Joint Research Activity 5 / Task Force Mobility
Network authentication with IEEE 802.1X
Network Roaming with eduroam
Stefan Winter <stefan.winter@restena.lu>
TREFpunkt 13, Örebro, Sweden, 12 Oct 2005
Réseau Téléinformatique de l'Education Nationale et de la Recherche
Overview
➢ IEEE 802.1X
  ➢ Differences to other network admission techniques
  ➢ Message flow in IEEE 802.1X
  ➢ Communication on first hop: EAP
  ➢ Further communication: RADIUS (et al.)
  ➢ End-to-end security
  ➢ NAS-side: configuration examples
  ➢ Client-side: supplicant overview
➢ eduroam
  ➢ RADIUS hierarchies (general)
  ➢ The eduroam hierarchy
  ➢ Policies, Participants
  ➢ Future development (TF-Mobility and JRA5)
  ➢ How to join
IEEE 802.1X: Overview / Differences to other techniques
➢ VPN uses ISO/OSI layer 4 ... (higher layers): encapsulates the payload in UDP or TCP packets
➢ Web-redirection uses layer 3: after authentication, the IP address gets unrestricted access
[Figure: ISO/OSI layer stack: 4 Transport, 3 Network, 2 Link, 1 Physical]
➢ IEEE 802.1X goals:
  ➢ LAN admission control on ISO/OSI layer 2: no IP traffic involved
  ➢ End-to-end security between user device and authentication server
  ➢ Does not enforce a particular authentication mechanism
  ➢ Can impose constraints after authentication and thus provide different service levels on a per-user basis
IEEE 802.1X: the "big picture"
[Figure: the user device wants access to the internet; the network device it connects to insists on authentication and grants access when ok; the authentication server performs the IEEE 802.1X authentication; the authentication credentials travel end-to-end from the user device to the authentication server]
IEEE 802.1X: Message flow
➢ The standard denotes three roles for devices:
  ➢ Supplicant: the end-user device that wants to enter the network
  ➢ Authenticator: the device to which the supplicant is directly connected (Switch, Router or Access Point)
  ➢ Authentication Server: device that can verify the authenticity of the user and/or his supplicant
[Figure: (supplicant) --EAP-- (authenticator) --RADIUS-- (authentication server)]
IEEE 802.1X: Communication at first hop: EAP
➢ EAP (Extensible Authentication Protocol) is a container protocol that can carry arbitrary authentication protocols (most well-known for its use in PPP)
➢ Supplicant can encapsulate his desired protocol in EAP and send the auth data to the authenticator
➢ Data is sent directly on layer 2; therefore, the term EAPoL (EAP over LAN) is used
➢ Authentication will only succeed if the authentication method is accepted by the authentication server(!)
➢ When using an auth protocol that encrypts user data, the content is opaque to the authenticator
➢ Q: how does the authenticator know of success?
IEEE 802.1X: Communication at first hop: EAP (2)
➢ A: gets meta-info from the authentication server
[Figure: message flow. Supplicant → authenticator: EAPoL-Start, EAPoL data. Authenticator → authentication server: encapsulated EAPoL data. Authentication server → authenticator: encapsulated data, EAPoL-Success + meta-info. Authenticator → supplicant: EAPoL-Success, [EAPoL-Key]. Supplicant and authenticator derive keys for dynamic encryption.]
IEEE 802.1X: Communication behind the authenticator
➢ The authenticator is part of the network infrastructure and has an IP address
➢ It can transfer the EAP payload in other protocols to an authentication server at an arbitrary place
➢ Protocols suited for that purpose:
  ➢ TACACS+ (Cisco, deprecated)
  ➢ Diameter (in development)
  ➢ RADIUS (most commonly used)
➢ The server to use must be configured in the authenticator (examples for IOS follow)
➢ The authentication server evaluates the encapsulated EAP payload -or- delegates the decision to other authentication servers
➢ Delegation is done via "routing hints" as part of user names (this is where eduroam comes in)
IEEE 802.1X: Communication behind the authenticator: RADIUS
➢ The connection between authenticator and authentication server is based on IP address + shared secret (a static trust relationship)
➢ The RADIUS authentication server validates the identity (note: it can easily re-use existing user databases like LDAP, AD, SQL databases, even plain text files)
➢ Upon successful authentication, a RADIUS packet "Access-Accept" is sent, which can be seen by the authenticator
➢ This packet may contain further information: maximum session time, VLAN for the user, bandwidth restrictions etc.
➢ The authenticator evaluates this packet, sets the connection parameters and sends the EAP success message to the supplicant
IEEE 802.1X: Protocols within EAP
➢ Common protocols within EAP:
  ➢ EAP-TLS: both supplicant and server validate their identity with certificates
  ➢ EAP-TTLS: server presents a certificate, establishes a TLS tunnel → supplicant uses username+password (PAP)
  ➢ PEAP-MSCHAPv2: similar to EAP-TTLS, but additionally encrypts username+password
➢ These protocols provide mutual authentication
[Figure: user john.doe@university.se ↔ RADIUS server for university.se; user authentication and server authentication take place inside a tunnel using strong cryptography]
IEEE 802.1X: Protocols within EAP (2)
➢ TLS and TTLS support more privacy for the user: outer vs. inner identity
  RADIUS packet: User-Name = anonymous@dep1.uni.au
    EAP payload: User-Name = han.solo@dep1.uni.au, Password = falcon
➢ By checking the server certificate, the supplicant can verify to whom he is going to send his credentials
➢ "Checking" in this sense means that both the certificate must be valid and the Common Name is really the expected one
➢ This requires either well-educated users for proper client configuration or means of enforcing the right configuration
IEEE 802.1X: End-to-end security
➢ Encapsulating EAP in RADIUS in conjunction with TLS ensures that no intermediate hop can look into the traffic
➢ The supplicant needs to verify the last hop (authentication server):
  ➢ Is the server certificate valid?
  ➢ Is it derived from the root CA in charge?
  ➢ Consult an (offline copy of) CRLs?
  ➢ Is the server name (CN) the expected one? (this needs to be user-configured, unlike in HTTPS...)
➢ Users need to be well educated to configure their supplicant software properly
➢ A possible future: provide a "branded" client that has fixed settings, so users can connect easily
IEEE 802.1X: NAS-side configuration
  aaa new-model
  !
  aaa group server radius rad_eap
   server 1.2.3.4 auth-port 1812 acct-port 1813
  aaa authentication login eap_methods group rad_eap
  !
  radius-server host 1.2.3.4 auth-port 1812 acct-port 1813 key 7 1234....7890
  !
  dot11 ssid eduroam
   vlan 12345
   authentication open eap eap_methods
   authentication network-eap eap_methods
   accounting default
   guest-mode
  !
  interface Dot11Radio0
   encryption vlan 12345 mode ciphers wep128
   ssid eduroam
IEEE 802.1X: Client side: supplicant overview
IEEE 802.1X: Client side: supplicant overview (2)
➢ SecureW2 (Windows)
  ➢ Separates outer and inner identity, features pre-distributed profiles for easier configuration
➢ MacOS has a built-in supplicant as well (no screenshots, sorry)
➢ Command-line applications:
  ➢ Xsupplicant (Linux)
  ➢ wpa_supplicant (Linux, Windows)
➢ Commercial supplicants available as well (example: Funk Odyssey)
IEEE 802.1X: Resources
➢ The standard: http://standards.ieee.org/getieee802/download/802.1X-2004.pdf
➢ Supplicants:
  ➢ SecureW2: http://www.securew2.com/
  ➢ XSupplicant: http://www.open1x.org/
  ➢ wpa_supplicant: http://hostap.epitest.fi/wpa_supplicant/
  ➢ Funk Odyssey: http://www.funk.com/radius/wlan/wlan_c_radius.asp
➢ RADIUS servers:
  ➢ FreeRADIUS (Open Source): http://www.freeradius.org
  ➢ Radiator (commercial product): http://www.open.com.au/radiator/index.html
eduroam: The "big picture"
➢ Researchers all across Europe (ideally: the world) should be able to use each other's networks
➢ Currently realised with a hierarchy of RADIUS servers for distributed authentication
eduroam: The current RADIUS hierarchy
[Figure: tree of RADIUS servers]
  global root
    .de   .lu   .nl   .au   ...
          org1.lu  org2.lu       uni.au
                                 dep1.uni.au  dep2.uni.au
                                 authenticator1  authenticator2
                                 han.solo@dep1.uni.au
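The "routing hints" of the communication-behind-the-authenticator slides and the hierarchy above, as an added example that is not part of the slides: each RADIUS server only knows its own realm, the realms it has a downstream for, and its parent; the realm after the last '@' of the outer User-Name (which may be anonymous@dep1.uni.au) is all a proxy needs. The topology dictionary is constructed from the figure; the function names are my own.

```python
# Added example: realm-based proxying decisions in a RADIUS hierarchy shaped
# like the eduroam tree on the slides. Constructed topology: child -> parent,
# "" standing for the global root. Not the code of any real RADIUS server.
from typing import List, Optional

PARENT = {
    "de": "", "lu": "", "nl": "", "au": "",
    "org1.lu": "lu", "org2.lu": "lu",
    "uni.au": "au",
    "dep1.uni.au": "uni.au", "dep2.uni.au": "uni.au",
}


def realm_of(user_name: str) -> Optional[str]:
    """Routing hint = text after the last '@' of the (outer) User-Name.
    Only the realm matters; anonymous@dep1.uni.au routes like any other."""
    if "@" not in user_name:
        return None                        # no hint: cannot be proxied anywhere
    return user_name.rsplit("@", 1)[1].lower() or None


def next_hop(server: str, realm: str) -> Optional[str]:
    """Where `server` sends a request for `realm`: itself (authenticate
    locally), a configured downstream, its parent, or None when nobody is
    responsible (an unknown realm ends at the root instead of looping)."""
    if realm == server:
        return server
    for child, parent in PARENT.items():
        if parent == server and (realm == child or realm.endswith("." + child)):
            return child                   # realm lies below a known downstream
    return PARENT.get(server)              # default route upwards; None at root


def route_path(server: str, user_name: str) -> List[str]:
    """Full proxy chain from `server` to the authoritative server.
    Empty list = the request is rejected (no hint or unknown realm)."""
    realm = realm_of(user_name)
    if realm is None:
        return []
    path = [server]
    while path[-1] != realm:
        hop = next_hop(path[-1], realm)
        if hop is None:
            return []
        path.append(hop)
    return path
```

A request from a visitor at org1.lu for han.solo@dep1.uni.au climbs to the global root, descends via .au and uni.au, and is decrypted only at dep1.uni.au; every hop in between sees the outer identity and opaque EAP data.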