Workshop roaming services: eduroam / govroam Belnet – Nicolas Loriau Brussels – November 2015.

Post on 21-Jan-2016


Workshop roaming services: eduroam / govroam

Belnet – Nicolas Loriau

Brussels – November 2015

Agenda

Belnet - Workshop govroam 21/04/23

• General

• Technical framework

• Demo

Roundtable

• Name and organization?

• Experiences with Belnet?

• Expectations for today’s workshop?


Overview of Belnet Services


Service categories: Standard Services; « Plus » Services – On demand; « Plus » Services – Associated cost

• Belnet Connectivity

• Internet Connectivity

• IPv4 and IPv6

• DNS Services

• NTP

• Monitoring

• Service desk 24/7

• Workshops

• Back-up Internet connectivity

• RRN Connectivity

• eduroam

• Belnet R&E Federation

• Multipoint

• Belnet Leased Lines

• Multimedia Transport Service

• govroam

• Domain Name Registration

• Digital Certificates

• Antispam Pro

• Belnet Cloud Storage

• Belnet Cloud computing

Network Services

What is it? – govroam

• GOVernment ROAMing

• Simple and secure access to wifi network

• Belnet initiative based on eduroam technologies

• For governmental institutions, administrations, …

• http://www.govroam.be

What is it? – eduroam

• EDUcation ROAMing

• Simple and secure access to wifi network

• Terena project to provide students access to internet

• For research and education institutions

• http://www.eduroam.be

Why?

• Increased Mobility: users can make use of Wifi infrastructure at other members

• Easy: users only need their home organization account to login

• Secure: centralized accounts, no local copies

• Cost effective: reduce 3G/4G cost when moving between offices


Technical framework

Technical infrastructure

Technical Framework
– Principles
– Components
– Authentication flow

Demo
– Objectives
– Test with Windows server 2012 and NPS


Principles

To install roaming services, you need:
– Wi-Fi access points and controllers and/or 802.1x switches
– RADIUS server
– User database / LDAP / AD

Based on a hierarchy of RADIUS servers
– Your only point of contact is Belnet


Principles

It is:
– A trust-based relationship between members
– An agreement on roaming technologies

Chain of trust:
– All direct peers must be known beforehand
– A shared secret must be established “out-of-band”
– Agreement on authentication protocols & methods


Principles – Hierarchy of authentication servers

(Diagram: the Belgian Top-Level AS (“Federation”) sits above the authentication servers (AS) of Institution-A.be and Institution-B.be (“Institution”); the same hierarchy applies to eduroam.)

Components

Client / Supplicant
– SW on end user's device which handles network authentication
– Minimum requirements: WPA, EAP-TTLS, PEAP enabled


Components

Network Access Server / Authenticator / Service Provider
– IEEE 802.1X enabled switch or wireless access point which provides Clients access to the (W)LAN
– Separate VLAN for home and visiting end users


Components

Authentication Server / Identity Provider
– Remote Authentication Dial In User Service compliant (RFC 2865/2866)
– NOT a user database
– Authenticates home end users against local user database
– Forwards requests of visiting end users
– Software:
  • Radiator
  • FreeRADIUS
  • Windows server with NPS (from 2008R2)
  • Others


Components

User identity source
– LDAP/AD
– Local database / SQL


Protocols and Methods

EAP Framework
– Extensible Authentication Protocol (RFC 5247)
– NOT a wire protocol nor an authentication mechanism
– Defines authentication data formats
– Negotiates which authentication method/type should be used


Protocols & Methods

EAP Methods/Types – "How does EAP authenticate"
– Uses the EAP framework to remotely authenticate the end user's credentials to his home institute's Identity Provider
– 40+ different methods exist > use common secure ones!
  • Outer Authentication: EAP-TTLS (RFC 5281), PEAP
  • Inner Authentication: MSCHAPv2 (RFC 2759)


Protocols & Methods

EAP Encapsulation – "How EAP can be transported"
– In order to transport EAP messages, they must be encapsulated
– Between client and SP (802.1x)
  • EAP over LAN = “EAPOL”
– Between SP & IdP, IdP & IdP
  • RADIUS
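The SP-to-IdP leg of the encapsulation above, as an added example that is not part of the slides: the SP's RADIUS client wraps the client's EAP Response/Identity in an Access-Request, and the receiving IdP checks the RFC 3579 Message-Authenticator keyed with the out-of-band shared secret from the chain-of-trust slide. The identity, secret and packet identifier are constructed sample values.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST = 1                                          # RADIUS code (RFC 2865)
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80   # attribute types

def attr(kind, value):  # one RADIUS attribute: Type, Length (incl. header), Value
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return bytes([kind, len(value) + 2]) + value

def eap_response_identity(eap_id, identity):
    """EAP Response (code 2) of type Identity (1): what the supplicant answers in step 2/3."""
    body = bytes([1]) + identity.encode()
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body

def build_access_request(secret, ident, identity, eap_id=1):
    """SP side: encapsulate the EAP message in RADIUS and sign with Message-Authenticator."""
    authenticator = os.urandom(16)            # Request Authenticator: fresh random bytes
    attrs = attr(USER_NAME, identity.encode()) + attr(EAP_MESSAGE, eap_response_identity(eap_id, identity))
    ma_offset = 20 + len(attrs) + 2           # where the 16 Message-Authenticator bytes sit
    pkt = bytearray(struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18)
                    + authenticator + attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    # HMAC-MD5 over the whole packet with the MA value zeroed, keyed with the shared secret
    pkt[ma_offset:ma_offset + 16] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def parse_attrs(pkt):
    """Yield (type, value_offset, value) for each attribute; reject malformed lengths."""
    pos = 20
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("malformed attribute")
        kind, length = pkt[pos], pkt[pos + 1]
        yield kind, pos + 2, pkt[pos + 2:pos + length]
        pos += length

def verify_message_authenticator(secret, pkt):
    """IdP side: an EAP-carrying Access-Request without a valid MA must be dropped."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    for kind, off, value in parse_attrs(pkt):
        if kind == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False                               # no Message-Authenticator at all

def outer_identity(pkt):  # all the SP and proxies learn at step 3: the outer User-Name
    return next(v.decode() for k, _, v in parse_attrs(pkt) if k == USER_NAME)
```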


Security

Outer authentication
– Goal: securely transport the EAP messages between peers
– Authenticate the server (to avoid MitM attacks)
– PEAP, EAP-TTLS

Inner authentication
– Transmit unique user attributes (credentials)
– via MSCHAPv2


Security – EAP, 802.1X and RADIUS must be secured

Choice of security mechanisms is important.

(Diagram: Client (user@institution-B.be) -> 802.1X “EAPOL” (WPA2-AES) -> Service Provider Institution-A.be -> RADIUS -> Identity Provider Institution-A.be; the EAP conversation (EAP-TTLS or PEAP) runs end to end between Client and Identity Provider inside these carriers.)

Authentication Flow – National Level (steps 1 to 11)

(Diagram, repeated on each step: Client user@institution-B.be – Service Provider Institution-A.be – Identity Provider Institution-A.be – Belgian Top-Level Radius – Identity Provider Institution-B.be)

1. The User contacts the Service Provider (SP) (Wireless Access Point) of institution A (SSID = govroam).
2. The SP of institution A asks the user's identity. Not yet the credentials!
3. The user identity is transmitted to the Identity Provider (IdP) (RADIUS server) of institution A using an EAP Access-Request message.
4. Based on the identity, the IdP of institution A knows that the user doesn't belong to its own user database and will transmit the Access-Request to the Belgian RADIUS server.
5. Based on the realm part of the identity, the Belgian RADIUS server transmits the Access-Request to the RADIUS server of institution B.
6a. Now the IdP of institution B knows the User and a TLS tunnel is established between User and RADIUS server using the EAP encapsulation mechanism (outer authentication).
6b. The User checks during TLS establishment the RADIUS server certificate of his institution.
7. Now the User is authenticated against its own institute's IdP, using traditional mechanisms (challenges, certificates, token...) (inner authentication).
8. If the User is correctly authenticated, the RADIUS server of institution B sends an Access-Accept to the Belgian RADIUS server, otherwise it sends an Access-Reject.
9. The Belgian RADIUS server sends the Access-Accept to institution A.
10. The IdP of institution A tells its SP to grant access to the User and provides all information related to the local access policy (vlan, IP address, ...).
11. The User can now access LAN and Internet.
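The eleven steps above as an added, runnable simulation that is not part of the slides: each hop decides on the realm of the outer identity only, as steps 4, 5 and 8 to 10 describe, and the SP applies its own VLAN policy on Access-Accept. The institution names come from the diagram; the user tables, passwords and VLAN names are constructed sample data, and the real flow carries the password inside the TLS tunnel of step 6a rather than in clear as here.

```python
# Constructed sample data: the two institutions and the federation from the diagram;
# the user/password tables stand in for each IdP's local LDAP/AD.
FEDERATION = "Belgian Top-Level"
IDP_USERS = {
    "Institution-A.be": {"alice": "pw-a"},
    "Institution-B.be": {"bob": "pw-b"},
}
FEDERATION_REALMS = {r.lower(): r for r in IDP_USERS}   # realms the top-level can route
ACCEPT, REJECT = "Access-Accept", "Access-Reject"

def split_nai(identity):
    """Split 'user@realm' (RFC 7542 NAI); (None, None) when there is no usable realm."""
    user, sep, realm = identity.rpartition("@")
    if not sep or not user or not realm:
        return None, None
    return user, realm.lower()

def idp_handle(home, identity, password, path):
    """Steps 4 and 7: an institution IdP authenticates its own realm, proxies everything else."""
    path.append(home)
    user, realm = split_nai(identity)
    if realm is None:
        return REJECT                           # unroutable identity: refuse at the first hop
    if realm == home.lower():                   # home user: check the local user database
        return ACCEPT if IDP_USERS[home].get(user) == password else REJECT
    return federation_handle(identity, password, path)

def federation_handle(identity, password, path):
    """Step 5: the Belgian top-level routes on the realm alone and relays the home IdP's answer."""
    path.append(FEDERATION)
    _, realm = split_nai(identity)
    if realm not in FEDERATION_REALMS:
        return REJECT                           # unknown realm: no peer to forward to
    return idp_handle(FEDERATION_REALMS[realm], identity, password, path)

def access_policy(sp, identity):
    """Step 10: the SP's local policy, here separate VLANs for home and visiting users."""
    _, realm = split_nai(identity)
    return "home-vlan" if realm == sp.lower() else "guest-vlan"

def authenticate(sp, identity, password):
    """Run the chain from the SP's own IdP; returns (result, hops visited, assigned VLAN)."""
    path = []
    result = idp_handle(sp, identity, password, path)
    vlan = access_policy(sp, identity) if result == ACCEPT else None
    return result, path, vlan
```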

How to implement

Prerequisites (out of scope)

Wi-Fi access point that must:
– be IEEE 802.1X compliant
– broadcast the SSID "eduroam" or “govroam” (govroamtest for this session)
– offer IEEE 802.11b or better
– implement WPA/TKIP or better (Belnet strongly recommends WPA2-AES!)
– allow traffic on defined ports (please refer to govroam)

User database:
– LDAP
– Active Directory


Prerequisites (out of scope)

Server certificates

– Don't use a self-signed server certificate

– Successfully import server & chain certificate into Windows

– Use dcs.belnet.be to get a signed server certificate

Correct server time

– Important for the setup of TLS-tunnels

– Use Belnet's NTP server time.belnet.be to get the correct time

Firewalls & Ports

– UDP 1812

– UDP 1813


Radiator Installation

Why “Radiator”?

– Belnet uses this product

– Easy & straightforward to deploy on Linux, Windows, ...

– Broad support for Identity & Access Management backends

– One of the first solutions which supported RadSec


Freeradius Installation

Why “Freeradius”?

– Free

– Easy to deploy on Linux, Windows, ...

– Broad support for Identity & Access Management backends

– Now supports RadSec


W2012 R2 with NPS

Why “NPS”?

– Best option in windows environment

– Easy to deploy on Windows, ...

– Easy link to AD


W2012 R2 with NPS

Server set-up:
– Windows 2012 server R2 with NPS

– Valid server certificate


Hierarchy

(Diagram: the Belgian Top-Level AS (“Federation”) sits above the authentication servers (AS) of belnet.be and ta.belnet.be (“Institution”).)

Demo environment: Components overview

(Diagram: WAP + CTRL – RADIUS (Windows NPS) – Identity server (AD) – Belnet Radius)

Radius server installation (same components)

Radius server installation: Configuring RADIUS client (wlan controller)

(Diagram: WAP + CTRL – RADIUS – LDAP/AD – Belnet Radius)

Radius server installation: Configuring the remote RADIUS

W2012 R2 with NPS – Server set-up (screenshots)

Radius server installation: Configuring proxy RADIUS

W2012 R2 with NPS – Server set-up (screenshots)

Radius server installation: Link with LDAP

W2012 R2 with NPS – Server set-up (screenshots)

Radius server installation: Configuring top level RADIUS

Registration @ Belnet

govroam web-interface
– Facilitate the configuration of your govroam parameters
  • RADIUS servers
  • Shared secrets
  • Test accounts

Authentication Flow 1: local – local

A user from local institution ta.belnet.be will send an access request to the local “govroamtest” WLAN. VLAN access depends on USER login.

(Diagram: user@ta.belnet.be -> wlan-ctrl (SSID = “govroamtest”) -> ta.belnet.be NPS + AD; Belgian Top-Level Radius: roaming1.belnet.be / roaming2.belnet.be)

Authentication Flow 2: remote – local

A remote user from Belnet will send an access request to the local “govroamtest” WLAN.

(Diagram: user@belnet.be -> wlan-ctrl (SSID = “govroamtest”) -> ta.belnet.be Radius -> Belgian Top-Level Radius (roaming1.belnet.be / roaming2.belnet.be) -> radius.belnet.be / ldap.belnet.be)

Authentication Flow 3: local – remote

A local user from institution ta.belnet.be will send an access request to the remote Belnet “govroam” WLAN.

(Diagram: user@ta.belnet.be -> wlan-ctrl (SSID = “govroam”, at Belnet: Ldap belnet.be) -> Belgian Top-Level Radius (roaming1.belnet.be / roaming2.belnet.be) -> ta.belnet.be RADIUS + LDAP)

Conclusion


Technical Framework

Demo

Belnet is there to help you

Q&A


What do you think?


Are you ready to join?

What would you need more to start?

Final roundtable

Thank you

Use case


To be added