BdNOG-20220625-MT-v6.0.pptx

1. Versatility of Federated Services and its Applications. 14th BdNOG Conference, Date: 01 July 2022, Time: 14:30 hrs [GMT+6]. Presented by Mohammad Tawrit, CEO, and Khandakar Rashedul Arefin, Manager. © Bangladesh Research and Education Network, All Rights Reserved. Connect Collaborate Innovate.
2. Video on BdREN
   • Video Link:
3. What is Federation? (diagram: Without Identity Federation / With Identity Federation)
4. Federated Services => Benefits
   • Ease of access to services
   • Improved user experience through Single Sign-on
   • Improved security
   • Ease of management of users
5. Metadata Theory => Bilateral Connectivity
   • Bi-lateral connections: connecting an IdP and an SP together by directly sharing metadata between the two.
6. Bilateral Connectivity => doesn't scale. For each service connected to an IdP:
   • An agreement with each SP
   • Swapping metadata through some agreed process (each SP may have its own process for sharing metadata)
   • The IdP needs to be modified for each new SP added (manual process)
   • If the IdP's metadata changes (e.g. certificate renewal), all SPs need to refresh their copy of the IdP's metadata
7. Bilateral Connectivity => doesn't scale. For each IdP a service connects to:
   • An agreement with each IdP
   • Swapping metadata through some agreed process (each IdP may have its own process for sharing metadata)
   • The SP needs to be modified for each new IdP added (manual process)
   • If the SP's metadata changes (e.g. certificate renewal), all IdPs need to refresh their copy of the SP's metadata
8. Federation Architecture
   • The IdP: users; IdP metadata
   • The SP: a service being offered to users; SP metadata
   • The Federation: federation policy; Metadata Registration Practice Statement (MRPS); metadata signing key; signed federation metadata
9. IdP Joins Federation. An IdP joins the federation...
   • Using Jagger it registers its metadata and connects with the federation
   • The Federation Operator will verify the organisation based on the rules in the MRPS
   • Jagger will validate the metadata provided, add it to the federation metadata, and sign and publish the updated metadata
10. SP Joins Federation. An SP joins the federation...
   • Using Jagger it registers its metadata and connects with the federation
   • The Federation Operator will verify the organisation based on the rules in the MRPS
   • Jagger will validate the metadata provided, add it to the federation metadata, and sign and publish the updated metadata
11. Getting the Signing Key. IdPs and SPs need a copy of the metadata signing key:
   • Download the key from a known location
   • Verify the key
   • Add the key to their configuration
   The Federation Operator must make the signing key available for download, and MUST keep the private half of the key private!
12. Get the Federation Metadata. IdPs and SPs get the common signed metadata file from the federation operator:
   • Download the file
   • Verify, using the signing key, that it has not been modified
   • Repeat every hour
   When IdP or SP metadata changes, the change is made in Jagger and published to the federation metadata, which is signed again; the change is then consumed by all federation members.
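The download, verify and repeat cycle of slides 11 and 12, as an added Python example that is not part of the presentation or of BdREN's tooling: the checks a metadata consumer makes around the signature check itself, pinning the fingerprint of the federation signing certificate obtained out of band and bounding validUntil so a stale or absurdly long-lived aggregate is refused. The certificate, the aggregate and the clock are constructed stand-ins; the XML-DSig verification proper is assumed to be done by xmlsec1 or pysaml2 and is not reimplemented here.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for the federation signing certificate (not a real cert).
# Operators pin the SHA-256 fingerprint they obtained out of band (website, MRPS).
SIGNING_CERT_B64 = base64.b64encode(b"constructed-federation-signing-cert").decode()
PINNED_SHA256 = hashlib.sha256(base64.b64decode(SIGNING_CERT_B64)).hexdigest()
DEMO_NOW = datetime(2022, 7, 1, 8, 30, tzinfo=timezone.utc)  # constructed clock

def sample_aggregate(valid_until, cert_b64):
    """Constructed aggregate with the shape a federation operator publishes."""
    return f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
        Name="https://federation.example.invalid" validUntil="{valid_until}">
      <ds:Signature><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></ds:Signature>
      <md:EntityDescriptor entityID="https://idp.university.example.invalid/idp"/>
      <md:EntityDescriptor entityID="https://sp.service.example.invalid/sp"/>
    </md:EntitiesDescriptor>"""

def check_aggregate(xml_text, pinned_sha256, now, max_validity=timedelta(days=14)):
    """Checks around the signature: key pinning and the validUntil window.
    The XML-DSig verification itself is left to xmlsec1/pysaml2."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntitiesDescriptor":
        return False, "root is not an EntitiesDescriptor"
    # 1. The certificate carried in KeyInfo must be the pinned federation key;
    #    otherwise anyone could embed their own cert and the signature 'verifies'.
    cert = root.find(f"{{{DS}}}Signature/{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    if cert is None or not cert.text:
        return False, "no signing certificate in metadata"
    der = base64.b64decode("".join(cert.text.split()))
    if hashlib.sha256(der).hexdigest() != pinned_sha256:
        return False, "signing certificate does not match pinned fingerprint"
    # 2. validUntil: refuse a stale (replayed) aggregate and one valid unreasonably far ahead.
    valid_until = root.get("validUntil")
    if valid_until is None:
        return False, "validUntil missing"
    expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
    if expires <= now:
        return False, "metadata expired"
    if expires - now > max_validity:
        return False, "validUntil too far in the future"
    return True, f"ok: {len(root.findall(f'{{{MD}}}EntityDescriptor'))} entities"
```

Run `check_aggregate` on every hourly download before handing the file to the IdP or SP software, and only load it when the result is `True`.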
13. How does Federation work? (diagram)
14. Applications
   • eduGAIN
   • eduroam
   • OpenRoaming
   • Research Paper Access
   • Zoom as a Service
   • Other Applications
15. eduGAIN Metadata. Now to extend into eduGAIN...
16.-21. eduGAIN Metadata (diagram slides; no text beyond the title)
22. eduGAIN links
   • What is eduGAIN... https://edugain.org/
   • Who is participating... https://technical.edugain.org/status
   • What services are available... https://technical.edugain.org/entities
   • Which IdPs are participating... https://technical.edugain.org/entities
   • What about the policy... https://technical.edugain.org/documents
23. eduroam => what is it?
   • eduroam is a global WiFi roaming consortium which gives members of the education and research community free internet access at all eduroam hotspots on the planet.
24. eduroam hierarchical structure (diagram): inter-federation operators -> the .bd federation operator (BdREN NRS) -> IdPs and SPs: SUST, SAU, SBAU, BUET, IUB, MBSTU, JUST, PSTU, PUST, DUET, BRUR, KUET, IU, BSMRAU, IUT, CUET, EU, BoU.
25. eduroam -->> flow of authentication (local) (diagram): mafiz@ru.ac.bd at Rajshahi University -> RU IRS -> local authentication -> Access Accept/Reject. Other nodes shown: BdREN NRS, HERNET/AARnet TLR, DeIC NRS, DTU IRS (Technical University of Denmark).
26. eduroam -->> flow of authentication (in-roamer) (diagram): Martin@dtu.dk at Rajshahi University (service provider) -> RU IRS -> BdREN NRS -> HERNET/AARNet TLR -> DeIC NRS -> DTU IRS (identity provider) -> foreign authentication -> Access Accept/Reject.
27. eduroam security concern (is it safe?)
   • Authentication: 802.1X
   • Inner tunnel authentication: MSCHAPv2.0
   • Outer tunnel authentication: EAP-TLS
28. MSCHAPv2.0 -->> inner tunnel authentication (diagram): the client asks to log in as username james; the MSCHAP server sends the challenge message 15472a309fe22789efa522d45c7af9ad; the client hashes its password together with the challenge and returns the challenge response db3fc40e6439d4d972870252ccc11f99; the server computes the expected challenge response from its stored credentials (username james, password pass111) and the same challenge; the challenge responses match, so the server sends Access Accept.
29. eduroam authentication -->> full flow (diagram: supplicant, RADIUS server and authentication server; EAP Request-ID, EAP Response-ID, RADIUS Request-ID; EAP-TLS Start and Client Hello; exchange of the authentication server certificate and supplicant certificate, i.e. the RADIUS server's and supplicant's public keys; creation of the outer tunnel; MSCHAP challenge, then username and password hash inside the inner tunnel; Provide/Reject Access)
   • Client and server both have a valid certificate containing their "public key"
   • Client and server share their certificates, thereby sharing their "public keys"
   • Client encrypts its credentials using the server's public key
   • Server encrypts its traffic using the client's public key
   Outer tunnel: EAP-TLS. Inner tunnel: MSCHAP.
30. eduroam security
   • Framework 802.1X: RADIUS with tunneled EAP (TTLS, PEAP); outer tunnel and inner tunnel (diagram)
31. Fervent Appeal
   • ISPs can come forward to bring their hotspots (e.g. hotel, airport) under the coverage of eduroam for the benefit of the education and research community.
   • What will ISPs require? An access point with dual-SSID broadcast capability and 802.1X authentication support.
32. Can commercial ISPs do it? Challenges:
   • Routing RADIUS requests: needs a hierarchy like the NRENs' (IRS -> NRS -> TLR/eTLR). It can also be accomplished by dynamic resolution of the RADIUS service from the Domain Name Server using SRV record resolution [overcome using OpenRoaming].
   • Billing: not an NREN concern, as NRENs are non-profit organizations; a real challenge for ISPs, as they need to charge the subscribers [yes, it can be accomplished using OpenRoaming as well].
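The realm-based proxying of slides 25, 26 and 32, modelled as an added Python example (not code from the presentation or from BdREN): the visited site's RADIUS server decides from the realm suffix of the outer identity whether to authenticate locally or forward up the IRS -> NRS -> TLR chain, and rejects identities that carry no usable realm before they enter the hierarchy. The server names and realm tables are constructed from the slides; the DNS SRV discovery the slide mentions as an alternative is not modelled.

```python
import re

# Constructed model of the eduroam RADIUS hierarchy from the slides: institutional
# servers (IRS) sit under a national server (NRS), which sits under the top-level
# servers (TLR). Every hop forwards on the realm suffix of the outer identity.
IRS = {                       # institution realm -> (its IRS, the NRS above it)
    "ru.ac.bd": ("RU IRS", "BdREN NRS"),
    "buet.ac.bd": ("BUET IRS", "BdREN NRS"),
    "dtu.dk": ("DTU IRS", "DeIC NRS"),
}
NRS_FOR_TLD = {"bd": "BdREN NRS", "dk": "DeIC NRS"}   # what the TLR knows
REALM_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")  # at least one dot

def realm_of(outer_identity):
    """Lower-cased realm of 'user@realm', or None if the identity is unusable.
    Identities without '@' or with a dotless realm (e.g. 'localhost') are
    rejected at the visited site so they never enter the proxy hierarchy."""
    if outer_identity.count("@") != 1:
        return None
    realm = outer_identity.rsplit("@", 1)[1].strip().lower()
    return realm if REALM_RE.match(realm) else None

def route(outer_identity, visited_realm):
    """Hops a request takes from the visited IRS to wherever it is decided."""
    visited_irs, visited_nrs = IRS[visited_realm]
    realm = realm_of(outer_identity)
    if realm is None:
        return [visited_irs, "reject: malformed or missing realm"]
    if realm == visited_realm:                       # slide 25: local user
        return [visited_irs, "local authentication"]
    path = [visited_irs, visited_nrs]
    tld = realm.rsplit(".", 1)[1]
    home_nrs = NRS_FOR_TLD.get(tld)
    if home_nrs is None:                             # TLR has no route for it
        return path + ["TLR", f"reject: no NRS for .{tld}"]
    if home_nrs != visited_nrs:                      # slide 26: in-roamer,
        path += ["TLR", home_nrs]                    # up to the TLR and down
    if realm not in IRS or IRS[realm][1] != home_nrs:
        return path + [f"reject: unknown realm {realm}"]
    return path + [IRS[realm][0], "home authentication"]
```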
33. OpenRoaming -->> Architecture (diagram)
34. OpenRoaming => Authentication Flow (diagram): configure DNS; enterprise-based security and Hotspot 2.0; IdP discovery; EAP-TLS authentication, policy and accounting; WPA2 with EAP-TLS.
35. OpenRoaming Requirements
   • Wireless networks (Cisco): Cisco AireOS-based WLC running AireOS 8.3 or later plus Cisco DNA Spaces SEE; Cisco Catalyst 9800 WLC running IOS-XE 16.12 or later plus Cisco DNA Spaces SEE; Cisco Meraki plus Cisco DNA Spaces SEE
   • Service providers: top venues in the world including Canary Wharf, Clair and the Fira de Barcelona
   • Identity providers: Samsung, Boingo Wireless; Apple ID; Google ID
   • End devices: Samsung devices [Android 10 or higher] using the native OS; iPhone [iOS 13.3 or higher] using the OpenRoaming mobile app; Android [Android 9.0 or higher] using the OpenRoaming mobile app; Google Pixel [Android 11.0 or higher] using the native OS
36. (closing slide)
