TRANSCRIPT
SALSA-NetAuth / SALSA-FWNA BoF
Kevin Miller, Duke University, [email protected]
Internet2 Member Meeting, May 2005
Federated Wireless NetAuth: Premise
Enable members of one institution to authenticate to the wireless network at another institution using their home credentials.
– Reduce the need for guest IDs
– Simplify authentication when roaming
Current Activities
1. Defining use cases for FWNA
2. Identifying requirements for a roaming implementation
Use Cases
1. Roaming between sites
   a) Guest is a member of a participating institution
   b) Guest from a national lab
   c) Conference guest (local federation)
   d) "Guest" is a sensor / probe
2. Roaming between departments within the same institution
3. Shared buildings – multiple organizations in close proximity sharing a wireless infrastructure
4. ?
Basic Use Case
Purpose: Academic visitor
Actors: Client, AP, Authentication System
Procedure
– Client associates with the AP and initiates an EAP association
– Client credentials are forwarded to the home authentication service
– Home server indicates accept/decline
Key Requirements
Security
– Clients must only need to trust the home server, and must authenticate it
– Credentials must be encrypted between client and server
Authorization
– Sites should be able to restrict network access by user ID or user attributes
Accounting
– Record the authenticated ID and network address for each user
Usability
– Users should receive an EAP message if authorization fails
– ?
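The basic use case and the key requirements above, as an added example that is not code from these slides or from SALSA-FWNA: a Python simulation of one roaming attempt. The realms (home.example, visited.example), users, certificate bytes, the HMAC password proof and the guest address pool are all constructed assumptions, and the Tunnel class stands in for the TLS tunnel (PEAP or EAP-TTLS) that real deployments use to carry the inner identity and credential to the home server. It walks the four requirements in order: the client exposes only an anonymous outer identity for realm routing and refuses to send credentials to a server whose certificate does not match its pinned trust anchor; only the home server verifies the password; the visited site restricts access by a user attribute; an accepted session produces an accounting record of ID, MAC and address; and every failure carries an EAP message for the user.

```python
"""Federated wireless roaming: the visited site's AP/RADIUS proxy forwards a
client's EAP exchange by realm to its home server. Constructed example, not
code from the SALSA-FWNA slides; realms, users, certificates, addresses are made up."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

def fingerprint(cert: bytes) -> str:   # stands in for CA/server-name validation of the TLS cert
    return hashlib.sha256(cert).hexdigest()

def password_proof(password: str, nonce: bytes, user: str) -> bytes:
    return hmac.new(password.encode(), nonce + user.encode(), hashlib.sha256).digest()

@dataclass
class Tunnel:
    """Models the PEAP/EAP-TTLS tunnel: real identity plus a password proof only
    the home server can check; AP, visited RADIUS and proxies forward it unread."""
    inner_identity: str
    proof: bytes

@dataclass
class Result:
    accepted: bool
    identity: Optional[str]   # authenticated ID (None if never established)
    eap_message: str          # EAP-Success, or the failure text shown to the user

class HomeServer:
    def __init__(self, realm, cert, users):   # users: name -> (password, attributes)
        self.realm, self.cert, self.users = realm, cert, users

    def server_hello(self):
        return self.cert, os.urandom(16)      # present certificate, issue challenge

    def verify(self, tunnel: Tunnel, nonce: bytes):
        password, attrs = self.users.get(tunnel.inner_identity, (None, {}))
        if password is None or not hmac.compare_digest(
                password_proof(password, nonce, tunnel.inner_identity), tunnel.proof):
            return None, {}                   # decline
        return f"{tunnel.inner_identity}@{self.realm}", attrs   # accept

class Client:
    def __init__(self, user, realm, password, pinned_fingerprint, mac):
        self.user, self.realm, self.password = user, realm, password
        self.pinned, self.mac = pinned_fingerprint, mac

    def outer_identity(self):
        return f"anonymous@{self.realm}"      # only the realm is exposed, for routing

    def open_tunnel(self, cert, nonce) -> Optional[Tunnel]:
        if fingerprint(cert) != self.pinned:
            return None                       # untrusted server: send no credentials
        return Tunnel(self.user, password_proof(self.password, nonce, self.user))

class VisitedSite:
    def __init__(self, name, admitted_affiliations):
        self.name, self.admitted = name, set(admitted_affiliations)
        self.accounting = []                  # one record (ID, MAC, IP) per session

    def authorize(self, identity, attrs):     # restrict access by user attribute
        if attrs.get("affiliation") not in self.admitted:
            return False, f"affiliation {attrs.get('affiliation')!r} not admitted at {self.name}"
        return True, ""

    def account(self, identity, mac):
        ip = f"10.200.0.{len(self.accounting) + 1}"   # constructed guest address pool
        self.accounting.append({"id": identity, "mac": mac, "ip": ip})

def roam(client: Client, site: VisitedSite, routes: dict) -> Result:
    """One roaming attempt; routes is the RADIUS proxy table, realm -> HomeServer."""
    home = routes.get(client.outer_identity().rpartition("@")[2])
    if home is None:
        return Result(False, None, "EAP-Failure: no route for realm")
    cert, nonce = home.server_hello()
    tunnel = client.open_tunnel(cert, nonce)           # client authenticates the home server
    if tunnel is None:
        return Result(False, None, "EAP-Failure: client refused untrusted home server")
    identity, attrs = home.verify(tunnel, nonce)       # home server: accept or decline
    if identity is None:
        return Result(False, None, "EAP-Failure: home server rejected credentials")
    ok, reason = site.authorize(identity, attrs)       # visited-site authorization
    if not ok:
        return Result(False, identity, f"EAP-Notification: {reason}")
    site.account(identity, client.mac)
    return Result(True, identity, "EAP-Success")

def demo():
    """Constructed scenario: one home realm, one visited site, one rogue server."""
    cert = b"made-up certificate for home.example"
    home = HomeServer("home.example", cert, {"alice": ("pw-alice", {"affiliation": "faculty"}),
                                             "bob": ("pw-bob", {"affiliation": "student"})})
    site = VisitedSite("visited.example", {"faculty", "staff"})
    mk = lambda u, pw, n: Client(u, "home.example", pw, fingerprint(cert), f"00:11:22:33:44:0{n}")
    rogue = {"home.example": HomeServer("home.example", b"rogue certificate", {})}
    return {"faculty": roam(mk("alice", "pw-alice", 1), site, {"home.example": home}),
            "student": roam(mk("bob", "pw-bob", 2), site, {"home.example": home}),
            "bad_password": roam(mk("alice", "nope", 3), site, {"home.example": home}),
            "rogue_server": roam(mk("alice", "pw-alice", 1), site, rogue),
            "accounting": list(site.accounting)}
```

The rogue_server case is the one to look at for the first security requirement: because the client checks the server before it builds the tunnel, a visited site (or an attacker's AP) that routes the realm to an impostor gets no credential material at all, only an EAP-Failure. The student case shows the visited site declining a user the home server accepted, with an EAP notification rather than a silent drop.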
SALSA-NetAuth Road Map
"Strategies" Document – Final Version Published
– Version 0.9 published 25 April 05
– Taxonomy of some approaches for automating technical policy enforcement
"Futures" Documents
– Architecture document: Draft 02 published 25 April 05
  A proposed architecture for integrating network policy enforcement
  Draft 03 to be published soon
"Prerequisites" Document – On Hold
– A reference to systems and services necessary to deploy NetAuth systems
SALSA-FWNA Subgroup – Group Active
– To investigate the visiting scholar problem
Strategies Document
Taxonomy of mechanisms for automating network policy enforcement
– For example: NetReg, Perfigo, etc.
– Provides a starting point for discussions on improving the process
– References free and commercial systems
Lifecycle of Network Access
Registration is the initial state
– Detection
– Isolation
– Notification
– Remediation
(Diagram: the stages Detection, Isolation, Notification and Remediation following Registration.)
Future Architecture Document
Developing a unified architecture for future systems based upon current experiences
– "Past performance is no guarantee of future results"
Identified common features of existing policy enforcement systems
Architecture Document
Policy Determination States
– L2INIT
– L2NEGOTIATION
– L3INIT
– L3CONNECT
– L3SERVICE
Final States
– Offline: Disconnected
– Compliant: Full Access
– Non-Compliant: Restricted Access
State Transitions
Any Policy Determination State can move to a Final State
Policy Evaluation
Can be applied in any state
A host can move from a "final" state back to a policy state due to external action
Workflow Diagram
– External event occurs: a policy decision check is required
– Policy Decision: lookup to the policy repository, with one of three outcomes
  – Policy Action: none required
  – Policy Action: move to new state; the network transitions the host to the new state
  – Policy Action: enforcement action required; policy enforcement is applied (Detection, Isolation, Notification, Remediation), then the enforcement action is taken and control returns to Policy Decision
– The network transitions the host to a fully compliant or non-compliant final state
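The policy determination states, final states, transitions and workflow above, as an added example that is not the architecture document's own code: a Python state machine that walks a host through L2INIT to L3SERVICE, rests it in Offline, Compliant or Non-Compliant, consults a policy repository in every state, and re-enters the machine from a final state on an external event. The two rules in the repository, the host fields (registered, vulnerable), the mapping of rules to enforcement actions and the event names are constructed assumptions; the three outcomes of policy_decision are the three policy actions of the workflow diagram.

```python
"""Policy-decision state machine in the shape of the NetAuth architecture:
five policy determination states, three final states, and a policy repository
lookup that can run in any state. Constructed example, not the SALSA document's
own code; the rules, host fields and event names are made up."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Set

class State(Enum):
    L2INIT = "L2INIT"                # policy determination states
    L2NEGOTIATION = "L2NEGOTIATION"
    L3INIT = "L3INIT"
    L3CONNECT = "L3CONNECT"
    L3SERVICE = "L3SERVICE"
    OFFLINE = "OFFLINE"              # final: disconnected
    COMPLIANT = "COMPLIANT"          # final: full access
    NON_COMPLIANT = "NON_COMPLIANT"  # final: restricted access

POLICY_STATES = [State.L2INIT, State.L2NEGOTIATION, State.L3INIT, State.L3CONNECT, State.L3SERVICE]
FINAL_STATES = {State.OFFLINE, State.COMPLIANT, State.NON_COMPLIANT}

class Enforcement(Enum):
    DETECTION = "detection"
    ISOLATION = "isolation"
    NOTIFICATION = "notification"
    REMEDIATION = "remediation"

@dataclass
class Host:
    mac: str
    state: State = State.OFFLINE
    registered: bool = False
    vulnerable: bool = False
    log: List[str] = field(default_factory=list)   # enforcement actions and transitions

@dataclass
class Rule:
    name: str
    applies_in: Set[State]                 # states in which the rule is evaluated
    violated: Callable[[Host], bool]
    enforcement: List[Enforcement]         # actions applied before moving to NON_COMPLIANT

# Constructed policy repository. An unregistered host is caught as soon as it
# appears at layer 2; a vulnerable host is caught at L3SERVICE, and also while
# already COMPLIANT, because policy evaluation can be applied in any state.
REPOSITORY = [
    Rule("unregistered-host", set(POLICY_STATES), lambda h: not h.registered,
         [Enforcement.ISOLATION, Enforcement.NOTIFICATION, Enforcement.REMEDIATION]),
    Rule("vulnerable-host", {State.L3SERVICE, State.COMPLIANT}, lambda h: h.vulnerable,
         [Enforcement.DETECTION, Enforcement.ISOLATION, Enforcement.NOTIFICATION]),
]

def policy_decision(host: Host, repo: List[Rule]):
    """Lookup to the policy repository. Returns ('enforce', NON_COMPLIANT, actions),
    ('advance', next_state, []) or ('none', current_state, [])."""
    hits = [r for r in repo if host.state in r.applies_in and r.violated(host)]
    if hits:
        return "enforce", State.NON_COMPLIANT, [a for r in hits for a in r.enforcement]
    if host.state in FINAL_STATES:
        return "none", host.state, []
    i = POLICY_STATES.index(host.state)
    nxt = POLICY_STATES[i + 1] if i + 1 < len(POLICY_STATES) else State.COMPLIANT
    return "advance", nxt, []

def run_policy(host: Host, repo: List[Rule] = REPOSITORY) -> State:
    """Apply policy decisions until the host rests in a final state."""
    while True:
        action, target, actions = policy_decision(host, repo)
        host.log.extend(f"{host.state.value}: {a.value}" for a in actions)
        if target is not host.state:
            host.log.append(f"{host.state.value} -> {target.value}")
        host.state = target
        if action == "none" or host.state in FINAL_STATES:
            return host.state

def external_event(host: Host, event: str, repo: List[Rule] = REPOSITORY) -> State:
    """External actions re-enter the machine: a link change or a completed
    registration/remediation moves a host from a final state back to a policy
    determination state; a detection result triggers a policy check in place."""
    host.log.append(f"event: {event}")
    if event == "link_down":
        host.state = State.OFFLINE
        return host.state
    if event == "link_up":
        host.state = State.L2INIT
    elif event == "registration_completed":
        host.registered = True
        host.state = State.L2INIT            # rejoin as a known host
    elif event == "vulnerability_found":
        host.vulnerable = True               # re-check in the current state
    elif event == "remediated":
        host.vulnerable = False
        host.state = State.L3INIT            # re-derive layer-3 policy
    else:
        raise ValueError(f"unknown event {event!r}")
    return run_policy(host, repo)

def demo() -> List[State]:
    """Constructed lifecycle: join unregistered, register, get flagged, fix, leave."""
    host = Host(mac="00:11:22:33:44:55")
    return [external_event(host, e) for e in
            ("link_up", "registration_completed", "vulnerability_found", "remediated", "link_down")]
```

A real repository would be keyed on host attributes (MAC, switch port, scan results) rather than two lambdas; the shape that matters for the questions on the next slide is that policy_decision is callable in every state, including the final ones, and that an external event is the only way out of a final state.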
Questions
Is the state machine an appropriate representation?
– Are the states correct?
Is the policy evaluation component generic enough?
?