Inter WISP WLAN roaming

A service concept
by Wirlab
© Wirlab Research Center
Inter-WISP roaming
• most RADIUS servers support domain-based AAA proxying capabilities
• an increasing number of RADIUS servers support 802.1X via different authentication methods (EAP-MD5, EAP-TLS, EAP-TTLS ...)
• Access Controllers and wireless access points are hardware that support the RADIUS protocol for AAA purposes
• standards-based equipment should be used in order to achieve vendor independence and easier management
RADIUS
• How does the RADIUS server work in inter-WISP roaming?
– it checks the domain part of the authenticating username ([email protected]) visiting a foreign domain (operator.fi)
– based on the domain name it decides whether to authenticate the user locally or proxy the request to an external server
– a specific Clearing House Proxy handles all the AAA messages between WISPs
– after the username has been authenticated by its home server, reply messages are delivered back to the originating server via the Clearing House
– each RADIUS server along the path keeps track of its own messages, and the Clearing House processes all inter-WISP messages, too
AAA
• Besides authentication for roaming users, the Clearing House Proxy stores accounting information
– timestamps, amount of transferred data, start/alive/stop messages and authenticator IP addresses are stored in a database from which all roaming reports are generated
– the organization taking care of the Clearing provides all participants with the roaming statistics for billing
• RADIUS servers can also be used for authorization of services
802.1X
• Fairly new, port-based authentication scheme
– a user logs on to the network with a separate authentication client on his/her PC
– the client comes bundled with Windows XP; other OSs have third-party clients available
– multiple methods are underway and implemented: MD5, EAP-TLS, TTLS, LEAP, PEAP ...
Access Controllers
• Multiple WLAN vendors have integrated 802.1X / RADIUS support in their hardware
– Cisco, Nokia, Avaya, 3Com ...
• Separate Access Controllers are also available from multiple vendors
– Nokia, USG, Vernier, Cisco ...
– these ACs use HTTP authentication via a web browser to authenticate the users to the network. No separate clients needed for the user!
• Separate Access Controllers can also be used in traditional wired environments, where an existing network can easily be turned into an inter-ISP roaming service
From theory to practice
• Although there are a lot of white papers about inter-WISP roaming, no standards-based service has been announced
• Wirlab has built a working environment with 802.1X WLAN access points and separate Access Controllers combined with an efficient RADIUS server
• The solution has been in testing for the last six months and no major problems have occurred
Example
Diagram: a Clearing House RADIUS with an ISP DB, connected over the Internet to the operator.fi RADIUS (with an Access Controller and a User DB) and the wirlab.net RADIUS (with its own User DB); two clients, [email protected] and [email protected]
Example – RADIUS messages
Diagram: the same six messages are relayed at each of the three RADIUS servers (operator.fi, Clearing House, wirlab.net):
1. Access-Request
2. Access-Challenge
3. Access-Request
4. Access-Accept
5. Accounting-Request
6. Accounting-Response
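The realm check and the proxy decision from the RADIUS slide, together with the six-message sequence above, as an added Python example that is not Wirlab's code; the server labels, the realm table and the usernames are assumptions, only the two domains come from the slides.

```python
# Added example (not Wirlab's code): realm-based routing of one RADIUS
# exchange through the inter-WISP chain described on the slides. Server
# labels, the realm table and the usernames are constructed.

LOCAL_REALM = "operator.fi"                    # the visited WISP
KNOWN_REALMS = {"operator.fi", "wirlab.net"}   # realms the Clearing House can reach

# The six messages shown on the "RADIUS messages" slide, in order.
MESSAGES = ["Access-Request", "Access-Challenge", "Access-Request",
            "Access-Accept", "Accounting-Request", "Accounting-Response"]

def split_user(username):
    """Split 'user@realm' into (user, realm); realm is None when absent."""
    user, sep, realm = username.rpartition("@")
    if not sep:
        return username, None
    return user, realm.lower()

def route(username, local_realm=LOCAL_REALM):
    """Decide what the visited RADIUS server does with an Access-Request.
    Returns (decision, servers): 'local' for the WISP's own users, 'proxy'
    for a known foreign realm (via the Clearing House), and 'reject' for a
    missing or unknown realm, so junk never reaches the Clearing House."""
    _, realm = split_user(username)
    if not realm or realm not in KNOWN_REALMS:
        return "reject", [f"{local_realm} RADIUS"]
    if realm == local_realm:
        return "local", [f"{local_realm} RADIUS"]
    return "proxy", [f"{local_realm} RADIUS", "Clearing House RADIUS",
                     f"{realm} RADIUS"]

def exchange(username):
    """Simulate the message flow as (message, sender, receiver) hops.
    Requests travel towards the home server, replies retrace the path."""
    decision, servers = route(username)
    hops = ["Access Controller"] + servers
    msgs = ["Access-Request", "Access-Reject"] if decision == "reject" else MESSAGES
    log = []
    for msg in msgs:
        order = hops if msg.endswith("Request") else hops[::-1]
        log += [(msg, src, dst) for src, dst in zip(order, order[1:])]
    return log

if __name__ == "__main__":
    for hop in exchange("alice@wirlab.net"):   # constructed roaming user
        print("%-19s %s -> %s" % hop)
```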
User’s view / 802.1X
• On an 802.1X-enabled OS, as soon as the wireless client is associated with the access point, the AP prompts the user for username and password
User’s view / 802.1X
• A new window opens for the required information
User’s view / 802.1X
• After the information is sent and the user is authenticated by the RADIUS servers, the view in Network Connections changes as follows. The user is authenticated and the network session can begin
User’s view / HTTP
• When authenticating via HTTP, the user has to open his/her browser and is then redirected to the authentication page. After entering the username and password the user is granted access to the network
Example: Cisco BBSM
User’s view / HTTP
• A pop-up window containing a "Logoff" or "Disconnect" button is usually initialized after login. Until the user logs off, all traffic is passed through the Access Controller. This enables accounting for the session
Clearing House
• Inter-WISP traffic logs per given timeframe
Displays information on usernames, visited and visiting domains, timestamps, in/out bytes and number of accounting messages
Clearing House (contd.)
• Collect balance information from current time
Balance figures per operator reflected against others
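The accounting records described on the AAA slide, folded into the roaming report and the per-operator balance figures of the Clearing House slides, as an added Python example that is not Wirlab's code; the record fields, session ids, usernames and byte counts are all constructed, only the two domains come from the slides.

```python
# Added example (not Wirlab's code): folding Clearing House accounting
# messages into the roaming report and per-operator balances the slides
# describe. All values are constructed; only the two domains are the slides'.
from collections import defaultdict

def msg(sid, user, nas, kind, ts, octets_in, octets_out):
    return {"sid": sid, "user": user, "nas": nas, "type": kind,
            "ts": ts, "in": octets_in, "out": octets_out}

# Constructed accounting log: one roaming session closed by a Stop, one still
# open (Interim-Update only) and one purely local session.
ACCT_LOG = [
    msg("s1", "alice@wirlab.net", "operator.fi", "Start", 100, 0, 0),
    msg("s1", "alice@wirlab.net", "operator.fi", "Interim-Update", 160, 500, 200),
    msg("s1", "alice@wirlab.net", "operator.fi", "Stop", 220, 900, 300),
    msg("s2", "bob@operator.fi", "wirlab.net", "Start", 110, 0, 0),
    msg("s2", "bob@operator.fi", "wirlab.net", "Interim-Update", 170, 400, 100),
    msg("s3", "carol@operator.fi", "operator.fi", "Stop", 300, 50, 50),
]

def home_realm(user):
    return user.rpartition("@")[2].lower()

def roaming_sessions(log, start, end):
    """One row per inter-WISP session whose first message fell in [start, end).
    RADIUS octet counters are cumulative, so the latest message replaces the
    earlier value instead of being summed; the message count is reported as is."""
    rows = {}
    for m in sorted(log, key=lambda m: m["ts"]):
        home = home_realm(m["user"])
        if home == m["nas"]:
            continue                         # local user: not roaming traffic
        row = rows.setdefault(m["sid"], {"user": m["user"], "home": home,
                              "visited": m["nas"], "first": m["ts"], "msgs": 0})
        row["last"], row["in"], row["out"] = m["ts"], m["in"], m["out"]
        row["msgs"] += 1
        row["closed"] = m["type"] == "Stop"  # open sessions are reported too
    return [r for r in rows.values() if start <= r["first"] < end]

def balances(rows):
    """Net bytes per operator: carried for visitors minus consumed abroad by
    its own users; positive means the others owe this operator."""
    bal = defaultdict(int)
    for r in rows:
        volume = r["in"] + r["out"]
        bal[r["visited"]] += volume
        bal[r["home"]] -= volume
    return dict(bal)
```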
CH Management (contd.)
• Administrate WISP RADIUS-servers via browser
http://www.wirlab.net/