NetAuth/FWNA WG BoF
Fall 2005 Internet2 Member Meeting
September 20, 2005
Philadelphia, PA

*Attendees*
Christopher Misra, U. Mass (co-chair)
Kevin Miller, Duke U. (co-chair)
Erik Gauthier, Boston U.
Kevin Amorin, Harvard U.
Chris Myers, GrangeNet
Jessica Bibbee, Internet2 (scribe)

*Discussion*
{Chris Misra} and {Kevin Miller} detailed the latest efforts within the SALSA-NetAuth and SALSA-NetAuth – FWNA working groups. Of particular interest are the upcoming documents and applications regarding automated network policy enforcement in the NetAuth space, as well as the ‘visiting scholar’ scenario with regards to roaming.

Several items of documentation have come from the NetAuth working group, including strategies, architecture, and components.

One of the issues facing the wireless world today is that while most campuses are setting up local NetAuth, it is unclear how this can be done in a way that allows integration, such as with a federation. What are the conditions surrounding a person as they pass into a federated environment?

{Kevin Miller} explained how the FWNA WG is working to outline documents regarding the ongoing experiment; the goals of this experimental work can be found at <http://fwna.oit.duke.edu:2500>. These documents aim to draw on the experience of Eduroam’s work in Europe and Australia, applying similar goals in the US. {Kevin} encouraged input from interested participants regarding a requirement for 802.1x. How should the experiment be managed in terms of designating multiple SSIDs, needing a RADIUS fabric, using multiple RADIUS servers, etc.? How do people want to be authenticated?

Attendees mentioned they were already working on wireless roaming: Merit runs a centralized RADIUS server that is currently working with a couple of universities, and the University of Maryland – Baltimore is working with the city to run wireless for 14-15 colleges. {Chris Myers} spoke of shopping centers in Australia that are looking to set up an SSID so students will have a place to do homework, etc.; the main challenge has been gaining access to wireless that already exists. Multiple commercial roamers present solid use cases for the experiment.

{Chris Myers} suggested that key components or goals will include productive connectivity – no down time, no waiting periods for temporary accounts, high security, secure access for guests, reduced help-desk costs, etc. These are all dependent on how the access is set up. Security and scalability are handled differently by web redirect, VPN, and future deployments such as 802.11x.

The use of Shibboleth as an AuthZ experiment was discussed, but there are challenges in making connections using Shibboleth. If there were a shift to Shibboleth, everyone would have to move to Shibboleth. The Group expressed interest in eventually looking towards EAP and Kerberos for AuthN.

{Erik Gauthier} presented work from the NetAuth groups, including a taxonomy document. He outlined the policy determination process as one moves across network states, i.e. from one level to another. <http://security.internet2.edu/netauth/docs/draft-internet2-salsa-netauth-architecture-03.pdf>.

{Kevin Amorin} presented components such as Policy Enforcement Point routers, Policy Decision Point, Access Requestor, Administrative Domain, Data Repository, etc. {Kevin} explained how enforcement of these stages works: the identity is passed, a decision is made as to integrity, and then policy is enforced. Another point is how the Network Detection Point fits into this schema. <http://security.internet2.edu/netauth/docs/netauth_components_draft1.pdf>.

Additional presentations of ongoing NetAuth and FWNA work presented at the FMM will be available at <http://events.internet2.edu/2005/fall-mm/sessionDetails.cfm?session=2377&event=239>.

Further discussion of these issues will take place on the {SALSA-NetAuth} and {SALSA-FWNA} mailing lists; subscription information can be found at <http://security.internet2.edu/netauth/> and <http://security.internet2.edu/fwna/>. The next SALSA-NetAuth conference call will be held on Thursday, September 29 at 11am ET. The next SALSA-NetAuth - FWNA conference call will be held on Thursday, October 6 at 11am ET.