joint research activity 5 task force mobility
play

Joint Research Activity 5 Task Force Mobility Network - PowerPoint PPT Presentation

Aug 02, 2023 •162 likes •459 views

Joint Research Activity 5 Task Force Mobility Network authentication with IEEE 802.1X Network Roaming with eduroam Stefan Winter <stefan.winter@restena.lu> TREFpunkt 13, rebro, Sweden 12 Oct 2005 1 Rseau Tlinformatique de

  1. Joint Research Activity 5 Task Force Mobility Network authentication with IEEE 802.1X Network Roaming with eduroam Stefan Winter <stefan.winter@restena.lu> TREFpunkt 13, Örebro, Sweden 12 Oct 2005 1 Réseau Téléinformatique de l'Education Nationale et de la Recherche

  2. Overview ➢ IEEE 802.1X ➢ Differences to other network admission techniques ➢ Message flow in IEEE 802.1X ➢ Communication on first hop: EAP ➢ Further communication: RADIUS (et al.) ➢ End-to-end security ➢ NAS-side: configuration examples ➢ Client-side: supplicant overview ➢ eduroam ➢ RADIUS hierarchies (general) ➢ The eduroam hierarchy ➢ Policies, Participants ➢ Future development (TF-Mobility and JRA5) ➢ How to join 2 Réseau Téléinformatique de l'Education Nationale et de la Recherche

  3. IEEE 802.1X Overview / Differences to other techniques ➢ VPN uses ISO/OSI layer 4 ... (higher layers) (encapsulates payload in 4 Transport UDP or TCP packets) 3 Network ➢ Web-redirection uses layer Link 2 3 (after authentication, IP Physical 1 address gets unrestricted access) ➢ IEEE 802.1X Goals: ➢ LAN admission control on ISO/OSI layer 2 – no IP traffic involved ➢ End-to-end security between user device and authentication server ➢ Does not enforce a particular authentication mechanism ➢ Can impose constraints after authentication and thus provide different service levels on per-user basis 3 Réseau Téléinformatique de l'Education Nationale et de la Recherche

  4. performs IEEE 802.1X authentication the “big picture” insists on authentication grants access when ok wants access to internet authentication credentials travel end-to-end internet 4 Réseau Téléinformatique de l'Education Nationale et de la Recherche

  5. IEEE 802.1X Message flow ➢ The standard denotes three roles for devices: ➢ Supplicant : the end-user device that wants to enter the network ➢ Authenticator : the device to which the supplicant is directly connected (Switch, Router or Access Point) ➢ Authentication Server : device that can verify the authenticity of the user and/or his supplicant EAP RADIUS ( supplicant ) ( authenticator ) (authentication server) 5 Réseau Téléinformatique de l'Education Nationale et de la Recherche

  6. IEEE 802.1X Communication at first hop: EAP ➢ EAP (Extensible Authentication Protocol) is a container protocol that can carry arbitrary authentication protocols (most well-known for its use in PPP) ➢ Supplicant can encapsulate his desired protocol in EAP and send the auth data to the authenticator ➢ Data is sent directly on layer 2; therefore, the term EAPoL (EAP over LAN) is used ➢ Authentication will only succeed if authentication method is accepted by authentication server(!) ➢ When using an auth protocol that encrypts user data, content is opaque to authenticator ➢ Q: how does authenticator know of success? 6 Réseau Téléinformatique de l'Education Nationale et de la Recherche

  7. IEEE 802.1X Communication at first hop: EAP (2) ➢ A: gets meta-info from authentication server t r a t S - L o P A E E ( authenticator ) A P o L d a e t a n ( supplicant ) c a p s u l a t e d E A P o L d a t a (authentication server) d e t a u l s p a c n e a t a d L o P A s s E e c c u o S - f L n o - i P A a t E e m + ] y e K - L o P A E [ [ ] Derive keys for dynamic encryption 7 Réseau Téléinformatique de l'Education Nationale et de la Recherche

  8. IEEE 802.1X Communication behind authenticator ➢ Authenticator is part of network infrastructure, has IP address ➢ Can transfer EAP payload in other protocols to authentication server at arbitrary place ➢ Protocols suited for that purpose: ➢ TACACS+ (Cisco, deprecated) ➢ Diameter (in development) ➢ RADIUS (most commonly used) ➢ server to use must be configured in authenticator (examples for IOS follow) ➢ authentication server evaluates encapsulated EAP payload -or- delegates decision to other authentication servers ➢ Delegation done via “routing hints” as part of user names (this is where eduroam comes in) 8 Réseau Téléinformatique de l'Education Nationale et de la Recherche

  9. IEEE 802.1X Communication behind authenticator - RADIUS ➢ Connection between authenticator and authentication server based on IP address + shared secret (a static trust relationship) ➢ RADIUS authentication server validates identity (note: it can easily re-use existing user databases like LDAP, AD, SQL databases, even plain text files) ➢ Upon successful authentication, a RADIUS packet “Access-Accept” is sent, which can be seen by authenticator ➢ This packet may contain further information: maximum session time, VLAN for the user, bandwidth restrictions etc. ➢ Authenticator evaluates this packet, sets connection parameters and sends the EAP success message to the supplicant 9 Réseau Téléinformatique de l'Education Nationale et de la Recherche

  10. IEEE 802.1X Protocols within EAP ➢ Common protocols within EAP: ➢ EAP-TLS: both supplicant and server validate their identity with certificates ➢ EAP-TTLS: server presents certificate, establishes TLS tunnel → supplicant uses username+password (PAP) ➢ PEAP-MSCHAPv2: similar to EAP-TTLS, but additionally encrypts username+password ➢ These protocols provide mutual authentication RADIUS server User Server for university.se authentication authentication tunnel using strong cryptography john.doe@university.se 10 Réseau Téléinformatique de l'Education Nationale et de la Recherche

  11. IEEE 802.1X Protocols within EAP ➢ TLS and TTLS support more privacy for the user: outer vs. inner identity RADIUS packet User-Name = anonymous@dep1.uni.au EAP payload User-Name = han.solo@dep1.uni.au Password = falcon ➢ By checking server certificate, the supplicant can verify to whom he is going to send his credentials ➢ “checking” in this sense means that both the certificate must be valid and the Common Name is really the expected one ➢ This requires either well-educated users for proper client configuration or means of enforcing the right configuration 11 Réseau Téléinformatique de l'Education Nationale et de la Recherche

  12. IEEE 802.1X End-to-end security ➢ Encapsulating EAP in RADIUS in conjunction with TLS ensures that no intermediate hop can look into traffic ➢ Supplicant needs to verify the last hop (authentication server): ➢ Is server certificate valid? ➢ Is it derived from the root CA in charge? ➢ Consult an (offline copy of) CRLs? ➢ Is the server name (CN) the expected one? (this needs to be user-configured unlike in HTTPS...) ➢ Users need to be well educated to configure their supplicant software properly ➢ A possible future: provide a “branded” client that has fixed settings, so users can connect easily 12 Réseau Téléinformatique de l'Education Nationale et de la Recherche

  13. IEEE 802.1X NAS-side configuration aaa new-model ! aaa group server radius rad_eap server 1.2.3.4 auth-port 1812 acct-port 1813 aaa authentication login eap_methods group rad_eap ! radius-server host 1.2.3.4 auth-port 1812 acct-port 1813 key 7 1234....7890 ! dot11 ssid eduroam vlan 12345 authentication open eap eap_methods authentication network-eap eap_methods accounting default guest-mode ! interface Dot11Radio0 encryption vlan 12345 mode ciphers wep128 ssid eduroam 13 Réseau Téléinformatique de l'Education Nationale et de la Recherche

  14. IEEE 802.1X Client side: supplicant overview 14 Réseau Téléinformatique de l'Education Nationale et de la Recherche

  15. IEEE 802.1X Client side: supplicant overview (2) ➢ SecureW2 (Windows) ➢ Separates outer and inner identity, features pre- distributed profiles for easier configuration) ➢ ➢ ➢ MacOS has a built-in supplicant as well (no screenshots, sorry) ➢ Command-line applications: ➢ Xsupplicant (Linux) ➢ wpa_supplicant (Linux, Windows) ➢ Commercial supplicants available as well (Example: Funk Odyssey) 15 Réseau Téléinformatique de l'Education Nationale et de la Recherche

  16. IEEE 802.1X Resources ➢ The standard: http://standards.ieee.org/getieee802/download/802.1X-2004.pdf ➢ Supplicants: ➢ SecureW2: http://www.securew2.com./ ➢ XSupplicant: http://www.open1x.org./ ➢ wpa_supplicant: http://hostap.epitest.fi/wpa_supplicant./ ➢ Funk Odyssey: http://www.funk.com/radius/wlan/wlan_c_radius.asp ➢ RADIUS servers: ➢ FreeRADIUS (Open Source): http://www.freeradius.org. ➢ Radiator (commercial product): http://www.open.com.au./radiator/index.html 16 Réseau Téléinformatique de l'Education Nationale et de la Recherche

  17. eduroam The “big picture” ➢ Researchers all across Europe (ideally: the world) should be able to use each other's networks ➢ Currently realised with a hierarchy of RADIUS servers for distributed authentication 17 Réseau Téléinformatique de l'Education Nationale et de la Recherche

  18. eduroam The current RADIUS hierarchy global root .de .lu .nl .au . ... org1.lu org2.lu uni.au dep1.uni.au dep2.uni.au authenticator1 authenticator2 han.solo@dep1.uni.au 18 Réseau Téléinformatique de l'Education Nationale et de la Recherche

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Joint Task Force on Joint Task Force on Strategic Oversight Strategic Oversight Final Report

Joint Task Force on Joint Task Force on Strategic Oversight Strategic Oversight Final Report

Joint Task Force on Joint Task Force on Strategic Oversight Strategic Oversight Final Report Final Report May 5, 2016 May 5, 2016 JTFSO Membership Carol Barr, Vice Provost for Undergraduate and Con7nuing Educa7on Sonan Barre;, President

488 views • 12 slides
VISD Designing Our Future DECEMBER 3, 2019 JOINT TASK FORCE AGENDA What (Content) How

VISD Designing Our Future DECEMBER 3, 2019 JOINT TASK FORCE AGENDA What (Content) How

VISD Designing Our Future DECEMBER 3, 2019 JOINT TASK FORCE AGENDA What (Content) How (Process) Who Time Joint Task Force Overview Welcome, Agenda, House Rules, Charge Dr. Susanne Carroll 4:00-4:10 Influence of the Task Force Work

495 views • 46 slides
Moving to Our Future: Pricing Options for Equitable Mobility Task Force Meeting #2 February 10,

Moving to Our Future: Pricing Options for Equitable Mobility Task Force Meeting #2 February 10,

Moving to Our Future: Pricing Options for Equitable Mobility Task Force Meeting #2 February 10, 2020 Agenda Time Agenda item 6:00 p.m. Welcome and opening remarks 6:05 p.m. Public comment 6:20 p.m. Task Force Charter, Working Agreement

667 views • 38 slides
Moving to Our Future: Pricing Options for Equitable Mobility Task Force Meeting #6 July 13, 2020

Moving to Our Future: Pricing Options for Equitable Mobility Task Force Meeting #6 July 13, 2020

Moving to Our Future: Pricing Options for Equitable Mobility Task Force Meeting #6 July 13, 2020 Zoom orientation Tonight, we're using a new Zoom format! General guidelines for Task Force members: Mute when you're not speaking Hold

829 views • 52 slides
Undergraduate Research Task Force Enhancing the undergraduate experience through research and

Undergraduate Research Task Force Enhancing the undergraduate experience through research and

Undergraduate Research Task Force Enhancing the undergraduate experience through research and creative endeavors Peter K. Dorhout, Dean Chair, UGRTF September, 2012 Undergraduate Research Task Force Report Membership David Andrus,

336 views • 16 slides
Exploration Task Force meeting Task Force Purpose Statement Maintaining UKCS Exploration and

Exploration Task Force meeting Task Force Purpose Statement Maintaining UKCS Exploration and

Q1 2020 Exploration Task Force meeting Task Force Purpose Statement Maintaining UKCS Exploration and Appraisal activity, making the most of the UKs own energy resources in support of the transition towards a net zero carbon future and

801 views • 54 slides
Promoting Functional Mobility Independence and Activity in Mobility Older Adults Activity

Promoting Functional Mobility Independence and Activity in Mobility Older Adults Activity

Promoting Functional Mobility Independence and Activity in Mobility Older Adults Activity Function Falls Individual Anna H. Chodos, MD, MPH Assistant Professor Function Activity Division of Geriatrics UCSF Mobility Mobility is

453 views • 18 slides
ODOT Road User Fee Task Force April 12, 2019 Mobility Solutions Rhyan Schaub, Director, Fare

ODOT Road User Fee Task Force April 12, 2019 Mobility Solutions Rhyan Schaub, Director, Fare

ODOT Road User Fee Task Force April 12, 2019 Mobility Solutions Rhyan Schaub, Director, Fare Revenue &amp; Administrative Services Bibiana McHugh, Manager, Mobility &amp; Location-Based Services 1 Mobility Solutions Putting Customers

386 views • 19 slides
Zero Traffic Fatalities Task Force Workshop #3 October 22, 2019 10:00 am 4:00 pm Task

Zero Traffic Fatalities Task Force Workshop #3 October 22, 2019 10:00 am 4:00 pm Task

Zero Traffic Fatalities Task Force Workshop #3 October 22, 2019 10:00 am 4:00 pm Task Force Introductions Name Organization Welcome Elissa Konove CalSTA Undersecretary and Task Force Chair Progr gres ess to Da Date e Task Force

580 views • 38 slides
Animal Task Force General introduction The Animal Task Force (since 2011) A European

Animal Task Force General introduction The Animal Task Force (since 2011) A European

Animal Task Force General introduction The Animal Task Force (since 2011) A European Public-Private Platform (PPP): research, farmers &amp; industries organizations Promoting a sustainable and competitive animal production sector in

316 views • 16 slides
Task Force Student Mobility Members: Ana Isabel Ferreira (Portugal) Grald Zimmermann (Basel)

Task Force Student Mobility Members: Ana Isabel Ferreira (Portugal) Grald Zimmermann (Basel)

Task Force Student Mobility Members: Ana Isabel Ferreira (Portugal) Grald Zimmermann (Basel) Anika Odenbach (Germany) Rita Vienazindiene (Vilnius) Marleen van der Ven (Utrecht) Petra Rabitsch (Graz) Sandra Rebel (Strasbourg) Anglique

331 views • 6 slides
Bond Task Force Draft Bond Task Force Recommendations Tuesday, February 27 , 2018 Bond Task

Bond Task Force Draft Bond Task Force Recommendations Tuesday, February 27 , 2018 Bond Task

Bond Task Force Draft Bond Task Force Recommendations Tuesday, February 27 , 2018 Bond Task Force Bond Task Force Background Bond Task Force Background: Why the Task Force was formed Ferndale School District putting a facilities bond

574 views • 25 slides
Welcome Task Force Meeting #5 Government in the Sunshine Law - Video Task Force Meeting #5

Welcome Task Force Meeting #5 Government in the Sunshine Law - Video Task Force Meeting #5

Welcome Task Force Meeting #5 Government in the Sunshine Law - Video Task Force Meeting #5 Corridor Utility Needs and Opportunities Panel Discussion Task Force Meeting #5 Floridas Safety Depends On You! FDOTs MISSION The FDOT

906 views • 66 slides
Denver Moves: Transit Task Force Meeting #7 August 3, 2017 1. Welcome &amp; Introductions

Denver Moves: Transit Task Force Meeting #7 August 3, 2017 1. Welcome &amp; Introductions

Insert transit picture Denver Moves: Transit Task Force Meeting #7 August 3, 2017 1. Welcome &amp; Introductions Opening remarks and housekeeping Task Force and audience introductions Denvers Mobility Action Plan Upcoming

883 views • 76 slides
Mobility Data Solutions AV Task Force: Subcommittee on Land Use ABOUT Our vision is to empower

Mobility Data Solutions AV Task Force: Subcommittee on Land Use ABOUT Our vision is to empower

Mobility Data Solutions AV Task Force: Subcommittee on Land Use ABOUT Our vision is to empower cities to manage all aspects of transportation and create equitable, safe, and accessible outcomes. ABOUT We help cities plan and manage their

137 views • 12 slides
Joint Task Force on Resource Allocation Co-chairs: Elizabeth Chilton (Assoc. Vice Chancellor for

Joint Task Force on Resource Allocation Co-chairs: Elizabeth Chilton (Assoc. Vice Chancellor for

Joint Task Force on Resource Allocation Co-chairs: Elizabeth Chilton (Assoc. Vice Chancellor for Research &amp; Engagement); Jennifer Normanly (Department Head, Biochemistry and Molecular Biology) Final Report and Recommendations May 5,

563 views • 7 slides
Dynamical boundaries in a variety of mechanical systems ShaneD.Ross

Dynamical boundaries in a variety of mechanical systems ShaneD.Ross

Dynamical boundaries in a variety of mechanical systems ShaneD.Ross EngineeringScienceandMechanics,VirginiaTech VirginiaTechWakeForestUniv.SchoolofBiomedicalEng.andSciences

814 views • 78 slides
Contact Stresses and Deformations ME EN 7960 Precision Machine Design Topic 7 ME EN 7960

Contact Stresses and Deformations ME EN 7960 Precision Machine Design Topic 7 ME EN 7960

Contact Stresses and Deformations ME EN 7960 Precision Machine Design Topic 7 ME EN 7960 Precision Machine Design Contact Stresses and Deformations 7-1 Curved Surfaces in Contact The theoretical contact area of two spheres is a

209 views • 10 slides
15-780: Grad AI Lecture 15: Planning Geoff Gordon (this lecture) Tuomas Sandholm TAs Erik

15-780: Grad AI Lecture 15: Planning Geoff Gordon (this lecture) Tuomas Sandholm TAs Erik

15-780: Grad AI Lecture 15: Planning Geoff Gordon (this lecture) Tuomas Sandholm TAs Erik Zawadzki, Abe Othman Review Planning algorithms reduce to FOL (complications) or use subset of FOL (e.g., STRIPS) linear planner: add op to

1.17k views • 105 slides
Skeletons CSE169: Computer Animation Instructor: Steve Rotenberg UCSD, Winter 2019 Matrix

Skeletons CSE169: Computer Animation Instructor: Steve Rotenberg UCSD, Winter 2019 Matrix

Skeletons CSE169: Computer Animation Instructor: Steve Rotenberg UCSD, Winter 2019 Matrix Review Coordinate Systems Right handed coordinate system y x z 3D Models Lets say we have a 3D model that has an array of position vectors

1.01k views • 82 slides
TYPHOON ASSEMBLY AND INSTALLATION INSTRUCTIONS CORPORATE HEADQUARTERS WESTERN SALES AND

TYPHOON ASSEMBLY AND INSTALLATION INSTRUCTIONS CORPORATE HEADQUARTERS WESTERN SALES AND

TYPHOON ASSEMBLY AND INSTALLATION INSTRUCTIONS CORPORATE HEADQUARTERS WESTERN SALES AND MANUFACTURING PLANT P.O. Box 400 1017 SW Berg Parkway Canby, Oregon 97013 Phone: (503) 266-2231 Fax: (503) 266-4334

196 views • 15 slides
Sensor Data Sharing System for Global IP-USN Eui-Nam Huh, PhD Dept. of Computer Engineering

Sensor Data Sharing System for Global IP-USN Eui-Nam Huh, PhD Dept. of Computer Engineering

Sensor Data Sharing System for Global IP-USN Eui-Nam Huh, PhD Dept. of Computer Engineering Kyung Hee University Korea 2 Background(1/2) 21 Century IT : Revolution of Object to Object Intelligent Network The Internet of

1.22k views • 33 slides
Scriptable Asynchronous Multi-Copy Algorithms in NAMD via Charm++ Partitions James Phillips

Scriptable Asynchronous Multi-Copy Algorithms in NAMD via Charm++ Partitions James Phillips

Scriptable Asynchronous Multi-Copy Algorithms in NAMD via Charm++ Partitions James Phillips Beckman Institute, University of Illinois http://www.ks.uiuc.edu/Research/namd/ Biomedical Technology Research Center for Macromolecular Modeling and

482 views • 33 slides
Disclosures for All paroxysmal AF Ablation? E Gerstenfeld MD Edward P Gerstenfeld MD

Disclosures for All paroxysmal AF Ablation? E Gerstenfeld MD Edward P Gerstenfeld MD

9/7/2012 Should Balloon Technologies be Used Disclosures for All paroxysmal AF Ablation? E Gerstenfeld MD Edward P Gerstenfeld MD Associate Professor of Medicine Research grant, honoraria: St Jude Medical University of California,

144 views • 11 slides

More recommend