340 likes | 489 Views
eduroam, security and authentication. Paul Dekkers. 5 th of April, Eurocamp, Ljubljana. Contents. 802.1x and wireless innovations Authentication protocols Types Authentication servers Examples Eduroam Infrastructure Conclusion. Entities in 802.1x setup.
E N D
eduroam, security and authentication Paul Dekkers 5th of April, Eurocamp, Ljubljana
Contents • 802.1x and wireless innovations • Authentication protocols • Types • Authentication servers • Examples • Eduroam Infrastructure • Conclusion
Entities in 802.1x setup Authentication before (W)LAN access… Supplicant Authenticator (AP or switch) RADIUS server institution User DB Guest VLAN LAN
Wireless technologies • Encryption with 802.11 • WEP (RC4 keys) • WPA (RC4 + TKIP) • WPA2 (AES encryption) • 802.11i (crème de la crème) Changes with low impact • 802.1x is basis for future standardsIn time: as common as DHCP • With 802.1x we can make a 64-bit WEP-key safe
EAP Extensible Authentication Protocol • Different EAP-types • EAP-types with SSL/TLS • “Mutual authentication” • Provide the encryption-keys • EAP is transported and proxied within RADIUS • The home-institution decides what type
Common EAP types • EAP-TLSStrong authentication with client-certificates • EAP-TTLSDIAMETER/RADIUS (e.g. u/p in PAP) in TLS tunnelcan be deployed with most u/p-type backends • EAP-PEAPMicrosoft implementation with u/p via MSCHAPv2usable in MS enviromentsCisco has a different implementation • EAP-FASTusername/password authentication the Cisco wayinstallation more complex, uses no SSL/TLS • EAP-SIMStrong authentication with SIM-card from phones • ... LEAP, EAP-MD5 are old and weak
EAP transport Secured tunnel Supplicant Authenticator (AP or switch) RADIUS server institution A RADIUS server institution B User DB User DB Guest user@institution-B.nl Internet guest VLAN regular VLAN Central RADIUS Proxy server
End-users Is the biggest security risk the end-user itself?
End-users Security considerations • In many cases username/password is good enoughCompare with POP3, IMAP, webmail, … • SSL client certificates are sometimes easier for users • Mutual authentication can be confusing:installers help!
RADIUS servers Well known servers: • Radiator • FreeRADIUS • IAS 2003 • Only advised with Microsoft clients and backend • Cisco ACS • Barely used, bad EAP compatibility
Radiator example Understandable monolithic linear configuration (saves time/mistakes!) LogDir /var/log/radius AuthPort 1812 AcctPort 1813 Trace 4 <Client 192.87.110.54> Secret … IdenticalClients 192.87.110.4 </Client> <AuthBy FILE> Identifier GiveItAName Filename %D/users </AuthBy> <Handler> AuthBy GiveItAName </Handler> <Handler> <AuthBy> #Identifier GiveItAName Filename %D/users </AuthBy> </Handler> or:
Radiator example Proxy non-local requests to the eduroam infrastructure: <Client obelix.a3.surf.net> Secret … Identifier SURFnet-proxy IdenticalClients idefix.a3.surf.net </Client> <Handler Client-Identifier=/^(?!SURFnet-proxy$)/> <AuthBy RADIUS> Host obelix.a3.surf.net Host idefix.a3.surf.net Secret … AuthPort 1812 AcctPort 1813 StripFromReply Tunnel-Type,Tunnel-Medium-Type,\ Tunnel-Private-Group-ID,TRPZ-VLAN-Name AddToReply TRPZ-VLAN-Name=GuestVLAN </AuthBy> AcctLogFileName %L/proxied-accounting </Handler>
Radiator example: EAP-TTLS <Handler Realm=surfnet.nl, TunnelledByTTLS=1> … </Handler> <Handler Realm=surfnet.nl, EAP-Message=/.+/> <AuthBy FILE> Filename %D/dummy EAPType TTLS # you can add: TLS, PEAP EAPTLS_CAFile %D/ca.pem EAPTLS_CertificateFile %D/server.crt EAPTLS_CertificateType PEM EAPTLS_PrivateKeyFile %D/server.key EAPTLS_PrivateKeyPassword secret EAPTLS_MaxFragmentSize 1024 AutoMPPEKeys SSLeayTrace 2 </AuthBy> </Handler> <Handler Realm=surfnet.nl, Request-Type=Accounting-Request> … </Handler>
Radiator example: tunneled PAP Using POP3… <Handler Realm=surfnet.nl, TunnelledByTTLS=1> RewriteUsername s/^([^@]+).*/$1/ <AuthBy POP3> Host mail.institution.nl NoDefault AuthMode APOP # or BEST, PASS UseSSL </AuthBy> </Handler>
Radiator example: tunneled PAP Using a (LDAP) directory server… <Handler Realm=surfnet.nl, TunnelledByTTLS=1> RewriteUsername s/^([^@]+).*/$1/ <AuthBy LDAP2> Host directory.surfnet.nl Version 3 BaseDN %0=%1,ou=Accounts,ou=Office,dc=surfnet,dc=nl Scope base UsernameAttr uid AuthAttrDef uid,X-UserID,request ServerChecksPassword </AuthBy> </Handler>
Radiator example: TTLS and PEAP Using a Windows backend (domain/AD)… <Handler Realm=surfnet.nl, TunnelledByPEAP=1> <AuthBy LSA> EAPType MSCHAPv2 </AuthBy> </Handler> <Handler Realm=surfnet.nl, TunnelledByTTLS=1> <AuthBy LSA> #Domain SURFNET #DefaultDomain SURFNET #Group Administrators #DomainController dc.surfnet.nl </AuthBy> </Handler> For AuthBy LSA Radiator requires ActivePerl 5.6 and to run on a Windows platform
Radiator under Windows AuthBy LSA requires Radiator under Windows. Running Radiator under Windows is not hard! • Get ActivePerl (from www.activeperl.com) • ppm install http://www.open.com.au/radiator/free-downloads/Win32-Lsa.ppd • ppm install http://theoryx5.uwinnipeg.ca/ppmpackages/Net_SSLeay.pm.ppd • Get Radiator • Run perl Makefile.PL install Run LSA as service or change “Act as part of the operating system” policy.
eduroam infrastructure flexiblity of RADIUS works!
eduroam infrastructure grows rapidly!
current infrastructure RADIUS has its drawbacks • RADIUS packet is “visible” on every hop this is not bad with EAP… • Traffic between hops is poor this is not bad with EAP… • Static routing (based on a @realm) requires configuration at institution and research network • Schalable, but: more connections = • more configuration • more load on the top-level servers more…
current infrastructure UDP RADIUS transport “dead server”-detection hard if not properly configured…
Something better… • Disabling redundant hierarchy • Faster • More secure (few places that see the data) • More reliable(less “points of failure”) • Better security on the transport-layer (tcp/ssl?) • Flexible configuration (lookup-service?)
Options • DiameterRADIUS successor(Been around for quite some time…) • RadSecPart of Radiator • DNSROAM & RadSecExperimental part of Radiator
RadSec and DNSROAM • RADIUS packet in TCP of SCTP more reliable, dead peer detection • Secured with TLS/PKI (optional) offers options for limiting participation/federation: • by certificates signed by a specific CA • validated by attributes in the certificate (not yet) • DNSROAM uses DNS as lookup-service • dynamic routing based on the RADIUS realm • possible to deploy for just a part of the infrastructure
RadSec (image taken from Radiate / Test description and evaluation by Telematica Instituut)
RadSec Replacing RADIUS with RadSec
RadSec Replacing static connections with dynamic ones
RadSec en DNSROAM Completely dynamic Legacy connections remain possible (using a proxy)
Conclusion • Clients and Institutions won’t have to worry about wireless technology: 802.1x is the future… while WPA is becoming commodity WEP is fine too. • No radical improvements required for the current infrastructure at an institution. • EAP is flexible and fits almost every existing backend, the future will bring more EAP-types (like SSO).