WLAN Roaming for the European Scientific Community: Lessons Learned - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
WLAN Roaming for the European Scientific Community: Lessons Learned
  • Rodos, June 9th, 2004
  • Carsten Bormann <cabo@tzi.de>, Niels Pollem <np@tzi.de>
  • reporting on the work of TERENA TF Mobility

2
Outline
  • WLAN access control and security
  • How does inter-domain roaming work?
  • Roaming on a European scale
  • How to integrate solutions at the site level
  • Conclusion

3
WLAN Security Requirements
  • Confidentiality (Privacy)
    • Nobody can understand other people's traffic
    • Insider attacks are as likely as outsiders'
  • Accountability
    • We can find out who did something
    • Prerequisite: Authentication

4
WLAN Security Approaches
  • AP-based security: the AP is the network boundary
    • WEP (broken), WEP fixes, WPA, ...
    • 802.1X (EAP variants + RADIUS), 802.11i
  • Network-based security: security enforced deeper in the network
    • VPNs: needed by mobile people anyway
    • SSH, PPTP, IPsec
  • Alternative: Web-diverter (temporary MAC/IP address filtering)
    • No confidentiality at all, though

5
[Diagram: 802.1X architecture. Access network with 802.1X-capable APs and routers, campus network, Intranet X, RADIUS server(s), connection to the world]
6
WLAN Access Control: Why 802.1X is better
  • 802.1X is taking over the world anyway
  • The EAP/XYZ people are finally getting it right
    • Only 5 more revisions before XYZ wins wide vendor support
  • Available for more and more systems (Windows 2000 and up)
  • Distributes the hard crypto work to zillions of access points
  • Blocks unauthenticated clients as early as possible
  • More control for the visited site admin, too!
  • Most of all: it just works

7
[Diagram: VPN architecture. Docking network offering only DHCP, DNS and free Web, VPN gateways, campus network, Intranet X, connection to the world]
8
WLAN Access Control: Why VPN is better
  • Historically, more reason to trust L3 security than L2
    • IPsec has lots of security analysis behind it
  • Can use cheap/dumb APs
  • Available for just about everything (Windows 98, PDAs etc.)
  • Easy to accommodate multiple security contexts
    • Even with pre-2003 infrastructure
  • Data is secure in the air and all the way to the VPN gateway
  • Most of all: it just works

9
[Diagram: Web-based architecture. Docking network with DHCP, DNS and free Web, access control device performing the Web redirect, campus network, Intranet X, connection to the world]
10
WLAN Access Control: Why Web-based filtering is better
  • No client software needed (everybody has a browser)
  • Ties right into existing user/password schemes
  • Can be made to work easily for guest users
  • It's what the hotspots use, so guest users will know it already
  • May be able to tie in with Greenspot etc.
  • Privacy isn't that important anyway (use TLS and SSH)
  • Accountability isn't that important anyway
    • (the filter keys on MAC/IP addresses, which anyone on the same open SSID can spoof once a client has authenticated)
  • Most of all: it just works

11
From Access Control to Roaming
12
Roaming: High-level requirements
  • Objective: enable NREN users to use the Internet (WLAN and wired) everywhere in Europe
    • with minimal administrative overhead (per roaming)
    • with good usability
    • maintaining the required security for all partners

13
Inter-domain 802.1X
[Diagram: the supplicant associates at the visited institution A; the authenticator (AP or switch) hands the request to RADIUS server A, which sees the foreign realm of guest piet@institution_b.nl and proxies it via a central RADIUS proxy server (e.g., @NREN) to RADIUS server B at the home institution, which checks its own user DB; on success the visited site places the client in a VLAN (guest, employee or student VLAN) with access to the Internet.]
14
Web-based with RADIUS
15
VPN
Wbone: VPN roaming solution for 4 universities/colleges in the state of Bremen.
SWITCHmobile: VPN solution deployed at 7 universities across Switzerland.
Clients enter the Internet through their home network/gateway.
16
Wbone: interconnecting docking networks
[Diagram: docking networks of Uni Bremen (172.21/16), HS Bremen (172.25/16), HS Brhv. (10.28.64/18), HfK and AWI, joined through a Linux router (R Briteline) over IPsec/PPTP/SSH; extend to other sites ...]
17
Making roaming work on a European scale
18
European RADIUS hierarchy
[Diagram: national RADIUS proxy servers (UNI-C, FUNET, DFN, SURFnet, UKERNA, CESnet, FCCN, CARnet, GRnet, RedIRIS) connecting to a European-level RADIUS proxy server]
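The forwarding decision that slides 13 and 18 draw, as an added example (not code from the slides or from TF Mobility): each proxy in the chain institution -> NREN -> European top level -> NREN -> home institution looks only at the realm behind the "@" in the outer identity, answers itself when the realm is its own, and otherwise forwards by longest realm suffix or, by default, up the tree. The server names and the routing table are hypothetical; the loop guard and the check for a second "@" are the two things a practitioner should not leave out.

```python
"""Realm-based forwarding in a RADIUS proxy hierarchy (added example, not from
the slides). Each proxy looks at the realm behind '@' in the outer identity,
answers itself if the realm is its own, otherwise forwards to the next hop
from its table, or up the tree by default. Server names and the routing table
below are hypothetical."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Proxy:
    name: str
    own_realms: Set[str] = field(default_factory=set)     # authenticated locally
    routes: Dict[str, str] = field(default_factory=dict)  # realm suffix -> next hop
    default: Optional[str] = None                         # everything else goes here


def split_identity(identity: str) -> tuple[str, str]:
    """Return (user, realm) from an NAI-style 'user@realm'. Exactly one '@' is
    required: with two, the routing realm and the realm the home server sees
    could differ, which is a classic way to confuse a naive proxy."""
    if identity.count("@") != 1:
        raise ValueError(f"{identity!r}: exactly one '@' expected")
    user, realm = identity.split("@")
    if not user or not realm:
        raise ValueError(f"{identity!r}: empty user or realm")
    return user, realm.lower()


def next_hop(proxy: Proxy, realm: str) -> Optional[str]:
    """Longest-suffix match on the realm; None means 'this server answers'."""
    if realm in proxy.own_realms:
        return None
    labels = realm.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in proxy.routes:
            return proxy.routes[suffix]
    if proxy.default is None:
        raise LookupError(f"{proxy.name}: no route for realm {realm!r}")
    return proxy.default


def route(identity: str, start: str, proxies: Dict[str, Proxy],
          max_hops: int = 8) -> List[str]:
    """Follow the chain from the visited site's server until a server claims
    the realm. max_hops catches loops, e.g. a national proxy that bounces an
    unknown realm under its own TLD back to the top-level proxy."""
    _, realm = split_identity(identity)
    path, current = [start], proxies[start]
    for _ in range(max_hops):
        hop = next_hop(current, realm)
        if hop is None:
            return path
        path.append(hop)
        current = proxies[hop]
    raise RuntimeError(f"routing loop for realm {realm!r}: {path}")


def can_route(identity: str, start: str, proxies: Dict[str, Proxy]) -> bool:
    """True if the request would reach a server that owns the realm."""
    try:
        route(identity, start, proxies)
        return True
    except (LookupError, RuntimeError, ValueError):
        return False


def vlan_for(identity: str, visited_realm: str, groups: Dict[str, str]) -> str:
    """VLAN assignment at the visited site (slide 13): own users get their
    group's VLAN, anyone from a foreign realm lands in the guest VLAN."""
    user, realm = split_identity(identity)
    return groups.get(user, "student") if realm == visited_realm else "guest"


# Hypothetical hierarchy: two institutions, two NRENs, one European top level.
PROXIES = {p.name: p for p in [
    Proxy("radius.uni-bremen.de", own_realms={"uni-bremen.de"}, default="dfn-proxy"),
    Proxy("dfn-proxy", routes={"uni-bremen.de": "radius.uni-bremen.de"}, default="eu-proxy"),
    Proxy("eu-proxy", routes={"de": "dfn-proxy", "nl": "surfnet-proxy"}),
    Proxy("surfnet-proxy", routes={"institution_b.nl": "radius.institution_b.nl"}, default="eu-proxy"),
    Proxy("radius.institution_b.nl", own_realms={"institution_b.nl"}),
]}

if __name__ == "__main__":
    print(route("piet@institution_b.nl", "radius.uni-bremen.de", PROXIES))
    print(vlan_for("piet@institution_b.nl", "uni-bremen.de", {}))
```

Running it prints the five-hop path for piet@institution_b.nl starting at the Bremen server. A realm nobody owns (x@example.org) is rejected at the top level, and a realm under .nl that SURFnet does not know bounces between surfnet-proxy and eu-proxy until max_hops stops it; both cases make can_route return False instead of letting the request circulate.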
19
The CASG
    inetnum:   193.174.167.0 - 193.174.167.255
    netname:   CASG-DFN
    descr:     DFN-Verein
    descr:     Stresemannstrasse 78
    descr:     10963 Berlin
    country:   DE
    admin-c:   MW238
    tech-c:    JR433
    tech-c:    KL565
    status:    ASSIGNED PA
    mnt-by:    DFN-LIR-MNT
    changed:   poldi@dfn.de 20040603
    source:    RIPE
  • A Controlled Address Space for Gateways (CASG), kept separate from the docking networks
  • Hosts on docking networks can freely exchange packets with hosts in the CASG
    • Easy to accomplish with a couple of ACLs
  • All VPN gateways get an additional CASG address
    • Hmm, problem with some Cisco concentrators

20
[Diagram: the CASG sitting between the docking networks and the big bad Internet]
21
CASG allocation
  • Back-of-the-envelope: 1 address per 10,000 population
    • E.g., .CH gets 600, Bremen gets 60
  • Allocate to minimize routing fragmentation
    • May have to use some tunneling/forwarding
  • A VPN gateway can have both a local and a CASG address

22
The CASG Pledge
  • I will gladly accept any packet
    • There is no such thing as a security incident on the CASG
  • I will not put useful things in the CASG
    • People should not be motivated to go there except to authenticate or use authenticated services
  • I will help manage the prefix space so that it remains stable

23
How to integrate all these at the site level?
24
Commonalities
  • 802.1X
    • Secure SSID
    • RADIUS
  • Web-based captive portal
    • Open SSID
    • RADIUS
  • VPN-based
    • Open SSID
    • No RADIUS

[Diagram: the shared components, a RADIUS backend and a docking net (open SSID)]
25
How can I help... as a home institution
  • Implement the other backend
    • As a RADIUS-based site:
      • Implement a CASG VPN gateway (or subscribe to an NREN one)
      • Provide the right RADIUS for all frontends
    • As a VPN site:
      • Run a RADIUS server
  • Help the users try and debug their roaming setup while at home (play visited site)

26
How can I help... as a visited institution
  • Implement the other frontend
    • As a docking network site:
      • Implement the other docking approach (CASG access or Web-diverter)
      • Implement an 802.1X SSID (eduroam) in addition to the open SSID
    • As an 802.1X site:
      • Implement an open SSID with CASG access and Web-diverter
      • Your local users will like it, too (maybe too much)

27
Network layout with multiple SSIDs and VLAN
assignment
28
Network layout without multiple SSIDs and VLAN
assignment
29
Doing the plumbing
30
Default router in docking net
  • Default route points to the access control device:
      ip route 0.0.0.0 0.0.0.0 172.21.3.11
  • CASG routes point to the CASG router:
      ip route 193.174.167.0 255.255.255.0 172.21.3.250

31
CASG router
  • Inbound from the docking net, only packets destined to the CASG pass; outbound to the docking net, only packets sourced from the CASG pass:
      ip access-list extended casg-out
       permit ip 193.174.167.0 0.0.0.255 any
       deny ip any any
      ip access-list extended casg-in
       permit ip any 193.174.167.0 0.0.0.255
       deny ip any any
      interface Vlan86
       ip address 172.21.3.250 255.255.0.0
       ip access-group casg-in in
       ip access-group casg-out out
       ip nat inside

32
What if docking net is RFC1918?
  • Maximum compatibility with an address-based NAT (one pool address per client, no port overloading):
      ip access-list standard docking-addr
       permit 172.21.0.0 0.0.255.255
      !
      ip nat translation timeout 1800
      ip nat pool dn 134.102.216.1 134.102.216.250 netmask 255.255.255.0
      ip nat inside source list docking-addr pool dn
    • (The CASG-facing interface also needs ip nat outside; not shown on the slide.)
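An offline check of the policy on slides 30 to 32, as an added example (not code from the slides): it re-implements the first-match semantics of the two extended ACLs on Vlan86 and the address-based NAT pool, then pushes constructed packets through them in the order IOS applies them (inbound ACL before inside-to-outside NAT; outside-to-inside NAT before the outbound ACL). The prefixes and pool are the ones on the slides; the packets and the one-address pool used to provoke exhaustion are made up for the check.

```python
"""Offline check of the CASG router policy from slides 30-32 (added example,
not from the slides). Re-implements the two IOS extended ACLs on Vlan86 and
the address-based (1:1, no overload) NAT pool, and evaluates constructed
packets against them. Prefixes are from the slides; packets are made up."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: Net
    dst: Net


CASG = Net("193.174.167.0/24")       # 193.174.167.0 0.0.0.255 on the slide
DOCKING = Net("172.21.0.0/16")       # docking-addr: permit 172.21.0.0 0.0.255.255
ANY = Net("0.0.0.0/0")
NAT_POOL = list(Net("134.102.216.0/24").hosts())[:250]   # .1 - .250, as 'pool dn'

# ip access-group casg-in in   : docking net -> router, only towards the CASG
CASG_IN = [Ace("permit", ANY, CASG), Ace("deny", ANY, ANY)]
# ip access-group casg-out out : router -> docking net, only from the CASG
CASG_OUT = [Ace("permit", CASG, ANY), Ace("deny", ANY, ANY)]


def acl_permits(acl: List[Ace], src: Addr, dst: Addr) -> bool:
    """IOS ACL semantics: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


class AddressNat:
    """'ip nat inside source list docking-addr pool dn' without 'overload':
    every inside host takes one pool address for itself, so the pool must be
    at least as large as the number of simultaneous clients (slide 34)."""

    def __init__(self, inside: Net, pool: List[Addr]):
        self.inside = inside
        self.free = list(pool)
        self.table: Dict[Addr, Addr] = {}

    def translate(self, src: Addr) -> Addr:
        if src not in self.inside:
            return src                       # not subject to translation
        if src not in self.table:
            if not self.free:
                raise RuntimeError("NAT pool exhausted")
            self.table[src] = self.free.pop(0)
        return self.table[src]

    def untranslate(self, dst: Addr) -> Optional[Addr]:
        for inside, outside in self.table.items():
            if outside == dst:
                return inside
        return None


def from_docking(src: str, dst: str, nat: AddressNat) -> Optional[Tuple[str, str]]:
    """Packet arriving on Vlan86 from the docking net. IOS applies the inbound
    ACL before inside->outside NAT, so casg-in sees the 172.21 source.
    Returns the (src, dst) pair that leaves the router, or None if dropped."""
    s, d = Addr(src), Addr(dst)
    if not acl_permits(CASG_IN, s, d):
        return None
    return str(nat.translate(s)), str(d)


def to_docking(src: str, dst: str, nat: AddressNat) -> Optional[str]:
    """Reply towards a pool address. Outside->inside NAT runs before the
    outbound ACL, so casg-out sees the original 172.21 destination.
    Returns the inside destination, or None if dropped."""
    inside = nat.untranslate(Addr(dst))
    if inside is None or not acl_permits(CASG_OUT, Addr(src), inside):
        return None
    return str(inside)


def run_checks() -> Dict[str, object]:
    """Constructed traffic: a docking host, a CASG gateway, an outside host."""
    nat = AddressNat(DOCKING, NAT_POOL)
    small = AddressNat(DOCKING, NAT_POOL[:1])     # made-up one-address pool
    small.translate(Addr("172.21.9.1"))
    try:
        small.translate(Addr("172.21.9.2"))
        exhausted = False
    except RuntimeError:
        exhausted = True
    return {
        "to_casg": from_docking("172.21.5.7", "193.174.167.10", nat),
        "to_internet": from_docking("172.21.5.7", "198.51.100.1", nat),
        "reply_from_casg": to_docking("193.174.167.10", "134.102.216.1", nat),
        "reply_from_outside": to_docking("198.51.100.1", "134.102.216.1", nat),
        "reply_unknown_pool_addr": to_docking("193.174.167.10", "134.102.216.2", nat),
        "pool_exhausted": exhausted,
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The docking host reaches 193.174.167.10 as 134.102.216.1, a packet for a non-CASG address is dropped by casg-in even if it is misrouted to this router, a reply from outside the CASG to a pool address is dropped by casg-out, and the second client on a one-address pool gets no translation at all, which is the flash-crowd failure slide 34 warns about.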

33
So where are we?
34
Fun little issues
  • 1/3 of Bremen's 432 Cisco 340 APs can't do VLANs
  • Ethernet interface hardware MTU issue
  • Some client WLAN drivers are erratic in the presence of multi-SSID APs
  • Can't give university IP addresses to roamers
    • Too many university-only services are authenticated on IP address
  • Address pool must be big enough for flash crowds
  • CASG space is currently allocated on a national level
    • So there will be a dozen updates before CASG is stable

35
Conclusions
Go for it
  • It is possible to create a fully interoperable solution
  • It's not that hard
    • especially when you use TF Mobility's deliverable H to guide you
  • Re-evaluate solutions in a couple of years
    • TF Mobility is going for a second term to help
  • The integration approach also provides an easy upgrade path
    • E.g., add 802.1X to a docking-only site