Supporting Wireless Mobility Through Flexible Architecture
John Douglass, Sr. Systems Architect, John.douglass@oit.gatech.edu
Steven McDaniel, ResNet Manager, Steven.mcdaniel@resnet.gatech.edu

Overview
• Why is mobility important?
• What were our guiding principles?
• LAWN Version 1.0
• The evolution of the wireless systems
• Adding 802.1x (WPA-Enterprise)
• The Foo of VLAN steering
• Future opportunities and challenges

Why is Mobility Important?
• Laptops are a requirement at Georgia Tech.
• Cellular phones with wi-fi capabilities are more prolific now than ever.
• More and more devices (such as iPads, gaming devices, robots, lab devices, etc.) are getting into the hands of our users.

Guiding Principles
• User based authentication.
• Centralized deployment across campus.
• Layer 2 mobility that allows for campus roaming.
• No client agent – support as much as we can that runs the protocols required.
• Keep requirements for access reasonable.

Evolution of the Beast (Pre 802.1x)
• 2006
  • Added Wired Network
  • Added 2nd Wireless Network
  • Device Login and Cookie Based Sessions to support mobile and other devices
  • HTTP based API (GTLogin AP)
• 2007
  • Consolidated vendors to reduce the mix of radio types (compatibility issues)
  • Moved to a controller based system and converted APs to LWAPP
LAWN Login Page …and then…
Evolution of the Beast (Pre 802.1x)
• 2008
  • LAWN bomb 1 (connection tracking)
  • LAWN bomb 2 (iptables routines)
  • Multiple Software Firewalls

Evolution of the Beast (Pre 802.1x)
• 2009
  • Bonded etherchannel for uplinks
  • Added a 3rd wireless network
  • Isolation of services (web, DHCP, DB)
  • Process redistribution
  • WPA (802.1x) Pilot Begins (using a software firewall)

Why 802.1x? What's the big deal?
• Improved usability on mobile devices
• Allowed us an advanced level of flexibility on VLAN assignment
• Able to use hardware based firewalls
• Removed the impact of web based attacks on wireless authentication (no captive portal in the authentication path)
• Improved service availability and recovery
• Simplified our architecture and planning

Design Decisions for 802.1x
• Had an existing AD backend, and found that every major client supported EAP-PEAP-MSChapV2 against it
• Need to support network blocking
• Need to support user authorization
• Need to support user feedback
• User, MAC, and/or source based VLAN steering

Moving Complexity to MySQL
• FreeRADIUS has a great base language (unlang) but it lacks complex functions and is somewhat difficult to understand
• MySQL is widely supported on campus
• FreeRADIUS is HIGHLY configurable (you can specify the MySQL queries in the configuration)
• The required data is easily obtainable
MySQL Foo for VLAN Steering

DELIMITER |
CREATE FUNCTION determineGroup(client_mac VARCHAR(17), client_username VARCHAR(64), client_ap VARCHAR(64))
RETURNS VARCHAR(64)
BEGIN
  DECLARE returngroup VARCHAR(64);
  DECLARE clean_mac VARCHAR(17);
  DECLARE clean_ap VARCHAR(17);
  -- Normalise whatever MAC format the supplicant/AP sent: lower-case, '-' becomes ':'.
  SET clean_mac = REPLACE(LOWER(client_mac),'-',':');
  -- Called-Station-Id arrives as "AP-MAC:SSID"; keep only the AP MAC.
  SET clean_ap = REPLACE(LOWER(SUBSTR(client_ap,1,17)),'-',':');

  -- Explicit rules from radusergroup win; the lowest priority number that matches is used.
  IF EXISTS(SELECT groupname FROM radusergroup
            WHERE (mac_address = clean_mac OR username = client_username)
            ORDER BY priority ASC LIMIT 1) THEN
    SELECT groupname INTO returngroup FROM radusergroup
    WHERE ((username = client_username OR mac_address = clean_mac) AND priority = 100)
       OR (username = client_username AND mac_address = clean_mac AND source_ap = clean_ap AND priority = 150)
       OR (mac_address = clean_mac AND priority = 200)   -- MAC-only rule, compared against the normalised MAC like the others
       OR (username = client_username AND mac_address = clean_mac AND priority = 300)
       OR (username = client_username AND priority = 400)
       OR (username = 'DEFAULT')
    ORDER BY priority ASC LIMIT 1;
  END IF;

  -- No explicit rule matched: enabled accounts (mage.login > 0) are hashed into a VLAN,
  -- everything else is refused.
  IF returngroup IS NULL THEN
    IF EXISTS(SELECT uid FROM mage WHERE (uid = client_username AND login > 0) LIMIT 1) THEN
      SELECT determineGroupByHash(clean_mac, client_username) INTO returngroup;
    ELSE
      SET returngroup = 'NOTAUTHORIZED';
    END IF;
  END IF;
  RETURN returngroup;
END|
DELIMITER ;
MySQL Foo for VLAN Steering

DELIMITER |
-- Last 8 hex digits of MD5(UPPER(hashthis)) reduced modulo hashsize: a cheap, stable bucket index.
CREATE FUNCTION simpleHash(hashthis VARCHAR(30), hashsize INT)
RETURNS INT DETERMINISTIC
BEGIN
  DECLARE hashval INT;
  DECLARE hashme VARCHAR(30);
  SET hashme = UPPER(hashthis);
  SET hashval = CONV(SUBSTR(md5(hashme),-8),16,10) % hashsize;
  RETURN hashval;
END|
DELIMITER ;

DELIMITER |
-- Spread a user over the ACTIVE groups of their preferred chain, keyed by the client MAC.
CREATE FUNCTION determineGroupByHash(client_mac VARCHAR(17), client_username VARCHAR(64))
RETURNS VARCHAR(64) DETERMINISTIC
BEGIN
  DECLARE hashval INT;
  DECLARE hashsize INT;
  DECLARE chain_pref VARCHAR(32);
  DECLARE returngroup VARCHAR(64);
  SET @rownum = -1;
  SET chain_pref = determinePreferredChain(client_mac, client_username);
  SELECT count(*) INTO hashsize FROM radhashgroup WHERE status = 'ACTIVE' AND chain = chain_pref;
  -- Guard: with no ACTIVE group in the chain the modulo below would be x % 0 (NULL or an error,
  -- depending on sql_mode); return NULL explicitly so the caller sees "no group".
  IF hashsize = 0 THEN
    RETURN NULL;
  END IF;
  SET hashval = simpleHash(client_mac, hashsize);
  -- Number the ACTIVE groups 0..hashsize-1 in groupname order and pick the hashed slot.
  SELECT r1.groupname INTO returngroup
  FROM (SELECT @rownum:=@rownum+1 AS hash_value, groupname
        FROM radhashgroup
        WHERE status = 'ACTIVE' AND chain = chain_pref
        ORDER BY groupname ASC) AS r1
  WHERE hash_value = hashval;
  RETURN returngroup;
END|
DELIMITER ;
MySQL Foo for VLAN Steering

DELIMITER |
-- A (user, MAC) pair can opt into a different firewall chain; otherwise 'stateful' is used.
CREATE FUNCTION determinePreferredChain(client_mac VARCHAR(17), client_username VARCHAR(64))
RETURNS VARCHAR(64) DETERMINISTIC
BEGIN
  DECLARE returnchain VARCHAR(64);
  IF EXISTS(SELECT chain FROM user_prefs
            WHERE (mac_address = client_mac AND username = client_username) LIMIT 1) THEN
    SELECT chain INTO returnchain FROM user_prefs
    WHERE (mac_address = client_mac AND username = client_username) LIMIT 1;
  ELSE
    SET returnchain = 'stateful';
  END IF;
  RETURN returnchain;
END|
DELIMITER ;

In $RADIUS/etc/raddb/sql/mysql/dialup.conf, FreeRADIUS hands the three RADIUS attributes to the function and uses the returned group name for the VLAN reply:

group_membership_query = "SELECT determineGroup('%{Calling-Station-Id}','%{SQL-User-Name}','%{Called-Station-Id}') as groupname"
MySQL Foo for VLAN Steering

mysql> select * from mage;
+---------------+----------+-------+
| account_index | uid      | login |
+---------------+----------+-------+
|        313171 | blinkie3 |     1 |
|            12 | twx63    |     1 |
|            23 | mandy    |     0 |
+---------------+----------+-------+

mysql> select * from radhashgroup;
+----+-----------+---------------+---------+
| id | groupname | chain         | status  |
+----+-----------+---------------+---------+
|  1 | vlan1296  | authenticated | STANDBY |
|  2 | vlan1296  | stateful      | STANDBY |
|  4 | vlan0316  | stateful      | ACTIVE  |
|  8 | vlan1332  | authenticated | ACTIVE  |
|  6 | vlan0808  | stateful      | ACTIVE  |
|  7 | vlan1312  | stateful      | ACTIVE  |
+----+-----------+---------------+---------+

mysql> select * from user_prefs;
+----+----------+-------------------+---------------+
| id | username | mac_address       | chain         |
+----+----------+-------------------+---------------+
|  3 | mandy    | 55:b0:3a:67:55:9b | authenticated |
+----+----------+-------------------+---------------+

mysql> select * from radusergroup order by priority;
+-----+--------------+-------------------+-----------+-----------+----------+------------------------+
| id  | username     | mac_address       | source_ap | groupname | priority | comment                |
+-----+--------------+-------------------+-----------+-----------+----------+------------------------+
| 375 | blinkie3     |                   |           | vlan1296  |      100 | block_id:3423          |
| 393 | mango678     |                   |           | vlan1296  |      100 | block_id:3768          |
| 506 | smcdaniel12  | 00:21:6a:78:8b:74 |           | vlan1296  |      300 | testing for Steven McD |
| 516 | jdouglass187 |                   |           | vlan0316  |      400 | testing for johnd      |
+-----+--------------+-------------------+-----------+-----------+----------+------------------------+
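To see how the three stored functions combine over the sample rows above, here is an added Python model of the same decision rules (not code from the deck or from LAWN). It transcribes the slides' tables as constants and assumes the sample MACs and AP identifier in the tests are constructed values.

```python
import hashlib

# Sample rows transcribed from the slides' mysql> output.
MAGE = {"blinkie3": 1, "twx63": 1, "mandy": 0}  # uid -> login flag
RADHASHGROUP = [  # (groupname, chain, status)
    ("vlan1296", "authenticated", "STANDBY"), ("vlan1296", "stateful", "STANDBY"),
    ("vlan0316", "stateful", "ACTIVE"), ("vlan1332", "authenticated", "ACTIVE"),
    ("vlan0808", "stateful", "ACTIVE"), ("vlan1312", "stateful", "ACTIVE"),
]
USER_PREFS = {("mandy", "55:b0:3a:67:55:9b"): "authenticated"}
RADUSERGROUP = [  # (username, mac_address, source_ap, groupname, priority)
    ("blinkie3", "", "", "vlan1296", 100), ("mango678", "", "", "vlan1296", 100),
    ("smcdaniel12", "00:21:6a:78:8b:74", "", "vlan1296", 300),
    ("jdouglass187", "", "", "vlan0316", 400),
]

def clean_mac(mac):  # same normalisation as determineGroup(): lower-case, '-' -> ':'
    return mac.lower().replace("-", ":")

def simple_hash(text, size):
    """CONV(SUBSTR(md5(UPPER(text)), -8), 16, 10) % size, as in simpleHash()."""
    return int(hashlib.md5(text.upper().encode()).hexdigest()[-8:], 16) % size

def determine_preferred_chain(mac, user):  # user_prefs row, else 'stateful'
    return USER_PREFS.get((user, mac), "stateful")

def determine_group_by_hash(mac, user):
    """Spread enabled users over the ACTIVE groups of their chain by MAC hash."""
    chain = determine_preferred_chain(mac, user)
    active = sorted(g for g, c, s in RADHASHGROUP if s == "ACTIVE" and c == chain)
    if not active:  # the SQL does `x % 0` here (NULL or an error by sql_mode)
        return None
    return active[simple_hash(mac, len(active))]

def determine_group(mac, user, ap):
    """Explicit radusergroup rules first (lowest priority wins), then hashing."""
    mac, ap = clean_mac(mac), clean_mac(ap[:17])  # Called-Station-Id: "AP-MAC:SSID"
    known = any(u == user or m == mac for u, m, _, _, _ in RADUSERGROUP)
    hits = [(p, g) for u, m, a, g, p in RADUSERGROUP if known and (
        (p == 100 and (u == user or m == mac))
        or (p == 150 and u == user and m == mac and a == ap)
        or (p == 200 and m == mac)                 # MAC-only rule, normalised MAC
        or (p == 300 and u == user and m == mac)
        or (p == 400 and u == user)
        or u == "DEFAULT")]
    if hits:
        return min(hits)[1]
    if MAGE.get(user, 0) > 0:                      # enabled account: hash into a VLAN
        return determine_group_by_hash(mac, user)
    return "NOTAUTHORIZED"
```

Note that a row such as smcdaniel12's (priority 300, user and MAC) makes the user "known" to the rule table, so from any other MAC the user falls through to the mage check rather than to a DEFAULT row; mandy's user_prefs entry never matters while her login flag is 0.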
User Distribution on 802.1x
(charts: WEP vs 802.1x; VLAN Distribution)
Significant Challenges for 802.1x
• Not all clients support it (fallback = captive portal)
• Configuration gotchas on all platforms
• Difficult to put together an accurate timeline of activity when debugging
• AD integration (this adds a new dependency)

Future Opportunities and Challenges
• Many consumer grade devices do not (and will not) support 802.1x (WPA-Enterprise)
• Centralized steering with RADIUS is not as dependent upon a controller based or single vendor architecture
• Acts as a new jumping off point for an 802.1x wired solution using similar/identical technologies

For More Information
Evaluation (Be Kind but Honest!!): http://www.resnetsymposium.org/rspm/evaluation/
http://www.lawn.gatech.edu
http://www.freeradius.org
John.Douglass@oit.gatech.edu
Steven.McDaniel@resnet.gatech.edu