This document discusses the Canadian Access Federation eduroam workshop that was held in August 2011. It provides an overview of how eduroam works to allow wireless access for visiting users from participating institutions. This includes using 802.1X authentication with EAP methods and RADIUS infrastructure to route authentication requests to a user's home institution. The document also covers topics like the onboarding process for new sites, implementation decisions around the RADIUS platform, and the importance of logging for troubleshooting and attributing network issues.

1. Canadian Access Federation Eduroam workshop Aug ,2011 Chris Phillips –chris.phillips@canarie.ca

2. Credits Thanks to other content contributors Jens Haeusser – UBC – technical negotiation slides GEANT & TERENA – Logging and other areas Prior implementors for inspiring the checklist Useful reference sites http://eduroam.ca - Canadian eduroam site http://eduroam.org - Top level eduroam site http://eduroamus.org - US eduroam site 2

3. Use Case – Wireless Access Without eduRoam User arrives, needs to get onto wireless Needs to talk to IT staff to get credential in system created and a password set User waits for account User uses known password, signs into wireless When user is complete, IT should be notified to delete account and terminate access (right?) IT deletes account(right?) Done With eduRoam User arrives, needs to get onto wireless, has eduRoam enabled ID Open laptop User is authenticated to home system and is online Done 3

4. Eduroam impact Reduces effort supporting guest network ids Support calls…How do I…? Guest account footprint in your systems Only available on wireless systems, not others 4

5. How does eduroam work? 802.1X - to authenticate clients before allowing access to the network EAP framework – with secure EAP methods to protect user credentials RADIUS - authentication server infrastructure RADIUS proxying – to route authentication requests to a users home institution Separate IP address space – treated as external to institution (compliance with service agreements, etc) End Users have standard internet access with as few filters as possible (if any at all).

6. Secure Wireless – 802.1X April 27th 2010 Canada eduroam Slide 6 Wireless Encryption Established secure.wireless.ubc.ca ssid:ubcsecure id:jdoe 1)Negotiate Authentication Method EAP-PEAPv0-MSCHAPv2 2)Certificate Validation Prevents “man-in-the-middle” attack 3)Establish Secure Tunnel Prevents eavesdropping Using MSCHAPv2 4)Perform authentication through tunnel 5)Authentication successful Establish encryption, connect to net 6)Client acquires IP address (DHCP)

7. Eduroam - Roaming User April 27th 2010 Canada eduroam Slide 7 Federation Server realm: ca ssid:eduroam Cert: eduroam.sfu.ca Institution Servers id: joe@sfu.ca realm: ubc.ca realm: sfu.ca 1) Negotiate EAP type EAP-TTLS-PAP 2) Outer Request Validate cert. Establish TLS tunnel PAP – through tunnel – secure! 3) Inner Request 4) Success Connect to network Establish encryption.

8. Eduroam – International Roaming April 27th 2010 Canada eduroam Slide 8 Confederation Server Federation Server realm: ca realm: edu id: pam@mit.edu realm: ubc.ca realm: sfu.ca realm: mit.edu realm: ucla.edu

9. Reciprocity - Hallmark of eduroam Eduroam is about you treating guest credentials how you would like to be treated: Just think about what you would like when you travel: No filtered connections No traffic shaping Public IP address (where possible) NAT is not necessarily appropriate, but if you already private IP folks now, probably works out ok. 9

10. eduRoam @ CANHEIT2011 - McMaster 10

11. Canadian eduRoam Coverage 11

12. Digging into Deployment Details 12

13. Sample Deployment: Queen’s 13

14. Cisco ACS Config 14

15. Onboarding Process Canada has ~28 of 92 universities on eduroam. US has slightly less in number (25) but 3,000 plus insitutions Eduroam operator: Standard template for connecting new sites Policy sign-off followed by technical implementation Estimated time for Canada federation-level RADIUS server personnel: on-board a new member site: a few hours to two person-days, depending on member site expertise general maintenance: ~one person-day per month Eduroam site: Local implementation from 4 hours to 4 weeks depending on capabilities Skill: operate/install RADIUS on your choice of platform (Cisco ACS, Microsoft NPS, FreeRADIUS) Operational maintenance: same as your AuthN server now 15

16. Important Implementation Decisions Your RADIUS platform Keep it simple and least number of cogs in the machine Running Active Directory? You may already have RADIUS (NPS) Running Cisco ACS? You can use that. Want an alternative commercial platform? RADIATOR is likely your choice – heavily Perl influenced Root servers run RADIATOR Looking for ‘free’? FREE-Radius Need to deal with MS-CHAPv2 properly Recommendation is to split the config for proxying and answering between 2 instances for clarity/diagnosis sake (see Queen’s build) 16

17. About Server Certificate This certificate is on your IdP Users see this & will evaluate authenticity of the passwd validation Self signed is not recommended Would YOU trust it? How do you convince the 1st year student to ascertain it as valid and not a rogue AP doing an attack? 17

18. Problem Solving/Diagnosis 18

19. Logging Cue GEANT Module 5 19

20. Module 5: Log Files, Statistics and Incidents

22. Why not provide the User-Name?

23. User-Name attribute could be obfuscated.

25. RADIUS Authorisation log.

27. Find MAC address in DHCP or ARP sniffing log.

28. Find authentication session in Auth log.

30. Home federation can find user’s identity provider.

31. Identity provider can find the user name.

33. Auth logs.

34. Reliable time source.

36. Side-thought: why is NAT considered bad?

37. Must be able to find a MAC address from the IP address.

38. Must log:

39. Time client’s DHCP lease was issued.

40. MAC address of client.

45. May be a named individual or an organisational unit.

47. Issue Escalation 32

48. USER SUPPORT: PROBLEM ESCALATION SCENARIO (1) home federation OT visited federation fed.-level admin. local institution admin. fed.-level admin. 3 local institution admin. 1,2 4 user

49. USER SUPPORT: PROBLEM ESCALATION SCENARIO (2) home federation OT visited federation 4a 4b fed.-level admin. 4 local institution admin. 3 fed.-level admin. 5 local institution admin. 1,2 6 user

50. Questions? For more info or details please contact: Chris.phillips@canarie.ca 35