Federated Wireless NetAuth
Kevin Miller • Duke University • kevin.miller@duke.edu
Internet2 Joint Techs, Vancouver, BC, July 2005
Vision
• Allow scholars to securely connect to wireless networks at visited institutions using home credentials
• Enable visited sites to make attribute-based authorization decisions about visitors
• Extension of the eduroam service (currently .eu, .au)
Use Cases
• Member of an institution visiting another
• Two collocated institutions sharing WiFi infrastructure
• Members of one institution in residence at another (international campuses)
• Authenticating alumni, prospects, parents, patients without providing “campus” IDs
• …
Other Benefits
• Enable your users to authenticate with a single interface
  • Though UIs need improvement
eduroam today
• Accepts VPN, Web middlebox, or 802.1x at the edge; some or all supported per visited site
• Some confusion from lack of UI standardization
• Security tradeoffs of the web middlebox
• No mechanism for exchanging user attributes
• RADIUS servers connected in a hierarchy leading to two root servers
• Not considered a production service
eduroam.us
• Beginning an operational experiment
• Gain experience with key technology
• Test new approaches for next generation architecture
• Developing a list of goals & expectations for the experiment
eduroam-ng
• Ongoing work in each region to advance eduroam technically
• Coordination in the Eduroam Global Working Group (“GWG-Eduroam”)
• Consensus among the regions in a number of areas:
  • Authorization: Ability of the visited site to obtain user attributes to use in the access decision
  • Security: Protecting user credentials; secure transport to the home institution
  • Privacy: Protect user information from disclosure except as allowed
Still researching some areas…
• “Direct connect” style of server connectivity as an alternative to hierarchical connection
• NetAuth: What do visited sites need to do, and what additional communication is required to the home site?
• Diagnostics: How do we determine the root cause of failures?
• Physically locating service spots: Especially hot topic in .eu
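The realm-based proxying that the “eduroam today” slide describes (RADIUS servers in a hierarchy ending at root servers), as an added, constructed model rather than code from this presentation or from eduroam: the visited site's server routes on nothing but the realm of the EAP outer identity, escalates toward the root until a suffix matches, then descends to the home institution, and rejects realms nobody claims. The server names, suffixes and realms are assumed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class RadiusProxy:
    """One RADIUS proxy in the eduroam-style tree (constructed model)."""
    name: str
    home_realms: Set[str] = field(default_factory=set)  # realms it authenticates itself
    children: Dict[str, "RadiusProxy"] = field(default_factory=dict)  # suffix -> child
    parent: Optional["RadiusProxy"] = None

    def add_child(self, suffix: str, child: "RadiusProxy") -> "RadiusProxy":
        child.parent = self
        self.children[suffix] = child
        return child


def realm_of(outer_identity: str) -> str:
    """Routing looks only at the realm after '@' in the EAP outer identity;
    the real username can stay inside the TLS tunnel (the privacy goal)."""
    if "@" not in outer_identity:
        raise ValueError("identity without a realm cannot be routed")
    return outer_identity.rsplit("@", 1)[1].lower()


def route(server: RadiusProxy, realm: str) -> List[str]:
    """Hop list from the visited site's server to the home server."""
    path, descending = [server.name], False
    while realm not in server.home_realms:
        nxt = next((c for sfx, c in server.children.items()
                    if realm == sfx or realm.endswith("." + sfx)), None)
        if nxt is not None:
            descending = True  # once we go down we never go back up (no loops)
        elif descending or server.parent is None:
            raise LookupError(f"no route for realm {realm}")  # unknown realm: reject
        else:
            nxt = server.parent  # escalate toward the root
        server = nxt
        path.append(server.name)
    return path


def build_demo_tree() -> Dict[str, RadiusProxy]:
    """Constructed hierarchy: two national roots under one global root."""
    top = RadiusProxy("global-root")
    us = top.add_child("edu", RadiusProxy("us-root"))
    nl = top.add_child("nl", RadiusProxy("nl-root"))
    duke = us.add_child("duke.edu", RadiusProxy("duke", {"duke.edu"}))
    uva = nl.add_child("uva.nl", RadiusProxy("uva", {"uva.nl"}))
    return {"duke": duke, "uva": uva, "top": top}
```

A “direct connect” design would replace the escalation loop with a lookup of the home server straight from the realm, which is why the slide lists it as an alternative to the hierarchy.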
Interested in helping?
• To date, mixed feedback
  • Many interesting use cases
  • “I would never allow someone else’s credentials to authenticate on my net”
• Technical help is needed to develop eduroam-ng based upon concerns such as this
Join the FWNA Group
• Biweekly Conference Calls
  • Thursday 11am-12pm: July 28, Aug 11
  • 866-411-0013, 0184827
• salsa-fwna @ internet2 list
  • “subscribe salsa-fwna” to sympa @ internet2
• security.internet2.edu/fwna