Page 453 - From GSM to LTE

Wireless Local Area Network (WLAN)  439

any other participating Eduroam institution. At the beginning of the authentication process the client has to supply an anonymous identity that points to the user's home university. Based on this information the Eduroam authentication system then either uses the local authentication certificate or, in the case of a roamer, contacts the user's home university to get the certificate from one of the authentication servers there. The certificate is then forwarded to the client device, which then has to check that it is valid and has been issued by the user's home university. Afterward the client device encrypts the username and password with the public key that is part of the certificate and sends it to the access point. From there it is forwarded either to the local authentication server or to a remote authentication server in the case of a roaming user. It is interesting to note that in the case of a roamer, the local network does not see the username and password, as they can only be decrypted by the remote authentication server. If the username and password are valid, the authentication server returns a positive result to the Wi-Fi installation and access to the network is granted. Internet access is then provided via the local network, i.e. in the case of a roaming user, their data packets are not tunneled back to their home network.
Typically, universities supporting Eduroam provide customized installation programs to their users that automatically install the required certificate chain for validation, configure a WLAN connection entry for the Eduroam SSID and also ensure that certificate validation is performed correctly. In Ubuntu, the certificate verification parameters for a University of Vienna Eduroam user are configured as follows:
    [802-1x]
    eap=peap;
    anonymous-identity=@univie.ac.at
    identity=a8398493@univie.ac.at
    ca-cert=/home/…./eduroam-full-certificate-chain-university-of-vienna.pem
    # In Ubuntu up to 15.10 use the following line:
    subject-match=univie.ac.at

    # In Ubuntu 16.04 and newer use the following line:
    domain-suffix-match=univie.ac.at
    phase2-auth=mschapv2
Apart from the path to the certificate chain file, the 'subject-match' or 'domain-suffix-match' line (depending on the Ubuntu version) is equally important, so that the device rejects any certificate chain not belonging to the home university of the user. In combination this prevents man-in-the-middle attacks. Further configuration details can be found in [17].
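The two name-matching lines do not apply the same test, which is worth seeing concretely. The following is an added Python example (not from the book and not code from NetworkManager or wpa_supplicant) that models the documented semantics of the two options as wpa_supplicant, which NetworkManager drives, applies them: subject_match is a plain substring test on the certificate subject DN, while domain_suffix_match is a label-aligned suffix test on the SubjectAltName dNSName entries, falling back to the CN only when no dNSName is present. All certificate names below are constructed for illustration.

```python
HOME_DOMAIN = "univie.ac.at"  # value taken from the sample configuration above


def subject_match(subject_dn: str, needle: str) -> bool:
    """Legacy check: accept if `needle` appears anywhere in the subject DN."""
    return needle in subject_dn


def _suffix_match_one(name: str, suffix: str) -> bool:
    """Label-aligned suffix comparison, case-insensitive, trailing dot ignored."""
    name_labels = name.lower().rstrip(".").split(".")
    suffix_labels = suffix.lower().rstrip(".").split(".")
    if len(name_labels) < len(suffix_labels):
        return False
    return name_labels[-len(suffix_labels):] == suffix_labels


def domain_suffix_match(san_dns_names: list[str], subject_cn: str, suffix: str) -> bool:
    """Stricter check: a SAN dNSName must suffix-match; CN is used only when no dNSName exists."""
    if san_dns_names:
        return any(_suffix_match_one(n, suffix) for n in san_dns_names)
    return _suffix_match_one(subject_cn, suffix)


# Constructed certificate identities a client might be presented with (not real certificates).
CERTS = {
    "genuine": {"cn": "radius.univie.ac.at", "san": ["radius.univie.ac.at"]},
    # Names that merely contain the home domain as a substring.
    "foreign_subdomain": {"cn": "univie.ac.at.other.example",
                          "san": ["univie.ac.at.other.example"]},
    # A look-alike label that is not a separate DNS label.
    "lookalike": {"cn": "xunivie.ac.at", "san": ["xunivie.ac.at"]},
}


def evaluate(cert: dict) -> dict:
    """Return the verdict of both checks for one certificate identity."""
    subject_dn = f"CN={cert['cn']}"
    return {
        "subject-match": subject_match(subject_dn, HOME_DOMAIN),
        "domain-suffix-match": domain_suffix_match(cert["san"], cert["cn"], HOME_DOMAIN),
    }


if __name__ == "__main__":
    for label, cert in CERTS.items():
        print(f"{label:18s} {evaluate(cert)}")
```

Only the genuine certificate passes the suffix test, whereas the substring test accepts all three, which is why the newer option is the one to prefer where the supplicant supports it.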


6.7.6 WPA and WPA2 Enterprise Mode Authentication – EAP-SIM

Today, smartphones, tablets and other cellular devices are also equipped with a WLAN interface to connect to the Internet at home, in the office or via public WLAN hotspots. Mobile network operators that offer hotspot services are faced with the question of how they can authenticate their customers over WLAN. A number of proprietary solutions are available on the market but all of them require some sort of interaction with the