SlideShare uma empresa Scribd logo

EAP-TLS

Karri Huhtanen
Karri Huhtanen

How to deploy certificate based Wi-Fi authentication and authorisation.? A presentation in the Nordunet Technical Workshop 2019.

Tecnologia
1 de 9
Baixar para ler offline
EAP-TLS KARRI HUHTANEN RADIATOR SOFTWARE OY
EAP-TLS is easy … … for RADIUS server. At the minimum one needs only to configure RADIUS server certificate and the CA certificate for client certificate verification. … to configure improperly. Understanding how certificates, certificate revocation, root and intermediate CAs, PKI etc works requires significant effort. Designing and deploying working model requires even more. … only when one does not need to care about the client certificates, their configuration, provisioning and management.
Deploying EAP-TLS never start or settle requirements because of a product, solution or technology start with defining and designing policies (validity, expiry times, authorisation, usage …) PKI (hierarchy: CAs, intermediate CAs, certificate usage …) configuration management certificate provisioning certificate requirements (roaming, use, technology …) … but do pilot /trials simultaneously to learn and to see how things do (or do not) work or scale with real users and infrastructure
Start with simple trial … Try self-signed CA, manually created client certificates first (or Radiator’s certificates directory) eduroam managed IdP as a service for roaming EAP-TLS tests Verify first that your underlying network and especially firewalls and their rules work when using EAP-TLS Firewalls filtering UDP fragments and especially *BSD firewalls (scrub setting) can cause problems. Federation Level RADIUS IdP/SP RADIUS Wi-Fi network (controller) Client devices
Add basic automatic certificate validation… a separate Certificate Authority (CA) capable of providing certificate revocation lists (CRLs) or function as a Online Certificate Status Protocol (OCSP) server is needed several open source CAs/PKIs available: easypki, dogtag, ejbca … with this setup one can ensure that when certificates expire, they do not work for authentication anymore automating the certificate validity check is essential for using certificate authentication Federation Level RADIUS IdP/SP RADIUS Wi-Fi network (controller) Certificate Authority (CA) OCSP reqs. CRLs, delta- CRLs Certificates
Add connection to authorisation database… Authorisation database can be Active Directory, LDAP, SQL with additional information about the client certificate. CA, CRLs and OCSP can be sometimes replaced by client certificate check against the authorisation database. Authorisation database can contain additional information such as VLAN assignments, account active/locked etc. How flexible/complex/simple the authorisation checks can be depends on the IdP RADIUS product. Federation Level RADIUS IdP RADIUS Wi-Fi network (controller) Certificate Authority (CA) OCSP reqs. CRLs, delta- CRLs Certificates LDAP, SQL, etc. IdP Authorisation Database (AD, LDAP, SQL)
Deploy certificate management service… Properly distributing and configuring certificates in the end user devices is difficult. For managed devices (Windows domain/ Intune) or for Apple devices it is easier, but Android/Linux devices are hard. Currently there seems to be no better approach than to have an app in the device talking to a service. One commercial option is SecureW2. Certificate signing requests created in the actual device are even harder. IdP RADIUS Wi-Fi network (controller) Certificate Management Service OCSP reqs. CRLs, delta- CRLs Certificates LDAP, SQL, etc. IdP Authorisation Database (AD, LDAP, SQL) Certificate (signing) requests Certificate request authorisation requests
… and you are done… sort of … maybe … If everything presented before works for you, it’s brilliant … and you are brilliant. Unfortunately any organisation who does not have the first step right will break your organisation’s users’ roaming. Sometimes even the packet filters / firewalls in front of federation level RADIUS servers need configuration adjustments. Deploying certificate based authentication requires design, competence and support from infrastructure and service vendors — choose wisely, select vendors and solutions, for which you can get support for design, deployment and production.
Questions? Find this presentation and more from: https://blog.radiatorsoftware.com/ https://slideshare.net/radiatorsoftware/ https://slideshare.net/khuhtanen/ https://twitter.com/OSCRadiator Extended presentation coming to JISC govroam stakeholders’ meeting (15th of October 2019 in Manchester, United Kingdom) and to the Internet locations above.

Recomendados

Security issues in RADIUS based Wi-Fi AAA
Security issues in RADIUS based Wi-Fi AAASecurity issues in RADIUS based Wi-Fi AAA
Security issues in RADIUS based Wi-Fi AAAKarri Huhtanen
 
TLS and Certificates
TLS and CertificatesTLS and Certificates
TLS and CertificatesKarri Huhtanen
 
Routing host certificates in eduroam/govroam
Routing host certificates in eduroam/govroamRouting host certificates in eduroam/govroam
Routing host certificates in eduroam/govroamKarri Huhtanen
 
EAP-TLS (extended version)
EAP-TLS (extended version)EAP-TLS (extended version)
EAP-TLS (extended version)Karri Huhtanen
 
Routing host certificates in eduroam
Routing host certificates in eduroamRouting host certificates in eduroam
Routing host certificates in eduroamRadiator Software
 
AAA in a nutshell
AAA in a nutshellAAA in a nutshell
AAA in a nutshellMohamed Daif
 
Implementing Cisco AAA
Implementing Cisco AAAImplementing Cisco AAA
Implementing Cisco AAAdkaya
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...DATA SECURITY SOLUTIONS
 

Recomendados

Security issues in RADIUS based Wi-Fi AAA
Security issues in RADIUS based Wi-Fi AAASecurity issues in RADIUS based Wi-Fi AAA
Security issues in RADIUS based Wi-Fi AAAKarri Huhtanen
 
TLS and Certificates
TLS and CertificatesTLS and Certificates
TLS and CertificatesKarri Huhtanen
 
Routing host certificates in eduroam/govroam
Routing host certificates in eduroam/govroamRouting host certificates in eduroam/govroam
Routing host certificates in eduroam/govroamKarri Huhtanen
 
EAP-TLS (extended version)
EAP-TLS (extended version)EAP-TLS (extended version)
EAP-TLS (extended version)Karri Huhtanen
 
Routing host certificates in eduroam
Routing host certificates in eduroamRouting host certificates in eduroam
Routing host certificates in eduroamRadiator Software
 
AAA in a nutshell
AAA in a nutshellAAA in a nutshell
AAA in a nutshellMohamed Daif
 
Implementing Cisco AAA
Implementing Cisco AAAImplementing Cisco AAA
Implementing Cisco AAAdkaya
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...DATA SECURITY SOLUTIONS
 
Cassandra and security
Cassandra and securityCassandra and security
Cassandra and securityBen Bromhead
 
RADIUS
RADIUSRADIUS
RADIUSamogh_ubale
 
The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)Sarah Conway
 
radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)rinnocente
 
Cisco acs configuration guide
Cisco acs configuration guideCisco acs configuration guide
Cisco acs configuration guideRichardsCCNA
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS ProtocolsPeter R. Egli
 
PIW ISE best practices
PIW ISE best practicesPIW ISE best practices
PIW ISE best practicesSergey Kucherenko
 
Authentication services
Authentication servicesAuthentication services
Authentication servicesGreater Noida Institute Of Technology
 
Kerberos part 1
Kerberos part 1Kerberos part 1
Kerberos part 1Spencer Harbar
 
10215 A 14
10215 A 1410215 A 14
10215 A 14Juanchi_43
 
NetScaler 11 Update
NetScaler 11 UpdateNetScaler 11 Update
NetScaler 11 UpdateMarketingArrowECS_CZ
 
At8000 s configurando_8021x
At8000 s configurando_8021xAt8000 s configurando_8021x
At8000 s configurando_8021xNetPlus
 
Kerberos explained
Kerberos explainedKerberos explained
Kerberos explainedDotan Patrich
 
Radius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsRadius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsDhananjay Aloorkar
 
Kerberos
KerberosKerberos
KerberosPrafull Johri
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificatesStephane Potier
 
Kerberos protocol
Kerberos protocolKerberos protocol
Kerberos protocolAjit Dadresa
 
Kerberos
KerberosKerberos
KerberosMohanasundaram Nattudurai
 
Deep Dive In To Kerberos
Deep Dive In To KerberosDeep Dive In To Kerberos
Deep Dive In To KerberosIshan A B Ambanwela
 
Kerberos case study
Kerberos case studyKerberos case study
Kerberos case studyMayuri Patil
 
Ssl Https Server
Ssl Https ServerSsl Https Server
Ssl Https ServerRam Srivastava
 
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxOralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxssuser865ecd
 

Mais conteúdo relacionado

Mais procurados

Cassandra and security
Cassandra and securityCassandra and security
Cassandra and securityBen Bromhead
 
The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)Sarah Conway
 
radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)rinnocente
 
Cisco acs configuration guide
Cisco acs configuration guideCisco acs configuration guide
Cisco acs configuration guideRichardsCCNA
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS ProtocolsPeter R. Egli
 
At8000 s configurando_8021x
At8000 s configurando_8021xAt8000 s configurando_8021x
At8000 s configurando_8021xNetPlus
 
Radius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsRadius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsDhananjay Aloorkar
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificatesStephane Potier
 
Kerberos case study
Kerberos case studyKerberos case study
Kerberos case studyMayuri Patil
 

Mais procurados (20)

Cassandra and security
Cassandra and securityCassandra and security
Cassandra and security
 
RADIUS
RADIUSRADIUS
RADIUS
 
The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)
 
radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)
 
Cisco acs configuration guide
Cisco acs configuration guideCisco acs configuration guide
Cisco acs configuration guide
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS Protocols
 
PIW ISE best practices
PIW ISE best practicesPIW ISE best practices
PIW ISE best practices
 
Authentication services
Authentication servicesAuthentication services
Authentication services
 
Kerberos part 1
Kerberos part 1Kerberos part 1
Kerberos part 1
 
10215 A 14
10215 A 1410215 A 14
10215 A 14
 
NetScaler 11 Update
NetScaler 11 UpdateNetScaler 11 Update
NetScaler 11 Update
 
At8000 s configurando_8021x
At8000 s configurando_8021xAt8000 s configurando_8021x
At8000 s configurando_8021x
 
Kerberos explained
Kerberos explainedKerberos explained
Kerberos explained
 
Radius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsRadius server,PAP and CHAP Protocols
Radius server,PAP and CHAP Protocols
 
Kerberos
KerberosKerberos
Kerberos
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificates
 
Kerberos protocol
Kerberos protocolKerberos protocol
Kerberos protocol
 
Kerberos
KerberosKerberos
Kerberos
 
Deep Dive In To Kerberos
Deep Dive In To KerberosDeep Dive In To Kerberos
Deep Dive In To Kerberos
 
Kerberos case study
Kerberos case studyKerberos case study
Kerberos case study
 

Semelhante a EAP-TLS

Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxOralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxssuser865ecd
 
Recipes for a successful production cloudfoundry deployment - CF Summit 2014
Recipes for a successful production cloudfoundry deployment - CF Summit 2014Recipes for a successful production cloudfoundry deployment - CF Summit 2014
Recipes for a successful production cloudfoundry deployment - CF Summit 2014Vinícius Carvalho
 
Cloud Foundry Cookbook: Recipes for a Successful Cloud Foundry Deployment in ...
Cloud Foundry Cookbook: Recipes for a Successful Cloud Foundry Deployment in ...Cloud Foundry Cookbook: Recipes for a Successful Cloud Foundry Deployment in ...
Cloud Foundry Cookbook: Recipes for a Successful Cloud Foundry Deployment in ...VMware Tanzu
 
Azure Community Tour 2019 - AZUGDK
Azure Community Tour 2019 - AZUGDKAzure Community Tour 2019 - AZUGDK
Azure Community Tour 2019 - AZUGDKPeter Selch Dahl
 
Herramientas Cloud Ninja AWS "From Zero to Hero"
Herramientas Cloud Ninja AWS "From Zero to Hero"Herramientas Cloud Ninja AWS "From Zero to Hero"
Herramientas Cloud Ninja AWS "From Zero to Hero"Amazon Web Services LATAM
 
Herramientas Cloud Ninja AWS "From Zero to Hero"
Herramientas Cloud Ninja AWS "From Zero to Hero"Herramientas Cloud Ninja AWS "From Zero to Hero"
Herramientas Cloud Ninja AWS "From Zero to Hero"Amazon Web Services LATAM
 
What's (nearly) new | AWS Security Roadshow Dublin
What's (nearly) new | AWS Security Roadshow DublinWhat's (nearly) new | AWS Security Roadshow Dublin
What's (nearly) new | AWS Security Roadshow DublinAmazon Web Services
 
App viewx cert+
App viewx cert+App viewx cert+
App viewx cert+AppViewX
 
CyberArk Engineer.docx
CyberArk Engineer.docxCyberArk Engineer.docx
CyberArk Engineer.docxVasuJ6
 
Build and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of MediocrityBuild and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of MediocrityT.Rob Wyatt
 
Demystify internal certificates requirements for lync server
Demystify internal certificates requirements for lync serverDemystify internal certificates requirements for lync server
Demystify internal certificates requirements for lync serverThomas Poett
 
Migrating to the cloud - Windows on AWS
Migrating to the cloud - Windows on AWSMigrating to the cloud - Windows on AWS
Migrating to the cloud - Windows on AWSAmazon Web Services
 
Powering Remote Developers with Amazon Workspaces
Powering Remote Developers with Amazon WorkspacesPowering Remote Developers with Amazon Workspaces
Powering Remote Developers with Amazon WorkspacesAmazon Web Services
 
Cloud Computing and Virtualisation
Cloud Computing and VirtualisationCloud Computing and Virtualisation
Cloud Computing and Virtualisationanupriti
 
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...Amazon Web Services
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPALDAPCon
 
O365con14 - moving from on-premises to online, the road to follow
O365con14 - moving from on-premises to online, the road to followO365con14 - moving from on-premises to online, the road to follow
O365con14 - moving from on-premises to online, the road to followNCCOMMS
 
Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan
Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan
Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan VMware Tanzu
 

Semelhante a EAP-TLS (20)

Ssl Https Server
Ssl Https ServerSsl Https Server
Ssl Https Server
 
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxOralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
 
Recipes for a successful production cloudfoundry deployment - CF Summit 2014
Recipes for a successful production cloudfoundry deployment - CF Summit 2014Recipes for a successful production cloudfoundry deployment - CF Summit 2014
Recipes for a successful production cloudfoundry deployment - CF Summit 2014
 
Cloud Foundry Cookbook: Recipes for a Successful Cloud Foundry Deployment in ...
Cloud Foundry Cookbook: Recipes for a Successful Cloud Foundry Deployment in ...Cloud Foundry Cookbook: Recipes for a Successful Cloud Foundry Deployment in ...
Cloud Foundry Cookbook: Recipes for a Successful Cloud Foundry Deployment in ...
 
AAA server
AAA serverAAA server
AAA server
 
Azure Community Tour 2019 - AZUGDK
Azure Community Tour 2019 - AZUGDKAzure Community Tour 2019 - AZUGDK
Azure Community Tour 2019 - AZUGDK
 
Herramientas Cloud Ninja AWS "From Zero to Hero"
Herramientas Cloud Ninja AWS "From Zero to Hero"Herramientas Cloud Ninja AWS "From Zero to Hero"
Herramientas Cloud Ninja AWS "From Zero to Hero"
 
Herramientas Cloud Ninja AWS "From Zero to Hero"
Herramientas Cloud Ninja AWS "From Zero to Hero"Herramientas Cloud Ninja AWS "From Zero to Hero"
Herramientas Cloud Ninja AWS "From Zero to Hero"
 
What's (nearly) new | AWS Security Roadshow Dublin
What's (nearly) new | AWS Security Roadshow DublinWhat's (nearly) new | AWS Security Roadshow Dublin
What's (nearly) new | AWS Security Roadshow Dublin
 
App viewx cert+
App viewx cert+App viewx cert+
App viewx cert+
 
CyberArk Engineer.docx
CyberArk Engineer.docxCyberArk Engineer.docx
CyberArk Engineer.docx
 
Build and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of MediocrityBuild and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of Mediocrity
 
Demystify internal certificates requirements for lync server
Demystify internal certificates requirements for lync serverDemystify internal certificates requirements for lync server
Demystify internal certificates requirements for lync server
 
Migrating to the cloud - Windows on AWS
Migrating to the cloud - Windows on AWSMigrating to the cloud - Windows on AWS
Migrating to the cloud - Windows on AWS
 
Powering Remote Developers with Amazon Workspaces
Powering Remote Developers with Amazon WorkspacesPowering Remote Developers with Amazon Workspaces
Powering Remote Developers with Amazon Workspaces
 
Cloud Computing and Virtualisation
Cloud Computing and VirtualisationCloud Computing and Virtualisation
Cloud Computing and Virtualisation
 
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPA
 
O365con14 - moving from on-premises to online, the road to follow
O365con14 - moving from on-premises to online, the road to followO365con14 - moving from on-premises to online, the road to follow
O365con14 - moving from on-premises to online, the road to follow
 
Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan
Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan
Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan
 

Mais de Karri Huhtanen

Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and PrivacyDisobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and PrivacyKarri Huhtanen
 
Wi-Fi Roaming Security and Privacy
Wi-Fi Roaming Security and PrivacyWi-Fi Roaming Security and Privacy
Wi-Fi Roaming Security and PrivacyKarri Huhtanen
 
OpenRoaming and CapPort
OpenRoaming and CapPortOpenRoaming and CapPort
OpenRoaming and CapPortKarri Huhtanen
 
Suomen eduroam-juuripalvelun uudistukset
Suomen eduroam-juuripalvelun uudistuksetSuomen eduroam-juuripalvelun uudistukset
Suomen eduroam-juuripalvelun uudistuksetKarri Huhtanen
 
Adding OpenRoaming to existing IdP and roaming federation service
Adding OpenRoaming to existing IdP and roaming federation serviceAdding OpenRoaming to existing IdP and roaming federation service
Adding OpenRoaming to existing IdP and roaming federation serviceKarri Huhtanen
 
OpenRoaming -- Wi-Fi Roaming for All
OpenRoaming -- Wi-Fi Roaming for AllOpenRoaming -- Wi-Fi Roaming for All
OpenRoaming -- Wi-Fi Roaming for AllKarri Huhtanen
 
Beyond eduroam: Combining eduroam, (5G) SIM authentication and OpenRoaming
Beyond eduroam: Combining eduroam, (5G) SIM authentication and OpenRoamingBeyond eduroam: Combining eduroam, (5G) SIM authentication and OpenRoaming
Beyond eduroam: Combining eduroam, (5G) SIM authentication and OpenRoamingKarri Huhtanen
 
Cooperative labs, testbeds and networks
Cooperative labs, testbeds and networksCooperative labs, testbeds and networks
Cooperative labs, testbeds and networksKarri Huhtanen
 
Privacy and traceability in Wi-Fi networks
Privacy and traceability in Wi-Fi networksPrivacy and traceability in Wi-Fi networks
Privacy and traceability in Wi-Fi networksKarri Huhtanen
 
What is Network Function Virtualisation (NFV)?
What is Network Function Virtualisation (NFV)?What is Network Function Virtualisation (NFV)?
What is Network Function Virtualisation (NFV)?Karri Huhtanen
 
What is Network Function Virtualisation (NFV)?
What is Network Function Virtualisation (NFV)?What is Network Function Virtualisation (NFV)?
What is Network Function Virtualisation (NFV)?Karri Huhtanen
 
Building secure, privacy aware, quality Wi-Fi coverage via cooperation
Building secure, privacy aware, quality Wi-Fi coverage via cooperationBuilding secure, privacy aware, quality Wi-Fi coverage via cooperation
Building secure, privacy aware, quality Wi-Fi coverage via cooperationKarri Huhtanen
 
Connecting the Dots: Integrating RADIUS to Network Measurement and Monitoring
Connecting the Dots: Integrating RADIUS to Network Measurement and MonitoringConnecting the Dots: Integrating RADIUS to Network Measurement and Monitoring
Connecting the Dots: Integrating RADIUS to Network Measurement and MonitoringKarri Huhtanen
 
Building city and nationwide Wi-Fi coverage via cooperation
Building city and nationwide Wi-Fi coverage via cooperationBuilding city and nationwide Wi-Fi coverage via cooperation
Building city and nationwide Wi-Fi coverage via cooperationKarri Huhtanen
 
eduroam diagnostics in NTLR, IdPs and SPs
eduroam diagnostics in NTLR, IdPs and SPseduroam diagnostics in NTLR, IdPs and SPs
eduroam diagnostics in NTLR, IdPs and SPsKarri Huhtanen
 
Using NoSQL databases to store RADIUS and Syslog data
Using NoSQL databases to store RADIUS and Syslog dataUsing NoSQL databases to store RADIUS and Syslog data
Using NoSQL databases to store RADIUS and Syslog dataKarri Huhtanen
 
Open WiFi or Broken WiFi?
Open WiFi or Broken WiFi?Open WiFi or Broken WiFi?
Open WiFi or Broken WiFi?Karri Huhtanen
 
Cloud Based Identity Management
Cloud Based Identity ManagementCloud Based Identity Management
Cloud Based Identity ManagementKarri Huhtanen
 
eduroam ennen, nyt ja tulevaisuudessa
eduroam ennen, nyt ja tulevaisuudessaeduroam ennen, nyt ja tulevaisuudessa
eduroam ennen, nyt ja tulevaisuudessaKarri Huhtanen
 
Joukkoliikennedatan ongelmat ja ratkaisuja
Joukkoliikennedatan ongelmat ja ratkaisujaJoukkoliikennedatan ongelmat ja ratkaisuja
Joukkoliikennedatan ongelmat ja ratkaisujaKarri Huhtanen
 

Mais de Karri Huhtanen (20)

Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and PrivacyDisobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
 
Wi-Fi Roaming Security and Privacy
Wi-Fi Roaming Security and PrivacyWi-Fi Roaming Security and Privacy
Wi-Fi Roaming Security and Privacy
 
OpenRoaming and CapPort
OpenRoaming and CapPortOpenRoaming and CapPort
OpenRoaming and CapPort
 
Suomen eduroam-juuripalvelun uudistukset
Suomen eduroam-juuripalvelun uudistuksetSuomen eduroam-juuripalvelun uudistukset
Suomen eduroam-juuripalvelun uudistukset
 
Adding OpenRoaming to existing IdP and roaming federation service
Adding OpenRoaming to existing IdP and roaming federation serviceAdding OpenRoaming to existing IdP and roaming federation service
Adding OpenRoaming to existing IdP and roaming federation service
 
OpenRoaming -- Wi-Fi Roaming for All
OpenRoaming -- Wi-Fi Roaming for AllOpenRoaming -- Wi-Fi Roaming for All
OpenRoaming -- Wi-Fi Roaming for All
 
Beyond eduroam: Combining eduroam, (5G) SIM authentication and OpenRoaming
Beyond eduroam: Combining eduroam, (5G) SIM authentication and OpenRoamingBeyond eduroam: Combining eduroam, (5G) SIM authentication and OpenRoaming
Beyond eduroam: Combining eduroam, (5G) SIM authentication and OpenRoaming
 
Cooperative labs, testbeds and networks
Cooperative labs, testbeds and networksCooperative labs, testbeds and networks
Cooperative labs, testbeds and networks
 
Privacy and traceability in Wi-Fi networks
Privacy and traceability in Wi-Fi networksPrivacy and traceability in Wi-Fi networks
Privacy and traceability in Wi-Fi networks
 
What is Network Function Virtualisation (NFV)?
What is Network Function Virtualisation (NFV)?What is Network Function Virtualisation (NFV)?
What is Network Function Virtualisation (NFV)?
 
What is Network Function Virtualisation (NFV)?
What is Network Function Virtualisation (NFV)?What is Network Function Virtualisation (NFV)?
What is Network Function Virtualisation (NFV)?
 
Building secure, privacy aware, quality Wi-Fi coverage via cooperation
Building secure, privacy aware, quality Wi-Fi coverage via cooperationBuilding secure, privacy aware, quality Wi-Fi coverage via cooperation
Building secure, privacy aware, quality Wi-Fi coverage via cooperation
 
Connecting the Dots: Integrating RADIUS to Network Measurement and Monitoring
Connecting the Dots: Integrating RADIUS to Network Measurement and MonitoringConnecting the Dots: Integrating RADIUS to Network Measurement and Monitoring
Connecting the Dots: Integrating RADIUS to Network Measurement and Monitoring
 
Building city and nationwide Wi-Fi coverage via cooperation
Building city and nationwide Wi-Fi coverage via cooperationBuilding city and nationwide Wi-Fi coverage via cooperation
Building city and nationwide Wi-Fi coverage via cooperation
 
eduroam diagnostics in NTLR, IdPs and SPs
eduroam diagnostics in NTLR, IdPs and SPseduroam diagnostics in NTLR, IdPs and SPs
eduroam diagnostics in NTLR, IdPs and SPs
 
Using NoSQL databases to store RADIUS and Syslog data
Using NoSQL databases to store RADIUS and Syslog dataUsing NoSQL databases to store RADIUS and Syslog data
Using NoSQL databases to store RADIUS and Syslog data
 
Open WiFi or Broken WiFi?
Open WiFi or Broken WiFi?Open WiFi or Broken WiFi?
Open WiFi or Broken WiFi?
 
Cloud Based Identity Management
Cloud Based Identity ManagementCloud Based Identity Management
Cloud Based Identity Management
 
eduroam ennen, nyt ja tulevaisuudessa
eduroam ennen, nyt ja tulevaisuudessaeduroam ennen, nyt ja tulevaisuudessa
eduroam ennen, nyt ja tulevaisuudessa
 
Joukkoliikennedatan ongelmat ja ratkaisuja
Joukkoliikennedatan ongelmat ja ratkaisujaJoukkoliikennedatan ongelmat ja ratkaisuja
Joukkoliikennedatan ongelmat ja ratkaisuja
 

Último

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Último (20)

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

EAP-TLS

  • 2. EAP-TLS is easy … … for RADIUS server. At the minimum one needs only to configure RADIUS server certificate and the CA certificate for client certificate verification. … to configure improperly. Understanding how certificates, certificate revocation, root and intermediate CAs, PKI etc works requires significant effort. Designing and deploying working model requires even more. … only when one does not need to care about the client certificates, their configuration, provisioning and management.
  • 3. Deploying EAP-TLS never start or settle requirements because of a product, solution or technology start with defining and designing policies (validity, expiry times, authorisation, usage …) PKI (hierarchy: CAs, intermediate CAs, certificate usage …) configuration management certificate provisioning certificate requirements (roaming, use, technology …) … but do pilot /trials simultaneously to learn and to see how things do (or do not) work or scale with real users and infrastructure
  • 4. Start with simple trial … Try self-signed CA, manually created client certificates first (or Radiator’s certificates directory) eduroam managed IdP as a service for roaming EAP-TLS tests Verify first that your underlying network and especially firewalls and their rules work when using EAP-TLS Firewalls filtering UDP fragments and especially *BSD firewalls (scrub setting) can cause problems. Federation Level RADIUS IdP/SP RADIUS Wi-Fi network (controller) Client devices
  • 5. Add basic automatic certificate validation… a separate Certificate Authority (CA) capable of providing certificate revocation lists (CRLs) or function as a Online Certificate Status Protocol (OCSP) server is needed several open source CAs/PKIs available: easypki, dogtag, ejbca … with this setup one can ensure that when certificates expire, they do not work for authentication anymore automating the certificate validity check is essential for using certificate authentication Federation Level RADIUS IdP/SP RADIUS Wi-Fi network (controller) Certificate Authority (CA) OCSP reqs. CRLs, delta- CRLs Certificates
  • 6. Add connection to authorisation database… Authorisation database can be Active Directory, LDAP, SQL with additional information about the client certificate. CA, CRLs and OCSP can be sometimes replaced by client certificate check against the authorisation database. Authorisation database can contain additional information such as VLAN assignments, account active/locked etc. How flexible/complex/simple the authorisation checks can be depends on the IdP RADIUS product. Federation Level RADIUS IdP RADIUS Wi-Fi network (controller) Certificate Authority (CA) OCSP reqs. CRLs, delta- CRLs Certificates LDAP, SQL, etc. IdP Authorisation Database (AD, LDAP, SQL)
  • 7. Deploy certificate management service… Properly distributing and configuring certificates in the end user devices is difficult. For managed devices (Windows domain/ Intune) or for Apple devices it is easier, but Android/Linux devices are hard. Currently there seems to be no better approach than to have an app in the device talking to a service. One commercial option is SecureW2. Certificate signing requests created in the actual device are even harder. IdP RADIUS Wi-Fi network (controller) Certificate Management Service OCSP reqs. CRLs, delta- CRLs Certificates LDAP, SQL, etc. IdP Authorisation Database (AD, LDAP, SQL) Certificate (signing) requests Certificate request authorisation requests
  • 8. … and you are done… sort of … maybe … If everything presented before works for you, it’s brilliant … and you are brilliant. Unfortunately any organisation who does not have the first step right will break your organisation’s users’ roaming. Sometimes even the packet filters / firewalls in front of federation level RADIUS servers need configuration adjustments. Deploying certificate based authentication requires design, competence and support from infrastructure and service vendors — choose wisely, select vendors and solutions, for which you can get support for design, deployment and production.
  • 9. Questions? Find this presentation and more from: https://blog.radiatorsoftware.com/ https://slideshare.net/radiatorsoftware/ https://slideshare.net/khuhtanen/ https://twitter.com/OSCRadiator Extended presentation coming to JISC govroam stakeholders’ meeting (15th of October 2019 in Manchester, United Kingdom) and to the Internet locations above.