Terena Mobility Taskforce update Klaas Wierenga SURFnet <[email protected]>


Contents Page

• Background
• Current status
• Future plans
• Discussion


Background

• TF Mobility (Taskforce) officially began on January 1 2003.
  – The group has an 18 month lifetime.

• Aim: "coordinating research and testing in Europe regarding real usage and scalability of mobility solutions inside the academic community".

• Mobility solutions are defined as
  – a way to transfer authentication information between organisations so that a user from a different organisation may gain wired or wireless access to 1) the visiting organisation's network or 2) the visitor's home network for home authentication and network access.

• Work Areas
  – Identify inter-NREN roaming requirements.
  – Evaluate current national roaming solutions.
  – Select inter-NREN solution and test.
  – Evaluate mobile equipment, technology and next generation mobile technology for handover and roaming (mobile IPv4 & v6).


Requirements definition

• Enable NREN users to use the Internet (WLAN and wired) everywhere in Europe with:
  – Minimal administrative overhead (per roaming user)
  – Good usability
  – Maintaining required security for all partners.
  – Scalable!


Web-based with RADIUS

[Diagram: WWW-browser, Access Control Device, AAA Server, Docking Network and Internet, with steps 1 to 5]

RADIUS based Web interface authentication at the University of Tampere

The Finns are scaling their solution by using a hierarchy of RADIUS proxy servers for their national infrastructure.


VPN

[Diagram: Intranet X, Docking network, Campus Network, G-WiN, VPN-Gateways; DHCP, DNS, free Web]

SWITCHmobile – VPN solution deployed at 7 universities across Switzerland.

Wbone – VPN roaming solution to 4 universities / colleges in state of Bremen.

A "virtual campus" initiative in Lisbon has been testing and developing a VPN & PKI infrastructure.

PPPoE – University of Bristol


Cross-domain 802.1X with VLAN assignment

[Diagram: Supplicant (Guest, piet@institution_b.nl); Authenticator (AP or switch); RADIUS server and User DB at Institution A and at Institution B; Central RADIUS Proxy server; Internet; Student VLAN, Guest VLAN, Employee VLAN]

Authentication at home institution, 802.1X, TTLS (SecureW2), (proxy) RADIUS. One time passwords are also transmitted via SMS to guest users.

A RADIUS hierarchy is proposed to scale this to a Europe-wide solution.
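How a proxy hierarchy can forward a guest's request to the home institution by the realm in the user name, as an added example that is not part of the original slides. The server names, the `university_x.fi` realm, the tree layout and the routing rule (longest realm-suffix match downward, otherwise hand to the parent, reject at the top) are assumptions made for illustration; only `piet@institution_b.nl` comes from the slide.

```python
# Added illustration: realm-based forwarding in a RADIUS proxy hierarchy.
# Server names, the .fi realm and the tree layout are constructed for this example.
SERVERS = {
    "inst_a":   {"local": "institution_a.nl", "routes": {}, "parent": "nl_proxy"},
    "inst_b":   {"local": "institution_b.nl", "routes": {}, "parent": "nl_proxy"},
    "inst_x":   {"local": "university_x.fi", "routes": {}, "parent": "fi_proxy"},
    "nl_proxy": {"local": None, "parent": "eu_proxy",
                 "routes": {"institution_a.nl": "inst_a", "institution_b.nl": "inst_b"}},
    "fi_proxy": {"local": None, "parent": "eu_proxy",
                 "routes": {"university_x.fi": "inst_x"}},
    "eu_proxy": {"local": None, "parent": None,
                 "routes": {"nl": "nl_proxy", "fi": "fi_proxy"}},
}


def next_hop(routes, realm):
    """Longest-suffix match of the realm against a proxy's downward routes."""
    hits = [s for s in routes if realm == s or realm.endswith("." + s)]
    return routes[max(hits, key=len)] if hits else None


def route(user_name, entry):
    """Return the servers an Access-Request passes through, home server last."""
    _, sep, realm = user_name.rpartition("@")
    if not sep or not realm:
        raise ValueError("user name carries no realm; cannot be proxied")
    realm = realm.lower()
    path, current, descending = [entry], entry, False
    while SERVERS[current]["local"] != realm:
        hop = next_hop(SERVERS[current]["routes"], realm)
        if hop is not None:
            descending = True
        elif descending or SERVERS[current]["parent"] is None:
            # No default route at the top or on the way down: reject, do not loop.
            raise LookupError(f"no route to realm {realm!r} from {current}")
        else:
            hop = SERVERS[current]["parent"]
        if hop in path:
            raise RuntimeError(f"proxy loop via {hop}")
        path.append(hop)
        current = hop
    return path


if __name__ == "__main__":
    print(route("piet@institution_b.nl", "inst_a"))  # guest at Institution A
    print(route("piet@institution_b.nl", "inst_x"))  # same guest abroad
```

Rejecting unknown realms at the top of the tree, rather than configuring a default route there, is what keeps a mistyped realm from circulating between proxies.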


Current status

• Documentation of national WLAN roaming solutions – complete

• Characteristics identified as
  – 802.1X – "The future", easy to scale, secure but cutting edge, thus expensive.
  – VPN – Widely available, expensive, secure & hard to scale.
  – Web based – cheap, widely available, easy to scale, but not secure.

• WLAN Product testing matrix – 1st draft completed

• Preliminary selection for inter-NREN roaming – in draft, conclusions are
  – No national solution meets all the requirements.
  – The group has chosen not to consider the following
    – Local VPN access.
    – PKI
  – An architecture that supports the various national solutions is needed, a three stream approach is recommended…


Future plans

• Resolve scaling and interoperability issues (for 802.1x, VPN, web-based redirect, PPPoE)
• Consolidate findings into a trial report
• Build and scale a RADIUS proxy hierarchy for non-VPN AAA
• Conduct feasibility tests on creating a scalable VPN solution
• Subject to feasibility, build the proposed CASG solution
• Extend to VPN in parallel
• Work on software changes to PPPoE to facilitate roaming

The testing of inter-NREN roaming solutions has already started!


Controlled Address Space for VPN Gateways

• Design and work plan documentation underway.
• Interoperability tests of VPN to RADIUS proxy hierarchy agreed.
• Further work to follow.


Radius proxy hierarchy

[Diagram: FCCN, University of Southampton, SURFnet, FUNET, (DFN), CARnet]

RADIUS Proxy servers connecting to a European level RADIUS proxy server

• Participation guidelines are being drafted

• Aim is to increase membership. Spain, Norway, Slovenia, Czech Republic & Greece have indicated their willingness to join.


Thank you for your time

Any questions?

Klaas Wierenga
+31 30 2 305 305

[email protected]