implementation of federated authentication€¦ · proxy radius infrastructure ldap directory...
TRANSCRIPT
© Politecnico di Torino 2-3-4 March 2005EuroCAMP
PolitoPolitoWiWi--FiFiGroupGroup
Implementation of Implementation of federated federated authenticationauthentication
Cesar PachecoCesar Pacheco
Politecnico di TorinoPolitecnico di Torino
Polito WiPolito Wi--Fi Case study Fi Case study
© Politecnico di Torino EuroCAMP 2-3-4 March 2005
PolitoPolitoWiWi--FiFiGroupGroup
Working Working GroupGroupThe Polito Wi-Fi members come from Departments of Politecnico, ISPs, Research Institute and ICT companiesCe.S.I.T. (ICT Project and mangement resources)
Group coordinator Marcello Maggiora, Cesar Pacheco, Antonio LantieriDAUIN (Control and Computer Engineering)
Antonio LioyDELEN (Electronics)
TLC Group - Fabio NeriGESD (Student Support Services)
Enrico VenutoISMB (Istituto Superiore Mario Boella – Research Institute)
Daniele Mazzocchi, Daniele BreviTelecom Italia
Marco BoassoHewlett-Packard – external supportCisco Systems – external support
© Politecnico di Torino EuroCAMP 2-3-4 March 2005
PolitoPolitoWiWi--FiFiGroupGroup
OverviewOverview
Politecnico di Torino CampusPolito Wi-Fi projectPolitecnico User databasesAuthentication methodsWLAN Network InfrastructureCisco ACS ImplementationProxy Radius InfrastructureProxy Radius configuration for Eduroam and Telecom Italia roaming
© Politecnico di Torino EuroCAMP 2-3-4 March 2005
PolitoPolitoWiWi--FiFiGroupGroup
Politecnico di TorinoPolitecnico di Torino CampusCampus
725 teachers, 600 technical and administrative employees27,000 students1000 courses for 70,000 hours/year of classes17 campuses in Piemonte10,000 fixed network points
© Politecnico di Torino EuroCAMP 2-3-4 March 2005
PolitoPolitoWiWi--FiFiGroupGroup
Torino: 10AlessandriaAostaBiellaChivassoIvreaVercelliMondovì
Politecnico di Torino Politecnico di Torino CampusesCampuses
17
© Politecnico di Torino EuroCAMP 2-3-4 March 2005
PolitoPolitoWiWi--FiFiGroupGroup
Polito WiPolito Wi--Fi projectFi project
The Polito WiFi Project at Politecnico di Torino started in 2003 as an initiative to implement a scalable WLAN network for the geographically dispersed campus ofPolitecnico di Torino.Features:
Centralized management of the covered radio areasCentralized authentication Centralized access control.
© Politecnico di Torino EuroCAMP 2-3-4 March 2005
PolitoPolitoWiWi--FiFiGroupGroup
PolitecnicoPolitecnico User databasesUser databases
Politecnico Student DatabaseHP Enterprise Directory Server (X.500)40,000 [email protected]
Personal and Teacher DatabaseStalker Communigate Pro V 4.18 (LDAP Directory)3,000 [email protected]
© Politecnico di Torino EuroCAMP 2-3-4 March 2005
PolitoPolitoWiWi--FiFiGroupGroup
Authentication methodsAuthentication methods
Likewired polito
UsersHigh-Low
ClientCertificate
ServerCertificate
Lab. test802.1x
EAP/TLS-WPA
Likewired polito
UsersHighHighLow in
MS-PEAP
ClientPassword
ServerCertificate
Field test802.1xWPA-TKIP
Likewired polito
UsersHighHighHighClient
PasswordEnabledAll areasTunnel VPN
InternetBrowsing
Secure Apps
Not atnetwork
levelHighHigh
ClientPassword
ServerCertificate
EnabledAll areas
Open HTTPSSSL3
DataProt.
PasswordProt.
UsernameProt.
Autent.Mutual
Suggestedactivities
Security level (air)StatusAuth.
Models
SECURITY
© Politecnico di Torino EuroCAMP 2-3-4 March 2005
PolitoPolitoWiWi--FiFiGroupGroup
WLAN Network InfrastructureWLAN Network Infrastructure
UTILSTAT
DUPLEXSPEED
SYSTEMRPS
LINE PWR
CATALYST 3550IN LINE P OWER
2
1
3
4
5
6
7
8
9
10
11
12
1
2
15
16
17
18
19
20
21
22
23
24
13
14
POE Switch
ACS Radius Server
Radio Management
DHCP Server
InternetInternetVPN Concentrator
WLAN
802.1x
WLAN Open
Athen Backbone
Access Point 802.11 a/b/g
SSID1SSID2
Firewall
Captive Portal
Informative Portal
© Politecnico di Torino EuroCAMP 2-3-4 March 2005
PolitoPolitoWiWi--FiFiGroupGroup
Cisco ACS ImplementationCisco ACS Implementation
For students databaseODBC connection to X.500Supports MS-CHAP authentication methods like PEAP-EAP-MSCHAPLimitations for digital certificates comparison
For teachers and employeesBind LDAP v3 to LDAP DirectorySAN or binary comparison for digital certificatesLimitations for MS-CHAP authentication methods like PEAP-EAP-MSCHAP
© Politecnico di Torino EuroCAMP 2-3-4 March 2005
PolitoPolitoWiWi--FiFiGroupGroup
Proxy Radius InfrastructureProxy Radius Infrastructure
LDAP Directory
Central Proxy Radius(handler for polito.it)
X.500
Students Radius
Proxy radius
InternetInternet
Athen Backbone
Proxy radius
ODBC
Bind LDAP v3
Oracle
Garr
Edu-Roam
TelecomItalia
© Politecnico di Torino EuroCAMP 2-3-4 March 2005
PolitoPolitoWiWi--FiFiGroupGroup
Proxy Radius Proxy Radius ConfigurationConfiguration
Radius Servers shared secret (Polito-Garr)
Proxy Distribution Tablepolito.it domains local proxywifiarea.it – Telecom Italiaother domains – Garr - Eduroam
© Politecnico di Torino 2-3-4 March 2005EuroCAMP
PolitoPolitoWiWi--FiFiGroupGroup
Questions Questions TimeTimePolito Polito WiWi--FiFi
http://http://wifiwifi.polito..polito.itit