Post on 19-Dec-2015
transcript
Deliverable H: the interoperability testbed design
Klaas Wierenga
SURFnet
<Klaas.Wierenga@SURFnet.nl>
Web-based with RADIUS
[Diagram: WWW browser, access control device, AAA server, docking network, Internet; numbered message flow 1–5]
RADIUS-based web interface authentication at the University of Tampere.
The Finnish are scaling this solution to their national infrastructure by using a hierarchy of RADIUS proxy servers.
VPN
[Diagram: Intranet X, docking network, campus network, G-WiN, VPN gateways; the docking network offers DHCP, DNS and free web access]
SWITCHmobile – VPN solution deployed at 7 universities across Switzerland.
Wbone – VPN roaming solution for 4 universities / colleges in the state of Bremen.
A "virtual campus" initiative in Lisbon, which has been testing and developing a VPN & PKI infrastructure.
PPPoE – University of Bristol
Cross-domain 802.1X with VLAN assignment
[Diagram: a guest supplicant (piet@institution_b.nl) at Institution A authenticates via the authenticator (AP or switch) to Institution A's RADIUS server, which proxies the request over the Internet through a central RADIUS proxy server to Institution B's RADIUS server and user DB; Institution A then places the user in StudentVLAN, GuestVLAN or EmployeeVLAN]
Authentication at the home institution: 802.1X, TTLS (SecureW2), (proxy) RADIUS. One-time passwords are also sent to guest users via SMS.
A RADIUS hierarchy is proposed to scale this to a Europe-wide solution.
Current status
• Characteristics identified as
– 802.1X – “the future”, easy to scale, secure but cutting edge, thus expensive.
– VPN – widely available, expensive, secure & hard to scale.
– Web-based – cheap, widely available, easy to scale, but not secure.
• Preliminary selection for inter-NREN roaming – in draft, conclusions are
– No national solution meets all the requirements.
– The group has chosen not to consider the following:
– Local VPN access.
– PKI
– An architecture that supports the various national solutions is needed; a three stream approach is recommended…
Controlled Address Space for VPN Gateways
• Design and work plan documentation underway.
• Interoperability tests of VPN to RADIUS proxy hierarchy agreed.
• Further work to follow.
RADIUS proxy hierarchy
[Diagram: NREN RADIUS proxy servers (FCCN, UKERNA, SURFnet, FUNET, DFN, CARnet, CESnet, RedIRIS, UNI-C, GRnet) connecting to a European level RADIUS proxy server]
Integration?
• 802.1X – secure SSID – RADIUS
• Web-based captive portal – open SSID – RADIUS
• PKI-based – open SSID – no RADIUS
Network layout with multiple SSIDs and VLAN assignment
Network layout without multiple SSIDs and VLAN assignment
Layer 2 design of the interoperability testbed
[Diagram labels: AP 1200; captive portal (acting as a router); switch; RADIUS server 192.87.108.67; vlan 108; trunk with vlan 108, 109, 117, 163; trunk with vlan 163, 117; vlan 117; vlan 163. Client cases: guest using web access (SSID: eduroam-guest); guest using 802.1X guest access (SSID: eduroam); guest using web access via the dot1x guest VLAN; guest using 802.1X with proxied credentials.]
Conclusions
• It is possible to create an interoperable solution
• It’s not that hard – especially when you use Deliverable H to guide you
• The future will show if and how these solutions will continue to exist
• Deliverable H also provides an easy upgrade path