802.11 Roaming and Shared Use Access Points - PowerPoint PPT Presentation

Description:

Enables rapid deployment of IEEE 802.11 technology in hotels, airports, malls ... Multiple wireless ISPs often also want to serve airport customers ...

Slides: 34
Provided by: timm183

Transcript and Presenter's Notes

1
802.11 Roaming and Shared Use Access Points
  • Warren Barkley
  • Tim Moore
  • Bernard Aboba
  • Microsoft

2
Outline
  • What is wireless roaming?
  • The IETF roaming architecture
  • IEEE 802.1X and roaming
  • Roaming models
  • Shared use APs

3
What Is Wireless Roaming?
  • Definition
    - The ability to use many wireless Internet Service Providers while maintaining a business relationship with only one
  • Requirements
    - 802.1X-enabled client with 802.11 wireless card
    - Roaming-capable authentication proxy and server
  • Roaming architecture developed in IETF ROAMOPS WG
    - RFC 2194, Roaming Implementations Review
    - RFC 2477, Roaming Evaluation Criteria
    - RFC 2486, Network Access Identifier
    - RFC 2607, Proxies and Policy Implementation

4
Wireless Global Roaming
(Diagram: 802.11 and 802.1X enabled hotels and malls providing global access to 802.11 wireless connectivity.)
  • Simple, Automatic Detection of 802.11 Connectivity
  • Global login with corporate or ISP userIDs

5
Benefits of Wireless Roaming to the WISP
  • Increased sales
    - Increased attach rate of consumer services
    - Partner relations with enterprise
  • Reduction in costs
    - Elimination of redundant infrastructure buildouts
    - Reduced marketing costs
    - Simple administration, server management tools
    - Reduced size of client store
    - Compensation for client support burden
  • Improved collection and billing
    - Simplified account management
    - Improved collections and cash flow
    - Corporate clientele, automated payment

6
Benefits of Wireless Roaming to the User
  • Ubiquitous 802.11 wireless support
    - Enables rapid deployment of IEEE 802.11 technology in hotels, airports, malls
    - Users can obtain wireless access using their existing accounts
  • Simplicity
    - Automatic detection of wireless connectivity via media sense
    - Auto-detection of 802.11 SSID
    - Pre-configure userID/password pairs if desired
    - Easier to provide backup provider
    - RADIUS accounting data for auditing and chargeback
  • Reduced carrying costs
    - Leverage ISP capacity and aggregation
    - Shared support burden and ISP expertise
  • Improved flexibility
    - ISP capacity
    - Validation against RADIUS, LDAP, or ODBC back ends

7
The IETF Roaming Architecture
  • User identification
    - The Network Access Identifier (RFC 2486)
    - Enables users to identify their home providers (e.g. fred@bigco.com)
  • User authentication
    - Access methods supported: PPP, IEEE 802.1X, Mobile IP
    - Support for extended authentication methods via EAP (PPP, IEEE 802.1X, PIC)
  • RADIUS authentication
    - Enables local ISPs to grant access based on authentication by home RADIUS servers
    - RFC 2865, 2868, 2869, 3162
  • RADIUS accounting
    - Enables per-session usage accounting
    - RFC 2866, 2867
  • RADIUS proxy routing
    - RFC 2607
    - Enables authentication and accounting packets to be routed between the local ISP and the home server

8
Wireless Roaming
  • Access points may support multiple SSIDs
  • User sends authentication request to WISP
  • WISP routes authentication to home server
  • Single point of administration

(Diagram: remote user fred@bigco.com on a public 802.11 wireless network, served by 802.11 wireless access points AP 1, AP 2 and AP 3 advertising SSID A, B, C, etc. RADIUS from the APs goes to the ISP A RADIUS proxy, which forwards it across the Internet and carrier networks to the BIGCO home RADIUS server backed by the user directory.)

9
User Authentication and Identification
  • Users identified via the Network Access Identifier defined in RFC 2486
    - Userid of the form user@domain
    - Example: bernarda@cxn-redmond.microsoft.com
  • IEEE 802.1X enables use of NAI for identification
    - Enables user-based authentication and accounting
  • IEEE 802.1X enables EAP for authentication
    - Enables use of strong authentication: OTP, smart cards, token cards, cryptographic calculators, etc.
    - Enables WEP dynamic session keys, encryption

10
What is EAP?
  • The Extensible Authentication Protocol (RFC 2284)
    - Provides a flexible link layer security framework
  • Simple encapsulation protocol
    - No dependency on IP
    - ACK/NAK, no windowing
    - No fragmentation support
  • Few link layer assumptions
    - Can run over any link layer (PPP, 802, etc.) or even IP (PIC)
    - Does not assume physically secure link
      - Methods provide security services
    - Assumes no re-ordering
    - Can run over lossy or lossless media
      - Retransmission responsibility of authenticator (not needed for 802.1X or 802.11)
  • EAP methods based on IETF standards
    - Transport Level Security (TLS) (supported in Windows 2000)
    - Secure Remote Password (SRP)
    - GSS-API (including Kerberos)

11
EAP Architecture
(Diagram: EAP layering. Method layer: TLS, SRP, AKA/SIM. EAP layer: EAP, reached from the methods through EAP APIs. Media layer: PPP, 802.3, 802.5, 802.11, reached from EAP through NDIS APIs.)

12
What is RADIUS?
  • Remote Access Dial In User Service
    - Supports authentication, authorization, and accounting for network access
      - Physical ports (analog, ISDN, IEEE 802)
      - Virtual ports (tunnels, wireless)
    - Allows centralized administration and accounting
  • IETF status
    - Proposed standard
      - RFC 2865, RADIUS authentication/authorization
      - RFC 2618, 2619, RADIUS Authentication Client/Server MIBs
      - RFC 3162, RADIUS for IPv6
    - Informational
      - RFC 2620, 2621, RADIUS Accounting Client/Server MIBs
      - RFC 2866, RADIUS accounting
      - RFC 2867-8, RADIUS Tunneling support
      - RFC 2869, RADIUS extensions

13
802.1X Topologies
(Diagram: 802.1X topologies. On the semi-public network / enterprise edge, a supplicant PAE, or a non-802.1X supplicant behind EtherCPE, speaks EAP over LAN (EAPOL) or EAP over Wireless (EAPOW) to the authenticator PAE, an EtherNAS such as an access point or bridge; the authenticator carries EAP over RADIUS to the authentication server in the enterprise or ISP network.)

14
IEEE 802.1X Conversation
(Diagram: a laptop computer exchanges EAPOL over Ethernet with a switch, which exchanges RADIUS with the RADIUS server.)

15
802.1X On 802.11
(Diagram: a laptop computer associates with a wireless access point over 802.11 (802.11 Associate-Response) and then exchanges EAPOW with it; the access point exchanges RADIUS over Ethernet with the RADIUS server.)

16
RADIUS Proxy Usage
  • RADIUS proxies used to route authentication and accounting requests back and forth to home servers
  • Proxies ease shared secret management
    - One shared secret between AP and RADIUS proxy
    - One shared secret between RADIUS proxy and each home server
    - No need for shared secrets between each AP and each home server
    - No need for per ESSID RADIUS shared secrets

17
RADIUS Proxy Routing
  • Routing alternatives
    - Routing by SSID attribute
      - Example: all Access-Requests and Responses with SSID = Provider A are routed to Provider A's proxy
    - Routing by User-Name attribute and NAI
      - User-Name = user@domain; domain used for routing
  • Manual proxy configuration
    - Routing handled via static routes
    - SSID or domain routes manually configured on proxy
    - Manually configured shared secrets
  • Dynamic configuration also possible
    - If a static route is not available, SRV records can be used to locate the RADIUS server based on the home domain
      - NAI domains correspond to DNS domains as described in RFC 2486
      - No relationship between SSIDs and DNS domains
    - If no shared secret is configured, IPsec can be used to provide authentication and confidentiality on a hop-by-hop basis (RFC 3126)

18
Roaming Models
  • Bilateral relationships between WISPs
    - WISPs agree to provide access to each other's customers
    - No centralized clearing house
    - WISPs exchange lists of served domains, maintain their own routing tables
  • Roaming consortia
    - Centralized clearinghouse
    - Enables many WISPs to provide access to each other's users
    - Routing tables maintained by the clearinghouse
    - WISPs provide lists of served domains to the clearinghouse
  • Certificate-based roaming
    - Enables user authentication at the local proxy
    - Certificate hierarchy corresponds to roaming relationship path
    - Potentially simplifies roaming administration

19
Bilateral Roaming support
  • Limited SSIDs, configured manually based on
    bilateral relationships
  • First hop proxy (ISP A) routes based on SSID
  • Second hop proxy (ISP B) routes based on NAI realm

20
Roaming Consortia
  • Automated SSID config needed (many potential ISP
    B partners)
  • First hop proxy (ISP A) routes based on NAI
    realms and SSIDs
  • Second hop proxy (ISP B) routes based on NAI realm

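As an added example (not code from the presentation), the two-hop routing of slides 17, 19 and 20 in Python: a first-hop proxy routes on the SSID carried in Called-Station-Id, a second-hop proxy routes on the NAI realm, and the DNS SRV fallback is injected as a callable so the code runs offline; route tables, host names and the constructed request are assumptions.

```python
import re

# Constructed example (not from the slides) of the two-hop proxy routing
# described above: ISP A's first-hop proxy routes on the SSID carried in
# Called-Station-Id ("MAC address<SSID>", slide 31); ISP B's second-hop
# proxy routes on the realm of the RFC 2486 Network Access Identifier in
# User-Name, falling back to a DNS SRV lookup when no static route exists.
# Route tables, proxy names and the SRV callable are hypothetical.

# NAI: user part, optional '@' plus a realm of dot-separated DNS labels.
_NAI_RE = re.compile(
    r"^(?P<user>[^@\s]+)(?:@(?P<realm>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*))?$")

def parse_nai(user_name):
    """Return (user, realm); realm is None for a local (realm-less) user."""
    m = _NAI_RE.match(user_name)
    if not m:
        raise ValueError("malformed NAI: %r" % user_name)
    realm = m.group("realm")
    return m.group("user"), (realm.lower() if realm else None)

def parse_called_station_id(value):
    """Split 'MAC<SSID>' into (mac, ssid); ssid is None when absent."""
    mac, sep, rest = value.partition("<")
    if sep and not rest.endswith(">"):
        raise ValueError("unterminated SSID in Called-Station-Id")
    return mac, (rest[:-1] if sep else None)

def first_hop_route(access_request, ssid_routes):
    """ISP A proxy: next hop chosen from the SSID the STA associated with."""
    _, ssid = parse_called_station_id(access_request["Called-Station-Id"])
    return ssid_routes.get(ssid)

def second_hop_route(access_request, realm_routes, srv_lookup=None):
    """ISP B proxy: home server chosen from the NAI realm. A realm-less
    user is never forwarded; an unknown realm is resolved via srv_lookup
    (e.g. _radius._udp.<realm>) if the caller supplies one."""
    _, realm = parse_nai(access_request["User-Name"])
    if realm is None:
        return None
    if realm in realm_routes:
        return realm_routes[realm]
    return srv_lookup(realm) if srv_lookup is not None else None

# Constructed Access-Request and route tables (hypothetical hosts).
REQUEST = {"User-Name": "fred@bigco.com",
           "Called-Station-Id": "00-10-A4-23-19-C0<ProviderB>"}
SSID_ROUTES = {"ProviderA": "radius-a.example", "ProviderB": "proxy.isp-b.example"}
REALM_ROUTES = {"bigco.com": "radius.bigco.com"}
```
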
21
Certificate-Based Roaming
  • ISP A RADIUS server can authenticate fred@bigco.com from the client certificate, assuming a list of trusted roots
  • ISP A can issue its own certificates, or allow consortia to issue certs
  • No need for proxy routing
    - ISP A proxy can automate lookup and authentication of Bigco RADIUS server via DNS SRV, IPsec
  • ISP A needs to check Bigco's certificate revocation list

22
Why Are Shared Use APs Important?
  • Multiple providers are becoming the norm within airports
    - Airlines are installing 802.11 networks for use in baggage reconciliation and roving ticket counters
    - Multiple wireless ISPs often also want to serve airport customers
  • Radio interference is an issue
    - In the US and Europe 802.11b networks can support only 3 non-overlapping channels
    - In France and Japan only one channel is available
    - Once the channels are utilized by existing APs, additional APs will interfere and reduce performance
  • 802.11 deployment in public spaces is expensive
    - In this economic environment, raising capital is difficult
    - The cost of providing wireless access is inversely proportional to infrastructure utilization
    - More economical to build infrastructure and share it among multiple providers than to build overlapping infrastructure

23
Shared Use Scenarios
  • Airports
    - Same infrastructure shared by airlines and wireless ISPs
    - Separate VLANs for airline and wireless ISPs
    - Different authentication schemes may be in use
      - Wireless ISPs may use password authentication
      - Airlines may want more sophisticated authentication: token card, smart card, etc.
  • Hot Spots
    - Multiple wireless ISPs sharing infrastructure in airports, hotels, cafes
    - Different authentication schemes may be in use
      - Password-based authentication for accounts at wireless ISP
      - More sophisticated authentication for wholesale wireless access to corporations: token card, smart card, etc.
    - Separate VLANs for wireless ISPs sharing infrastructure
    - User authenticates to the home authentication server, which does not necessarily have knowledge of local network topology

24
Goals for Shared Use APs
  • Support for multiple SSIDs per AP
    - Allows wireless ISPs sharing infrastructure to each have an SSID
    - Alternative is for clients to associate to "Any"; this is problematic
    - Enterprise clients can include corporate ESSID as well as wireless ISP ESSID within their wireless preferences
  • Support for multiple VLANs per AP
    - Need to enable separation between shared network users
      - Airport VLAN will not be accessible from wireless ISPs' VLAN
    - Need to allow wireless ISPs to allocate addresses from separate address spaces
      - Addresses may be allocated by single or multiple DHCP servers
  • Roaming support
    - Need to allow end users to access wireless infrastructure at locations not operated by their home service provider

25
What is Needed for Shared Use APs?
  • Support for multiple SSIDs per AP
  • STAs use IEEE 802.1X for authentication
  • Network Access Identifier (NAI) used as userID as described in RFC 2486
    - Format is user@domain, where domain identifies the home server
  • SNMPv3 contexts used to support multiple virtual MIB instances
  • RADIUS used for authentication and accounting
    - RADIUS proxies used for roaming support as described in RFC 2607
      - RADIUS authentication and accounting packets routed between AP and Home Server by RADIUS proxies

26
802.11-1997 Use of SSID
  • SSID included as an Information Element (IE) within management frames
    - SSID may be between 0 and 32 octets
    - Zero length SSID indicates the broadcast SSID
  • Management frames including the SSID IE
    - Beacon
    - Probe Request
    - Probe Response
    - Association and Reassociation Request frames
  • Usage model
    - Passive scanning
      - STA discovers a single SSID IE within the Beacon
    - Active scanning
      - STA queries for each known SSID via Probe Request/Response
      - Enables STA to discover multiple SSIDs per AP
    - STA associates or reassociates with an AP
      - STA can only be associated with one AP at a time
      - Association and Reassociation Request frames contain a single SSID IE

27
Supporting Multiple SSIDs Per AP
  • Passive scanning
    - Can only discover a single SSID per AP
    - Multiple SSIDs in Beacon not explicitly prohibited by 802.11-1997
    - However, existing 802.11 NICs typically cannot handle multiple SSID information elements in a Beacon or Probe Response
    - Result: only a single SSID can be included in the Beacon and be discovered by the STA in passive scanning
  • Active scanning
    - Can discover multiple SSIDs per AP
      - STA sends a Probe Request for each SSID it knows about
      - AP replies with Probe Response if the SSID is supported
      - Enables STA to discover multiple SSIDs per AP
    - Parameters included in Probe Response can be different for each SSID
      - Enables different capabilities, rates to be advertised for each SSID
    - Approach does not scale well for STAs with many known SSIDs
  • Association and Reassociation Requests contain only a single SSID Information Element
    - STAs choose the SSID they want to associate with, based on SSIDs discovered via passive and active scanning
    - STA can only be associated with a single AP (and SSID) at a time

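An added example, not from the presentation: a parser for the SSID information element described on slides 26 and 27, plus the Probe Request handling of a multi-SSID AP; the frame bytes and SSID names are constructed, and answering a broadcast probe with the single beaconed SSID is an assumption of this example.

```python
# Constructed example (not from the slides): parse the SSID information
# element of an 802.11 management frame body and model the active-scanning
# behaviour of an AP supporting several SSIDs. IE layout (element ID 0,
# length 0-32, zero length = broadcast SSID) follows 802.11-1997.
SSID_IE_TAG, MAX_SSID_LEN = 0, 32

def parse_ies(body):
    """Yield (tag, value) pairs; a truncated element raises ValueError."""
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated IE header")
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("IE length exceeds frame body")
        yield tag, value
        i += 2 + length

def ssids_in_frame(body):
    """All SSID IEs in the body as bytes; b'' is the broadcast SSID."""
    found = []
    for tag, value in parse_ies(body):
        if tag == SSID_IE_TAG:
            if len(value) > MAX_SSID_LEN:
                raise ValueError("SSID longer than 32 octets")
            found.append(value)
    return found

def build_ssid_ie(ssid):
    """Encode one SSID IE; rejects SSIDs over 32 octets."""
    raw = ssid.encode("utf-8")
    if len(raw) > MAX_SSID_LEN:
        raise ValueError("SSID longer than 32 octets")
    return bytes([SSID_IE_TAG, len(raw)]) + raw

def probe_response_ssid(probe_request_body, supported_ssids, beacon_ssid):
    """SSID a multi-SSID AP answers with: a supported SSID is echoed, a
    broadcast probe gets the beaconed SSID (assumption), else None."""
    requested = ssids_in_frame(probe_request_body)
    if len(requested) != 1:          # a Probe Request carries one SSID IE
        return None
    if requested[0] == b"":
        return beacon_ssid
    name = requested[0].decode("utf-8", "replace")
    return name if name in supported_ssids else None

# Constructed frame bodies: SSID IE followed by a Supported Rates IE (ID 1).
RATES_IE = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
PROBE_FOR_B = build_ssid_ie("ProviderB") + RATES_IE
BROADCAST_PROBE = build_ssid_ie("") + RATES_IE
```
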
28
Beacon Frame Format
(Figure: Beacon frame format; not reproduced in the transcript.)

29
Probe Response Frame Format
(Figure: Probe Response frame format; not reproduced in the transcript.)

30
VLAN Usage
  • Static VLANs
    - APs manually configured to map SSIDs to VLANs
    - STAs indicate SSID in Association or Reassociation Request
    - APs tag packets with VLAN corresponding to SSID
  • Dynamic VLANs
    - AP includes SSID attribute in Access-Request
    - RADIUS server includes VLAN-Profile, SSID attribute in Access-Accept
    - APs map VLAN-Profile string to VLANID
    - Alternative: RADIUS server can include VLANID attribute in Access-Accept
      - Unlikely in shared use networks, since server will typically not know network topology

31
RADIUS Attributes for Shared Use APs
  • SSID included in Called-Station-Id attribute
    - Provides information on the SSID that the STA associated with
    - SSID is a string with length 2-34 octets
    - Called-Station-Id is a string of the form MAC Address<SSID>
    - Included in Access-Request, Access-Response, and Accounting-Request
  • VLAN Profile (optional, best done as a VSA)
    - String with length <253
    - Included in Access-Accept and Accounting-Request
    - Needed in situations where RADIUS server does not know the network topology of the shared use network, cannot supply the correct VLANID
      - However, RADIUS server can know that the Provider A VLAN is to be used.

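An added example, not from the presentation, of the AP side of slides 30 and 31: building Called-Station-Id in the MAC Address<SSID> form and mapping a VLAN-Profile from Access-Accept (or the static SSID table) to a local VLAN ID; the MAC, VLAN IDs and profile names are constructed, and refusing an unknown profile or ignoring a bare VLANID is this example's own policy.

```python
# Constructed example (not from the slides): how an AP in a shared use
# network forms Called-Station-Id for its Access-Request (slide 31 format,
# "MAC address<SSID>") and picks the VLAN for a session either from a
# static SSID->VLAN map or from the VLAN-Profile string in Access-Accept
# (slide 30). Names, VLAN IDs and the profile table are hypothetical; the
# policy of ignoring a raw VLANID from the home server is this example's.

VLAN_PROFILE_MAX = 253   # slide 31: VLAN Profile string length < 253

def called_station_id(ap_mac, ssid):
    """Slide 31 form: AP MAC address followed by <SSID> (SSID 1-32 octets)."""
    if not 0 < len(ssid.encode("utf-8")) <= 32:
        raise ValueError("SSID must be 1-32 octets")
    return "%s<%s>" % (ap_mac, ssid)

def build_access_request(user_name, ap_mac, ssid):
    """Attributes the AP sends for a STA that associated with `ssid`."""
    return {"User-Name": user_name,
            "Called-Station-Id": called_station_id(ap_mac, ssid)}

class SharedUseAP:
    def __init__(self, static_vlans, profile_vlans):
        self.static_vlans = static_vlans    # SSID -> VLAN ID (static VLANs)
        self.profile_vlans = profile_vlans  # VLAN-Profile -> VLAN ID (dynamic)

    def vlan_for_session(self, ssid, access_accept):
        """VLAN ID to tag this STA's frames with.

        A VLAN-Profile from the home server wins, but only if this AP knows
        the profile (the server does not know local topology, so it names a
        profile, not a VLAN ID). A bare VLANID attribute is ignored for the
        same reason. Otherwise the static SSID mapping applies."""
        profile = access_accept.get("VLAN-Profile")
        if profile is not None:
            if len(profile) >= VLAN_PROFILE_MAX:
                raise ValueError("VLAN-Profile too long")
            if profile not in self.profile_vlans:
                raise LookupError("unknown VLAN-Profile %r" % profile)
            return self.profile_vlans[profile]
        if ssid not in self.static_vlans:
            raise LookupError("no VLAN configured for SSID %r" % ssid)
        return self.static_vlans[ssid]

# Constructed AP configuration: airline and ISP traffic on separate VLANs.
AP = SharedUseAP(static_vlans={"AirlineOps": 20, "ProviderA": 10},
                 profile_vlans={"Airline": 20, "ProviderA-VLAN": 10})
```
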
32
SNMP in Shared Use Networks
  • Multiple providers may want access to MIB information
    - Diagnostic information in IEEE 802.1X MIB
    - Accounting information in IEEE 802.1X MIB
      - In SNMP accounting, reliability is determined by the manager (accounting server), whereas in RADIUS, reliability is determined by the RADIUS client (AP)
  • Deployed approaches
    - SNMP proxy
      - Individual providers query the proxy
      - SNMP use in shared use networks discussed in RFC 2975
    - Domain as index
      - Domain used as an index within tables
      - Can be supported in any version of SNMP
      - Requires support within the MIB; not supported in 802.11 or 802.1X MIBs
    - Contexts
      - Enables maintenance of separate virtual tables for each context
      - SNMPv3 contextName used to distinguish virtual instances
      - Requires SNMPv3 support
      - Requires support within the SNMPv3 agent
      - Recommended approach for support of virtual tables per ESSID

33
Feedback?