
Supporting Wireless Mobility Through Flexible Architecture


Presentation Transcript


  1. Supporting Wireless Mobility Through Flexible Architecture John Douglass, Sr. Systems Architect, John.douglass@oit.gatech.edu; Steven McDaniel, ResNet Manager, Steven.mcdaniel@resnet.gatech.edu

  2. ASK QUESTIONS!!

  3. Overview • Why is mobility important? • What were our guiding principles? • LAWN Version 1.0 • The evolution of the wireless systems • Adding 802.1x (WPA-Enterprise) • The Foo of VLAN steering • Future opportunities and challenges

  4. Why is Mobility Important? • Laptops are a requirement at Georgia Tech. • Cellular phones with wi-fi capabilities are more prolific now than ever • More and more devices (such as iPads, gaming devices, robots, lab devices, etc.) are getting into the hands of our users.

  5. Guiding Principles • User based authentication. • Centralized deployment across campus • Layer 2 mobility that allows for campus roaming • No client agent – support as much as we can that runs the protocols required • Keep requirements for access reasonable

  6. (2001-2005) LAWN Version 1.0

  7. How Wireless Grew into a Monster

  8. (2001-2005) LAWN Version 1.0

  9. Evolution of the Beast (Pre 802.1x) • 2006 • Added Wired Network • Added 2nd Wireless Network • Device Login and Cookie Based Sessions to support mobile and other • http based API (GTLogin AP) • 2007 • Consolidated vendors to reduce the mix of radio types (compatibility issues) • Moved to a controller based system and converted APs to LWAPP

  10. (2006-2007) LAWN Version 2.0

  11. 2008 Default VLAN (2 networks)

  12. LAWN Login Page …and then…

  13. And then…

  14. How Wireless Grew into a Monster

  15. 2008 Evolution of the Beast (Pre 802.1x) • 2008 • LAWN bomb 1 (connection tracking) • LAWN bomb 2 (iptables routines) • Multiple Software Firewalls

  16. (2008) LAWN Version 3.0

  17. 2009 Evolution of the Beast (Pre 802.1x) 2009 • bonded etherchannel for uplinks • Added a 3rd wireless network • Isolation of services (web, DHCP, DB) • Process redistribution • WPA (802.1x) Pilot Begins (using sw firewall)

  18. 2009 Default VLAN (3 networks)

  19. Why 802.1x? What’s the big deal? • Improved usability on mobile devices • Allowed us an advanced level of flexibility on VLAN assignment • Able to use hardware based firewalls • Removed impact of web based attack on wireless authentication • Improved service availability and recovery • Simplified our architecture and planning

  20. Design Decisions for 802.1x • Had an existing AD backend that we found every major client supported (EAP-PEAP-MSCHAPv2) • Need to support network blocking • Need to support user authorization • Need to support user feedback • User, MAC, and/or source based VLAN steering

  21. Number of Devices per Freshman

  22. (2009) LAWN Version 4.0

  23. Moving Complexity to MySQL • Freeradius has a great base language (unlang) but did not have complex functions and is somewhat difficult to understand • MySQL is widely supported on campus • Freeradius is HIGHLY configurable (you can specify MySQL queries in the configuration) • Required data easily obtainable

  24. Radius Based VLAN Assignment

  25. MySQL Foo for VLAN Steering

      DELIMITER |
      CREATE FUNCTION determineGroup(client_mac VARCHAR(17), client_username VARCHAR(64), client_ap VARCHAR(64))
      RETURNS VARCHAR(64)
      READS SQL DATA
      BEGIN
        DECLARE returngroup VARCHAR(64);
        DECLARE clean_mac VARCHAR(17);
        DECLARE clean_ap VARCHAR(17);
        -- Normalize MAC and AP address to lower-case, colon-separated form
        SET clean_mac = REPLACE(LOWER(client_mac),'-',':');
        SET clean_ap = REPLACE(LOWER(SUBSTR(client_ap,1,17)),'-',':');
        -- Is there any explicit steering row for this MAC or username?
        IF EXISTS(SELECT groupname FROM radusergroup WHERE (mac_address = clean_mac OR username = client_username) ORDER BY priority ASC LIMIT 1) THEN
          -- The matching row with the lowest priority number wins
          SELECT groupname INTO returngroup FROM radusergroup
            WHERE ((username = client_username OR mac_address = clean_mac) AND priority = 100)
               OR (username = client_username AND mac_address = clean_mac AND source_ap = clean_ap AND priority = 150)
               OR (mac_address = clean_mac AND priority = 200)
               OR (username = client_username AND mac_address = clean_mac AND priority = 300)
               OR (username = client_username AND priority = 400)
               OR (username = 'DEFAULT')
            ORDER BY priority ASC LIMIT 1;
          IF returngroup IS NULL THEN
            -- No row applied: authorized users are spread over VLANs by hash
            IF EXISTS(SELECT uid FROM mage WHERE (uid = client_username AND login > 0) LIMIT 1) THEN
              SELECT determineGroupByHash(clean_mac, client_username) INTO returngroup;
            ELSE
              SET returngroup = 'NOTAUTHORIZED';
            END IF;
          END IF;
        ELSE
          -- No steering row at all: same authorization check and hash fallback
          IF EXISTS(SELECT uid FROM mage WHERE (uid = client_username AND login > 0) LIMIT 1) THEN
            SELECT determineGroupByHash(clean_mac, client_username) INTO returngroup;
          ELSE
            SET returngroup = 'NOTAUTHORIZED';
          END IF;
        END IF;
        RETURN returngroup;
      END|
      DELIMITER ;

  26. MySQL Foo for VLAN Steering

      DELIMITER |
      CREATE FUNCTION simpleHash(hashthis VARCHAR(30), hashsize INT)
      RETURNS INT
      DETERMINISTIC
      BEGIN
        DECLARE hashval INT;
        DECLARE hashme VARCHAR(30);
        SET hashme = UPPER(hashthis);
        -- Last 8 hex digits of the MD5, as a decimal number, modulo the bucket count
        SET hashval = CONV(SUBSTR(md5(hashme),-8),16,10) % hashsize;
        RETURN hashval;
      END|
      DELIMITER ;

      DELIMITER |
      CREATE FUNCTION determineGroupByHash(client_mac VARCHAR(17), client_username VARCHAR(64))
      RETURNS VARCHAR(64)
      DETERMINISTIC
      BEGIN
        DECLARE hashval INT;
        DECLARE hashsize INT;
        DECLARE chain_pref VARCHAR(32);
        DECLARE returngroup VARCHAR(64);
        -- User variable used to number the ACTIVE groups 0..hashsize-1
        SET @rownum = -1;
        SET chain_pref = determinePreferredChain(client_mac, client_username);
        SELECT count(*) INTO hashsize FROM radhashgroup WHERE status = 'ACTIVE' AND chain = chain_pref;
        SET hashval = simpleHash(client_mac, hashsize);
        -- Pick the ACTIVE group whose row number equals the hash of the MAC
        SELECT r1.groupname INTO returngroup
          FROM (SELECT @rownum:=@rownum+1 AS hash_value, groupname
                  FROM radhashgroup
                 WHERE status = 'ACTIVE' AND chain = chain_pref
                 ORDER BY groupname ASC) as r1
         WHERE hash_value = hashval;
        RETURN returngroup;
      END|
      DELIMITER ;

  27. MySQL Foo for VLAN Steering

      DELIMITER |
      CREATE FUNCTION determinePreferredChain(client_mac VARCHAR(17), client_username VARCHAR(64))
      RETURNS VARCHAR(64)
      DETERMINISTIC
      BEGIN
        DECLARE returnchain VARCHAR(64);
        IF EXISTS(SELECT chain FROM user_prefs WHERE (mac_address = client_mac AND username = client_username) LIMIT 1) THEN
          SELECT chain INTO returnchain FROM user_prefs WHERE (mac_address = client_mac AND username = client_username) LIMIT 1;
        ELSE
          SET returnchain = 'stateful';
        END IF;
        RETURN returnchain;
      END|
      DELIMITER ;

      In $RADIUS/etc/raddb/sql/mysql/dialup.conf

      group_membership_query = "SELECT determineGroup('%{Calling-Station-Id}','%{SQL-User-Name}','%{Called-Station-Id}') as groupname";

  28. MySQL Foo for VLAN Steering

      mysql> select * from mage;
      +---------------+-----------+-------+
      | account_index | uid       | login |
      +---------------+-----------+-------+
      |        313171 | blinkie3  |     1 |
      |            12 | twx63     |     1 |
      |            23 | mandy     |     0 |
      +---------------+-----------+-------+

      mysql> select * from radhashgroup;
      +----+-----------+---------------+---------+
      | id | groupname | chain         | status  |
      +----+-----------+---------------+---------+
      |  1 | vlan1296  | authenticated | STANDBY |
      |  2 | vlan1296  | stateful      | STANDBY |
      |  4 | vlan0316  | stateful      | ACTIVE  |
      |  8 | vlan1332  | authenticated | ACTIVE  |
      |  6 | vlan0808  | stateful      | ACTIVE  |
      |  7 | vlan1312  | stateful      | ACTIVE  |
      +----+-----------+---------------+---------+

      mysql> select * from user_prefs;
      +----+----------+-------------------+---------------+
      | id | username | mac_address       | chain         |
      +----+----------+-------------------+---------------+
      |  3 | mandy    | 55:b0:3a:67:55:9b | authenticated |
      +----+----------+-------------------+---------------+

      mysql> select * from radusergroup order by priority;
      +-----+-----------------+-------------------+-----------+-----------+----------+------------------------+
      | id  | username        | mac_address       | source_ap | groupname | priority | comment                |
      +-----+-----------------+-------------------+-----------+-----------+----------+------------------------+
      | 375 | blinkie3        |                   |           | vlan1296  |      100 | block_id:3423          |
      | 393 | mango678        |                   |           | vlan1296  |      100 | block_id:3768          |
      | 506 | smcdaniel12     | 00:21:6a:78:8b:74 |           | vlan1296  |      300 | testing for Steven McD |
      | 516 | jdouglass187    |                   |           | vlan0316  |      400 | testing for johnd      |
      +-----+-----------------+-------------------+-----------+-----------+----------+------------------------+

  29. (2011) LAWN Version 4.4

  30. User Distribution on 802.1x WEP vs 802.1x VLAN Distribution

  31. Significant Challenges for 802.1x • Not all clients support it (fallback = captive portal) • Configuration gotchas on all platforms • Difficult to put together accurate timeline of activity when debugging • AD integration (this adds a new dependency)

  32. Future Opportunities and Challenges • Many consumer grade devices do not (and will not) support 802.1x (WPA-Enterprise) • Centralized steering with radius is not as dependent upon controller based or single vendor architecture • Acts as a new jumping off point for an 802.1x wired solution using similar/identical technologies

  33. For More Information Evaluation (Be Kind but Honest!!) http://www.resnetsymposium.org/rspm/evaluation/ http://www.lawn.gatech.edu http://www.freeradius.org John.Douglass@oit.gatech.edu Steven.McDaniel@resnet.gatech.edu
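
The steering decision from slides 25 to 27, traced in Python over the sample rows of slide 28, to show which group each sample user lands in. This is an added example, not the presenters' code: the Python names are assumptions, the data is constructed from the slide, and username matching is case-sensitive here where MySQL's default collation is not.

```python
import hashlib

# Constructed from the sample rows on slide 28 (source_ap is empty in all of them).
MAGE = {"blinkie3": 1, "twx63": 1, "mandy": 0}  # uid -> login
RADHASHGROUP = [  # (groupname, chain, status)
    ("vlan1296", "authenticated", "STANDBY"), ("vlan1296", "stateful", "STANDBY"),
    ("vlan0316", "stateful", "ACTIVE"), ("vlan1332", "authenticated", "ACTIVE"),
    ("vlan0808", "stateful", "ACTIVE"), ("vlan1312", "stateful", "ACTIVE")]
USER_PREFS = {("55:b0:3a:67:55:9b", "mandy"): "authenticated"}
RADUSERGROUP = [  # (username, mac_address, source_ap, groupname, priority)
    ("blinkie3", "", "", "vlan1296", 100), ("mango678", "", "", "vlan1296", 100),
    ("smcdaniel12", "00:21:6a:78:8b:74", "", "vlan1296", 300),
    ("jdouglass187", "", "", "vlan0316", 400)]

def norm(mac):
    """Lower-case, colon-separated form, as clean_mac / clean_ap in determineGroup."""
    return mac.lower().replace("-", ":")

def simple_hash(value, size):
    """CONV(SUBSTR(md5(UPPER(x)), -8), 16, 10) % size"""
    return int(hashlib.md5(value.upper().encode()).hexdigest()[-8:], 16) % size

def group_by_hash(mac, user):
    """determineGroupByHash: pick one ACTIVE group of the preferred chain by MAC hash."""
    chain = USER_PREFS.get((mac, user), "stateful")  # determinePreferredChain
    active = sorted(g for g, c, s in RADHASHGROUP if s == "ACTIVE" and c == chain)
    # MySQL yields NULL for "% 0"; model that as None when no group is ACTIVE.
    return active[simple_hash(mac, len(active))] if active else None

def determine_group(client_mac, user, client_ap=""):
    mac, ap = norm(client_mac), norm(client_ap[:17])
    def matches(row):
        u, m, a, _, p = row
        return ((p == 100 and (u == user or m == mac))
                or (p == 150 and u == user and m == mac and a == ap)
                or (p == 200 and m == mac)
                or (p == 300 and u == user and m == mac)
                or (p == 400 and u == user)
                or u == "DEFAULT")
    hits = sorted((r for r in RADUSERGROUP if matches(r)), key=lambda r: r[4])
    if hits:                      # explicit steering row: lowest priority number wins
        return hits[0][3]
    if MAGE.get(user, 0) > 0:     # authorized user: spread over VLANs by hash
        return group_by_hash(mac, user)
    return "NOTAUTHORIZED"
```

With this data, blinkie3 is steered to vlan1296 by the priority-100 block row even though `login` is 1 in `mage`, and twx63 falls through to the hash over the three ACTIVE stateful groups.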
