Enhancing Eduroam Security with New Standards and Practices


Explore the foundations of eduroam and the challenges with RADIUS, along with recommendations for improving security. Learn why moving away from RADIUS/UDP and adopting shared secrets of 16 characters is essential. Discover the issues with transitioning from UDP to RADIUS/TLS, and the new standards introduced to enhance security and compatibility. Stay informed about TLS, DTLS, and RADIUS 1.1 updates for a secure network environment.


Uploaded on Jul 20, 2024



Presentation Transcript


  1. Making eduroam safer: New standards and practices
     Alan DeKok, FreeRADIUS
     Underground B, Thursday June 6, 2023

  2. What are the foundations of eduroam?
     - eduroam is built on RADIUS
     - RADIUS is just about the worst thing ever invented
     - The big questions are:
       - What is wrong with RADIUS?
       - How can we make it better?
       - How will it help you, the administrators of eduroam?

  3. What is wrong with RADIUS
     - RADIUS is a dumpster fire of bad implementations and terrible security
     - MD5 has been broken for a decade
       https://datatracker.ietf.org/doc/draft-dekok-radext-deprecating-radius/
     - A hobbyist attacker can crack all possible RADIUS shared secrets of eight characters in about a day
     - Users' location can be tracked to within 15 m or less
     - GDPR issues are large.

  4. What you can do
     - Use shared secrets of 16 characters, derived from a cryptographic source
     - Do not use RADIUS/UDP or RADIUS/TCP
     - Do not use RADIUS/UDP or RADIUS/TCP
     - Do not use RADIUS/UDP or RADIUS/TCP
     - Do not use RADIUS/UDP or RADIUS/TCP [1]

     Generating such a secret:

         #!/usr/bin/env perl
         use MIME::Base32;        # exports encode_base32
         use Crypt::URandom();    # OS CSPRNG, called fully qualified below

         # 12 random bytes = 96 bits of entropy; base32, lower case,
         # split into 4-character groups joined with '-'
         print join('-', unpack("(A4)*", lc encode_base32(Crypt::URandom::urandom(12)))), "\n";

     Example output: 2nw2-4cfi-nicw-3g2i-5vxq

     [1] Only use it in a secure network. Never over the Internet.
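To make the last two slides concrete, here is an added Python example (not the presenter's or FreeRADIUS's code): it generates a secret the way the perl one-liner does, computes the RFC 2865 Response Authenticator to show that a single unsalted MD5 over the packet and the shared secret is all that protects a RADIUS/UDP reply, and works out how long exhausting an 8-character versus a 16-character secret takes. The MD5 rate used in brute_force_days is an assumed placeholder, not a figure from the slides.

```python
import base64
import hashlib
import secrets
import struct


def make_shared_secret(nbytes=12):
    """Same recipe as the slide's perl one-liner: bytes from the OS CSPRNG,
    base32 encoded, lower-cased, in dash-separated groups of four.
    12 bytes gives 96 bits of entropy, far beyond the 16-character minimum."""
    raw = base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=").lower()
    return "-".join(raw[i:i + 4] for i in range(0, len(raw), 4))


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 Response Authenticator for a RADIUS/UDP reply:
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret).
    This single unsalted MD5 is all that ties the reply to the shared secret,
    so a captured request/reply pair can be checked against guesses offline
    at raw MD5 speed; in classic RADIUS the only defence is secret entropy."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def reply_is_authentic(code, ident, request_auth, attrs, resp_auth, secret):
    """What a NAS does with an incoming reply: recompute and compare."""
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return secrets.compare_digest(expected, resp_auth)


def brute_force_days(secret_len, charset=95, md5_per_sec=1e11):
    """Days to try every secret of secret_len printable-ASCII characters.
    The MD5 rate is an assumed placeholder, not a figure from the slides."""
    return charset ** secret_len / md5_per_sec / 86400.0


if __name__ == "__main__":
    # Constructed sample packet fields: an Access-Accept (code 2), no attributes.
    req_auth = secrets.token_bytes(16)
    secret = make_shared_secret().encode()
    resp_auth = response_authenticator(2, 7, req_auth, b"", secret)
    print("generated secret:", secret.decode())
    print("reply verifies with right secret:",
          reply_is_authentic(2, 7, req_auth, b"", resp_auth, secret))
    print("reply verifies with wrong secret:",
          reply_is_authentic(2, 7, req_auth, b"", resp_auth, b"wrong"))
    print("days to exhaust 8-char secrets: %.2f" % brute_force_days(8))
    print("days to exhaust 16-char secrets: %.3g" % brute_force_days(16))
```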

  5. Issues with moving away from UDP
     - We can all use just RADIUS/TLS, or IPSec, right?
     - But IPSec is harder than TLS
     - FreeRADIUS has had a long-standing issue with TLS and does not implement RADIUS/DTLS
     - Microsoft NPS does not implement RADIUS/TLS
     - Radsecproxy does not run on Windows

  6. New standards
     - Moving RADIUS/TLS and RADIUS/DTLS to standards track
     - FIPS compatible RADIUS: RADIUS 1.1 (how to keep your security people happy!)
     - CoA even when using NAT
     - TLS-PSK
     - Multi-hop ping / traceroute packet (get information about proxies!)

  7. TLS, DTLS, and RADIUS 1.1
     - Not much more to be said about TLS and DTLS updates.
     - RADIUS 1.1 is 100% compatible with existing RADIUS/TLS
     - No more MD5, can be used in a FIPS environment
     - Essentially nothing else changes. It's just RADIUS with a small splash of paint on it. It's not a new protocol.
     - Proxies should probably upgrade to RADIUS 1.1 as quickly as possible

  8. CoA / Disconnect with NAT
     - Less relevant for eduroam, but could potentially help with security
     - The idea is to leverage RADIUS/TLS connections:
       - Client connects to server, sends Access-Request
       - Server re-uses that TLS connection to send CoA-Request to client!
     - How would this be used in eduroam?

  9. Certificate management
     - Certificates are hard. Why?
     - CAs are managed by the CAB Forum. B is for Browser, i.e. web server certs are used for EAP, RADIUS/TLS, etc.
     - Generally using a private CA is preferable to using a public (web) CA
       - EAP: users already know about you, and need to be configured anyway
       - RADIUS/TLS: only trusted administrators can connect
     - Certificate renewal is an ongoing process which never stops!

  10. RADIUS traceroute
     - Still in development, but widespread agreement that it is useful
     - Where are the packets going? What happens when they get there?
       radius traceroute @unitir.edu.al
     - Tracks packets hop by hop through multiple layers of proxies
     - Returns information about each proxy it passes through:
       - Who runs the proxy
       - Transport protocols used
       - Connection status
     - Lets you see where authentications are failing, but not always why

  11. The future
     - New standards should make it easier to manage and debug eduroam networks.
     - The RADIUS traceroute alone should be a significant improvement

  12. Thank you. Any questions?
      aland@freeradius.org
