TOSIroam Technical Appendix

  • MAB
    The need for secure network access has never been greater. Today's staff, learners and even guests are diverse and mobile, and all of them require access to multiple network resources. As data networks become increasingly indispensable in day-to-day business operations, the possibility that unauthorized people or devices will gain access to controlled or confidential information also increases.
    The best and most secure solution to vulnerability at the access edge is to use the intelligence of the network. One access control technique is called MAC Authentication Bypass (MAB). MAB uses the MAC address of a device to determine what kind of network access to provide.
    • Benefits
      • MAB offers the following benefits on wired networks:
        • Visibility: MAB provides network visibility since the authentication process provides a way to link a device's IP address, MAC address, switch, port and user. This visibility is useful for security audits, network forensics, network use statistics, and troubleshooting.
        • Access control at the edge: MAB acts at Layer 2, allowing schools to control network access at the access edge.
        • Colleges:
          MAB is deployed by Crystal as a standalone authentication mechanism.
          In most cases it is envisaged that schools will use Crystal MAB as a standalone authentication, but some Colleges may choose to employ IEEE 802.1X and use MAB as a complementary fallback.
          • Identity-based services (aka Crystal): MAB enables you to dynamically deliver customized services based on an endpoint's MAC address.
            • For example, a device might be dynamically authorized for a specific VLAN or assigned a unique access list that grants appropriate access for that device.
            • All the dynamic authorization techniques that work with IEEE 802.1X authentication will also work with MAB.
          • Fallback or standalone authentication: In a network that includes both devices that support and devices that do not support IEEE 802.1X, MAB can be deployed as a fallback, or complementary, mechanism to IEEE 802.1X. If the network does not have any IEEE 802.1X-capable devices,.
            • Delay: When used as a fallback mechanism to IEEE 802.1X, MAB waits for IEEE 802.1X to time out before validating the MAC address.
            • During the timeout period, no network access is provided by default.
            • Delays in network access can negatively affect device functions and the user experience.
            • A mitigation technique is required to reduce the impact of this delay.
      • Limitations
        • MAC database: As a prerequisite for MAB, there must be a preexisting database of MAC addresses of the devices that are allowed on the network. Crystal uses its free "Kete" service to generate a SQL-based table that is linked to a shared RADIUS server.
          • Kete is a prerequisite Crystal service.
        • No user authentication: MAB can be used to authenticate only devices, not users.
          • Different users logged into the same device will have the same network access.
          • Crystal uses its free BYOD registration service to build a table of each user's authorised devices; in effect each and every device is linked authoritatively to one user, and the Crystal IAM/SSO can then be used to verify the user when the intelligence of the network detects an anomaly.
        • Strength of authentication: Unlike IEEE 802.1X, MAB is not a strong authentication method.
          • MAB can be defeated by spoofing the MAC address of a valid device.
          • To overcome this weakness, digital certificates are employed.
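The two MAB building blocks described above, the MAC-address table that Kete populates and the per-MAC dynamic authorization (VLAN or access list) handed back by the RADIUS server, can be shown in one small lookup routine. The following is an added example written for this appendix; it is not Crystal's or Kete's code, and the table schema, column names, VLAN numbers and sample devices are all constructed assumptions. A MAB request arrives with the device's MAC address as the RADIUS User-Name, in whatever format the switch uses, so the routine first normalises it, then looks it up and returns the tunnel attributes a RADIUS server would place in the Access-Accept for dynamic VLAN assignment.

```python
"""MAB authorization lookup against a MAC-address table (added example).

Assumptions (not from the TOSIroam appendix): the table schema, the column
names, the VLAN values and the sample devices are constructed for
illustration. The real Kete table and its RADIUS integration are not
described on the page.
"""
import re
import sqlite3
from typing import Optional

# Switches send the MAC as the User-Name in several formats:
# "00:11:22:33:44:55", "00-11-22-33-44-55", "0011.2233.4455", "001122334455".
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    hexdigits = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    return hexdigits if _HEX12.fullmatch(hexdigits) else None


# Constructed schema: one row per registered device, each linked to one owner.
SCHEMA = """
CREATE TABLE authorised_devices (
    mac     TEXT PRIMARY KEY,    -- normalised 12 hex digits
    owner   TEXT NOT NULL,       -- the single user this device is linked to
    vlan    INTEGER NOT NULL,    -- VLAN returned in the Access-Accept
    enabled INTEGER NOT NULL DEFAULT 1
);
"""

# Constructed sample rows, not real devices.
SAMPLE_ROWS = [
    ("001122334455", "staff.alice", 10, 1),
    ("aabbccddeeff", "learner.bob", 20, 1),
    ("deadbeef0001", "guest.kiosk", 99, 0),   # registered but disabled
]


def open_db() -> sqlite3.Connection:
    """Build an in-memory copy of the device table with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO authorised_devices VALUES (?,?,?,?)", SAMPLE_ROWS)
    return conn


def authorize(conn: sqlite3.Connection, user_name: str) -> dict:
    """Decide the RADIUS outcome for a MAB request.

    Returns 'Access-Reject' with a reason, or 'Access-Accept' with the owner
    and the standard tunnel attributes used for dynamic VLAN assignment.
    """
    mac = normalize_mac(user_name)
    if mac is None:
        return {"result": "Access-Reject", "reason": "user-name is not a MAC address"}
    # Parameterised query: the User-Name comes straight off the network and
    # must never be concatenated into SQL.
    row = conn.execute(
        "SELECT owner, vlan, enabled FROM authorised_devices WHERE mac = ?", (mac,)
    ).fetchone()
    if row is None:
        return {"result": "Access-Reject", "reason": "unknown MAC"}
    owner, vlan, enabled = row
    if not enabled:
        return {"result": "Access-Reject", "reason": f"device of {owner} is disabled"}
    return {
        "result": "Access-Accept",
        "owner": owner,
        "attributes": {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan),
        },
    }


if __name__ == "__main__":
    db = open_db()
    for name in ["00:11:22:33:44:55", "aabb.ccdd.eeff", "DE-AD-BE-EF-00-01",
                 "ff:ff:ff:ff:ff:ff", "alice"]:
        print(name, "->", authorize(db, name))
```

Two points worth noting for a deployment: the lookup key is the normalised MAC, so a device is matched regardless of which separator style its switch uses, and the query is parameterised because the User-Name is attacker-controlled input arriving from the access edge.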
  • Digital certificates: To be completed after R&D
    MAB works well in this environment (used in past trials) but has the security weakness of being able to be spoofed.
    In the past this has been managed by "the intelligence of the network" (aka using SSO to verify the user), but with further research and development it is hoped that digital certificates will enable a more standard solution to be implemented.
    • Digital certificates are employed for N4L content filtering.
      It is envisaged that both TOSIroam and N4L certificates be installed at the same time thus allowing a more flexible and powerful environment for the users.
    • The free Crystal Kete service will be used to track which devices have appropriate digital certificates and manage the expiry dates.
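The appendix says MAB's spoofing weakness has so far been managed by "the intelligence of the network", which detects an anomaly and then falls back on SSO to verify the user. One concrete form of that detection is checked below: a MAC address that opens a session on one switch or port while its earlier session elsewhere is still active cannot be one physical device, so it is flagged for user verification. This is an added example, not Crystal's detection logic; the accounting-log layout, switch names, ports and session IDs are all constructed.

```python
"""Flagging MAC-spoofing indicators in RADIUS accounting records (added example).

Not part of the TOSIroam appendix or of Crystal. The simplified log format,
switch names, ports and session ids below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed accounting lines in a simplified syslog-like layout.
# Device 0011... starts a second session in the library while its block-A
# session is still open; device aabb... stops in block A before it appears
# in the library, which is ordinary roaming and must not be flagged.
SAMPLE_LOG = """\
2024-03-04T08:00:02 acct Start user=001122334455 nas=sw-block-a port=Gi1/0/12 sid=A1
2024-03-04T08:03:10 acct Start user=aabbccddeeff nas=sw-block-a port=Gi1/0/20 sid=B1
2024-03-04T08:05:44 acct Start user=001122334455 nas=sw-library port=Gi1/0/3 sid=A2
2024-03-04T08:30:00 acct Stop  user=aabbccddeeff nas=sw-block-a port=Gi1/0/20 sid=B1
2024-03-04T08:31:15 acct Start user=aabbccddeeff nas=sw-library port=Gi1/0/7 sid=B2
2024-03-04T09:00:00 acct Stop  user=001122334455 nas=sw-block-a port=Gi1/0/12 sid=A1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) acct (?P<kind>Start|Stop)\s+user=(?P<mac>[0-9a-f]{12}) "
    r"nas=(?P<nas>\S+) port=(?P<port>\S+) sid=(?P<sid>\S+)$"
)


def parse_log(text):
    """Yield parsed accounting records in log order; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec


def find_concurrent_sessions(records):
    """Return one (mac, existing_location, new_location) tuple for every Start
    that arrives while the same MAC still has an open session at a different
    switch/port. Locations are (nas, port) pairs."""
    open_sessions = {}          # sid -> (mac, nas, port)
    open_by_mac = defaultdict(set)  # mac -> sids currently open
    alerts = []
    for rec in records:
        loc = (rec["nas"], rec["port"])
        if rec["kind"] == "Start":
            for other_sid in open_by_mac[rec["mac"]]:
                other_loc = open_sessions[other_sid][1:]
                if other_loc != loc:
                    alerts.append((rec["mac"], other_loc, loc))
            open_sessions[rec["sid"]] = (rec["mac"], *loc)
            open_by_mac[rec["mac"]].add(rec["sid"])
        else:  # Stop: close the session so later roaming is not flagged
            open_sessions.pop(rec["sid"], None)
            open_by_mac[rec["mac"]].discard(rec["sid"])
    return alerts


if __name__ == "__main__":
    for mac, was_at, now_at in find_concurrent_sessions(parse_log(SAMPLE_LOG)):
        print(f"verify owner of {mac}: active at {was_at} and {now_at}")
```

The check deliberately keys on open sessions rather than on "seen on two switches today", so a learner who walks from one block to the library is not flagged; only overlap is. In the model the appendix describes, each alert would trigger the SSO verification of the device's registered owner rather than an automatic block.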

  • Redundancy
    There are several elements to consider.
    • Crystal services: Crystal services (SQL and other services) are located on multiple server farms with failover.
    • RADIUS server: The main RADIUS server is a physical device hosted at Waimea College/EdSerf with all the normal server farm practices.
      • Crystal hosts a standby physical redundant RADIUS server with failover.
      • A third RADIUS server can be started manually in Crystal's backup environment.
    • School: A school can fail over from the TOSIroam RADIUS server(s) to its local enterprise wireless system.
    • Connections: These are managed by N4L under their own practices and policies.

  • Connection types
    • GRE tunnel: Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems. It is Cisco's protocol for a product similar to a VPN; unlike a VPN, however, GRE on its own provides no encryption, so confidentiality of the tunnelled traffic depends on the carrier network or on an additional layer such as IPsec.
    • NTL layer 2 connection: Old Loop schools usually have an NTL layer 2 switch in their cabinet. This switch can be used to provide a layer 2 direct connection back to the Crystal server farm located on EdSerf.
    • VPN tunnel: A VPN, or Virtual Private Network, is a method of linking two locations like they are on a local private network.