- Number of slides: 15
RadSec and DAMe
University of Stuttgart / University of Murcia
Vienna, 18.02.2010, Sascha Neinert
RadSec and DAMe: Overview
- DAMe Project
- RadSec and DAMe: Dynamic Server Discovery
- DAMe Testbed
- Next Steps
RadSec and DAMe: Project
- DAMe stands for: Deploying Authorization Mechanisms for Federated Services in the eduroam Architecture
- Subproject of GÉANT2
- Partners: DFN, RedIRIS, University of Murcia, University of Stuttgart
- Goals:
  - Adding attribute-based authorization to eduroam
  - Unified Single Sign-On, using the eduToken in SAML format
RadSec and DAMe: Attribute-based Authorization in eduroam
(diagram slide)

RadSec and DAMe: Unified Single Sign-On
(diagram slide)
RadSec and DAMe-2: Project
- Additional goals:
  - Support for Level of Assurance (LoA):
    - Including the LoA in the eduToken, in the AuthnContext
    - Protocol extended for re-authentication with a higher LoA
  - Integration of RadSec:
    - Adding RadSec proxy servers in front of both the remote (SP) and the home (IdP) institution
    - eduToken transport over RadSec
  - Inclusion of attribute conversion in DAMe
RadSec and DAMe: Dynamic Server Discovery
- RadSec: RADIUS over TCP and TLS
  - Implementations: radsecproxy and Radiator
- eduroam with RadSec:
  1. Mutual authentication with valid server certificates from a trusted CA (eduGAIN CA / SCA, others)
  2. A subjectAltName (URI) specifying the role of a server, e.g. urn:geant:eduroam:component:sp:ABC may act as a RadSec client, urn:geant:eduroam:component:idp:XYZ may act as a server. The role limits which side of the TLS connection a certificate holder may take; a valid federation certificate alone does not.
- RadSec enables dynamic server discovery:
  1. Lookup for a RadSec server serving a specific home domain
  2. Mutual authentication using server certificates
  3. TLS connection is established
RadSec and DAMe: Dynamic Server Discovery
- Dynamic discovery can be done...
  - Using DNS
    - radsecproxy can query for _radsec._tcp.
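The three discovery steps from the previous slide, modelled offline as an added example. This is my illustration, not code from the DAMe project or from radsecproxy. It assumes the DNS name is an SRV record in the RFC 2782 sense (priority, weight, port, target), that the peer certificate's subjectAltName URIs are available as strings, and that the label after the role (ABC, XYZ on the slide) is opaque; the SRV answer, the certificates and the issuer names are constructed sample data.

```python
"""Added example (not DAMe or radsecproxy code): RadSec dynamic discovery.
  1. look up _radsec._tcp.<home domain> (SRV, RFC 2782) for the realm,
  2. check the peer certificate: trusted issuer plus an eduroam component
     URN in subjectAltName whose role permits the side it is taking,
  3. connect to the first server that passes.
Assumption: DNS answers and certificates are in-memory samples."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


@dataclass(frozen=True)
class PeerCert:
    issuer: str          # issuer name as it would appear in the chain
    san_uris: tuple      # subjectAltName URI entries


URN_PREFIX = "urn:geant:eduroam:component:"
# Side of the RadSec TLS connection each role may take (from the slide):
# an SP may act as RadSec client, an IdP may act as RadSec server.
ROLE_SIDES = {"sp": {"client"}, "idp": {"server"}}
TRUSTED_ISSUERS = {"eduGAIN SCA", "eduGAIN CA"}   # constructed labels

# Constructed SRV answer; a real proxy would query DNS here.
SAMPLE_SRV = {
    "_radsec._tcp.example-home.edu": [
        SrvRecord(10, 50, 2083, "radsec1.example-home.edu."),
        SrvRecord(10, 50, 2083, "radsec2.example-home.edu."),
        SrvRecord(20, 0, 2083, "backup.example-home.edu."),
    ],
}
# Constructed certificates each host would present in the TLS handshake.
SAMPLE_CERTS = {
    # federation-issued, but only an SP role: must not be accepted as server
    "radsec1.example-home.edu": PeerCert("eduGAIN SCA",
                                         (URN_PREFIX + "sp:HOME",)),
    "radsec2.example-home.edu": PeerCert("eduGAIN SCA",
                                         (URN_PREFIX + "idp:HOME",
                                          URN_PREFIX + "sp:HOME")),
    # right role, but not issued by a CA the federation trusts
    "backup.example-home.edu": PeerCert("Untrusted CA",
                                        (URN_PREFIX + "idp:HOME",)),
}


def srv_name(realm):
    """Name queried for a home realm, normalised like a DNS owner name."""
    return "_radsec._tcp." + realm.lower().rstrip(".")


def discover(realm, answers=SAMPLE_SRV, rng=random):
    """Step 1: (host, port) candidates, lowest priority first; within one
    priority a weighted random order, as RFC 2782 prescribes."""
    records = list(answers.get(srv_name(realm), []))
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            threshold = rng.random() * sum(r.weight for r in group)
            chosen, acc = group[-1], 0
            for r in group:
                acc += r.weight
                if threshold < acc:
                    chosen = r
                    break
            ordered.append((chosen.target.rstrip("."), chosen.port))
            group.remove(chosen)
    return ordered


def eduroam_roles(san_uris):
    """Parse subjectAltName URIs into {(role, label)}; other URIs are ignored."""
    roles = set()
    for uri in san_uris:
        if not uri.startswith(URN_PREFIX):
            continue
        role, sep, label = uri[len(URN_PREFIX):].partition(":")
        if sep and label and role in ROLE_SIDES:
            roles.add((role, label))
    return roles


def may_act_as(san_uris, side):
    """side is 'client' (initiator) or 'server' (acceptor) of the connection."""
    return any(side in ROLE_SIDES[role] for role, _ in eduroam_roles(san_uris))


def check_peer(cert, peer_side, trusted=TRUSTED_ISSUERS):
    """Step 2: both checks must pass. Every eduroam participant has a
    federation certificate, so only the URN role limits who may be a server."""
    if cert.issuer not in trusted:
        return False, "untrusted issuer"
    if not may_act_as(cert.san_uris, peer_side):
        return False, "no eduroam URN permitting role " + peer_side
    return True, "ok"


def connect_to_home(realm, certs=SAMPLE_CERTS, answers=SAMPLE_SRV, rng=random):
    """Steps 1-3: first discovered server whose certificate passes, else None."""
    for host, port in discover(realm, answers, rng):
        cert = certs.get(host)
        if cert is not None and check_peer(cert, "server")[0]:
            return host, port
    return None
```

With the sample data, `connect_to_home("example-home.edu")` skips radsec1 (SP role only) and backup (untrusted issuer) and settles on radsec2 whichever order the weighted selection produces; the same check with `peer_side="client"` is what an IdP-side proxy would apply to an incoming SP connection.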
RadSec and DAMe: Dynamic Server Discovery (MDS)
(diagram slide)

RadSec and DAMe: Dynamic Server Discovery (MDS)
Metadata snippet:
RadSec and DAMe Testbed: Overall View
(diagram; components shown: DNS, AP, RADIUS, Shib IdP, RadSec Proxy, DAMe-BE, USTUTT („home“), Client, RADIUS, XACML PDP, eduGAIN MDS, UMU („remote“))
RadSec and DAMe Testbed: UMU
- Client
  - wpa_supplicant
- Network SP
  - FreeRADIUS 1.1.3 with dame-dictionary
  - radsecproxy 1.3.1
  - eduGAIN SCA certificate including an eduroam URN (urn:geant:eduroam:component:...)
RadSec and DAMe Testbed: USTUTT
- Network IdP
  - FreeRADIUS 2.0.2 with dame-enabled PEAP module and dame-dictionary
  - radsecproxy 1.3.1
  - can be discovered by querying DNS for _radsec._tcp.dame.uni-stuttgart.de
  - eduGAIN SCA certificate including an eduroam URN (urn:geant:eduroam:component:...)
- SAML IdP
  - Shibboleth IdP 1.3.2 + DAMe-BE
  - Issuing eduTokens
RadSec and DAMe: Next Steps
- USTUTT: separate network SP and network IdP
- Finish deployment of DAMe including dynamic discovery components
- Publish metadata to mds.edugain.org
- Run federated tests UMU <-> USTUTT
- Optimize the radsec2mds tool
- Measure performance of DNS-based and MDS-based discovery
- Compare both methods
RadSec and DAMe: Any questions or comments?
DAMe website: http://dame.inf.um.es/