INFN Trip Project

  1. INFN Trip Project Mirko Corosu for TRIP WORKGROUP HEPiX 2004 - Brookhaven

  2. Aim of the project • Authentication and authorization of roaming users without any previous registration. • The system should provide: • IP access: • to the user's own LAN • to the local LAN • Security • Compatibility with the local infrastructure • Independence from the user's OS and hardware

  3. Authentication/authorization methods • We started by analysing two kinds of method: • MAC address authentication (layer 2) • Web captive portal (layer 3)

  4. Software components • Server side: • Red Hat 9 operating system • FreeRADIUS 1.0.1: open-source RADIUS authentication server • NoCat 0.82: web captive portal for wireless and wired networks • Apache 1.3.27 + mod_ssl • Client side tested: • Red Hat 9 and Fedora Core, Windows 2000/XP • Mozilla and Internet Explorer browsers for web authentication

  5. Wireless access points • Cisco Aironet 1100 supports: • 802.1Q (VLAN tagging) • Multiple SSIDs • MAC address authentication • 802.1X authentication (EAP-TLS) • WEP encryption

  6. NoCat captive portal • Captive portal application written in Perl • Two elements: • Gateway: changes the iptables rules on a Linux-based gateway/firewall. • Authentication server: a collection of Perl CGIs that perform the web authentication of the user and tell the gateway to open or close firewall TCP ports. • Several gateways can interact with a single authentication server

  7. Web authentication (diagram, recovered as a sequence) • Association request / association allowed (access point) • IP address request / IP address allowed (DHCP) • The browser is redirected to the NoCat authentication page by the NoCat gateway (NAT/FW with iptables) • The user presents an X.509 certificate (mod_ssl) or username/password • The credential is checked against MySQL (NoCat), RADIUS vs. local db, RADIUS vs. PAM (NIS/K5/AFS) or AFS/CA on the private network • Authentication confirmed: an iptables rule is applied to open the firewall • Connection to the requested page on the WAN
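The gateway half of that exchange, written out as an added shell example (this is not NoCat's own code): the base iptables policy that captures an unauthenticated client's HTTP and redirects it to the login page, and the per-client rules the authentication server asks the gateway to insert once the credential is confirmed. Interface names, addresses, ports, chain names and the DRY_RUN switch are assumptions; with DRY_RUN=1 (the default) the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example (not the NoCat project's code): the iptables logic a NoCat-style
# captive-portal gateway applies.  Interface names, addresses, ports and chain
# names are assumptions.  With DRY_RUN=1 (the default) the rules are printed
# instead of applied, so the script can be read and tested without root.

DRY_RUN=${DRY_RUN:-1}
LAN_IF=${LAN_IF:-eth1}                  # assumed: interface facing the clients
WAN_IF=${WAN_IF:-eth0}                  # assumed: interface towards the WAN
PORTAL_IP=${PORTAL_IP:-192.168.1.1}     # assumed: gateway address of the auth page
PORTAL_SSL_PORT=${PORTAL_SSL_PORT:-443} # assumed: Apache + mod_ssl login page

# Run or print an iptables command, depending on DRY_RUN.
ipt() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# Base policy for clients that have not authenticated yet: DHCP and DNS (the
# gateway is assumed to run a resolver) work, port-80 traffic is redirected to
# the portal (which answers with a redirect to the HTTPS login page), and
# everything else from the client LAN is dropped.
portal_base_rules() {
  ipt -N portal_members        # one ACCEPT rule per authenticated client
  ipt -t nat -N portal_capture # redirect everyone not yet accepted
  ipt -t nat -A PREROUTING -i "$LAN_IF" -j portal_capture
  ipt -t nat -A portal_capture -p tcp --dport 80 -j DNAT --to-destination "$PORTAL_IP:80"
  ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
  ipt -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
  ipt -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT
  ipt -A INPUT -i "$LAN_IF" -p tcp -d "$PORTAL_IP" --dport 80 -j ACCEPT
  ipt -A INPUT -i "$LAN_IF" -p tcp -d "$PORTAL_IP" --dport "$PORTAL_SSL_PORT" -j ACCEPT
  ipt -A INPUT -i "$LAN_IF" -j DROP
  ipt -A FORWARD -i "$LAN_IF" -j portal_members
  ipt -A FORWARD -i "$LAN_IF" -j DROP
  ipt -A FORWARD -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Called by the authentication server after a successful login: open the
# firewall for one client.  IP and MAC are matched together so a second host
# must forge both to borrow the session; neither is authenticated on the wire
# (slide 8's "no encryption" problem), so this only raises the bar.
portal_open() {
  ipt -I portal_members 1 -s "$1" -m mac --mac-source "$2" -j ACCEPT
  ipt -t nat -I portal_capture 1 -s "$1" -m mac --mac-source "$2" -j RETURN
}

# Remove the client's rules on logout or idle timeout.
portal_close() {
  ipt -D portal_members -s "$1" -m mac --mac-source "$2" -j ACCEPT
  ipt -t nat -D portal_capture -s "$1" -m mac --mac-source "$2" -j RETURN
}

# Stand-alone: `sh portal.sh demo` prints the full rule set for one client.
case "${1:-}" in
  demo) portal_base_rules; portal_open 192.168.1.50 00:11:22:33:44:55 ;;
esac
```

The RETURN rule inserted into the nat chain is what stops the redirect for an authenticated client; without it the client would keep landing on the login page even though FORWARD already accepts its traffic. Note that an unauthenticated client's HTTPS is simply dropped rather than redirected, since a DNAT of a TLS connection to the portal would only produce a certificate error.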

  8. Web authorization/authentication infrastructure • Features: • Supports different authentication mechanisms (Linux PAM, X.509 certificates, RADIUS, MySQL, LDAP) • Independence from client OS and hardware • Problems: • No encryption • Difficult to grant different privileges based on the user's credentials

  9. MAC address authentication • Features: • Useful to distinguish local users (registered MAC address) from others • Possibility of using different VLANs • Problems: • No encryption • Doesn't support other authentication/authorization methods

  10. Solution • Integrate the different authentication methods

  11. First step: use one machine (diagram) • A single host between the WAN and the private network runs the NoCat gateway, NAT/FW (iptables), the NoCat authentication HTTP server, RADIUS and DHCP • Authentication back ends on the private network: NIS/K5/AFS/MySQL and AFS/CA

  12. Second step: MAC/Web authentication (diagram) • Association request: MAC authentication via the RADIUS server, which checks the MAC database • MAC present in the database: the client is placed in LAN1 (local users, full access to the local network) • MAC not present in the database: the client is placed in the NoCat LAN (LAN2), with filtered access to the local network • The server runs NoCat + httpd, iptables (NAT/FW), radiusd and dhcpd against one database
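The MAC-address step of that design as an added shell example (not the TRIP project's code): the access point sends the client MAC as the RADIUS User-Name, a registered MAC is answered with the VLAN of LAN1, any other MAC with the VLAN of the NoCat LAN. The VLAN numbers, the MAC format the AP sends, the registered-MAC list (constructed here) and the use of RFC 3580 tunnel attributes to steer the AP's VLAN choice are assumptions; the script emits FreeRADIUS `users`-file entries rather than talking RADIUS itself.

```shell
#!/bin/sh
# Added example (not the TRIP project's code): the MAC-address decision of
# slide 12, producing FreeRADIUS "users" entries.  The AP sends the client MAC
# as the RADIUS User-Name; a registered MAC gets the local-users VLAN, any
# other MAC the captive-portal VLAN.  VLAN numbers, the MAC format the AP
# sends and the registered-MAC list are assumptions.

LOCAL_VLAN=${LOCAL_VLAN:-10}   # assumed: LAN1, full access to the local network
NOCAT_VLAN=${NOCAT_VLAN:-20}   # assumed: NoCat LAN, filtered, web authentication

# Constructed registered-MAC list; in the real setup radiusd checks a database.
REGISTERED_MACS="
00:11:22:33:44:55
00:11:22:33:44:66
"

# Canonical form: lower-case hex without separators (assumed AP User-Name format).
normalize_mac() {
  printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/[-:.]//g'
}

# Print the VLAN for a MAC: LOCAL_VLAN if registered, NOCAT_VLAN otherwise.
vlan_for_mac() {
  m=$(normalize_mac "$1")
  for r in $REGISTERED_MACS; do
    if [ "$(normalize_mac "$r")" = "$m" ]; then
      echo "$LOCAL_VLAN"
      return 0
    fi
  done
  echo "$NOCAT_VLAN"
}

# One users-file entry for a MAC, with the RFC 3580 VLAN reply attributes
# (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id).
users_entry() {
  m=$(normalize_mac "$1")
  printf '%s\tAuth-Type := Accept\n' "$m"
  printf '\tTunnel-Type = VLAN,\n\tTunnel-Medium-Type = IEEE-802,\n'
  printf '\tTunnel-Private-Group-Id = "%s"\n\n' "$(vlan_for_mac "$m")"
}

# Whole users file: one entry per registered MAC, then a DEFAULT that accepts
# every other MAC into the captive-portal VLAN (slide 12: "MAC not present in
# db; user is put in the NoCat LAN").
users_file() {
  for r in $REGISTERED_MACS; do
    users_entry "$r"
  done
  printf 'DEFAULT\tAuth-Type := Accept\n'
  printf '\tTunnel-Type = VLAN,\n\tTunnel-Medium-Type = IEEE-802,\n'
  printf '\tTunnel-Private-Group-Id = "%s"\n' "$NOCAT_VLAN"
}

# Stand-alone: `sh mac_vlan.sh file` prints the users fragment,
# `sh mac_vlan.sh check 00:11:22:33:44:55` prints the VLAN for one MAC.
case "${1:-}" in
  file) users_file ;;
  check) vlan_for_mac "$2" ;;
esac
```

The MAC is the only credential in this step, so a client that presents a registered MAC, its own or a cloned one, lands in LAN1; that is the "no encryption" limitation slides 9 and 13 record for the MAC/web design, and the reason 802.1X is listed as the next step.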

  13. Features of web/MAC authentication • Supports different authentication methods • Independence from user OS/HW • Different access levels • One problem: • Connection not encrypted • Solution: the 802.1X protocol

  14. 802.1X protocol • Features: • Encrypted connection • Supports different authentication methods • Problems: • Problems on some OSs and hardware

  15. Current project goals • Web + MAC address authentication infrastructure • Automatic installation of the authentication server

  16. Future development • 802.1X integration • Creation of a RADIUS server infrastructure to extend the authentication mechanism to all INFN sections, or • Putting the TRIP infrastructure into the INFN Kerberos 5 framework • Test of other web captive portals (TINO)

  17. Documentation • Documentation and software can be found at http://trip.ge.infn.it/
