Showing posts with label eduroam. Show all posts
Showing posts with label eduroam. Show all posts

Tuesday, December 1, 2015

verkkovieras.fi -- making enterprise Wi-Fi authentication easy

verkkovieras.fi for simple and secure federated Wi-Fi authentication

security by David Bleasdale

Verkkovieras is a Finnish word, which means network guest. Verkkovieras.fi is our cloud authentication service for organisation’s employee and guest network access control. The service also supports authentication roaming federations such as eduroam and roam.fi making the service an easy way to deploy and serve federated network access for employees, guests and partners.

We know that maintaining user databases and RADIUS servers for employee and guest access can be difficult, especially when there’s additional complexity such as federated roaming. With verkkovieras.fi we focused in building a service, which is easy to deploy and easy to use. We thought, designed, thought some more and improved our design to be as clean and clear as possible.

Easily deployed in any Wi-Fi network

To deploy verkkovieras.fi authenticaton service you only need RADIUS capable authenticated devices such as for example almost all Wi-Fi controllers and access points. The authenticating device, usually the Wi-Fi controller, needs to be able to communicate with our cloud based servers in Internet and that’s it -- only our server details and Wi-Fi networks need to be configured in the controller.

User account registration as easy as email

verkkovieras.fi registration screen in Finnish

Employees manage their user accounts themselves by requesting them from WWW page and after simple email-www page confirmation they activate their email address based user account. Account’s username is their email address and password is randomly generated string. We wanted to make sure that the network password is secure and on the other hand create a separate user account for network access. This was to keep more important or sensitive passwords such as Active Directory or other service passwords separate and safe. This way the employee cannot undermine the security by changing password to less secure or more sensitive one.

Federated roaming with a flick of a switch



Roaming federations and federated user access is even simpler, just select which federations and to activate or deactivate it. Your employees or visiting roaming guests are then able to roam free within federations and networks with same profiles they use for network access in your home network.

Easy guest user access or traditional vouchers -- you choose

Howard Lake: Sainsburys Active Kids vouchers

For guest user access there are two options, a simple time-limited guest user account for automated access and possibility to create and print more traditional time-limited guest user accounts before hand. Automated access means that the user account can be integrated for example with WWW page based authentication to provide guest short Internet access with just a click of a button on the authentication page. The traditional guest user accounts can be used like vouchers, the username and password must be entered on the authentication page or system dialog to get the access to network.

All this as a cloud service, ready to be deployed today

verkkovieras.fi architecture

We packaged all this in a redundant Amazon cloud based service distributed across two geographical regions, where we handle the difficult details such as scaling, server certificates, EAP methods (EAP-PEAP, EAP-TTLS, EAP-PWD) leaving you as a customer time to focus to your business and core functions.

If you are interested, contact Arch Red sales ( sales <at> archred.com ) for more details.



Tuesday, July 8, 2014

There is no Free Wi-Fi, but there can be Sustainable Wi-Fi

Free Wi-Fi Zone


Today Engadget reported that Free WiFi provider admits to making up 90 percent of its revenues. The company, Gowex, runs networks in 85 cities around the world (according to company WWW pages) offices in Madrid, Paris, London, Buenos Aires and Shanghai. The company claimed that it had developed a sustainable business model for free Wi-Fi based on the idea that company makes its revenues from partnerships with local governments, carriers with Wi-Fi offloading and from premium fees (i.e. selling premium user accounts).

Some may view this as a proof that Gowex's business idea and model did not work, but I would not claim that without looking into if they managed to get any revenues at all. Running company badly and falsifying revenues and accounting are very different things from the actual business idea and model not working.  I actually think that those ideas from where Gowex planned to get revenues are valid ones and they seem to have made real roaming deals with roaming brokers such as iPass, Boingo etc. These revenues could then be used to subsidise the service costs of running WiFi networks or related services, but naturally the company should get more revenues from the service it provides than the costs of producing it. And that is actually why I do not believe Free Wi-Fi exists.

Forex Money for Exchange in Currency Bank


The Free Wi-Fi is an illusion for consumers. Somebody always ends up with the bill. It may be the company, organisation or city providing or buying the Free Wi-Fi service out of hospitability. It may be an airport or a shopping mall deploying or buying a service for tracking customer movements or web surfing, but like many other free Internet services, Free Wi-Fi is not really free. You as a consumer may think that with Free Wi-Fi that you are still customer, but the reality is that the one providing and paying for Free Wi-Fi service, needs to get enough benefits and/or revenue from providing the free service to you and their benefit maybe the data about you.

Where Gowex was on a right is that providing Wi-Fi for free needs to be sustainable. The Wi-Fi network service needs to provide so much benefits for the one paying for it, that the payer is willing to cover the costs of running, maintaining and developing the network. Too often in many hospitability guest networks (hotel/conference Wi-Fi, company guest Wi-Fi) the deployed network may serve its users when it was first deployed, but the development of it (Internet bandwidth capacity, better radios) is neglected until enough users are complaining about it. In city-wide Wi-Fi networks similar kind of problems occur, when city-wide Wi-Fi is setup with development project money from government or EU without any plan how to cover the costs after the development project has ended.

Sustainable Wi-Fi networks should be planned so that they can be maintained and even developed with the revenues coming from organisations and companies benefitting from the network service, or from something measurable the network provides. There even exists a successful example of this kind of sustainable global Wi-Fi network concept -- eduroam (*).



In eduroam, universities, research institutions, government organisations and even cities have seen the benefits of joining their existing Wi-Fi networks via federated RADIUS authentication and providing this way a free Wi-Fi around the world for researchers, teachers and students. Every organisation deploys, maintains and develops their own network service with their own funding and shares it with the other eduroam organisations. There is no single vendor, service provider or organisation controlling anything. Instead, every vendor, service provider or organisation which is ready to fulfil the open requirements and standard interfaces is welcome to join or provide equipment or services to other eduroam organisations. There are not a lot of revenues or profits moved around, just normal network and authentication business for companies, but the benefits are clear for participants to justify the costs of basically running the Wi-Fi networks, which they are going to do anyway.

eduroam is real, sustainable Wi-Fi and I am hoping that we (Arch Red and Open System Consultants) may help in bringing its benefits also to wider audience in a very near future. eduroam itself still limits its use to universities and research organisations and networks and cannot unfortunately yet be used as a common global concept to provide sustainable Wi-Fi for all.



* eduroam is a registered trademark of TERENA. Arch Red and Open System Consultants are independent of TERENA".

Tuesday, June 1, 2010

Debugging eduroam at TNC2010

Yesterday Matti was having trouble with Helsinki University user accounts and the eduroam network here at TNC2010. Together with few eduroam guys (Stefan Winter and Miroslav Milinovic) and Heikki Vatiainen from our company we tried to find out why the authentication process did not seem to go through. What made it harder was that for example Radiator does not log enough information about failing authentication process unless it clearly ends in success or failure. Increasing log level to debug levels of course helps and we were able to see that the Helsinki University RADIUS server did send response messages to authentication requests even if the process did not go through.

Other servers in Finland worked fine (I have been able to use eduroam the whole time with my TUT accounts) and only difference we first found was that Helsinki University certificate was bigger than the ones in some of the working organisations. This lead us to suspect RADIUS message fragmentation problems somewhere in between European Top Level RADIUS and Matti's device. We then remembered the one Radiator configuration directive, which we found was missing from Helsinki University RADIUS server configuration.

Adding EAPTLS_MaxFragmentSize 1024 solved this problem so if you are having similar problems with eduroam and your home organisation is running Radiator RADIUS, we suggest checking at least this setting found in Radiator manual:

EAPTLS_MaxFragmentSize

For TLS based EAP types such as TLS, TTLS and PEAP, this optional parameter specifies the maximum size in octets permitted for each TLS message fragment. Defaults to 2048, but many EAP clients, routers and wireless Access Points have limitations that require EAPTLS_MaxFragmentSize to be set as low as 1000 or less. Setting this number too small can result in excessive RADIUS request round trips during EAP TLS authentication, slowing down the authentication process. Setting this number too large can result in failure to complete TLS authentication for some types of clients and devices.

Monday, May 31, 2010

Blogging at Terena Networking Conference 2010

You know that you have done too much Web 2.0 when people invite you to blog about events. This year I am once again participating in Terena Networking Conference and the conference organiser asked if I would interested to blog about the event. Since I am already hanging around here (currently in Juniper's meeting) and taking photos I accepted and here we are, part of Terena Networking Conference 2010 coverage.

To make sure that my time was efficiently used, instead of just watching presentations, blogging and drinking beer :) I am also both invited speaker, paper and poster presenter here, which should keep me busy doing those slides and later by presenting them.
My first presentation is about RadSec/RADIUS based roaming paper and the second invited one is about the Internet bus from Tampere, Netti-Nysse. The poster is about ICT SHOK Future Internet Testbed and I just managed to bring it to conference lobby before coming to this Juniper presentation.

And speaking of presentations, I really have to now upload some placeholders for compatibility testing purposes to the presentation system, so more coverage and even some nice photos about Vilnius will have to wait to the next post. Luckily they have a nice working eduroam Wi-Fi network here complete with both public IPv4 and IPv6 addresses.

Sunday, April 11, 2010

What is eduroam and roaming?

A promotional eduroam video produced by Australia's research and education network (AARnet) explains the concept of eduroam and the benefits of federated roaming:



For you, it is possible to get this technology to your home organisation or even a company by utilising Arch Red products and services to bring your network and users as a part of eduroam or other community networks such as Wireless Tampere (Langaton Tampere).

Saturday, April 3, 2010

Building a mobile eduroam access point with RadSec and OpenWRT

A mobile Wi-Fi access point is a very useful way to both demonstrate and extend existing community network coverage over any third-party broadband connections. The problem usually is how the authentication traffic can be transferred over Internet jungle and secured from eavesdropping and man-in-the-middle attacks. Often this is done by deploying VPN solutions such as OpenVPN, but a new IETF draft, RadSec, makes it possible to achieve same security and functionality without having to rely on the use of VPNs.

Figure 1: the mobile eduroam access point network architecture

It has been in my plans to write this article for a while now, but now finally Easter holidays gave the opportunity to finalise the configuration and some free time to write these configuration instructions. This blog post describes how you can build a mobile eduroam access point by utilising RadSec and a popular open source access point firmware called OpenWRT. The network architecture is presented in the Figure 1 above and the rest of the instructions follow below.

The first thing to do is of course install OpenWRT on your access point. There are several different OpenWRT supported access point models and the installation instruction vary between models and manufacturers. In this case I assume that you have alredy OpenWRT based access point installed and continue from the actual eduroam and RadSec configuration.

The base OpenWRT distribution does not come with all the software we will require so we need a working Internet connection to install some additional packages. The most important of these are the tools for time synchronisation (for certificate validity verification) and radsecproxy for RadSec functionality.

From the OpenWRT command line you can install the needed packages by giving the following commands:

# opkg update
# opkg upgrade
# opkg install radsecproxy
# opkg install ntpclient

I recommend rebooting the access point and verifying the correct time with date command. The default OpenWRT timezone is UTC so the time is likely to be hours off from your local time. You can change the timezone, hostname and remote logging address from /etc/config/system displayed below:

config system
        option hostname mobile-ap
        option timezone UTC
        # remote syslog server, we used the syslog configured to radsec server
        option log_ip 10.10.10.10

The wireless settings for eduroam are configured in /etc/config/wireless. The important thing to notice is that the RADIUS server (radsecproxy) will be run on the OpenWRT access point.

config wifi-device  wl0
        option type     broadcom
        option channel  5 
        option country  FI
        # REMOVE THIS LINE TO ENABLE WIFI:
        # option disabled 1

config wifi-iface
        option device           wl0
        option network          lan
        option mode             ap
        # in case you are already running eduroam in your organisation you might
        # want to consider different ssid to prevent causing denial of service for
        # your users
        option ssid             eduroam

        option encryption       mixed-wpa
        # as we use radsecproxy on localhost for converting RADIUS to RADSEC
        # the RADIUS server is the radsexproxy on localhost
        option server           127.0.0.1
        option port             1812
        option key              RadiusSecretHere
        option nasid            nas.id.here
        option wpa_group_key    600
        option ieee80211d       1

Radsecproxy is an open source implementation of the RadSec protocol. The RadSec protocol is essentially TLS-secured RADIUS over TCP making it more reliable and more secure for setting up connections over unreliable or unsecure networks (such as most Internet connections).

There are however few pre-requirements for configuring RadSec and eduroam:

  • Home organisation must be part of the national eduroam federation and international confederation to have an access to eduroam infrastructure
  • a RadSec capable server (either radsecproxy (also on server side) or commercial RadSec capable server such as Radiator)
  • existing Certificate Authority (CA) for signing certificates for RadSec server and clients

In our company we already had Radiator RADIUS server and own CA configured so making certificates and server configuration was not very difficult. The client side (OpenWRT) configuration was done in the /etc/radsecproxy.conf file.:

listenUDP               127.0.0.1:1812
ListenAccountingUDP     127.0.0.1:1813

# Optional log level. 3 is default, 1 is less, 4 is more
LogLevel                3
#Optional LogDestinatinon, else stderr used for logging
# Logging to file
#LogDestination         file:///tmp/rp.log
# Or logging with Syslog. LOG_DAEMON used if facility not specified
# The supported facilities are LOG_DAEMON, LOG_MAIL, LOG_USER and
# LOG_LOCAL0, ..., LOG_LOCAL7

# Syslog is nice as you can direct it to external host via OpenWRT's
# system configuration
LogDestination          x-syslog:///log_daemon

tls mobile-ap-to-radsec-server {
    # In Arch Red we have multiple levels of CA servers with root CA and server CA
    # so the CACertificateFile is a bundle of root CA and server CA. The server CA
    # is the actual CA certifying both the server and mobile-ap certificates.
    CACertificateFile    /etc/certs/ca-servers-bundle-cert.pem
    CertificateFile     /etc/certs/mobile-ap-cert.pem
    CertificateKeyFile  /etc/certs/mobile-ap-key.pem
    # Optionally enable CRL checking
    # CRLCheck on
    # Optionally specify how long CAs and CRLs are cached, default forever
    # CacheExpiry 3600
}

# configuration for OpenWRT's local RADIUS
client 127.0.0.1 {
        type    udp
        # the secret between OpenWRT nas/hostapd and radsecproxy
        secret  RadiusSecretHere
}

# in the real configuration the IP address of the RadSec server
server 10.10.10.10 {
        type    TLS
        # the RADIUS shared secret between mobile-ap and RadSec server
        secret  SecretBetweenMobileAPandRadServer
        port    2083
        tls     mobile-ap-to-radsec-server
        certificateNameCheck off
        matchCertificateAttribute CN:/^radsecserver\.hostname\.here$/
        retryCount      3
        retryInterval   5
}

# The realm below is equivalent to /.*
realm * {
        # the IP addresses of the RadSec server
        server 10.10.10.10 
        accountingServer 10.10.10.10
}

I copied the necessary (CA and client) certificates manually to a directory /etc/certs I had created on the wireless access point file system. A larger deployment of RadSec access points would of course require either a scalable way to deploy and install client certificates or utilising only one client certificate for all mobile access points. Solving this issue can however be a topic for paper or some future blog post, when actual need arises. I did not yet configure the certificate revokation list (CRL) retrieval, but it is in my plans to document also this aspect.

Right, so now we have the actual configuration pretty much set up and we can start testing. Before running radsecproxy as a service I did a prelimanry testing by running it on OpenWRT console with the following command:

# radsecproxy -c /etc/radsecproxy.conf -d 3 -f

I was now able to check if the radsecproxy was able to connect to the home organisation RADIUS server and thus verify the radsecproxy configuration. After this was verified I enabled the radsecproxy permanently with the following command:

# /etc/init.d/radsecproxy enable

Then I rebooted the access point and verified once again that time was correct, radsecproxy was running as a daemon and wireless settings were correct before proceeding to eduroam authentication tests using my own TUT user account.

Like you have probably guessed, the testing was successful and I was able to now have my own mobile eduroam access point to be deployed wherever I may roam. :) Of the difficulties I ran into while doing this, I think the most difficult was once again setupping and configuring the X.509 certificates properly. The radsecproxy default was to check if the certificate CN contained the IP address mentioned in the server block and I had to check from the documentation how this check could be replaced with hostname check without having to use DNS hostname in the configuration block. The result is documented above there in the radsecproxy configuration.

RadSec as a technology felt very solid and functional for connecting devices and services to eduroam and the radsecproxy open source implementation was so well implemented and documented that I think it could be used as an official open source implementation to join to the eduroam federation with RadSec and this way as a roaming proxy replacing for example FreeRADIUS. Even the current radsecproxy implementation has better functionality set (for example dead realm marking) for eduroam proxy usage than the current FreeRADIUS has.

<commercial>Or then again, you can get a Radiator RADIUS+RADSEC server from us, Open System Consultants or some other reseller.</commercial>

Thursday, March 11, 2010

eduroam(tm) expands in Japan

RADIUS based authentication roaming federation eduroam(tm) expands in Japan according to Terena's translated news item. The expansion is done in cooperation between the Japanese National Institute of Informatics (NII) and Livedoor, a Japanese provider of commercial WLAN services.

These kind of cooperation announcements give additional validation to Arch Red's vision on utilising eduroam(tm) tried technology to increase community network coverage through roaming instead of building overlapping Wi-Fi networks or trying to form only one dominating one.

Wednesday, May 21, 2008

A Community Networks and Wireless Tampere presentation at TERENA Networking Conference 2008

Terena 2008 Networking Conference in 7B - Who is there? - eduroam session. The session is streamed to the network at 17:00-18:30 Finnish time (UTC+3) and can be watched in real time here. The topic of my presentation is: Utilising eduroam in building wireless community networks. The presentation will be archived and will be available also later in case you absolutely do not want to miss it. :)

Thursday, April 10, 2008

Arch Red and Cisco power the NORDUnet2008 WLAN network

Arch Red and Cisco Finland joined forces with CSC to provide an eduroam(tm) compatible WLAN guest network for NORDUnet2008 conference 7th -- 11th of April 2008 in Dipoli, Espoo, Finland. The network was designed by Arch Red and build with Cisco 4400 WLAN controller and 12 AP1130AG access points. This gave the conference participants a choice of WPA/WPA2-authenticated eduroam(tm) network as well as completely open WLAN for unsecured, easy guest access. In cooperation with CSC the WLAN network in conference also supported state-of-art network technologies like IPv6 and multicast with enough bandwidth in radio and fixed network for all conference participants and also for streaming services. Arch Red also provided the RADIUS connectivity to eduroam(tm) WLAN roaming community for secured international WiFi roaming access.

By utilising Arch Red expertise and Cisco hardware, creating and deploying this kind of conference network was efficient and a quick way to provide reliable 2.4Ghz and 4GHz WiFi wireless access for all conference participants quickly.