eduroam: towards a managed european service
Connect. Communicate. Collaborate

eduroam: towards a managed European service
Miroslav Milinović, Srce, Zagreb, Croatia
eduroam SA, GÉANT2 <[email protected]>
Wi-Fi Workshop, Barcelona, Spain
Contents
• Roaming activity in GEANT2 (JRA5, SA5)
• eduroam technology
• eduroam service
  – organisation
  – infrastructure elements
  – supporting elements
• Current status and plans
GEANT2 & roaming
• JRA5: Roaming and Authorisation
  – How to organise access to resources in the research and education area in a sufficiently safe and easy-to-handle way?
  – Work items: roaming (eduroam), AAI (eduGAIN), uSSO
  – JRA5 roaming vision: to build a roaming infrastructure enabling full mobility of members of the scientific community in Europe
• SA5: eduroam service activity
  – continue on JRA5 results in order to build and maintain a reliable European eduroam service
  – provide: “open your laptop and be online”
Roaming requirements
• Identify users uniquely at the edge of the network
• Enable guest usage
• Scalable
  – local user administration and authentication
• Easy to install and use
  – at most a one-time installation by the user
• Open
• Secure
eduroam technology
• Security based on 802.1X
  – Integration with VLAN assignment
  – Protection of credentials
• Authentication based on EAP (Extensible Authentication Protocol)
  – Different authentication mechanisms possible by using EAP
• Roaming based on RADIUS proxying
  – Remote Authentication Dial In User Service
  – Transport protocol for authentication information
• Trust fabric based on:
  – Technical: RADIUS hierarchy
  – Policy (federation agreement): documents/contracts that define the responsibilities of user, institution, NREN and the respective federation
eduroam architecture: ubiquitous network access
[Diagram: supplicant (user joe@university_b.hr) – authenticator (AP or switch) – RADIUS server University A – central RADIUS proxy server (XYZnet) – RADIUS server University B with its user DB; VLANs: Student, Employee, Commercial; data and signalling paths shown separately]
• Trust: RADIUS & policy documents
• 802.1X + EAP
• (VLAN assignment)
eduroam confederation RADIUS hierarchy
[Diagram: confederation level servers at the top; federation (NREN) level servers below them, e.g. .DK and .PT; institutional level servers (inst-1, inst-2, inst-3, inst-4) at the bottom]
eduroam goes global
http://www.eduroam.org
(European) eduroam service
• eduroam user experience: “open your laptop and be online”
• To provide secure network access inside the confederation boundaries (to the end users)
• eduroam is a secure international roaming service for members of the European eduroam confederation (a confederation of autonomous roaming services)
• First steps in transition to service:
  – Service Definition and Implementation Plan
  – Policy
European eduroam confederation principles
• Members are European NRENs/NROs
• Members sign the European eduroam policy, committing to the organisational and technical requirements
• Mutual access – no fees (for end users)
• Authentication at home - Authorisation at visited institution
• Home institutions are/remain responsible for their users abroad
• Members promote eduroam in their countries
• European eduroam may peer with other regions (confederation level)
Confederated eduroam service
• Encompasses all the elements necessary to support the Service
  – confederation infrastructure
  – establishing trust between the member federations
  – monitoring and diagnostic facilities
  – central data repository (eduroam database)
  – confederation level user support
eduroam service model
[Diagram: the eduroam service (governed by SA5) consists of the eduroam confederation service (provided by OT) and the national eduroam services (each provided by an NREN/NRO), ...]
eduroam service elements
• Technology infrastructure
• Supporting infrastructure
  – monitoring and diagnostics
  – eduroam web site (http://www.eduroam.org)
  – eduroam database
  – trouble ticketing system (TTS)
  – mailing lists
Users vs. service elements

| Service element | End user | Inst.-level personnel | Federation-level personnel |
|---|---|---|---|
| Basic monitoring facilities | Yes | Yes | Yes |
| Full monitoring and diagnostics facilities | No | Yes (limited to the information regarding the respective inst.) | Yes |
| Public access to the eduroam web site | Yes | Yes | Yes |
| Access to the internal eduroam web site | No | Yes (limited to the information regarding the respective inst.) | Yes |
| Public access to the eduroam database | Yes | Yes | Yes |
| Access to all information in the eduroam database | No | Yes (limited to the information regarding the respective inst.) | Yes |
| TTS | No | Yes | Yes |
| SA5/OT mailing lists | No | No | Yes |
| Support from OT | No | No | Yes |
eduroam infrastructure
[Diagram, “eduroam confederation infrastructure”: user U obtains network access at the remote institution (RI, SP); RADIUS requests pass from the RI RADIUS server via the remote federation’s (national) top-level RADIUS proxy server(s) to the top-level RADIUS server(s), then via the home federation’s (national) top-level RADIUS proxy server(s) to the home institution (HI, IdP) RADIUS server, labelled AuthN S]
Monitoring: problem definition
• Monitor functionality of the eduroam infrastructure
  – servers
  – infrastructure
  – user experience
• It is not enough to know that a host is accessible
• Ultimate goal is to test the real user experience
  – (very) different workflows at RADIUS servers for Accept and Reject
  – perform both accept and reject logic tests
Monitoring: concept
• Monitoring client is a RADIUS client capable of sending various types of RADIUS request (PAP, EAP, …)
• RADIUS Proxy Server is the monitored server
• IdP RADIUS Server is the server that issues the response, thus acting as a loop-back server. Its function is to close the tunnel and create a standard, well-formed and specified response. This function might be realised on the monitored server (RADIUS proxy server)
[Diagram: Monitoring Client – RADIUS Proxy Server – IdP RADIUS Server]
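The realm-based routing of the confederation RADIUS hierarchy (institution, federation, top level) together with the accept/reject monitoring probes described above, as an added Python model that is not part of the presentation or of any eduroam software: server names, realms and the user database are constructed, and a plain password compare stands in for the EAP exchange at the home IdP.

```python
ACCEPT, REJECT = "Access-Accept", "Access-Reject"

class RadiusServer:  # one hierarchy node; realm '' marks the confederation top level
    def __init__(self, name, realm, users=None):
        self.name, self.realm, self.users = name, realm, users or {}  # users: constructed IdP DB
        self.parent, self.children = None, []

    def handle(self, user_name, password, path):
        """Proxy by the realm after '@'; only the home IdP ever performs the password check."""
        if self.name in path:                     # proxy loop: drop the request
            return REJECT
        path.append(self.name)
        user, _, realm = user_name.rpartition("@")   # a realm-less name is rejected at the top
        if realm == self.realm:                   # home IdP: authenticate locally
            return ACCEPT if self.users.get(user) == password else REJECT
        # longest matching child realm wins ('hr' also covers 'university_b.hr')
        hits = [c for c in self.children
                if realm == c.realm or realm.endswith("." + c.realm)]
        if hits:
            nxt = max(hits, key=lambda c: len(c.realm))
        elif self.parent is not None:             # not below us: escalate one level
            nxt = self.parent
        else:
            return REJECT                         # top level and realm still unknown
        return nxt.handle(user_name, password, path)

def build_confederation():
    """Constructed sample mirroring the slide: TLRS -> national FLRS -> institutions."""
    servers = {}
    def add(parent_name, name, realm, users=None):
        s = servers[name] = RadiusServer(name, realm, users)
        if parent_name:
            s.parent = servers[parent_name]
            s.parent.children.append(s)
    add(None, "tlrs-eu", "")
    add("tlrs-eu", "flrs-hr", "hr")
    add("tlrs-eu", "flrs-dk", "dk")
    add("flrs-hr", "inst-a", "university_a.hr")
    add("flrs-hr", "inst-b", "university_b.hr", {"joe": "s3cret"})
    add("flrs-dk", "inst-1", "inst-1.dk")
    return servers

def probe(servers, visited, user_name, password):   # monitoring client at a visited SP
    path = []
    return servers[visited].handle(user_name, password, path), path

def monitor_check(servers, visited, test_user, good_pw, bad_pw):
    """Exercise both the Accept and the Reject workflow, as the slides require."""
    return (probe(servers, visited, test_user, good_pw)[0] == ACCEPT
            and probe(servers, visited, test_user, bad_pw)[0] == REJECT)
```

The returned hop path shows which servers a probe traversed, so a monitor can tell a failing FLRS from a failing home IdP; an unknown realm is bounced once and then dropped by the loop check.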
Monitoring servers
[Diagram: monitoring client with a monitoring database, probing a TLRS and an FLRS]
Monitoring infrastructure
[Diagram: monitoring client with a monitoring database, probing several TLRS(s) and FLRS(s)]
Testing on demand
[Diagram: monitoring client with a monitoring database, testing via the TLRS(s) against the FLRS(s) of realm A and realm B]
eduroam database
• The information stored in the eduroam database includes:
  – NRO representatives and respective contacts
  – Local institutions’ (both SP and IdP) official contacts
  – Information about eduroam hot spots (SP location, technical info)
  – Monitoring information
  – Information about the usage of the service
• NROs:
  – should provide the respective data (general and usage data)
  – in the defined XML format, available at the specified URL address
  – should be accessible only from the eduroam database server
User support: problem escalation scenario (1)
[Diagram: visited federation (user, local institution admin., fed.-level admin.), home federation (local institution admin., fed.-level admin.) and the OT; escalation steps numbered 1,2 – 3 – 4]
User support: problem escalation scenario (2)
[Diagram: same parties as scenario (1); escalation steps numbered 1,2 – 3 – 4 (4a, 4b) – 5 – 6]
Implementation plan
[Timeline for: service definition & policy, monitoring, web site, TTS, eduroam database; milestones Sep07 (M37), Dec07 (M40), Jan08 (M41), Feb08 (M42), Mar08 (M43), Apr08 (M44), Aug08 (M48), Feb09 (M54)]
eduroam current status: connected to the TLRSs
• 33 countries
• 2 TLRSs
eduroam current status: monitored TLRS/FLRS
• monitoring service is in place
• will be publicly available via www.eduroam.org (end of April 2008)
• further development is planned
eduroam current status: demographics/user maps
• demographics info:
  – no. of SPs, IdPs
  – location of SPs
  – usage
  – coverage
  – contacts
• user oriented maps
• based on the eduroam database
• will be publicly available via www.eduroam.org (end of April 2008)
• further development is planned
http://www.eduroam.org