eduroam JP and development of UPKI roaming
Yoshikazu Watanabe*, Satoru Yamano*
Hideaki Goto**, Hideaki Sone**
* NEC Corporation, Japan
** Tohoku University, Japan
APAN24, Xi’an, 28 Aug. 2007
Contents
• UPKI project and network roaming
• eduroam in Japan
• Problems and solutions
• Access control of roaming users regarding local resources
• Summary
UPKI project and network roaming
• UPKI: University PKI (also referred to as: Inter-University Authentication and Authorization Platform)
– Campus Ubiquitous Network (Tohoku Univ.)
• R&D of authentication/policy-based network control mechanism
– Introduction of eduroam to Japan
– R&D of UPKI roaming system
• Collaborative research by Tohoku Univ. and NEC
eduroam in Japan
2006
• Aug. 31: Tohoku University connected to Asia-Pacific eduroam
• Sep. 28: eduroam JP website opened
• Dec.: Connected to Asia-Pacific eduroam secondary server in Hong Kong
• Dec.: Four organizations federated: High Energy Accelerator Research Organization (KEK), National Institute of Informatics (NII), Hokkaido Univ., and Kyoto Univ.
2007
• June: Kyushu University federated
eduroam HP: http://www.eduroam.jp/
eduroam JP network
(diagram: JP primary and JP secondary servers serving Hokkaido Univ., Tohoku Univ., Kyoto Univ., Kyushu Univ., KEK and NII; the JP servers peer with the AP primary and AP secondary servers (Hong Kong, Australia), which in turn connect to Europe; one site is labelled "The first eduroam AP in Japan")
Circumstance in Japan
• Scale
– Lots of universities and colleges (87 national, 76 public, 571 private, and colleges; 1,200+ total as of Apr. 2006)
– Large universities (some have 30,000+ people)
• Operational policy
– Guest use of IP addresses owned by a visited institution for Internet access is not acceptable (≒ illegal) in many cases.
– Each institution has different network administration policies.
Problem about scale
• Problem
– Lots of universities and colleges
→ Configuring RADIUS proxies is so hard
• Solution
– Utilizing the realms regular expression patch for FreeRADIUS
• A patch that enables configuring proxying with regular expressions
• Adopted in recent versions of FreeRADIUS
– RadSec is also expected to solve this problem, and further to enhance the flexibility of configuration.
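As an added example (not code from the presentation, from FreeRADIUS, or from eduroam JP), the Python below simulates the proxy-routing decision that the regular-expression realm patch makes possible: the realm is taken from the NAI, matched against an ordered list of patterns, and the request is either handled locally, sent to the JP proxy, or sent up the default (Asia-Pacific) route. One pattern for every *.ac.jp realm replaces one static realm entry per institution, which is the scale problem the slide describes. The realm names, destination labels and routing table are assumptions for this example; requests with a missing or malformed realm are rejected locally rather than proxied.

```python
import re
from typing import List, Optional, Tuple

# Constructed routing table in the spirit of FreeRADIUS realm entries with
# regular-expression matching.  Each entry is (pattern, destination); the first
# matching entry wins, so entries go from specific to general: the site's own
# realm first, then one pattern covering every Japanese university, then the
# default route up to the Asia-Pacific top-level proxy.
# Realm names and destination labels are assumptions for this example.
LOCAL_REALM = "tohoku.ac.jp"
REALM_ROUTES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"^" + re.escape(LOCAL_REALM) + r"$", re.IGNORECASE), "LOCAL"),
    # Any *.ac.jp realm: one rule instead of one block per institution.
    (re.compile(r"^([a-z0-9-]+\.)+ac\.jp$", re.IGNORECASE), "jp-primary"),
]
DEFAULT_ROUTE = "ap-primary"   # everything else goes up the eduroam hierarchy


def split_nai(user_name: str) -> Optional[str]:
    """Return the realm of a Network Access Identifier, or None if it has none.

    The realm is everything after the *last* '@'.  eduroam requires a realm,
    so a bare user name (or an empty realm) must not be proxied anywhere.
    """
    if "@" not in user_name:
        return None
    realm = user_name.rsplit("@", 1)[1].strip()
    return realm or None


def select_route(user_name: str) -> Optional[str]:
    """Decide where an Access-Request for user_name should be handled.

    Returns "LOCAL" for our own users, a destination label for requests to be
    proxied, and None when the request should be rejected locally instead.
    """
    realm = split_nai(user_name)
    if realm is None:
        return None
    # Defensive check: a realm with characters outside the DNS label alphabet
    # is malformed; reject it rather than forward it upstream.
    if not re.fullmatch(r"[A-Za-z0-9.-]+", realm):
        return None
    for pattern, destination in REALM_ROUTES:
        if pattern.match(realm):
            return destination
    return DEFAULT_ROUTE


def route_table(user_names: List[str]) -> dict:
    """Route a batch of names; useful for checking a rule set before deploying it."""
    return {name: select_route(name) for name in user_names}


if __name__ == "__main__":
    # Constructed sample names covering the local realm, other Japanese
    # universities, a foreign realm, and malformed identifiers.
    sample = ["alice@tohoku.ac.jp", "bob@kyoto.ac.jp", "carol@cs.kyushu-u.ac.jp",
              "dave@example.edu.au", "eve", "frank@", "mallory@bad realm"]
    for name, dest in route_table(sample).items():
        print(f"{name:28s} -> {dest}")
```

Because the first match wins, the order of the table is part of the policy: a catch-all placed before the local realm would proxy the site's own users to itself via the national proxy.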
Problem about operational policy
• Problem
1. Guest use of IP addresses in a visited institution is not acceptable.
• Responsible bodies become unclear.
• Visited institutions are often involved in resolving troubles (e.g. cracking, illegal access).
• Causes a violation of subscription conditions of IP address-based licensing (e.g. online journals).
2. Each institution has different network administration policies.
→ Visited institutions need a way to authorize roaming guests’ access to local resources.
• Solution
1. VPN-only policy (for Internet access)
2. Exchange of user class information and access control for local resources
Proposed solutions (Campus Ubiquitous Network)
(diagram: client with supplicant S/W, AP, FW, RADIUS server and local resources at the visited institution; FW, RADIUS server, VPN server and local resources at the home institution; the Internet between them)
1. VPN-only policy: Roaming users must use a home VPN server to access the Internet. (Direct access to the Internet from the visited institution network is prohibited.) After authentication at the AP, a user accesses the home VPN server and goes outside from there, using a home IP address.
2. Exchange of user class information and access control for local resources: exchange of authorization information and access control, as an extension to eduroam authentication. This is our recent main theme.
Exchange of user class information and access control for local resources
• Basic idea
– Extend the eduroam authentication procedure
– A home RADIUS server attaches user class information to a RADIUS Access-Accept packet.
– A RADIUS server in a visited institution authorizes user accesses to local resources according to the received user class and local policies.
→ Realize access control for local resources
• Prototype implementation is done
User class
• Classification of users by common criteria in eduroam federation
• Each institution assigns user class to each user of the institution in advance.
Example of access control for local resources by user class
(diagram: client at the visited institution, AP, FW, a local service (e.g. printer), the campus network, further FWs and the Internet; user classes 1 to 4)
• Users (class 1) cannot access local resources
• Users (class 2) can access only the local network
• Users (class 3) can access the campus network, but cannot access the Internet directly
• Users (class 4) can access the Internet directly
Procedure: Access-Request
(diagram: visited and home institutions, each with client/supplicant S/W, AP, FW, RADIUS server and local resources, connected over the Internet)
• Start 802.1X authentication
• Use eduroam to authenticate the user
• Send a RADIUS Access-Request (a normal RADIUS Access-Request packet, as usual in eduroam)
• Authenticate and authorize the user
Procedure: Access-Accept
(diagram: visited and home institutions, each with client/supplicant S/W, AP, FW, RADIUS server and local resources, connected over the Internet)
• Retrieve the user class for the user, and send a RADIUS Access-Accept packet (a RADIUS Access-Accept packet with the user class information)
• Authorize accesses to local resources using the user class and local policies
Procedure: Access-Accept (cont.)
(diagram: visited and home institutions, each with client/supplicant S/W, AP, FW, RADIUS server and local resources, connected over the Internet)
• Send a RADIUS Access-Accept packet with information of authorized local resources
• Set filtering rules according to the received information
• Send an Access-Accept packet without information of authorized resources
• 802.1X authentication succeeds
Procedure: access to local resources
(diagram: visited and home institutions, each with client/supplicant S/W, AP, FW, RADIUS server and local resources, connected over the Internet)
• Access to local resources
• Filter traffic to local resources (block unauthorized accesses)
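As an added example, not code from the presentation's prototype, the Python below models the procedure on the preceding slides together with the four user classes from the "Example of access control for local resources by user class" slide: the home server attaches the user class to its Access-Accept, the visited server maps the class to local filter rules under its own policy, and the firewall evaluates those rules per destination. The attribute name X-Eduroam-User-Class, the address plan, the user directory and the rule format are assumptions (the representation of the user class is listed as an open issue later in the presentation). It also handles the failure modes a visited server must decide on: a missing or unknown class falls back to the most restrictive policy, and an Access-Reject from home passes through unchanged.

```python
import ipaddress
import logging
from typing import Dict, List, Tuple

log = logging.getLogger("visited-radius")

# Hypothetical attribute name carrying the federation-wide user class from the
# home RADIUS server to the visited one inside the Access-Accept.  The
# presentation leaves the actual representation open.
USER_CLASS_ATTR = "X-Eduroam-User-Class"

# Constructed address plan of the visited institution.
LOCAL_NET = ipaddress.ip_network("10.1.0.0/16")   # local network, e.g. a printer segment
CAMPUS_NET = ipaddress.ip_network("10.0.0.0/8")   # whole campus network (contains LOCAL_NET)
ANY = ipaddress.ip_network("0.0.0.0/0")

Rule = Tuple[str, ipaddress.IPv4Network]          # ("permit" | "deny", destination prefix)

# Local policy of the visited institution, indexed by user class.  It follows
# the four example classes from the slides; the prefixes are this example's own.
LOCAL_POLICY: Dict[int, List[Rule]] = {
    1: [("deny", ANY)],                              # no local resources at all
    2: [("permit", LOCAL_NET), ("deny", ANY)],       # local network only
    3: [("permit", CAMPUS_NET), ("deny", ANY)],      # campus network, no direct Internet
    4: [("permit", ANY)],                            # direct Internet access
}
MOST_RESTRICTIVE = 1   # applied when the class is missing or not understood


def home_server_accept(user_name: str, user_classes: Dict[str, int]) -> Dict[str, str]:
    """Home institution: after a successful authentication (not modelled here),
    look up the user's pre-assigned class and attach it to the Access-Accept."""
    if user_name not in user_classes:
        return {"code": "Access-Reject"}
    return {"code": "Access-Accept", USER_CLASS_ATTR: str(user_classes[user_name])}


def visited_server_authorize(packet: Dict[str, str]) -> Dict[str, object]:
    """Visited institution: translate the received class into local filter rules.

    An Access-Reject passes through untouched.  An Access-Accept without a
    class, or with a class the local policy does not know, is not rejected
    (the user did authenticate at home) but gets the most restrictive policy.
    """
    if packet.get("code") != "Access-Accept":
        return dict(packet)
    raw = packet.get(USER_CLASS_ATTR)
    try:
        user_class = int(raw) if raw is not None else None
    except ValueError:
        user_class = None
    if user_class not in LOCAL_POLICY:
        log.warning("user class %r missing or unknown; applying class %d", raw, MOST_RESTRICTIVE)
        user_class = MOST_RESTRICTIVE
    return {"code": "Access-Accept", "User-Class": user_class,
            "Filter-Rules": list(LOCAL_POLICY[user_class])}


def is_permitted(rules: List[Rule], destination: str) -> bool:
    """First-match evaluation of the rules handed to the firewall; implicit deny."""
    dst = ipaddress.ip_address(destination)
    for action, prefix in rules:
        if dst in prefix:            # an IPv6 destination never matches an IPv4 prefix
            return action == "permit"
    return False


if __name__ == "__main__":
    # Constructed home-institution directory: user -> class.
    home_db = {"alice@home.example": 3, "bob@home.example": 2}
    for user in ("alice@home.example", "bob@home.example", "nobody@home.example"):
        reply = visited_server_authorize(home_server_accept(user, home_db))
        print(user, reply)
        if reply["code"] == "Access-Accept":
            for dst in ("10.1.7.7", "10.9.0.1", "203.0.113.9"):
                verdict = "permitted" if is_permitted(reply["Filter-Rules"], dst) else "blocked"
                print("   ", dst, verdict)
```

Running the block prints, for each constructed user, the visited server's reply and whether a few sample destinations (local segment, elsewhere on campus, the Internet) would be permitted. Keeping the class-to-rules mapping on the visited side is what lets each institution apply its own policy to the same federation-wide class.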
Issues to be examined
• The definition of the “user class” in eduroam
– Representation, granularity, and so on
• How to realize and control the communication between roaming users and local resources
• Et cetera
Summary
• 6 institutions are participating in eduroam JP.
• Issues regarding roaming are revealed through the deployment of eduroam JP.
• Examining access control of roaming users regarding local resources
Thank you for your kind attention.
The problem about traceability
(diagram: a visitor at the visited institution, using a host IP address of the visited institution, makes illegal access to the Internet; the home institution is elsewhere)
• What if a visitor with an IP address of the visited institution did some attacks on servers outside?
• Guest users using the host’s IP addresses are recognized as members of the institution.
• A visitor cannot access the user’s home resources.
Traceability: case study 1
University B is subscribing to an electronic journal X, while another university A is not.
A student at univ-A goes to univ-B so he/she can download journal X using the WLAN roaming. Since the student downloaded too many articles at once, the publisher thought it was a violation of the subscription condition and sent a complaint to univ-B.
In univ-B, the NW manager has to analyze the roaming logs and contact univ-A to search for the user.
User tracking and communications between universities are laborious. Even between departments in a university, such user tracking is very difficult. It is much more difficult between countries.
Traceability: case study 2
Some resources such as local web servers in univ-B are protected by an address-based access restriction. When people in univ-A visited univ-B, they could gain access to the resources using the WLAN roaming system.
Even if the administrators of the web servers examine the access logs, the outsiders’ accesses cannot be noticed because the “local” IP addresses are used.
Possible solution for roaming issues
Dedicated network
• A dedicated network might be useful for solving the responsibility problems.
– User tracking remains difficult.
• WLAN users cannot use local resources.
– This can be either a merit or a demerit.
(diagram: home university and visited university, each with a campus LAN and a dedicated network, connected to the Internet and to a publisher)
VPN-only solution
Permitted protocols for roaming users
• VPN
– PPTP (GRE (47), TCP/1723)
– OpenVPN (UDP/1194)
– SSH (TCP/22)
– IPsec NAT-traversal (UDP/4500)
– Cisco IPsec (TCP/10000)
– L2TP (UDP/1701)
• Others
– pop3 (TCP/110)
– pop3s (TCP/995)
– imap4 (TCP/143)
– imaps (TCP/993)
– ssmtp (TCP/465)
– msa (TCP/587)