
Federated Wireless NetAuth

Federated Wireless NetAuth. Kevin Miller • Duke University kevin.miller@duke.edu Internet2 Joint Techs Vancouver, BC July, 2005. Vision. Allow scholars to securely connect to wireless networks at visited institutions using home credentials


Presentation Transcript


  1. Federated Wireless NetAuth Kevin Miller • Duke University kevin.miller@duke.edu Internet2 Joint Techs Vancouver, BC July, 2005

  2. Vision
  • Allow scholars to securely connect to wireless networks at visited institutions using home credentials
  • Enable visited sites to make attribute-based authz decisions about visitors
  • Extension of the eduroam service (currently .eu, .au)

  3. Use Cases
  • Member of an institution visiting another
  • Two collocated institutions sharing WiFi infrastructure
  • Members of one institution in residence at another (international campuses)
  • Authenticating alumni, prospects, parents, patients without providing “campus” IDs
  • …

  4. Other Benefits
  • Enable your users to authenticate with a single interface
  • Though UIs need improvement

  5. eduroam today

  6. eduroam today
  • Accepts VPN, Web middlebox, or 802.1x at the edge; some or all supported per visited site
  • Some confusion from lack of UI standardization
  • Security tradeoffs of web middlebox
  • No mechanism for exchanging user attributes
  • RADIUS servers connected in a hierarchy leading to two root servers
  • Not considered a production service

  7. eduroam.us
  • Beginning an operational experiment
  • Gain experience with key technology
  • Test new approaches for next generation architecture
  • Developing a list of goals & expectations for the experiment

  8. eduroam-ng
  • Ongoing work in each region to advance eduroam technically
  • Coordination in Eduroam Global Working Group (“GWG-Eduroam”)
  • Consensus among the regions in a number of areas
  • Authorization: Ability of visited site to obtain user attributes to use in access decision
  • Security: Protecting user credentials; secure transport to home institution
  • Privacy: Protect user information from disclosure except as allowed

  9. Still researching some areas…
  • “Direct connect” style of server connectivity as an alternative to hierarchical connection
  • NetAuth: What do visited sites need to do, and what additional communication is required to the home site?
  • Diagnostics: How do we determine the root cause of failures?
  • Physically locating service spots: Especially hot topic in .eu
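As an added illustration of the realm-based RADIUS proxying behind slides 6 and 9 (example code, not from the presentation or from eduroam itself): a small Python model in which the visited site routes only on the realm of the outer identity, forwarding either up the hierarchy through the two root servers or over a "direct connect" peer, and in which an unroutable realm surfaces as a proxy loop rather than an answer. Server names, realms and the topology are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class RadiusServer:
    name: str
    local_realms: set = field(default_factory=set)  # realms authenticated here
    routes: dict = field(default_factory=dict)      # realm suffix -> downstream server
    parent: Optional[str] = None                    # hierarchical uplink
    peers: dict = field(default_factory=dict)       # realm -> directly connected server

def split_realm(outer_identity: str) -> Optional[str]:
    """The visited site routes on the realm of the (possibly anonymous) outer identity only."""
    if outer_identity.count("@") != 1:
        return None
    realm = outer_identity.split("@")[1].strip().lower()
    return realm or None

def next_hop(srv: RadiusServer, realm: str) -> Optional[str]:
    """Direct peer first, then longest matching suffix route, then the uplink."""
    if realm in srv.peers:
        return srv.peers[realm]
    for suffix in sorted(srv.routes, key=len, reverse=True):
        if realm == suffix or realm.endswith("." + suffix):
            return srv.routes[suffix]
    return srv.parent

def route(servers: dict, start: str, realm: str, max_hops: int = 6) -> Optional[list]:
    """Servers a request traverses from `start` until one owns the realm; None if it cannot be routed."""
    path = [start]
    while True:
        srv = servers[path[-1]]
        if realm in srv.local_realms:
            return path
        nxt = next_hop(srv, realm)
        if nxt is None or nxt in path or len(path) > max_hops:
            return None  # no route or a proxy loop: the failure slide 9 asks how to diagnose
        path.append(nxt)

def build_federation(direct_connect: bool = False) -> dict:
    """Constructed topology: two root servers peered with each other and two campus servers."""
    visited = RadiusServer("visited", {"visited.ac.uk"}, parent="root-eu")
    if direct_connect:
        visited.peers["duke.edu"] = "duke"  # direct-connect alternative to the hierarchy
    return {s.name: s for s in (
        visited,
        RadiusServer("root-eu", routes={"ac.uk": "visited"}, parent="root-us"),
        RadiusServer("root-us", routes={"edu": "duke"}, parent="root-eu"),
        RadiusServer("duke", {"duke.edu"}, parent="root-us"),
    )}
```

Comparing `route(build_federation(), "visited", "duke.edu")` with the `direct_connect=True` topology shows the three-hop hierarchical path collapsing to a single hop, while a realm no server owns returns None once the request would revisit a root.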

  10. Architecture Proposal

  11. Interested in helping?
  • To date, mixed feedback
  • Many interesting use cases
  • “I would never allow someone else’s credentials to authenticate on my net”
  • Technical help is needed to develop eduroam-ng based upon concerns such as this

  12. Join the FWNA Group
  • Biweekly Conference Calls
  • Thursday 11am-12pm: July 28, Aug 11
  • 866-411-0013, 0184827
  • salsa-fwna @ internet2 list
  • “subscribe salsa-fwna” to sympa @ internet2
  • security.internet2.edu/fwna
