WLAN Roaming for the European Scientific Community: Lessons Learned (PowerPoint presentation, transcript and presenter's notes)

1
WLAN Roaming for the European Scientific Community: Lessons Learned
  • Rhodes, June 9th, 2004
  • Carsten Bormann <cabo@tzi.de>, Niels Pollem <np@tzi.de>
  • reporting on the work of TERENA TF Mobility
  • http://www.terena.nl/mobility/

2
Outline
  • WLAN access control and security
  • How does inter-domain roaming work?
  • Roaming on a European scale
  • How to integrate the solutions at the site level
  • Conclusion

3
WLAN Security Requirements
  • Confidentiality (privacy)
    • Nobody can understand foreign traffic
    • Insider attacks are as likely as outsiders'
  • Accountability
    • We can find out who did something
  • Prerequisite for both: authentication

4
(2003) Security is rarely easy
5
(2004) solved?
6
(2004) or maybe not?
7
WLAN Security Approaches
  • AP-based security: the AP is the network boundary
    • WEP (broken), WEP fixes, WPA
    • 802.1X (EAP variants + RADIUS), 802.11i
  • Network-based security: security deeper in the network
    • VPNs: needed by mobile people anyway
    • SSH, PPTP, IPsec
  • Alternative: Web-diverter (temporary MAC/IP address filtering)
    • No confidentiality at all, though

8
[Diagram: 802.1X layout. Access network with .1X-capable APs behind the routers, campus network / Intranet X with the RADIUS server(s); the access network connects to the world.]
9
WLAN Access Control: Why 802.1X is better
  • 802.1X is taking over the world anyway
  • The EAP/XYZ people are finally getting it right
    • Only 5 more revisions before XYZ wins wide vendor support
  • Available for more and more systems (Windows 2000 and up)
  • Distributes the hard crypto work to zillions of access points
  • Blocks unauthorized users as early as possible (at the AP)
  • More control for the visited site admin, too!
  • Most of all: It just works

10
[Diagram: VPN layout. Docking network offering only DHCP, DNS and free Web; VPN gateways sit between the docking network and the campus network / Intranet X and the world.]
11
WLAN Access Control: Why VPN is better
  • Historically, more reason to trust L3 security than L2
  • IPsec has lots of security analysis behind it
  • Can use cheap/dumb APs
  • Available for just about everything (Windows 98, PDAs etc.)
  • Easy to accommodate multiple security contexts
    • Even with pre-2003 infrastructure
  • Data is secure in the air and all the way up to the VPN gateway
  • Most of all: It just works

12
[Diagram: Web layout. Docking network offering DHCP, DNS and free Web behind an access control device that performs the Web redirect; campus network / Intranet X; the world.]
13
WLAN Access Control: Why Web-based filtering is better
  • No client software needed (everybody has a browser)
  • Ties right into existing user/password schemes
  • Can be made to work easily for guest users
  • It's what the hotspots use, so guest users will know it already
  • May be able to tie in with Greenspot etc.
  • Privacy isn't that important anyway (use TLS and SSH)
  • Accountability isn't that important anyway
  • Most of all: It just works

14
From Access Control to Roaming
15
Roaming: High-level requirements
  • Objective: enable NREN users to use the Internet (WLAN and wired) everywhere in Europe
    • with minimal administrative overhead (per roaming event)
    • with good usability
    • maintaining the required security for all partners

16
Inter-domain 802.1X
[Diagram: the supplicant of guest piet@institution_b.nl associates with an authenticator (AP or switch) at the visited institution A. A's RADIUS server forwards the request through a central RADIUS proxy server (e.g., at the NREN) to the home RADIUS server of institution B, which checks its user DB. On success the visited site puts the guest into the Guest VLAN; its own users go to the Employee or Student VLAN. All VLANs reach the Internet.]
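The routing decision behind that diagram, as an added example (this is not code from the TF Mobility slides or from any NREN's RADIUS deployment): an Access-Request is forwarded on the realm part of the outer identity alone, institution server to national proxy to European proxy and back down, and only the home server opens the inner credential. Server names, realms, the user entries and the hop limit are constructed for the example; real proxies also check the Proxy-State chain to break loops.

```python
"""Realm-based RADIUS proxy routing for inter-domain 802.1X (slide 16).

Added example, not code from the TF Mobility slides or any NREN: models the
hierarchy on the slide (institution RADIUS server -> national proxy ->
European proxy) and shows that a visited site only routes on the realm of
the outer identity; the inner credential is opened by the home server alone.
Server names, realms and the user entries are constructed.
"""
from dataclasses import dataclass, field

MAX_HOPS = 6  # loop guard; real proxies also inspect the Proxy-State chain


@dataclass
class RadiusServer:
    name: str
    realms: set                                   # realms this server is home for
    users: dict = field(default_factory=dict)     # user -> (password, affiliation)
    children: dict = field(default_factory=dict)  # realm suffix -> downstream server
    parent: "RadiusServer | None" = None          # upstream proxy, None at the top


def split_identity(identity):
    """'piet@institution_b.nl' -> ('piet', 'institution_b.nl'); bare names get ''."""
    user, sep, realm = identity.partition("@")
    return user, (realm.lower() if sep else "")


def route(server, outer_identity, credential, hops=0, path=None):
    """Forward an Access-Request toward the realm's home server.

    credential is the inner (EAP-protected) {user, password}; only the home
    server looks at it. Returns (decision, affiliation, list of servers seen).
    """
    path = (path or []) + [server.name]
    if hops > MAX_HOPS:
        return "Access-Reject", None, path            # proxy loop or bogus chain
    _, realm = split_identity(outer_identity)
    if realm == "" or realm in server.realms:
        entry = server.users.get(credential["user"])  # home server: check user DB
        if entry and entry[0] == credential["password"]:
            return "Access-Accept", entry[1], path
        return "Access-Reject", None, path
    # longest matching known suffix first ('institution_b.nl' before 'nl')
    for suffix, child in sorted(server.children.items(), key=lambda kv: -len(kv[0])):
        if realm == suffix or realm.endswith("." + suffix):
            return route(child, outer_identity, credential, hops + 1, path)
    if server.parent is not None:                     # not ours: hand it upward
        return route(server.parent, outer_identity, credential, hops + 1, path)
    return "Access-Reject", None, path                # unknown realm at the top


def visited_vlan(server, outer_identity, credential):
    """The visited site's policy: local users by affiliation, guests to the Guest VLAN."""
    decision, affiliation, path = route(server, outer_identity, credential)
    if decision != "Access-Accept":
        return None, path
    _, realm = split_identity(outer_identity)
    if realm == "" or realm in server.realms:
        return {"employee": "Employee VLAN", "student": "Student VLAN"}[affiliation], path
    return "Guest VLAN", path


def build_hierarchy():
    """Constructed hierarchy; returns institution A's server (the visited site)."""
    europe = RadiusServer("eu-proxy", set())
    surfnet = RadiusServer("surfnet-proxy", set(), parent=europe)
    dfn = RadiusServer("dfn-proxy", set(), parent=europe)
    inst_a = RadiusServer("radius.institution_a.nl", {"institution_a.nl"},
                          users={"anna": ("secretA", "employee")}, parent=surfnet)
    inst_b = RadiusServer("radius.institution_b.nl", {"institution_b.nl"},
                          users={"piet": ("secretB", "student")}, parent=surfnet)
    bremen = RadiusServer("radius.uni-bremen.de", {"uni-bremen.de"},
                          users={"cabo": ("secretC", "employee")}, parent=dfn)
    surfnet.children = {"institution_a.nl": inst_a, "institution_b.nl": inst_b}
    dfn.children = {"uni-bremen.de": bremen}
    europe.children = {"nl": surfnet, "de": dfn}
    return inst_a


if __name__ == "__main__":
    a = build_hierarchy()
    print(route(a, "piet@institution_b.nl", {"user": "piet", "password": "secretB"}))
    print(visited_vlan(a, "anonymous@institution_b.nl", {"user": "piet", "password": "secretB"}))
```

A Dutch guest at institution A takes three hops (A, SURFnet proxy, B); a German guest takes five, via the European proxy and DFN; a realm nobody knows is rejected at the top instead of looping. The outer identity may be "anonymous@institution_b.nl": the visited site still gets a usable answer and a Guest VLAN decision without ever learning the user name.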
17
Web-based with RADIUS
18
VPN
  • Wbone: VPN roaming solution for 4 universities/colleges in the state of Bremen
  • SWITCHmobile: VPN solution deployed at 14 universities and other sites across Switzerland
  • Clients enter the Internet through their home network/gateway
19
Wbone: interconnecting docking networks
[Diagram: docking networks of HS Brhv. (10.28.64/18), HfK, HS Bremen (172.25/16), Uni Bremen (172.21/16) and AWI, interconnected through a Linux router and Briteline, with IPsec/PPTP/SSH gateways; "extend to other sites ..."]
20
Making roaming work on a European scale
21
European RADIUS hierarchy
[Diagram: national RADIUS proxy servers (UNI-C, FUNET, DFN, SURFnet, UKERNA, CESnet, FCCN, CARnet, GRnet, RedIRIS) connecting to a European-level RADIUS proxy server]
22
The CASG
  inetnum:      193.174.167.0 - 193.174.167.255
  netname:      CASG-DFN
  descr:        DFN-Verein
  descr:        Stresemannstrasse 78
  descr:        10963 Berlin
  country:      DE
  admin-c:      MW238
  tech-c:       JR433
  tech-c:       KL565
  status:       ASSIGNED PA
  mnt-by:       DFN-LIR-MNT
  changed:      poldi@dfn.de 20040603
  source:       RIPE
  • Keep docking networks separate from the rest, and put the gateways into a Controlled Address Space for Gateways (CASG)
  • Hosts on docking networks can freely exchange packets with hosts in the CASG; everything else stays behind the access control device
  • Easy to accomplish with a couple of ACLs
  • All VPN gateways get an additional CASG address
  • Hmm: problem with some Cisco concentrators

23
[Diagram: the big bad Internet, with the CASG as a separate block that the docking networks can reach]
24
CASG allocation
  • Back-of-the-envelope: 1 address per 10,000 population
    • E.g., .CH gets 600, Bremen gets 60
  • Allocate to minimize routing fragmentation
    • May have to use some tunneling/forwarding
  • A VPN gateway can have both a local and a CASG address

25
The CASG Pledge
  • I will gladly accept any packet
  • There is no such thing as a security incident on
    the CASG
  • I will not put useful things in the CASG
  • People should not be motivated to go there except
    to authenticate or use authenticated services
  • I will help manage the prefix space to remain
    stable

26
How to integrate all these at the site level?
27
Commonalities
  • 802.1X
    • Secure SSID
    • RADIUS
  • Web-based captive portal
    • Open SSID
    • RADIUS
  • VPN-based
    • Open SSID
    • No RADIUS

[Diagram: the shared building blocks, a RADIUS backend and a docking net (open SSID)]
28
How can I help... as a home institution
  • Implement the other backend
    • As a RADIUS-based site:
      • Implement a CASG VPN gateway (or subscribe to an NREN one)
      • Provide the right RADIUS for all frontends
    • As a VPN site:
      • Run a RADIUS server
  • Help the users try and debug their roaming setup while at home (play visited site)

29
How can I help... as a visited institution
  • Implement the other frontend
    • As a docking network site:
      • Implement the other docking approach: CASG access or Web-diverter
      • Implement an 802.1X SSID (eduroam) in addition to the open SSID
    • As an 802.1X site:
      • Implement an open SSID with CASG access and Web-diverter
      • Your local users will like it, too (maybe too much)

30
Network layout with multiple SSIDs and VLAN
assignment
31
Network layout without multiple SSIDs and VLAN
assignment
32
Doing the plumbing
33
Default router in docking net
  • Default route points to the access control device:
      ip route 0.0.0.0 0.0.0.0 172.21.3.11
  • CASG routes point to the CASG router:
      ip route 193.174.167.0 255.255.255.0 172.21.3.250

34
CASG router
      ip access-list extended casg-out
       permit ip 193.174.167.0 0.0.0.255 any
       deny ip any any
      ip access-list extended casg-in
       permit ip any 193.174.167.0 0.0.0.255
       deny ip any any
      interface Vlan86
       ip address 172.21.3.250 255.255.0.0
       ip access-group casg-in in
       ip access-group casg-out out
       ip nat inside
  • casg-in (inbound on the docking VLAN) admits only packets destined for the CASG prefix; casg-out (outbound) lets only packets sourced from the CASG back to the docking hosts; the explicit deny drops everything else
  • ip nat inside marks the docking VLAN as the NAT inside interface (needed on the next slide)

35
What if the docking net is RFC 1918?
  • Maximum compatibility with an address-based NAT: the pool below is one-to-one (no "overload", so no port translation), which keeps VPN protocols that do not survive PAT, such as IPsec ESP and PPTP's GRE, working
      ip access-list standard docking-addr
       permit 172.21.0.0 0.0.255.255
      !
      ip nat translation timeout 1800
      ip nat pool dn 134.102.216.1 134.102.216.250 netmask 255.255.255.0
      ip nat inside source list docking-addr pool dn
  • Not shown on the slide: the CASG-facing interface needs ip nat outside for the translation to take effect, and a pool of 250 addresses caps the number of docking hosts that can talk to the CASG at the same time (see "flash crowds" on slide 37)
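The three plumbing slides (and the "couple of ACLs" of slide 22) in one piece of working code, added here as an example and not taken from the slides or from any router: the two extended ACLs with Cisco wildcard-mask semantics, and the one-to-one NAT pool with its 1800 s translation timeout, run over constructed packets, including the pool-exhaustion case that slide 37 warns about. The prefixes are the ones on the slides; the host addresses and timestamps are made up.

```python
"""CASG plumbing from slides 22 and 33-35, simulated.

Added example, not from the TF Mobility slides: re-implements the extended
ACLs casg-in / casg-out with Cisco wildcard-mask semantics and the dynamic
one-to-one NAT pool 'dn' with its 1800 s timeout, then runs constructed
packets through them. Prefixes are the slides' (193.174.167.0/24 CASG,
172.21.0.0/16 docking net, 134.102.216.1-250 pool); hosts are made up.
"""
import ipaddress

DOCKING = ipaddress.ip_network("172.21.0.0/16")   # access-list docking-addr
NAT_TIMEOUT = 1800                                  # ip nat translation timeout 1800
ANY = ("0.0.0.0", "255.255.255.255")                # the keyword 'any'

# entries as (action, src, src-wildcard, dst, dst-wildcard); first match wins
ACLS = {
    "casg-out": [("permit", "193.174.167.0", "0.0.0.255", *ANY),
                 ("deny", *ANY, *ANY)],
    "casg-in":  [("permit", *ANY, "193.174.167.0", "0.0.0.255"),
                 ("deny", *ANY, *ANY)],
}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a set bit means 'don't care' (inverse of a netmask)."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def acl_decision(name, src, dst):
    for action, s, sw, d, dw in ACLS[name]:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"                      # implicit deny at the end of every ACL


class NatPool:
    """Dynamic one-to-one NAT (no 'overload'): one global address per inside host."""

    def __init__(self, first, last, timeout=NAT_TIMEOUT):
        lo, hi = (int(ipaddress.ip_address(x)) for x in (first, last))
        self.free = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.table = {}                # inside local -> (inside global, last used)
        self.timeout = timeout

    def translate(self, inside_local, now):
        for local, (glob, last) in list(self.table.items()):
            if now - last >= self.timeout:       # idle translation expires
                del self.table[local]
                self.free.append(glob)
        if inside_local in self.table:
            glob = self.table[inside_local][0]
        elif self.free:
            glob = self.free.pop(0)
        else:
            return None                # pool exhausted (flash crowd, slide 37)
        self.table[inside_local] = (glob, now)
        return glob


def run(pool, packets):
    """Apply a time-ordered list of (inside host, time) to one pool."""
    return [pool.translate(host, t) for host, t in packets]


def to_casg(pool, src, dst, now):
    """Docking-net packet entering Vlan86: casg-in ACL, then NAT for docking-addr."""
    if acl_decision("casg-in", src, dst) != "permit":
        return "dropped by casg-in"
    if ipaddress.ip_address(src) not in DOCKING:
        return f"{src}->{dst} untranslated"     # source not in list docking-addr
    glob = pool.translate(src, now)
    return f"{glob}->{dst}" if glob else "dropped: NAT pool dn exhausted"


def from_casg(src, dst):
    """Reply leaving Vlan86 toward the docking host: only CASG sources may pass."""
    return "forwarded" if acl_decision("casg-out", src, dst) == "permit" else "dropped by casg-out"


if __name__ == "__main__":
    pool = NatPool("134.102.216.1", "134.102.216.250")
    print(to_casg(pool, "172.21.5.7", "193.174.167.10", now=0))   # translated
    print(to_casg(pool, "172.21.5.7", "198.51.100.1", now=0))     # not CASG: dropped
    print(from_casg("198.51.100.1", "172.21.5.7"))                # not CASG: dropped
    print(run(NatPool("134.102.216.1", "134.102.216.3"),
              [("172.21.1.1", 0), ("172.21.1.2", 0), ("172.21.1.3", 0), ("172.21.1.4", 0)]))
```

With a three-address pool the fourth host of a burst gets no translation at all; it only gets one once an earlier mapping has sat idle for the full 1800 s. That is the sizing question hiding behind "address pool must be big enough for flash crowds".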

36
So where are we?
37
Fun little issues
  • 1/3 of Bremen's 432 Cisco 340 APs can't do VLANs
  • Ethernet interface hardware MTU issue
  • Some client WLAN drivers are erratic in the presence of multi-SSID APs
  • Can't give university IP addresses to roamers
    • Too many university-only services are authenticated on IP address
  • Address pool must be big enough for flash crowds
  • CASG space is currently allocated on a national level
    • So there will be a dozen updates before the CASG is stable

38
Conclusions
  • It is possible to create a fully interoperable solution
    • It's not that hard
    • especially when you use TF Mobility's Deliverable H to guide you
  • Re-evaluate solutions in a couple of years
    • TF Mobility is going for a second term to help
  • The integration approach also provides an easy upgrade path
    • E.g., add 802.1X to a docking-only site

39
Conclusions
Go for it: http://www.terena.nl/mobility/