Title: SURFnet AAI
1SURFnet AAI
- Klaas.Wierenga_at_SURFnet.nl
- Meeting met Microsoft
- 21 April 2004
2TOC
- AAI
- Network Access
- Application Access
- The holy grail
3Environment
International connectivity
WLAN
Access Provider WLAN
Institution B
SURFnet backbone
Access Provider GPRS
WLAN
Access Provider POTS
Access Provider ADSL
4AAI
- Authentication and Authentication Infrastructure
- 2 pilars
- (Guest) Network Access EduRoam
- Application Access with SSO A-Select
- Now working on integration of the two
5Requirements
- Secure
- Identify users uniquely at the edge of the
network - No session hijacking
- Allow for guest usage
- Scalable
- Local user administration and authN!
- Using existing RADIUS infrastructure (f.e.)
- Easy to install and use
- Open
- Support for all common OSes
- Vendor independent
- After proper AuthN open connectivity (no
firewalls, no NAT, public IP-addresses)
6IEEE 802.1X
- True port based access solution (Layer 2) between
client and AP/switch - Several available authentication-mechanisms
(EAP-MD5, MS-CHAPv2, EAP-SIM, EAP-TLS, EAP-TTLS,
PEAP) - Standardised
- Also encrypts all data, using dynamic keys
- RADIUS back end
- Scaleable
- Re-use existing Trust relationships
- Easy integration with dynamic VLAN assignment
- Client software necessary (OS-built in or
third-party) - Both for wireless AND wired
7How does 802.1X work (in combination with 802.1Q)?
Supplicant
RADIUS server Institution A
Authenticator (AP or switch)
User DB
jan_at_student.institution_a.nl
Internet
Guest VLAN
Employee VLAN
Student VLAN
signalling
data
8EduRoam
Supplicant
RADIUS server Institution B
RADIUS server Institution A
Authenticator (AP or switch)
User DB
User DB
Guest piet_at_institution_b.nl
Internet
Guest VLAN
Employee VLAN
Central RADIUS Proxy server
Student VLAN
- Some 20 Institutions
- Public hotspots in 5 cities
- Train trajectory
- 2 UMTS trials with EAP-SIM
signalling
data
9Radius proxy hierarchy
- Participation guidelines are being drafted
- Aim is to increase membership. Spain, Norway,
Slovenia, Czech Republic Greece have indicated
their willingness to join.
University of Southampton
FCCN
RADIUS Proxy servers connecting to a European
level RADIUS proxy server
10What is AuthN middleware?
- AuthN middleware decouples authentication from
the application - New authentication means dont have an impact on
the applications and vice versa - Use authentication means people already have
(mobile phone, bankcard, ), scalability in
authentication means - Recognise authentication strength
11A-Select
12Current authSPs
- IP address
- Username/password (LDAP, RADIUS, SQL)
- X.509 cert
- OTP thru SMS
- SecurID thru RADIUS
- Passfaces
- Internet banking
13Current A-Select enabled apps
- Blackboard
- N_at_tSchool
- WebCT 1-2Q04
- MMBase (CMS)
- Roxen (CMS)
- Oracle Portal
- SunOne Portal 1Q04
- Citrix
- Osiris (SIS)
- Modus (statistics)
- Java lib for small apps
- filters for IIS/ Apache 1.3.x and 2.0.x
14Work in progress
- Policy Framework for EduRoam (TF-Mobility)
- A-Select with real authorisation (TF-AACE)
- A-Select with federations (Internet2)
- Secure Instant Messaging (Internet2)
- Interworking with other architectures
(Shibboleth, PAPI, Liberty, Passport?) - SSO over network and applications (Géant2)
15Possible AAI architecture
16More information
- SURFnet and 802.1X
- http//www.surfnet.nl/innovatie/wlan
- TERENA TF-Mobility
- http//www.terena.nl/mobility
- A-Select
- http//a-select.surfnet.nl/
- TERENA TF-AACE
- http//www.terena.nl/tech/task-forces/tf-aace/