project description

Authentis is a GET inter-site authentication project comprising three French national universities: ENST Paris, INT Evry and ENST Bretagne. The project started in 2001 and was successfully completed in late 2002. A publication was presented at the IEEE ASWN'02 workshop in Paris, and a demo for the GET committee was held at the beginning of 2003.

project context and requirements

The main goal of Authentis is to provide a ready-to-use, user-transparent authentication and authorization system for inter-domain user access to local wireless LANs in an academic campus environment. More precisely, the requirements are:

  • Secure access to the visited WLAN
  • Site-local independent user management
  • User-transparent inter-site roaming

These requirements imply the core problem: a participating network has to be able to securely authenticate a potentially unknown user. The requirement for site-local user management effectively prohibits any common user database, i.e. the user data cannot be distributed across the participating networks. On the other hand, user-transparent roaming means that a user has to be able to access each partner site as if it were his home network.

Thus, the only possible solution in that context is network-to-network communication at access-request time. However, such communication is typically routed over the public backbone (e.g. the Internet), which both considerably increases the overall authentication delay and imposes higher security requirements on the network-to-network links (compare Section 5 of RFC2977).

technical concepts

Authentis is based upon IEEE 802.11b WLANs. Secure access is achieved by using IEEE 802.1X port control in conjunction with a site-specific AAA server (RADIUS). The necessary site interconnection is achieved by AAA server interconnection (RADIUS proxying, RFC2865).

[Figure: Authentis: local authentication and inter-site authorization]

Authentis proposes an incremental approach in three steps, beginning with a fast and easy functional setup and then successively increasing security and reducing the authentication delay. The final solution separates authentication from authorization and proposes a scheme featuring:

  • site-local, independent user management (apart from a common user naming scheme, no inter-site agreements are necessary)
  • fully local, secure authentication using EAP-TLS (with no inter-domain messaging)
  • extensible, rapid authorization (an immediate, CA-independent user-validity check that can carry roles, user groups, etc.)
  • only two inter-domain packets in total (which can be sent in parallel with the authentication process)
  • based entirely on mature and stable open-source software (xsupplicant, FreeRADIUS, OpenSSL, MySQL, Apache)

In this project we designed and developed an extension module for the FreeRADIUS server that separates authentication from authorization during proxying. For more information and details, see the publication that appeared at IEEE ASWN'02.
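The split described above, as an added illustrative model of the final scheme (this is example code written for this page, not the project's FreeRADIUS module or its wire format). It assumes an NAI-style "user@realm" naming scheme where the realm names the home site, models the EAP-TLS outcome (chain verified, certificate subject equals the claimed identity) instead of running a real TLS handshake, uses a constructed per-site user table in place of each site's database, and takes an assumed round-trip count for the proxied-EAP comparison:

```python
"""Model of the Authentis split: EAP-TLS authentication stays at the visited
site, authorization is one query/reply with the home site (added example,
not project code; data and message names are constructed)."""
from dataclasses import dataclass, field

# Constructed per-site user tables, keyed by realm. In the real scheme each
# site holds only its own table; the visited site never reads a foreign entry
# directly, it only calls home_site_authorize(), which stands for the remote
# server. Assumed naming scheme: NAI "user@realm" (RFC 2486).
SITES = {
    "enst.fr": {
        "alice": {"valid": True, "roles": ["student"]},
        "bob": {"valid": False, "roles": []},        # account disabled at home
    },
    "int-evry.fr": {
        "carol": {"valid": True, "roles": ["staff", "wlan-admin"]},
    },
}


@dataclass
class Trace:
    """Counts packets that cross the public backbone between two sites."""
    inter_domain_packets: int = 0
    events: list = field(default_factory=list)


def split_nai(identity):
    """Split 'user@realm'; reject anything that is not exactly one '@'."""
    if identity.count("@") != 1 or identity.startswith("@") or identity.endswith("@"):
        raise ValueError("malformed identity: %r" % identity)
    user, realm = identity.split("@")
    return user, realm.lower()


def local_eap_tls_auth(identity, cert_subject, chain_ok, trace):
    """Visited-site EAP-TLS, modelled by its outcome: the client chain verified
    locally and the certificate subject matches the identity claimed in the
    EAP-Response/Identity. No packet leaves the site for either check."""
    ok = chain_ok and cert_subject == identity
    trace.events.append(("local-auth", identity, "ok" if ok else "fail"))
    return ok


def home_site_authorize(realm, user, trace):
    """Home-site side: one query in, one reply out. Only the validity flag and
    the roles are returned; no credential or key material leaves the home site."""
    trace.inter_domain_packets += 1                # authz query (visited -> home)
    rec = SITES[realm].get(user)
    trace.inter_domain_packets += 1                # authz reply (home -> visited)
    if rec is None or not rec["valid"]:
        trace.events.append(("home-authz", user, "reject"))
        return "Access-Reject", []
    trace.events.append(("home-authz", user, "accept"))
    return "Access-Accept", list(rec["roles"])


def authentis_access(local_realm, identity, cert_subject, chain_ok):
    """Visited-site decision for one access request: (decision, roles, trace)."""
    trace = Trace()
    try:
        user, realm = split_nai(identity)
    except ValueError:
        return "Access-Reject", [], trace
    # 1. Authenticate locally first: a failed authentication costs no
    #    inter-domain traffic at all.
    if not local_eap_tls_auth(identity, cert_subject, chain_ok, trace):
        return "Access-Reject", [], trace
    # 2. Authorize: locally for home users, two inter-domain packets otherwise.
    if realm == local_realm:
        rec = SITES[local_realm].get(user)
        if rec is None or not rec["valid"]:
            return "Access-Reject", [], trace
        return "Access-Accept", list(rec["roles"]), trace
    if realm not in SITES:                          # no such partner site
        return "Access-Reject", [], trace
    decision, roles = home_site_authorize(realm, user, trace)
    return decision, roles, trace


def proxied_eap_tls_packets(round_trips=8):
    """For comparison: plain RADIUS proxying forwards every EAP round trip
    (Access-Request/Access-Challenge pair) across the backbone. 8 round trips
    is an assumed figure for an unfragmented EAP-TLS run, not from the page."""
    return 2 * round_trips


if __name__ == "__main__":
    d, roles, t = authentis_access("enst.fr", "carol@int-evry.fr", "carol@int-evry.fr", True)
    print(d, roles, t.inter_domain_packets, "inter-domain packets")
    print("proxied EAP-TLS would need", proxied_eap_tls_packets())
```

The check worth keeping from this model is the identity binding in `local_eap_tls_auth`: a valid certificate for one user must not be usable under another user's claimed name, otherwise the home site authorizes the wrong account. The two inter-domain packets still travel over the public backbone, so, as the requirements section notes, that link needs its own integrity protection.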

2003 artur hecker