Michal Procházka, Jan Oppolzer
michalp@ics.muni.cz, jan.oppolzer@cesnet.cz
CESNET
Michal Procházka
• Senior researcher at Masaryk University
• Member of AAI department at CESNET
• Member of AAI TF: ELIXIR, EGI
• Participating in GEANT GN4p1 projects
• More than 8 years of experience in IT security and AAI
Jan Oppolzer
• Head of eduID.cz federation operator
• Deputy of AAI department at CESNET
• eduGAIN steering group delegate
• Shibboleth v3 expert
Goal of the training
• At the end of the day
  • Understand how eduroam works
  • What are the benefits
  • How to set up eduroam in your country and institutions
• Ask questions
Outline
• Survey
• What is it?
• How does it work?
• eduroam and NREN
• eduroam and organization
• Requirements
• Production
Survey
• How many NRENs?
• How many organizations?
• How many Linux administrators?
What is it?
• Global identity federation
• Provides network access
  • Mainly over WiFi
Benefits
• Easy roaming
• Every user is identified
  • Useful for auditing and logging
  • Helps in case of a security incident
• Communication is encrypted
  • eduroam requires encrypted communication between client and AP
Video
https://www.youtube.com/watch?v=0VYp8wZG43k
How does it work?
[Diagram labels: RADIUS server (University ABC), RADIUS server (University 123), Roaming Operator central RADIUS proxy server, WiFi access point, user DBs, Visitor/Student/Employee VLANs; data and signaling paths]
From eduroam: The Value of WLAN measurements for the R&E Community presentation
Terms
• RO – Roaming Operator
• ETLRS – European Top-level RADIUS Servers
• FLRS – Federation Level RADIUS Server
• IdP – eduroam Identity Provider
• SP – eduroam Service Provider
• NAS – Network Access Element
• F-Ticks – Federated Ticker System
Infrastructure
• Top level RADIUS server (ETLRS)
• National RADIUS Proxy (FLRS)
• Institutional RADIUS (IdP and/or SP)
• Identity management system (IdM)
• Access Points, switches (NAS)
• Clients (Supplicant)
• Monitoring (F-Ticks)
Protocols and security
• 802.1X
  • Supplicant to AP communication
• RADIUS protocol
  • NAS to IdP communication
• EAP protocol
  • Supplicant to IdP communication
  • PAP, CHAP, TLS, TTLS, MS-CHAPv2, …
• TLS protocol
  • Securing FLRS to ETLRS as well as IdP to FLRS communication
Diagram from http://mrncciew.com
Authentication Protocols
• PAP – Password Authentication Protocol
• CHAP – Challenge-response Authentication Protocol
• TLS – Transport Layer Security – X.509 authN
• TTLS – Tunneled TLS with e.g. PAP
eduroam and NREN
• National point to the global eduroam
• Running FLRS
  • Proxying requests from SPs to IdPs and ETLRS
  • Monitoring infrastructure for IdPs
Requirements
• Digital certificate accepted by eduroam PMA
• Host with public IP address
  • Ideally two for HA or failover configuration
• Web server
• Optionally mailing list system
Software for FLRS
• radsecproxy
  • Proxying RADIUS requests
  • Supports TLS
• (r)syslog
  • Logging
• Monitoring
  • eduroam monitoring
Process
• Incoming request is routed to
  • a national IdP, or
  • up to the ETLRS
• FLRS does not modify RADIUS packets
  • Only filtering is applied (e.g. removing VLANs)
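The routing and filtering step described above, as an added Python sketch that is not code from the deck or from radsecproxy: the realm table, the national TLD and the server names are constructed, and, going one step beyond the slide, it rejects unknown realms inside the federation's own TLD instead of forwarding them, because the ETLRS would only send them back.

```python
import re

# Constructed data for this example (assumption): realms of the IdPs in this
# federation and the RADIUS server that serves each of them.
NATIONAL_TLD = "cz"
NATIONAL_IDPS = {
    "example-university.cz": "radius.example-university.cz",
    "another-univ.cz": "radius.another-univ.cz",
}
ETLRS = "etlr.example"  # placeholder for the European top-level RADIUS servers

# RFC 2868 tunnel attributes carry the home IdP's VLAN assignment; the FLRS
# strips them so they never reach the visited SP's NAS (the "remove VLANs" filter).
VLAN_ATTRIBUTES = {"Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id"}

# The realm after '@' must look like a dotted DNS name.
REALM_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def realm_of(user_name):
    """Return the realm after the last '@' of the outer User-Name, or None."""
    if "@" not in user_name:
        return None
    realm = user_name.rsplit("@", 1)[1].strip().lower()
    return realm if REALM_RE.match(realm) else None


def route(user_name):
    """Next hop for an Access-Request at the FLRS.
    Known national realm (or a sub-realm of one) -> that IdP's RADIUS server;
    unknown realm in our own TLD -> None (reject, avoids a loop via the ETLRS);
    any other realm -> ETLRS; missing or malformed realm -> None."""
    realm = realm_of(user_name)
    if realm is None:
        return None
    for national_realm, server in NATIONAL_IDPS.items():
        if realm == national_realm or realm.endswith("." + national_realm):
            return server
    if realm.endswith("." + NATIONAL_TLD):
        return None
    return ETLRS


def filter_reply(attributes):
    """Drop VLAN attributes from a reply; everything else passes unmodified.
    `attributes` is a list of (name, value) pairs because RADIUS attributes repeat."""
    return [(name, value) for name, value in attributes if name not in VLAN_ATTRIBUTES]
```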
F-ticks
• Federated Ticker System
  • Used to monitor FLRS RADIUS servers
  • Leverages syslog
• Example of the message:
  F-TICKS/eduroam/1.0#REALM=%R#VISCOUNTRY=LU#CSI=%{Calling-Station-Id}#RESULT=OK#
• Also solves privacy issues
  • REALM can be replaced with "undisclosed"
  • Second part of the MAC can be hashed
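The F-Ticks message and both privacy measures from the slide, as an added Python example that is not part of the deck: the hash algorithm, the per-operator salt and the sample MAC are this example's assumptions, and parse_fticks shows the monitoring side reading the line back out of syslog.

```python
import hashlib
import re

# Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabbccddeeff.
MAC_RE = re.compile(r"^([0-9a-f]{2})[:-]?([0-9a-f]{2})[:-]?([0-9a-f]{2})"
                    r"[:-]?([0-9a-f]{2})[:-]?([0-9a-f]{2})[:-]?([0-9a-f]{2})$")
PREFIX = "F-TICKS/eduroam/1.0"


def normalize_mac(csi):
    """Return the Calling-Station-Id as 12 lower-case hex digits, or raise."""
    m = MAC_RE.match(csi.strip().lower())
    if not m:
        raise ValueError("Calling-Station-Id is not a MAC address: %r" % csi)
    return "".join(m.groups())


def hash_csi(csi, salt):
    """Keep the first half of the MAC (the vendor OUI) and replace the second,
    device-specific half with a salted SHA-256 digest. The algorithm and the
    salt are this example's choice (assumption), not something the slide fixes."""
    mac = normalize_mac(csi)
    oui, device = mac[:6], mac[6:]
    return oui + hashlib.sha256((salt + device).encode("ascii")).hexdigest()


def fticks(realm, viscountry, csi, result, disclose_realm=True, salt=None):
    """Build one F-Ticks line in the slide's format. RESULT is OK or FAIL;
    realm privacy and MAC hashing are applied before the line is assembled."""
    if result not in ("OK", "FAIL"):
        raise ValueError("RESULT must be OK or FAIL")
    if not disclose_realm:
        realm = "undisclosed"
    csi = hash_csi(csi, salt) if salt is not None else normalize_mac(csi)
    return "%s#REALM=%s#VISCOUNTRY=%s#CSI=%s#RESULT=%s#" % (
        PREFIX, realm.lower(), viscountry.upper(), csi, result)


def parse_fticks(line):
    """Monitoring side: split a syslog line back into a dict, or return None
    if it is not an F-Ticks line."""
    fields = line.strip().split("#")
    if fields[0] != PREFIX:
        return None
    return dict(f.split("=", 1) for f in fields[1:] if "=" in f)


if __name__ == "__main__":
    # Constructed sample: a visitor from a hidden realm, seen in LU, accepted.
    print(fticks("example-university.cz", "lu", "aa:bb:cc:dd:ee:ff", "OK",
                 disclose_realm=False, salt="operator-secret"))
```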
Communication channels
• Web pages
  • Provide information for users and SPs
  • Must be on the eduroam.TLD domain
• Mailing list
  • Global eduroam mailing list
  • Mailing list for national SPs
eduroam and institution
• Processing user authentication
• Connection to the local IdM
• User support
• Usually operates as an SP
Technical Terms
• IdP – eduroam identity provider
• Supplicant
• NAS – Network Access Service
  • AP – Access Point
  • switch
Identity provider
• Providing user authentication
  • IdP selects authentication method
• Proper user registration
  • Ideally connected to the organization IdM
  • IdP must be able to identify the user in person
Supplicant
• Software initiating user authentication (EAP)
  • Creating a secured tunnel to the IdP
  • Transferring user credentials to the IdP via the selected authN method
  • Securing data transfer from machine to AP
• Included in Windows, Mac OS, Linux, Android, iOS, …
NAS
• WiFi Access Point/switch
• Must support 802.1X
• Communicating with home IdP using RADIUS protocol
  • Shares secret with home IdP
• WiFi security: WPA2/AES
• Open ports
  • see 6.3.3 in eduroam Service Definition
Requirements
• Digital certificate accepted by FLRS
• Access to the IdM system (user authN)
• Host with public IP address
  • Ideally two hosts for HA or failover
• Optionally have the access points
Communication channels
• Web pages and contact mail for users
  • Linked from eduroam.TLD
  • Containing information on how to join eduroam
  • Provides information about local restrictions
    • Filtered ports
    • NAT/IP ranges