Title: WLAN Roaming for the European Scientific Community: Lessons Learned
Slide 1: WLAN Roaming for the European Scientific Community: Lessons Learned
- Rodos, June 9th, 2004
- Carsten Bormann <cabo@tzi.de>, Niels Pollem <np@tzi.de>
- reporting on the work of TERENA TF Mobility
Slide 2: Outline
- WLAN access control and security
- How does inter-domain roaming work?
- Roaming on a European scale
- How to integrate solutions at the site level
- Conclusion
Slide 3: WLAN Security Requirements
- Confidentiality (Privacy)
  - Nobody can understand foreign traffic
  - Insider attacks as likely as outsiders'
- Accountability
  - We can find out who did something
- Prerequisite: Authentication
Slide 4: WLAN Security Approaches
- AP-based security: AP is network boundary
  - WEP (broken), WEP fixes, WPA, ...
  - 802.1X (EAP variants, RADIUS), 802.11i
- Network-based security: deep security
  - VPNs: needed by mobile people anyway
  - SSH, PPTP, IPsec
- Alternative: Web-diverter (temporary MAC/IP address filtering)
  - No confidentiality at all, though
Slide 5: .1X (figure; labels: Routers, Access network, world, Campus network, Intranet X, RADIUS server(s))
Slide 6: WLAN Access Control: Why 802.1X is better
- 802.1X is taking over the world anyway
- The EAP/XYZ people are finally getting it right
  - Only 5 more revisions before XYZ wins wide vendor support
- Available for more and more systems (Windows 2000 up)
- Distribute hard crypto work to zillions of access points
  - Block them as early as possible
- More control to visited site admin, too!
- Most of all: It just works
Slide 7: VPN (figure; labels: VPN gateways, Docking network, world, Campus network, Intranet X, DHCP, DNS, free Web)
Slide 8: WLAN Access Control: Why VPN is better
- Historically, more reason to trust L3 security than L2
  - IPsec has lots of security analysis behind it
- Can use cheap/dumb APs
- Available for just about everything (Windows 98, PDA etc.)
- Easy to accommodate multiple security contexts
  - Even with pre-2003 infrastructure
- Data is secure in the air and up to VPN gateway
- Most of all: It just works
Slide 9: Web (figure; labels: Access control device, Docking network, world, Campus network, Web redirect, Intranet X, DHCP, DNS, free Web)
Slide 10: WLAN Access Control: Why Web-based filtering is better
- No client software needed (everybody has a browser)
- Ties right into existing user/password schemes
- Can be made to work easily for guest users
- It's what the hotspots use, so guest users will know it already
  - May be able to tie in with Greenspot etc.
- Privacy isn't that important anyway (use TLS and SSH)
- Accountability isn't that important anyway
- Most of all: It just works
Slide 11: From Access Control to Roaming
Slide 12: Roaming: High-level requirements
- Objective
  - Enable NREN users to use Internet (WLAN and wired) everywhere in Europe
  - with minimal administrative overhead (per roaming)
  - with good usability
  - maintaining required security for all partners
Slide 13: Inter-domain 802.1X (figure; labels: Home, Visited, Supplicant, Authenticator (AP or switch), RADIUS server Institution A, RADIUS server Institution B, User DB (at each institution), Guest piet@institution_b.nl, Central RADIUS Proxy server, e.g. @NREN, Internet, Guest VLAN, Employee VLAN, Student VLAN)
Slide 14: Web-based with RADIUS (figure only)
Slide 15: VPN
- Wbone: VPN roaming solution for 4 universities/colleges in the state of Bremen.
- SWITCHmobile: VPN solution deployed at 7 universities across Switzerland.
- Clients enter the Internet through the home network/gateway.
Slide 16: Wbone: interconnecting docking networks (figure; labels: extend to other sites ..., HS Brhv. 10.28.64/18, HfK, IPsec/PPTP/SSH, R Briteline, Linux, HS Bremen 172.25/16, Uni Bremen 172.21/16, AWI)
Slide 17: Making roaming work on a European scale
Slide 18: European RADIUS hierarchy (figure: national RADIUS proxy servers of UNI-C, FUNET, DFN, SURFnet, UKERNA, CESnet, FCCN, CARnet, GRnet and RedIRIS connecting to a European-level RADIUS proxy server)
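The realm-based forwarding behind slides 13 and 18, as an added Python model (not TF Mobility code and not from the slides): a visited institution's RADIUS server proxies any realm it does not serve up to its national proxy, the national proxy routes by realm suffix either down to a member institution or up to the European-level proxy, and only the home server ever checks the credential. The NREN names are the ones on the slides; institution names, users and passwords are constructed.

```python
"""Realm-based RADIUS proxying as drawn on the inter-domain 802.1X slide and the
European RADIUS hierarchy slide.  Added example; institution names, user names
and passwords are constructed."""
from dataclasses import dataclass, field

MAX_HOPS = 8   # loop guard for misconfigured proxy chains (constructed limit)


@dataclass
class RadiusServer:
    name: str
    local_realms: set = field(default_factory=set)   # realms this server authenticates itself
    users: dict = field(default_factory=dict)        # "user@realm" -> password (constructed)
    routes: dict = field(default_factory=dict)       # realm suffix -> RadiusServer
    default: "RadiusServer | None" = None            # where unknown realms are sent (upwards)

    def route_for(self, realm):
        """Longest-suffix match on the realm's labels ('a.b.nl' before 'nl'), then default."""
        labels = realm.split(".")
        for i in range(len(labels)):
            peer = self.routes.get(".".join(labels[i:]))
            if peer is not None:
                return peer
        return self.default

    def handle(self, nai, password, path=()):
        """Return (decision, path); path lists every server the request passed through.
        Proxies only look at the realm; only the home server sees and checks the credential."""
        path = path + (self.name,)
        if "@" not in nai:                  # no realm, nothing to route on
            return "Access-Reject", path
        if len(path) > MAX_HOPS:            # proxies referencing each other
            return "Access-Reject", path
        realm = nai.rsplit("@", 1)[1].lower()
        if realm in self.local_realms:      # home server
            ok = self.users.get(nai.lower()) == password
            return ("Access-Accept" if ok else "Access-Reject"), path
        peer = self.route_for(realm)
        if peer is None:                    # top of the hierarchy and still unknown
            return "Access-Reject", path
        return peer.handle(nai, password, path)


def build_hierarchy():
    """Two NRENs (SURFnet, DFN, as on the slides) under one European proxy;
    institutions and users are constructed."""
    europe = RadiusServer("European proxy")
    surfnet = RadiusServer("SURFnet proxy", default=europe)
    dfn = RadiusServer("DFN proxy", default=europe)
    europe.routes = {"nl": surfnet, "de": dfn}
    inst_a = RadiusServer("institution_a.nl", {"institution_a.nl"},
                          {"ada@institution_a.nl": "pw-a"}, default=surfnet)
    inst_b = RadiusServer("institution_b.nl", {"institution_b.nl"},
                          {"piet@institution_b.nl": "pw-b"}, default=surfnet)
    bremen = RadiusServer("uni-bremen.de", {"uni-bremen.de"},
                          {"hans@uni-bremen.de": "pw-c"}, default=dfn)
    surfnet.routes = {"institution_a.nl": inst_a, "institution_b.nl": inst_b}
    dfn.routes = {"uni-bremen.de": bremen}
    return {"A": inst_a, "B": inst_b, "Bremen": bremen}


def demo():
    """Requests as seen by institution A's RADIUS server (the visited site)."""
    visited = build_hierarchy()["A"]
    return {
        "guest": visited.handle("piet@institution_b.nl", "pw-b"),
        "guest-bad-password": visited.handle("piet@institution_b.nl", "wrong"),
        "cross-nren": visited.handle("hans@uni-bremen.de", "pw-c"),
        "unknown-realm": visited.handle("x@nowhere.example", "pw"),
        "no-realm": visited.handle("piet", "pw-b"),
    }


if __name__ == "__main__":
    for case, (decision, path) in demo().items():
        print(f"{case:20s} {decision:14s} {' -> '.join(path)}")
```

The path returned for each request is what a site admin would want to see when debugging a roaming setup from home (slide 25): a reject at the European proxy means no NREN claims the realm, a reject at the home server means the credential was wrong, and a reject after MAX_HOPS hops means two proxies point at each other.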
Slide 19: The CASG
    inetnum:  193.174.167.0 - 193.174.167.255
    netname:  CASG-DFN
    descr:    DFN-Verein
    descr:    Stresemannstrasse 78
    descr:    10963 Berlin
    country:  DE
    admin-c:  MW238
    tech-c:   JR433
    tech-c:   KL565
    status:   ASSIGNED PA
    mnt-by:   DFN-LIR-MNT
    changed:  poldi@dfn.de 20040603
    source:   RIPE
- Separate docking networks from controlled address space for gateways (CASG)
- Hosts on docking networks can freely interchange packets with hosts in the CASG
  - Easy to accomplish with a couple of ACLs
- All VPN gateways get an additional CASG address
  - Hmm, problem with some Cisco concentrators
Slide 20: The big bad Internet (figure; labels: CASG)
Slide 21: CASG allocation
- Back-of-the-envelope: 1 address per 10000 population
  - E.g., .CH gets 600, Bremen gets 60
- Allocate to minimize routing fragmentation
  - May have to use some tunneling/forwarding
- VPN gateway can have both local and CASG address
Slide 22: The CASG Pledge
- I will gladly accept any packet
  - There is no such thing as a security incident on the CASG
- I will not put useful things in the CASG
  - People should not be motivated to go there except to authenticate or use authenticated services
- I will help manage the prefix space to remain stable
Slide 23: How to integrate all these at the site level?
Slide 24: Commonalities
- 802.1X
  - Secure SSID
  - RADIUS
- Web-based captive portal
  - Open SSID
  - RADIUS
- VPN-based
  - Open SSID
  - No RADIUS
(figure; labels: RADIUS backend, Docking net (open SSID))
Slide 25: How can I help... as a home institution
- Implement the other backend
  - As a RADIUS-based site
    - Implement a CASG VPN gateway (or subscribe to an NREN one)
    - Provide the right RADIUS for all frontends
  - As a VPN site
    - Run a RADIUS server
- Help the users try and debug their roaming setup while at home (play visited site)
Slide 26: How can I help... as a visited institution
- Implement the other frontend
  - As a docking network site
    - Implement the other docking approach
      - CASG access or Web-diverter
    - Implement an 802.1X SSID (eduroam) in addition to the open SSID
  - As an 802.1X site
    - Implement an open SSID with CASG access and Web-diverter
- Your local users will like it, too
  - Maybe too much
Slide 27: Network layout with multiple SSIDs and VLAN assignment (figure only)
Slide 28: Network layout without multiple SSIDs and VLAN assignment (figure only)
Slide 29: Doing the plumbing
Slide 30: Default router in docking net
- Default route points to access control device
    ip route 0.0.0.0 0.0.0.0 172.21.3.11
- CASG routes point to CASG router
    ip route 193.174.167.0 255.255.255.0 172.21.3.250
Slide 31: CASG router
    ip access-list extended casg-out
     permit ip 193.174.167.0 0.0.0.255 any
     deny ip any any
    ip access-list extended casg-in
     permit ip any 193.174.167.0 0.0.0.255
     deny ip any any
    interface Vlan86
     ip address 172.21.3.250 255.255.0.0
     ip access-group casg-in in
     ip access-group casg-out out
     ip nat inside
Slide 32: What if docking net is RFC1918?
- Maximum compatibility with an address-based NAT
    ip access-list standard docking-addr
     permit 172.21.0.0 0.0.255.255
    !
    ip nat translation timeout 1800
    ip nat pool dn 134.102.216.1 134.102.216.250 netmask 255.255.255.0
    ip nat inside source list docking-addr pool dn
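What the three plumbing slides (default router, CASG router ACLs, RFC1918 NAT) add up to, as an added Python model (not TF Mobility code and not from the slides): longest-prefix routing in the docking net, the casg-in / casg-out ACLs on Vlan86, and a one-address-per-host NAT out of pool dn. The prefixes, next hops and pool are the ones on the slides; the docking host and Internet addresses used in the trace are constructed. It also shows why the ACL, and not the routing table, is what keeps a docking host to CASG destinations: a host sharing the VLAN with the CASG router can address it directly, bypassing the default router.

```python
"""Model of the docking-net plumbing on the 'Default router', 'CASG router' and
'RFC1918' slides: longest-prefix routing, the casg-in / casg-out ACLs on Vlan86
and the address-based NAT for the 172.21/16 docking net.  Added example; the
prefixes and router addresses are the ones on the slides, the host and reply
addresses used below are constructed."""
import ipaddress as ip

CASG = ip.ip_network("193.174.167.0/24")              # CASG-DFN, slide 19
DOCKING = ip.ip_network("172.21.0.0/16")               # Uni Bremen docking net, slide 16
ACCESS_CONTROL_DEVICE = ip.ip_address("172.21.3.11")   # default route next hop, slide 30
CASG_ROUTER = ip.ip_address("172.21.3.250")            # Vlan86 address, slide 31
NAT_POOL = [ip.ip_address("134.102.216.1") + i for i in range(250)]  # pool dn, slide 32

# Docking-net default router: prefix -> next hop (the two 'ip route' lines).
ROUTES = {ip.ip_network("0.0.0.0/0"): ACCESS_CONTROL_DEVICE, CASG: CASG_ROUTER}


def next_hop(dst):
    """Longest-prefix match: CASG destinations go to the CASG router, all else to
    the access control device (VPN gateway / web-diverter)."""
    dst = ip.ip_address(dst)
    best = max((n for n in ROUTES if dst in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def casg_in_permits(src, dst):
    """'ip access-group casg-in in': a packet from the docking VLAN passes only if
    its destination lies inside the CASG."""
    return ip.ip_address(dst) in CASG


def casg_out_permits(src, dst):
    """'ip access-group casg-out out': a packet towards the docking VLAN passes
    only if its source lies inside the CASG."""
    return ip.ip_address(src) in CASG


class AddressNat:
    """'ip nat inside source list docking-addr pool dn': one pool address per
    docking host, no port rewriting.  Entry ageing ('translation timeout 1800')
    is left out of the model."""

    def __init__(self, pool):
        self.free = list(pool)
        self.inside_to_outside = {}
        self.outside_to_inside = {}

    def translate(self, src):
        src = ip.ip_address(src)
        if src not in DOCKING:              # access-list docking-addr matches 172.21/16 only
            return src
        if src not in self.inside_to_outside:
            if not self.free:
                raise RuntimeError("NAT pool exhausted: flash crowd (slide 34)")
            outside = self.free.pop(0)
            self.inside_to_outside[src] = outside
            self.outside_to_inside[outside] = src
        return self.inside_to_outside[src]

    def untranslate(self, dst):
        dst = ip.ip_address(dst)
        return self.outside_to_inside.get(dst, dst)


def casg_router_receive(nat, src, dst):
    """A packet arriving on Vlan86, whether sent via the default router or by a
    docking host that addresses the CASG router directly: the ACL, not the
    routing table, is what keeps non-CASG destinations out."""
    if not casg_in_permits(src, dst):
        return "dropped-by-casg-in", str(dst)
    return "forwarded-to-casg", str(nat.translate(src))


def forward(nat, src, dst):
    """Trace a packet from a docking host through the default router."""
    hop = next_hop(dst)
    if hop == ACCESS_CONTROL_DEVICE:
        return "to-access-control-device", str(hop)
    return casg_router_receive(nat, src, dst)


def reply(nat, src, dst):
    """A reply arriving at the CASG router for a NAT pool address."""
    if not casg_out_permits(src, dst):
        return "dropped-by-casg-out", str(src)
    return "delivered", str(nat.untranslate(dst))
```

Because the NAT is address-based rather than port-based, the pool of 250 addresses is also the hard limit on concurrent docking hosts that can reach the CASG, which is the "address pool must be big enough for flash crowds" point on slide 34; the model raises once pool dn is used up.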
Slide 33: So where are we?
Slide 34: Fun little issues
- 1/3 of Bremen's 432 Cisco 340 APs can't do VLANs
- Ethernet interface hardware MTU issue
- Some client WLAN drivers are erratic in the presence of multi-SSID APs
- Can't give university IP addresses to roamers
  - Too many university-only services are authenticated on IP address
- Address pool must be big enough for flash crowds
- CASG space is currently allocated on a national level
  - So there will be a dozen updates before CASG is stable
Slide 35: Conclusions
Go for it:
- It is possible to create a fully interoperable solution
- It's not that hard
  - especially when you use TF Mobility's deliverable H to guide you
- Re-evaluate solutions in a couple of years
  - TF Mobility is going for a second term to help
- Integration approach also provides an easy upgrade path
  - E.g., add 802.1X to a docking-only site