
Page 1: SALSA-NetAuth / SALSA-FWNA BoF

Kevin Miller, Duke University, kevin.miller@duke.edu

Internet2 Member Meeting, May 2005

Page 2: Federated Wireless NetAuth

Premise

Enable members of one institution to authenticate to the wireless network at another institution using their home credentials.
– Reduce the need for guest IDs
– Simplify authentication when roaming

Page 3: Current Activities

1. Defining Use Cases for FWNA
2. Identify requirements for roaming implementation

Page 4: Use Cases

1. Roaming Between Sites
   a) Guest is a member of a participating institution
   b) Guest from a national lab
   c) Conference guest (local federation)
   d) "Guest" is a sensor / probe
2. Roaming between departments within the same institution
3. Shared buildings – multiple organizations in close proximity sharing a wireless infrastructure
4. ?

Page 5: Basic Use Case

Purpose: Academic Visitor
Actors: Client, AP, Authentication System
Procedure
– Client associates with AP, initiates EAP association
– Client credentials are forwarded to home authentication service
– Home server indicates accept/decline

Page 6: Key Requirements

Security
– Clients must only need to trust the home server, and must authenticate it
– Credentials must be encrypted between client and server

Authorization
– Sites should be able to restrict network access by user ID or user attributes

Accounting
– Record authenticated ID and network address for each user.

Usability
– Users should receive an EAP Message if authorization fails.

?
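Added example (not from the presentation or any SALSA project code): a Python simulation of the slide 5 procedure checked against the slide 6 requirements. The federation table, server names, users, attributes and opaque credentials are all constructed; the real exchange runs over EAP and RADIUS, which is not modelled here.

```python
import hmac

# Constructed federation table (hypothetical names): realm -> home authentication server.
FEDERATION = {"duke.edu": "radius.duke.example", "lab.example": "auth.lab.example"}

# Constructed home-server credential stores: realm -> {user: (credential, attributes)}.
# The credential string is a toy stand-in for whatever the home server really verifies.
HOME_USERS = {
    "duke.edu": {"kmiller": ("opaque-cred-1", {"affiliation": "staff"})},
    "lab.example": {"probe7": ("opaque-cred-2", {"affiliation": "sensor"})},
}


def split_nai(identity):
    """Split a 'user@realm' identity; the realm is what the visited site routes on."""
    user, sep, realm = identity.partition("@")
    if not sep or not user or not realm:
        raise ValueError("identity has no realm; cannot route to a home server")
    return user, realm


def home_server_auth(realm, user, credential):
    """Home server only: verify the credential and return (accepted, user attributes)."""
    entry = HOME_USERS.get(realm, {}).get(user)
    if entry is None:
        return False, {}
    stored, attrs = entry
    if not hmac.compare_digest(stored.encode(), credential.encode()):
        return False, {}
    return True, attrs


def visited_site_access(identity, credential, client_ip, allowed_affiliations, accounting):
    """Visited site: route by realm, let the home server accept/decline, then authorize
    by attribute and write an accounting record (authenticated ID + network address)."""
    user, realm = split_nai(identity)
    home = FEDERATION.get(realm)
    if home is None:
        return "EAP-Failure", "realm not in federation"
    accepted, attrs = home_server_auth(realm, user, credential)  # never verified locally
    if not accepted:
        return "EAP-Failure", "home server declined"
    if attrs.get("affiliation") not in allowed_affiliations:
        # Usability requirement: tell the user why authorization failed, not just drop them.
        return "EAP-Failure", "affiliation not authorized at this site"
    accounting.append({"id": identity, "ip": client_ip, "home": home})
    return "EAP-Success", "full access"
```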

Page 7: SALSA-NetAuth Road Map

Version 0.9 published 25 April 05

"Strategies" Document – Final Version Published
– Taxonomy of some approaches for automating technical policy enforcement

"Futures" Documents
– Architecture document: Draft 02 Published 25 April 05
  A proposed architecture for integrating network policy enforcement
  Draft 03 Published Soon

"Prerequisites" Document – On Hold
– A reference to systems and services necessary to deploy NetAuth systems

SALSA-FWNA Subgroup – Group Active
– To investigate the visiting scholar problem

Page 8: Strategies Document

Taxonomy of mechanisms for automating network policy enforcement
– For example: NetReg, Perfigo, etc.
– Provides a starting point for discussions on improving the process
– References free and commercial systems

Page 9: Lifecycle of Network Access

Registration is the initial state

[Figure: lifecycle cycle – Detection, Isolation, Notification, Remediation]

Page 10: Future Architecture Document

Developing a unified architecture for future systems based upon current experiences
– "Past performance is no guarantee of future results"

Identified common features of existing policy enforcement systems

Page 11: Architecture Document

Policy Determination States
– L2INIT
– L2NEGOTIATION
– L3INIT
– L3CONNECT
– L3SERVICE

Final States
– Offline: Disconnected
– Compliant: Full Access
– Non-Compliant: Restricted Access

Page 12: State Transitions

Any Policy Determination State can move to a Final State

Page 13: Policy Evaluation

Can be applied in any state

Host can move from "final" state to policy state due to external action

[Workflow Diagram: External Event Occurs – Policy Decision Check Required → Policy Decision (Lookup to Policy Repository) → Policy Action, one of: None Required; Move to new state (Network Transitions to New State); Enforcement Action Required (Policy Enforcement Applied: Detection, Isolation, Notification, Remediation – take enforcement action and return to Policy Decision). Network transitions to a fully compliant or non-compliant final state.]
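Added example (not from the presentation or the architecture document): a Python model of the slide 11 states and the slide 12 and 13 transitions, including an external event that pulls a host out of a final state and the enforcement cycle that returns to Policy Decision. The host attributes (registered, patched) and the event names are constructed stand-ins for the policy repository's inputs.

```python
# Policy determination states, in the order a host normally progresses through them
POLICY_STATES = ["L2INIT", "L2NEGOTIATION", "L3INIT", "L3CONNECT", "L3SERVICE"]
# Final states: Offline = disconnected, Compliant = full access, Non-Compliant = restricted
FINAL_STATES = {"Offline", "Compliant", "Non-Compliant"}
ENFORCEMENT = ("Detection", "Isolation", "Notification", "Remediation")


class Host:
    def __init__(self, registered=True, patched=True):
        self.registered, self.patched = registered, patched  # constructed policy inputs
        self.state = "L2INIT"                                 # registration is the initial state
        self.actions = []                                     # enforcement actions taken


def policy_decision(host):
    """Constructed policy-repository lookup; returns one of the three policy actions."""
    if host.state == "Offline" or (host.state == "Compliant" and host.patched):
        return ("none",)
    if not host.registered:
        return ("enforce",)                    # run Detection/Isolation/Notification/Remediation
    if not host.patched:
        return ("move", "Non-Compliant")       # restricted access until remediated
    if host.state in ("L3SERVICE", "Non-Compliant"):
        return ("move", "Compliant")           # full access
    return ("move", POLICY_STATES[POLICY_STATES.index(host.state) + 1])


def evaluate(host):
    """Policy evaluation applies in any state; loop until a final state or no action needed."""
    while True:
        action = policy_decision(host)
        if action[0] == "none":
            return host.state
        if action[0] == "move":
            host.state = action[1]             # network transitions to the new state
            if host.state in FINAL_STATES:
                return host.state
        else:
            host.actions.extend(ENFORCEMENT)   # take enforcement action, return to decision
            host.registered = True             # remediation completes registration


def external_event(host, event):
    """External action pulls a final-state host back into a policy state for re-evaluation."""
    if event == "disconnect":
        host.state = "Offline"
    elif event in ("vulnerability_report", "patched"):
        host.patched = event == "patched"
        host.state = "L3SERVICE"               # re-enter policy determination
    else:
        raise ValueError(f"unknown event {event!r}")
    return evaluate(host)
```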

Page 14: Questions

Is the state machine an appropriate representation?
– Are the states correct?

Is the policy evaluation component generic enough?

?