database / SQL


Protocols and Methods

EAP Framework

– Extensible Authentication Protocol (RFC 5247)

– NOT a wire protocol nor an authentication mechanism

– Defines authentication data formats

– Negotiates which authentication method/type should be used


Protocols & Methods

EAP Methods/Types "How does EAP authenticate"

– Uses EAP framework to remotely authenticate end user's credentials to

his home institute's Identity Provider

– 40+ different methods exit > use common secure ones!

• Outer Authentication: EAP-TTLS (RFC 5281), PEAP

• Inner Authentication: MSCHAPv2 (RFC 2759)


Protocols & Methods

EAP Encapsulation "How EAP can be

transported"

– In order to transport EAP messages, they must be encapsulated

– Between client and SP (802.1x)

• EAP over LAN = “EAPOL”

– Between Sp & IdP, IdP & IdP

• RADIUS


Security

Outer authentication

– Goal : securely transport the EAP messages between peers

– Authenticate the server (to avoid MitM attacks)

– PEAP, EAP-TTLS

Inner authentication

– Transmit unique user attributes (credentials)

– via MSCHAPv2


Protocols & Methods


Security EAP, 802.1X and RADIUS must be secured


Service Provider

Institution-A.be

[email protected]

Identity Provider

Institution-A.be

Client

Security EAP, 802.1X and RADIUS must be secured

Choice of security mechanisms is important


Service Provider

Institution-A.be

[email protected]

Identity Provider

Institution-A.be

Client

Authentication Flow


National Level (1/11)

1 The User contacts the Service Provider (SP)

(Wireless Access Point) of institution A (SSID = govroam)

Service Provider

Identity Provider

Institution-A.be

Institution-A.be

Identity Provider

Institution-B.be

Belgian

Top-Level

Radius

[email protected]

Authentication Flow



2 SP of institution A asks the user's identity.

Not yet the credentials!

Service Provider

Identity Provider

Institution-A.be

Institution-A.be

Identity Provider

Institution-B.be

Belgian

Top-Level

Radius

[email protected]

2

Authentication Flow



3

User identity is transmitted to Identity

Provider (IdP) (RADIUS server)

of institution A

using EAP Access-Request message

Service Provider

Identity Provider

Institution-A.be

Institution-A.be

Identity Provider

Institution-B.be

Belgian

Top-Level

Radius

[email protected]

2

Authentication Flow



4 Based on the identity the IdP

of the institution A knows that user doesn't belong to its own user database and will transmit

the Access-Request to the Belgian RADIUS server.

Service Provider

Identity Provider

Institution-A.be

Institution-A.be

Identity Provider

Institution-B.be

Belgian

Top-Level

Radius

[email protected]

2

Authentication Flow



[email protected]

5 Based on the realm part of the identity the

Belgian RADIUS server transmits the Access-Request

to the RADIUS server of institution B

Service Provider

Identity Provider

Institution-A.be

Institution-A.be

Identity Provider

Institution-B.be

Belgian

Top-Level

Radius

2

Authentication Flow


National Level (6a/11)

6a Now the IdP of institution B

knows the User and a TLS tunnel is established between User and RADIUS server using

EAP encapsulation mechanism (outer authentication)

6

Service Provider

Identity Provider

Institution-A.be

Institution-A.be

Identity Provider

Institution-B.be

Belgian

Top-Level

Radius

[email protected]

2

Authentication Flow


National Level (6b/11)

6b The User checks during TLS establishment

the RADIUS server certificate of his institution.

6

Service Provider

Identity Provider

Institution-A.be

Institution-A.be

Identity Provider

Institution-B.be

Belgian

Top-Level

Radius

[email protected]

2

Authentication Flow



7 Now the User is authenticated against its own institute's IdP, using traditional mechanisms

(challenges, certificates, token...) (Inner authentication)

6 7

Service Provider

Identity Provider

Institution-A.be

Institution-A.be

Identity Provider

Institution-B.be

Belgian

Top-Level

Radius

[email protected]

2

Authentication Flow



[email protected]

8 If the User is correctly authenticated, the RADIUS server of institution B

sends an Access-Accept to the Belgian RADIUS server,

otherwise it sends an Access-Reject

6 7

Service Provider

Identity Provider

Institution-A.be

Institution-A.be

Identity Provider

Institution-B.be

Belgian

Top-Level

Radius

2

Authentication Flow



9 Belgian RADIUS server sends the

Access-Accept to institution A

6 7

Service Provider

Identity Provider

Institution-A.be

Institution-A.be

Identity Provider

Institution-B.be

[email protected]

Belgian

Top-Level

Radius

2

9

Authentication Flow



10 The IdP of institution A tells

his SP to grant access to the User and provide all information

related to the local access policy ( vlan, IP address, ...)

6 7

Service Provider

Identity Provider

Institution-A.be

Institution-A.be

Identity Provider

Institution-B.be

Belgian

Top-Level

Radius

[email protected]

10

2

9

Authentication Flow



[email protected]

11 User can now access

LAN and Internet

6 7

Service Provider

Identity Provider

Institution-A.be

Institution-A.be

Identity Provider

Institution-B.be

Belgian

Top-Level

Radius

10

2

9

How to implement

42

Prerequisites (out of scope)

Wi-Fi access point that must:

– be IEEE 802.1X compliant

– broadcast the SSID "eduroam" or “govroam” (govroamtest for

this session)

– offer IEEE 802.11b or better

– implement WPA/TKIP or better (Belnet strongly recommends

WPA2-AES!)

– Allow traffic on defined ports (please refer to govroam)

User database:

– LDAP

– Active Directory

31/03/2016 Belnet - Workshop govroam

43

Prerequisites (out of scope)

Server certificates

– Don't use a self-signed server certificate

– Successfully import server & chain certificate into Windows

– Use dcs.belnet.be to get a signed server certificate

Correct server time

– Important for the setup of TLS-tunnels

– Use Belnet's NTP server time.belnet.be to get the correct time

Firewalls & Ports

– UDP 1812

– UDP 1813


Radiator Installation

Why “Radiator”?

– Belnet uses this product

– Easy & straightforward to deploy on Linux, Windows, ...

– Broad support for Identity & Access Management backends

– One of the first solutions which supported RadSec


Freeradius Installation

Why “Freeradius”?

– Free

– Easy to deploy on Linux, Windows, ...

– Broad support for Identity & Access Management backends

– Now supports RadSec


W2012 R2 with NPS

Why “NPS”?

– Best option in windows environment

– Easy to deploy on Windows, ...

– Easy link to AD


W2012 R2 with NPS

Server set-up:

– Windows 2012 server R2 with NPS

– Valid server certificate


Hierarchy


AS

belnet.be

AS

ta.belnet.be

Belgian Top-Level AS

“Federation”

“Institution”

51

Components overview

WAP + CTRL


RADIUS (Windows NPS) Identity server (AD)

Belnet Radius

Radius server installation


RADIUS (Windows NPS) Identity server (AD)

WAP + CTRL

Belnet Radius

Radius server installation: Configuring RADIUS client (wlan controller)


WAP + CTRL

RADIUS LDAP/AD

Belnet Radius

Radius server installation: Configuring the remote RADIUS


WAP + CTRL

RADIUS LDAP/AD

Belnet Radius

W2012 R2 with NPS

Server set-up:


Radius server installation: Configuring proxy RADIUS


WAP + CTRL

RADIUS LDAP/AD

Belnet Radius

W2012 R2 with NPS

Server set-up:


Radius server installation: Link with LDAP


WAP + CTRL

RADIUS LDAP/AD

Belnet Radius

W2012 R2 with NPS

Server set-up:


61

Radius server installation: Configuring top level RADIUS


WAP + CTRL

RADIUS LDAP/AD

Belnet Radius

62

Registration @ Belnet


govroam web-interface

– Facilitate the configuration of your govroam parameters

• RADIUS servers

• Shared secrets

• Test accounts

Demo Environment

Use case:

– Internal wifi users in a specific VLAN (21)

– External wifi users in a separate VLAN (666)

We will generate/analyse 3 flows:

– A home user login locally (flow 1)

– An external user login locally (flow 2)

– A home user login from another organization (flow 3)


67

Demo environement: Network design


68

Authentication Flow 1 local - local

A user from local institution ta.belnet.be will send access request

to local “govroamtest” WLAN

VLAN access depends on USER login

Ta.belnet.be NPS + AD

Belgian Top-Level Radius

[email protected]

wlan-ctrl

SSID = “govroamtest”

roaming1.belnet.be roaming2.belnet.be


69

Authentication Flow 2 remote - local

A remote user from Belnet will send access request

to local “govroamtest” WLAN

ta.belnet.be Radius


[email protected]

wlan-ctrl

SSID = “govroamtest”

radius.belnet.be ldap.belnet.be



70

Authentication Flow 3 local - remote

A local user from institution ta.belnet.be will send access request

to remote Belnet's “govroam” WLAN

Ta.belnet.be RADIUS + LDAP


[email protected]

wlan-ctrl

SSID = “govroam”

Ldap belnet.be



mailto:[email protected]

Conclusion

Conclusion

Technical Framework

Demo

Belnet is there to help you

Q&A


What do you think?

Final roundtable

Are you ready to join?

What would you need more to start?


Thank you

Use case

Use case

To be added

Workshop roaming services: eduroam / govroam · Authentication Flow 1 local - local A user from...

Documents

Transcript of Workshop roaming services: eduroam / govroam · Authentication Flow 1 local - local A user from...