Title: 802.11 Roaming and Shared Use Access Points
1. 802.11 Roaming and Shared Use Access Points
- Warren Barkley
- Tim Moore
- Bernard Aboba
- Microsoft
2. Outline
- What is wireless roaming?
- The IETF roaming architecture
- IEEE 802.1X and roaming
- Roaming models
- Shared use APs
3. What Is Wireless Roaming?
- Definition
  - The ability to use many wireless Internet Service Providers while maintaining a business relationship with only one
- Requirements
  - 802.1X-enabled client with 802.11 wireless card
  - Roaming-capable authentication proxy and server
- Roaming architecture developed in IETF ROAMOPS WG
  - RFC 2194, Roaming Implementations Review
  - RFC 2477, Roaming Evaluation Criteria
  - RFC 2486, Network Access Identifier
  - RFC 2607, Proxies and Policy Implementation
4. Wireless Global Roaming
- 802.11 and 802.1X Enabled Hotels
- Global Access to 802.11 Wireless Connectivity
- 802.11 and 802.1X Enabled Hotels and Malls
- Simple, Automatic Detection of 802.11 Connectivity
- Global login with corporate or ISP userIDs
5. Benefits of Wireless Roaming to the WISP
- Increased sales
  - Increased attach rate of consumer services
  - Partner relations with enterprise
- Reduction in costs
  - Elimination of redundant infrastructure buildouts
  - Reduced marketing costs
  - Simple administration, server mgmt. tools
- Improved collection and billing
  - Reduced size of client store
  - Compensation for client support burden
  - Simplified account management
  - Improved collections and cash flow
  - Corporate clientele, automated pmt
6. Benefits of Wireless Roaming to the User
- Ubiquitous 802.11 wireless support
  - Enables rapid deployment of IEEE 802.11 technology in hotels, airports, malls
  - Users can obtain wireless access using their existing accounts
- Simplicity
  - Automatic detection of wireless connectivity via media sense
  - Auto-detection of 802.11 SSID
  - Pre-configure userID/password pairs if desired
  - Easier to provide backup provider
  - RADIUS accounting data for auditing and chargeback
- Reduced carrying costs
  - Leverage ISP capacity and aggregation
  - Shared support burden and ISP expertise
- Improved flexibility
  - ISP capacity
  - Validation against RADIUS, LDAP, or ODBC back ends
7. The IETF Roaming Architecture
- User identification
  - The Network Access Identifier (RFC 2486)
  - Enables users to identify their home providers (e.g. fred@bigco.com)
- User authentication
  - Access methods supported: PPP, IEEE 802.1X, Mobile IP
  - Support for extended authentication methods via EAP (PPP, IEEE 802.1X, PIC)
- RADIUS authentication
  - Enables local ISPs to grant access based on authentication by home RADIUS servers
  - RFC 2865, 2868, 2869, 3162
- RADIUS accounting
  - Enables per-session usage accounting
  - RFC 2866, 2867
- RADIUS proxy routing
  - RFC 2607
  - Enables authentication and accounting packets to be routed between the local ISP and the home server
8. Wireless Roaming
- Access points may support multiple SSIDs
- User sends authentication request to WISP
- WISP routes authentication to home server
- Single point of administration
[Diagram: remote user fred@bigco.com on public 802.11 wireless networks; 802.11 wireless access points AP 1, AP 2, AP 3 (SSID A, B, C, etc.) send RADIUS to the ISP A RADIUS proxy, which forwards RADIUS over the Internet and carrier networks to the BIGCO home RADIUS server, backed by a user directory]
9. User Authentication and Identification
- Users identified via the Network Access Identifier defined in RFC 2486
  - Userid of the form user@domain
  - Example: bernarda@cxn-redmond.microsoft.com
- IEEE 802.1X enables use of NAI for identification
  - Enables user-based authentication and accounting
- IEEE 802.1X enables EAP for authentication
  - Enables use of strong authentication: OTP, smart cards, token cards, cryptographic calculators, etc.
  - Enables WEP dynamic session keys, encryption
10. What is EAP?
- The Extensible Authentication Protocol (RFC 2284)
  - Provides a flexible link layer security framework
- Simple encapsulation protocol
  - No dependency on IP
  - ACK/NAK, no windowing
  - No fragmentation support
- Few link layer assumptions
  - Can run over any link layer (PPP, 802, etc.) or even IP (PIC)
  - Does not assume physically secure link
    - Methods provide security services
  - Assumes no re-ordering
  - Can run over lossy or lossless media
    - Retransmission responsibility of authenticator (not needed for 802.1X or 802.11)
- EAP methods based on IETF standards
  - Transport Level Security (TLS) (supported in Windows 2000)
  - Secure Remote Password (SRP)
  - GSS_API (including Kerberos)
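The "simple encapsulation protocol" points above (fixed header, Identifier-matched ACK/NAK lockstep, no fragmentation) are easiest to see in a few lines of code. The following is an added example, not code from the deck or from Microsoft: it encodes and decodes the RFC 2284 EAP header and runs the first Identity Request/Response round trip in memory, discarding any Response whose Identifier does not match the outstanding Request. The NAI fred@bigco.com is the deck's own illustrative value; the function names are this example's.

```python
import struct

# EAP codes and types from RFC 2284 (constants are the RFC's, not the deck's).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def encode_eap(code, identifier, eap_type=None, data=b""):
    """Build one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data].

    Success/Failure carry no Type; Request/Response always do.  There is no
    fragmentation: the whole packet has to fit the link's MTU.
    """
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if eap_type is None:
            raise ValueError("Request/Response need a Type")
        body = bytes([eap_type]) + data
    else:
        body = b""
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def decode_eap(packet):
    """Parse an EAP packet, rejecting one whose Length disagrees with the bytes."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-octet header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length field inconsistent with packet")
    body = packet[4:length]            # octets beyond Length are padding, ignored
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response without Type")
        return {"code": code, "id": identifier, "type": body[0], "data": body[1:]}
    return {"code": code, "id": identifier, "type": None, "data": b""}


def supplicant_reply(request_bytes, nai):
    """Supplicant side: answer an Identity Request with the user's NAI."""
    req = decode_eap(request_bytes)
    if req["code"] != EAP_REQUEST or req["type"] != EAP_TYPE_IDENTITY:
        raise ValueError("not an Identity Request")
    # The Response reuses the Request's Identifier: that is the ACK/NAK lockstep.
    return encode_eap(EAP_RESPONSE, req["id"], EAP_TYPE_IDENTITY, nai.encode())


def authenticator_identity(expected_id, response_bytes):
    """Authenticator side: accept only the Response matching the outstanding Request.

    A Response with a different Identifier is silently discarded; that is what
    lets the protocol run without windowing.  The returned identity is only a
    claim: the EAP method that follows is what authenticates it.
    """
    resp = decode_eap(response_bytes)
    if resp["code"] != EAP_RESPONSE or resp["id"] != expected_id:
        return None
    if resp["type"] != EAP_TYPE_IDENTITY:
        return None
    return resp["data"].decode("utf-8", "replace")


def identity_exchange(nai, identifier=1):
    """Run the first EAP round trip (Identity Request/Response) in memory."""
    request = encode_eap(EAP_REQUEST, identifier, EAP_TYPE_IDENTITY)
    response = supplicant_reply(request, nai)
    return authenticator_identity(identifier, response)


if __name__ == "__main__":
    print(identity_exchange("fred@bigco.com"))   # NAI taken from the deck's examples
```

Because the Identifier is only one octet, an authenticator that re-uses values too quickly can be confused by a delayed Response from an earlier round; the lockstep check above is the minimum, and real implementations also time out the outstanding Request.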
11. EAP Architecture
- Method Layer: TLS, SRP, AKA, SIM
- EAP APIs
- EAP Layer: EAP
- NDIS APIs
- Media Layer: PPP, 802.3, 802.5, 802.11
12. What is RADIUS?
- Remote Access Dial In User Service
- Supports authentication, authorization, and accounting for network access
  - Physical ports (analog, ISDN, IEEE 802)
  - Virtual ports (tunnels, wireless)
- Allows centralized administration and accounting
- IETF status
  - Proposed standard
    - RFC 2865, RADIUS authentication/authorization
    - RFC 2618, 2619, RADIUS Authentication Client/Server MIBs
    - RFC 3162, RADIUS for IPv6
  - Informational
    - RFC 2620, 2621, RADIUS Accounting Client/Server MIBs
    - RFC 2866, RADIUS accounting
    - RFC 2867-8, RADIUS Tunneling support
    - RFC 2869, RADIUS extensions
13. 802.1X Topologies
[Diagram: a Supplicant PAE (or a non-802.1X supplicant behind an EtherCPE) speaks EAP over LAN (EAPOL) or EAP over Wireless (EAPOW) to the Authenticator PAE / EtherNAS (e.g. Access Point or Bridge) at the semi-public network / enterprise edge; the authenticator relays EAP over RADIUS to the Authentication Server in the enterprise or ISP network]
14. IEEE 802.1X Conversation
[Diagram: laptop computer speaks EAPOL over Ethernet to a switch; the switch speaks RADIUS to the RADIUS server]
15. 802.1X On 802.11
[Diagram: laptop computer receives an 802.11 Associate-Response from the wireless access point and then speaks EAPOW over 802.11 to it; the access point speaks RADIUS over Ethernet to the RADIUS server]
16. RADIUS Proxy Usage
- RADIUS proxies used to route authentication and accounting requests back and forth to home servers
- Proxies ease shared secret management
  - One shared secret between AP and RADIUS proxy
  - One shared secret between RADIUS proxy and each home server
  - No need for shared secrets between each AP and each home server
  - No need for per-ESSID RADIUS shared secrets
17. RADIUS Proxy Routing
- Routing alternatives
  - Routing by SSID attribute
    - Example: all Access-Requests and Responses with SSID "Provider A" are routed to Provider A's proxy
  - Routing by User-Name attribute and NAI
    - User-Name is user@domain; the domain is used for routing
- Manual proxy configuration
  - Routing handled via static routes
  - SSID or domain routes manually configured on proxy
  - Manually configured shared secrets
- Dynamic configuration also possible
  - If a static route is not available, SRV records can be used to locate the RADIUS server based on the home domain
    - NAI domains correspond to DNS domains as described in RFC 2486
    - No relationship between SSIDs and DNS domains
  - If no shared secret is configured, IPsec can be used to provide authentication and confidentiality on a hop-by-hop basis (RFC 3126)
18. Roaming Models
- Bilateral relationships between WISPs
  - WISPs agree to provide access to each other's customers
  - No centralized clearing house
  - WISPs exchange lists of served domains, maintain their own routing tables
- Roaming consortia
  - Centralized clearinghouse
  - Enables many WISPs to provide access to each other's users
  - Routing tables maintained by the clearinghouse
  - WISPs provide lists of served domains to the clearinghouse
- Certificate-based roaming
  - Enables user authentication at the local proxy
  - Certificate hierarchy corresponds to roaming relationship path
  - Potentially simplifies roaming administration
19. Bilateral Roaming Support
- Limited SSIDs, configured manually based on bilateral relationships
- First hop proxy (ISP A) routes based on SSID
- Second hop proxy (ISP B) routes based on NAI realm
20. Roaming Consortia
- Automated SSID config needed (many potential ISP B partners)
- First hop proxy (ISP A) routes based on NAI realms and SSIDs
- Second hop proxy (ISP B) routes based on NAI realm
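The routing rules on slides 17, 19 and 20 (SSID route first, NAI realm second, SRV discovery when no static route exists, reject when there is no realm at all) can be modelled end to end. The following is an added example, not code from the deck or from Microsoft: a proxy class with manually configured SSID and realm routes, and a tracer that follows a request through the two-hop bilateral model. The proxy and server host names are constructed, the SRV owner name `_radius._udp.<realm>` is a placeholder because the deck does not specify one, and the hop cap is this example's own loop protection.

```python
import re

# RFC 2486 NAI grammar, simplified: user@realm, where the realm has at least
# two dot-separated labels (so "fred@bigco.com" routes and "fred" does not).
_NAI_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def nai_realm(user_name):
    """Return the lower-cased realm of an NAI, or None if User-Name has none."""
    m = _NAI_RE.match(user_name or "")
    return m.group(1).lower() if m else None


class RadiusProxy:
    """One proxy hop with manually configured SSID and realm routes (RFC 2607 style)."""

    def __init__(self, name, ssid_routes=None, realm_routes=None):
        self.name = name
        self.ssid_routes = dict(ssid_routes or {})    # SSID  -> next hop
        self.realm_routes = dict(realm_routes or {})  # realm -> next hop

    def next_hop(self, request):
        """Decide where an Access-Request goes: SSID route, then realm route, then SRV."""
        ssid = request.get("SSID")
        if ssid in self.ssid_routes:
            return "ssid", self.ssid_routes[ssid]
        realm = nai_realm(request.get("User-Name"))
        if realm is None:
            # Nothing to route on: reject rather than guess a home server.
            return "reject", None
        if realm in self.realm_routes:
            return "realm", self.realm_routes[realm]
        # No static route: fall back to DNS SRV discovery of the home domain.
        # The owner name below is a placeholder; the deck does not name one.
        return "srv", "_radius._udp." + realm


def trace_route(proxies, request, max_hops=8):
    """Follow a request hop by hop; returns [(proxy, route kind, next hop), ...].

    The walk stops at the first hop that is not a proxy (home server, SRV
    lookup or reject) and is capped at max_hops so two misconfigured proxies
    pointing at each other cannot loop forever.
    """
    path = []
    hop = request["first_hop"]
    while hop in proxies and len(path) < max_hops:
        kind, nxt = proxies[hop].next_hop(request)
        path.append((hop, kind, nxt))
        if nxt is None:
            break
        hop = nxt
    return path


# Constructed bilateral topology (all names made up): ISP A's AP carries an
# SSID for ISP B, so ISP A's proxy routes that SSID to ISP B's proxy, which
# routes on the NAI realm to the customer's home RADIUS server.
PROXIES = {
    "proxy.isp-a.example": RadiusProxy(
        "proxy.isp-a.example",
        ssid_routes={"ISPB-WIRELESS": "proxy.isp-b.example"},
        realm_routes={"isp-a.example": "radius.isp-a.example"},
    ),
    "proxy.isp-b.example": RadiusProxy(
        "proxy.isp-b.example",
        realm_routes={"bigco.com": "radius.bigco.com"},
    ),
}


def route_fred():
    """fred@bigco.com (the deck's example user) arriving on ISP B's SSID at ISP A."""
    return trace_route(PROXIES, {"first_hop": "proxy.isp-a.example",
                                 "SSID": "ISPB-WIRELESS",
                                 "User-Name": "fred@bigco.com"})


if __name__ == "__main__":
    for proxy, kind, nxt in route_fred():
        print(f"{proxy}: routed by {kind} -> {nxt}")
```

The hop cap matters in the consortium model, where routing tables come from a clearinghouse rather than from the operator's own configuration: a realm that two members both claim to serve produces exactly the kind of ping-pong the cap cuts off.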
21. Certificate-Based Roaming
- ISP A RADIUS server can authenticate fred@bigco.com from the client certificate, assuming a list of trusted roots
- ISP A can issue its own certificates, or allow consortia to issue certs
- No need for proxy routing
  - ISP A proxy can automate lookup and authentication of the Bigco RADIUS server via DNS SRV, IPsec
- ISP A needs to check Bigco's certificate revocation list
22. Why Are Shared Use APs Important?
- Multiple providers are becoming the norm within airports
  - Airlines are installing 802.11 networks for use in baggage reconciliation and roving ticket counters
  - Multiple wireless ISPs often also want to serve airport customers
- Radio interference is an issue
  - In the US and Europe 802.11b networks can support only 3 non-overlapping channels
  - In France and Japan only one channel is available
  - Once the channels are utilized by existing APs, additional APs will interfere and reduce performance
- 802.11 deployment in public spaces is expensive
  - In this economic environment, raising capital is difficult
  - The cost of providing wireless access is inversely proportional to infrastructure utilization
  - More economical to build infrastructure and share it among multiple providers than to build overlapping infrastructure
23. Shared Use Scenarios
- Airports
  - Same infrastructure shared by airlines and wireless ISPs
  - Separate VLANs for airline and wireless ISPs
  - Different authentication schemes may be in use
    - Wireless ISPs may use password authentication
    - Airlines may want more sophisticated authentication: token card, smart card, etc.
- Hot Spots
  - Multiple wireless ISPs sharing infrastructure in airports, hotels, cafes
  - Different authentication schemes may be in use
    - Password-based authentication for accounts at wireless ISP
    - More sophisticated authentication for wholesale wireless access to corporations: token card, smart card, etc.
  - Separate VLANs for wireless ISPs sharing infrastructure
  - User authenticates to the home authentication server, which does not necessarily have knowledge of local network topology
24. Goals for Shared Use APs
- Support for multiple SSIDs per AP
  - Allows wireless ISPs sharing infrastructure to each have an SSID
  - Alternative is for clients to associate to "Any"; this is problematic
  - Enterprise clients can include corporate ESSID as well as wireless ISP ESSID within their wireless preferences
- Support for multiple VLANs per AP
  - Need to enable separation between shared network users
  - Airport VLAN will not be accessible from wireless ISPs' VLAN
  - Need to allow wireless ISPs to allocate addresses from separate address spaces
  - Addresses may be allocated by single or multiple DHCP servers
- Roaming support
  - Need to allow end users to access wireless infrastructure at locations not operated by their home service provider
25. What is Needed for Shared Use APs?
- Support for multiple SSIDs per AP
- STAs use IEEE 802.1X for authentication
- Network Access Identifier (NAI) used as userID as described in RFC 2486
  - Format is user@domain, where domain identifies the home server
- SNMPv3 contexts used to support multiple virtual MIB instances
- RADIUS used for authentication and accounting
  - RADIUS proxies used for roaming support as described in RFC 2607
  - RADIUS authentication and accounting packets routed between AP and Home Server by RADIUS proxies
26. 802.11-1997 Use of SSID
- SSID included as an Information Element (IE) within management frames
  - SSID may be between 0 and 32 octets
  - Zero length SSID indicates the broadcast SSID
- Management frames including the SSID IE
  - Beacon
  - Probe Request
  - Probe Response
  - Association and Reassociation Request frames
- Usage model
  - Passive scanning
    - STA discovers a single SSID IE within the Beacon
  - Active scanning
    - STA queries for each known SSID via Probe Request/Response
    - Enables STA to discover multiple SSIDs per AP
  - STA associates or reassociates with an AP
    - STA can only be associated with one AP at a time
    - Association and Reassociation Request frames contain a single SSID IE
27. Supporting Multiple SSIDs Per AP
- Passive scanning
  - Can only discover a single SSID per AP
  - Multiple SSIDs in Beacon not explicitly prohibited by 802.11-1997
  - However, existing 802.11 NICs typically cannot handle multiple SSID information elements in a Beacon or Probe Response
  - Result: only a single SSID can be included in the Beacon and be discovered by the STA in passive scanning
- Active scanning
  - Can discover multiple SSIDs per AP
  - STA sends a Probe Request for each SSID it knows about
  - AP replies with Probe Response if the SSID is supported
  - Enables STA to discover multiple SSIDs per AP
  - Parameters included in Probe Response can be different for each SSID
    - Enables different capabilities, rates to be advertised for each SSID
  - Approach does not scale well for STAs with many known SSIDs
- Association and Reassociation Requests contain only a single SSID Information Element
  - STAs choose the SSID they want to associate with, based on SSIDs discovered via passive and active scanning
  - STA can only be associated with a single AP (and SSID) at a time
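The passive-versus-active scanning distinction on slides 26 and 27 comes down to how the SSID information element is laid out and how many of them a receiver reads. The following is an added example, not code from the deck or from any vendor: it encodes and parses 802.11-1997 information elements (SSID, element ID 0; Supported Rates, element ID 1), models a shared-use AP that beacons one SSID but answers Probe Requests for several, and runs both scan styles against it. The SSID names and rate sets are constructed; the choice to answer a broadcast (zero-length) probe with the Beacon SSID is this example's assumption, since the deck does not say what a multi-SSID AP does in that case.

```python
# Element IDs from 802.11-1997; the AP and STA behaviour below is a constructed model.
EID_SSID = 0
EID_SUPPORTED_RATES = 1
MAX_SSID_LEN = 32


def encode_ie(eid, value):
    """One information element: Element ID(1) Length(1) Value."""
    if len(value) > 255:
        raise ValueError("IE value too long")
    return bytes([eid, len(value)]) + value


def encode_ssid_ie(ssid):
    if len(ssid) > MAX_SSID_LEN:
        raise ValueError("SSID longer than 32 octets")
    return encode_ie(EID_SSID, ssid)          # zero length = broadcast SSID


def encode_rates_ie(rates_mbps):
    """Supported Rates IE: one octet per rate, in units of 500 kbit/s."""
    return encode_ie(EID_SUPPORTED_RATES, bytes(int(r * 2) for r in rates_mbps))


def parse_ies(body):
    """Walk a TLV sequence into (eid, value) pairs; a truncated IE is an error."""
    ies, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated IE header")
        eid, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated IE value")
        ies.append((eid, value))
        i += 2 + length
    return ies


def first_ssid(body):
    """What a 1997-era NIC acts on: only the first SSID IE in the frame."""
    for eid, value in parse_ies(body):
        if eid == EID_SSID:
            return value
    return None


class SharedUseAP:
    """AP advertising one SSID in its Beacon but answering probes for several."""

    def __init__(self, beacon_ssid, ssid_rates):
        self.beacon_ssid = beacon_ssid
        self.ssid_rates = dict(ssid_rates)   # SSID -> rates advertised for that SSID

    def beacon(self):
        return encode_ssid_ie(self.beacon_ssid) + encode_rates_ie(self.ssid_rates[self.beacon_ssid])

    def probe_response(self, probe_request_body):
        """Reply only if the probed SSID is one we support; otherwise stay silent."""
        wanted = first_ssid(probe_request_body)
        if wanted is None:
            return None
        if wanted == b"":                   # broadcast probe (assumption: answer with Beacon SSID)
            wanted = self.beacon_ssid
        if wanted not in self.ssid_rates:
            return None
        # Per-SSID parameters: the rates differ by SSID, as the deck allows.
        return encode_ssid_ie(wanted) + encode_rates_ie(self.ssid_rates[wanted])


def passive_scan(ap):
    """One Beacon, one SSID."""
    return first_ssid(ap.beacon())


def active_scan(ap, known_ssids):
    """One Probe Request per known SSID; cost grows with the STA's list."""
    found = {}
    for ssid in known_ssids:
        resp = ap.probe_response(encode_ssid_ie(ssid))
        if resp is not None:
            found[ssid] = dict(parse_ies(resp))
    return found


# Constructed shared-use AP: airport operator SSID in the Beacon, two WISP SSIDs reachable by probing.
AP = SharedUseAP(b"AIRPORT", {b"AIRPORT": [1, 2, 5.5, 11], b"ISPA": [1, 2], b"ISPB": [1, 2, 5.5, 11]})

if __name__ == "__main__":
    print(passive_scan(AP))
    print(active_scan(AP, [b"ISPA", b"ISPB", b"HOTEL-WIFI"]))
```

A Beacon carrying two SSID IEs would parse fine with `parse_ies`, but `first_ssid` returns only the first, which is exactly why the deck concludes that passive scanning exposes one SSID per AP.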
28. Beacon Frame Format
29. Probe Response Frame Format
30. VLAN Usage
- Static VLANs
  - APs manually configured to map SSIDs to VLANs
  - STAs indicate SSID in Association or Reassociation Request
  - APs tag packets with VLAN corresponding to SSID
- Dynamic VLANs
  - AP includes SSID attribute in Access-Request
  - RADIUS server includes VLAN-Profile, SSID attribute in Access-Accept
  - APs map VLAN-Profile string to VLANID
  - Alternative: RADIUS server can include VLANID attribute in Access-Accept
    - Unlikely in shared use networks, since server will typically not know network topology
31. RADIUS Attributes for Shared Use APs
- SSID included in Called-Station-Id attribute
  - Provides information on the SSID that the STA associated with
  - SSID is a string with length 2-34 octets
  - Called-Station-Id is a string of the form MAC Address<SSID>
  - Included in Access-Request, Access-Response, and Accounting-Request
- VLAN Profile (optional, best done as a VSA)
  - String with length <253
  - Included in Access-Accept and Accounting-Request
  - Needed in situations where RADIUS server does not know the network topology of the shared use network, cannot supply the correct VLANID
  - However, RADIUS server can know that the Provider A VLAN is to be used
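Slides 30 and 31 together describe the AP side of dynamic VLAN assignment: put the SSID into Called-Station-Id on the way out, and on the way back map a VLAN-Profile string to a local VLAN ID. The following is an added example, not code from the deck or from Microsoft: it builds and parses the Called-Station-Id attribute, and applies a policy in which the AP honours only profile names it has itself bound to the SSID the station associated with, so an Access-Accept from a WISP's home server cannot place a station on the airport operator's VLAN. The deck writes the attribute as MAC Address<SSID> without spelling out the delimiter, so the ":" used here is an assumption; the MAC addresses, SSIDs, profile names and VLAN numbers are constructed.

```python
import re

# Hyphen-separated MAC form; the ":" between MAC and SSID is this example's assumption.
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")
MAX_SSID_LEN = 32
MAX_PROFILE_LEN = 253          # deck: VLAN-Profile string length < 253
NAS_PORT_TYPE_WIRELESS_80211 = 19   # RFC 2865 NAS-Port-Type value


def build_called_station_id(ap_mac, ssid):
    if not _MAC_RE.match(ap_mac):
        raise ValueError("bad AP MAC")
    if len(ssid.encode()) > MAX_SSID_LEN:
        raise ValueError("SSID longer than 32 octets")
    return f"{ap_mac.upper()}:{ssid}"


def parse_called_station_id(value):
    """Split Called-Station-Id into (AP MAC, SSID); the SSID may itself contain ':'."""
    mac, sep, ssid = value.partition(":")
    if not sep or not _MAC_RE.match(mac):
        raise ValueError("Called-Station-Id not of the form MAC:SSID")
    return mac.upper(), ssid


def build_access_request(ap_mac, ssid, user_name):
    """The attributes a shared-use AP puts in an Access-Request (subset)."""
    return {"User-Name": user_name,
            "Called-Station-Id": build_called_station_id(ap_mac, ssid),
            "NAS-Port-Type": NAS_PORT_TYPE_WIRELESS_80211}


class VlanPolicy:
    """Static SSID->VLAN map plus the VLAN-Profile names each SSID may select.

    The home RADIUS server does not know the shared-use topology, so the AP
    never acts on a raw VLAN ID from it and honours only profile names bound
    to the SSID in use.  A profile that belongs to another provider's SSID is
    refused, which keeps the airport VLAN out of reach of WISP accounts.
    """

    def __init__(self, static_vlan, profiles):
        self.static_vlan = dict(static_vlan)                         # SSID -> VLAN ID
        self.profiles = {s: dict(p) for s, p in profiles.items()}    # SSID -> {profile: VLAN ID}

    def vlan_for(self, ssid, access_accept):
        """VLAN to tag the session with, or None if the Access-Accept must be refused."""
        if ssid not in self.static_vlan:
            return None
        profile = access_accept.get("VLAN-Profile")
        if profile is None:
            return self.static_vlan[ssid]          # static VLAN model
        if len(profile) >= MAX_PROFILE_LEN:
            return None
        return self.profiles.get(ssid, {}).get(profile)   # None unless bound to this SSID


# Constructed airport topology: VLAN 10 for the airport operator, 20/30 for two WISPs,
# plus per-WISP profiles a home server may name (e.g. wholesale corporate access).
POLICY = VlanPolicy(
    static_vlan={"AIRPORT": 10, "ISPA": 20, "ISPB": 30},
    profiles={"ISPA": {"ispa-guest": 21, "ispa-corp": 22},
              "ISPB": {"ispb-corp": 31}},
)


def session_vlan(ap_mac, ssid, user_name, access_accept):
    """End to end: build the request, read the SSID back, map the reply to a VLAN."""
    request = build_access_request(ap_mac, ssid, user_name)
    _, ssid_seen = parse_called_station_id(request["Called-Station-Id"])
    return POLICY.vlan_for(ssid_seen, access_accept)


if __name__ == "__main__":
    print(session_vlan("02-00-5e-10-00-01", "ISPA", "fred@bigco.com",
                       {"VLAN-Profile": "ispa-corp"}))
```

Returning `None` rather than falling back to the static VLAN when a profile is unknown is deliberate: a misrouted or tampered Access-Accept should fail closed, and the accounting record (which also carries the profile per the deck) then shows why the session was refused.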
32. SNMP in Shared Use Networks
- Multiple providers may want access to MIB information
  - Diagnostic information in IEEE 802.1X MIB
  - Accounting information in IEEE 802.1X MIB
    - In SNMP accounting, reliability is determined by the manager (accounting server), whereas in RADIUS, reliability is determined by the RADIUS client (AP)
- Deployed approaches
  - SNMP proxy
    - Individual providers query the proxy
    - SNMP use in shared use networks discussed in RFC 2975
  - Domain as index
    - Domain used as an index within tables
    - Can be supported in any version of SNMP
    - Requires support within the MIB; not supported in 802.11 or 802.1X MIBs
  - Contexts
    - Enables maintenance of separate virtual tables for each context
    - SNMPv3 contextName used to distinguish virtual instances
    - Requires SNMPv3 support
    - Requires support within the SNMPv3 agent
    - Recommended approach for support of virtual tables per ESSID
33. Feedback?