SURFnet AAI - PowerPoint PPT Presentation

1 / 16
About This Presentation
Title:

SURFnet AAI

Description:

After proper AuthN open connectivity (no firewalls, no NAT, ... Osiris (SIS) Modus (statistics) Java lib for small apps. filters for IIS/ Apache 1.3.x and 2.0.x ... – PowerPoint PPT presentation

Number of Views:230
Avg rating:3.0/5.0
Slides: 17
Provided by: klaaswi
Category:
Tags: aai | osiris | surfnet

less

Transcript and Presenter's Notes

Title: SURFnet AAI


1
SURFnet AAI
  • Klaas.Wierenga_at_SURFnet.nl
  • Meeting met Microsoft
  • 21 April 2004

2
TOC
  • AAI
  • Network Access
  • Application Access
  • The holy grail

3
Environment
International connectivity
  • Institution A

WLAN
Access Provider WLAN
Institution B
SURFnet backbone
Access Provider GPRS
WLAN
Access Provider POTS
Access Provider ADSL
4
AAI
  • Authentication and Authentication Infrastructure
  • 2 pilars
  • (Guest) Network Access EduRoam
  • Application Access with SSO A-Select
  • Now working on integration of the two

5
Requirements
  • Secure
  • Identify users uniquely at the edge of the
    network
  • No session hijacking
  • Allow for guest usage
  • Scalable
  • Local user administration and authN!
  • Using existing RADIUS infrastructure (f.e.)
  • Easy to install and use
  • Open
  • Support for all common OSes
  • Vendor independent
  • After proper AuthN open connectivity (no
    firewalls, no NAT, public IP-addresses)

6
IEEE 802.1X
  • True port based access solution (Layer 2) between
    client and AP/switch
  • Several available authentication-mechanisms
    (EAP-MD5, MS-CHAPv2, EAP-SIM, EAP-TLS, EAP-TTLS,
    PEAP)
  • Standardised
  • Also encrypts all data, using dynamic keys
  • RADIUS back end
  • Scaleable
  • Re-use existing Trust relationships
  • Easy integration with dynamic VLAN assignment
  • Client software necessary (OS-built in or
    third-party)
  • Both for wireless AND wired

7
How does 802.1X work (in combination with 802.1Q)?
Supplicant
RADIUS server Institution A
Authenticator (AP or switch)
User DB
jan_at_student.institution_a.nl
Internet
Guest VLAN
Employee VLAN
Student VLAN
signalling
data
8
EduRoam
Supplicant
RADIUS server Institution B
RADIUS server Institution A
Authenticator (AP or switch)
User DB
User DB
Guest piet_at_institution_b.nl
Internet
Guest VLAN
Employee VLAN
Central RADIUS Proxy server
Student VLAN
  • Some 20 Institutions
  • Public hotspots in 5 cities
  • Train trajectory
  • 2 UMTS trials with EAP-SIM

signalling
data
9
Radius proxy hierarchy
  • Participation guidelines are being drafted
  • Aim is to increase membership. Spain, Norway,
    Slovenia, Czech Republic Greece have indicated
    their willingness to join.

University of Southampton
FCCN
RADIUS Proxy servers connecting to a European
level RADIUS proxy server
10
What is AuthN middleware?
  • AuthN middleware decouples authentication from
    the application
  • New authentication means dont have an impact on
    the applications and vice versa
  • Use authentication means people already have
    (mobile phone, bankcard, ), scalability in
    authentication means
  • Recognise authentication strength

11
A-Select
12
Current authSPs
  • IP address
  • Username/password (LDAP, RADIUS, SQL)
  • X.509 cert
  • OTP thru SMS
  • SecurID thru RADIUS
  • Passfaces
  • Internet banking

13
Current A-Select enabled apps
  • Blackboard
  • N_at_tSchool
  • WebCT 1-2Q04
  • MMBase (CMS)
  • Roxen (CMS)
  • Oracle Portal
  • SunOne Portal 1Q04
  • Citrix
  • Osiris (SIS)
  • Modus (statistics)
  • Java lib for small apps
  • filters for IIS/ Apache 1.3.x and 2.0.x

14
Work in progress
  • Policy Framework for EduRoam (TF-Mobility)
  • A-Select with real authorisation (TF-AACE)
  • A-Select with federations (Internet2)
  • Secure Instant Messaging (Internet2)
  • Interworking with other architectures
    (Shibboleth, PAPI, Liberty, Passport?)
  • SSO over network and applications (Géant2)

15
Possible AAI architecture
16
More information
  • SURFnet and 802.1X
  • http//www.surfnet.nl/innovatie/wlan
  • TERENA TF-Mobility
  • http//www.terena.nl/mobility
  • A-Select
  • http//a-select.surfnet.nl/
  • TERENA TF-AACE
  • http//www.terena.nl/tech/task-forces/tf-aace/
Write a Comment
User Comments (0)
About PowerShow.com