CSD-Team 13
Oasis v.2
Introduction
Oasis v.1
ISPs share access network
Security
Choice for end-users
Compatible with legacy systems
Problems with the current solution
Current Solutions
Access based on MAC-address, easy to crack
No encryption over the wireless link
No easy-to-use interface to add ISPs
Our Solution
Takes advantage of the latest technologies
  Everything that supports 802.1X (Win XP, Linux, Mac OS X)
  Highest security provided by hardware
Supports legacy hardware/software
  Everything that supports PPTP
Our Solution
Easy-to-use interface to add ISPs
Few requirements for ISPs
Easy-to-use for end-user
Oasis
[Diagram labels: ISP1, ISP2, ISP3, AP, Network OP, web-based, Oasis Server (Radius-FreeRadius, Database-SQL, VLAN, Monitor-Cacti, Management server)]
Oasis
[Diagram labels: ISP1, ISP2, ISP3, AP, Network OP, web-based, Supplicant]
Oasis
[Diagram labels: ISP1, ISP2, ISP3, AP, Network OP, web-based, Supplicant]
Identifies ISP
  Which server?
  Which VLAN?
Oasis
[Diagram labels: ISP1, ISP2, ISP3, AP, Network OP, web-based, Supplicant, RADIUS server, ISP, user, Yes, Yes, VLAN]
Oasis
[Diagram labels: ISP1, ISP2, ISP3, AP, Network OP, web-based, Client, Fall back server, PPTP, 802.1X, Fallback VLAN]
Front-end to RRDTool
SNMP support
Store data into MySQL DB
Done in PHP
Integrating into OASIS v.2
  Scripts
Testing @ KistaIP
Tested both native and fallback
Tested with different platforms
Tested with switches and access points
Current KistaIP
VLANs used to separate the ISPs.
Short lease time IP address
User chooses the ISP via web page.
The VLAN switched to depends on the selection
Native setup
Fallback setup
Problems faced
DHCP plugin to look for a DHCP server.
DNS information is not received from the ISP.
Default route and routing tables.
Access points need additional features.
Certificate issues
Accomplishments
Management Server using XMLRPC
  Configuration of FreeRADIUS
Management Interface
Fallback Server
Transparent for ISPs
Cacti integration
Successful test with two "fake" ISPs
Problems and limitations
Complicated setup
Hardware configuration
Adding ISP requires reconfiguration of switches/access points
Fallback is limited by hardware support
  For wireless, needs multiple BSSIDs or multiple APs
  For wired, needs "unauth vlan"
Future work
Packaging
Certificates
Automatic hardware configuration
Local services
Team Members:
Ang Ma
Lucas Díez
Pratheepan Gunaratnam
Mikael Pettersson
Sasikumar Purushothaman
Thanks!
And Questions?