eduroam in Asian countries -- benefits, and tips for operation --
36th APAN Meeting, Aug. 22, 2013, Daejeon, Korea
Hideaki Goto, Tohoku University, Japan; Motonori Nakamura, NII, Japan; Hideaki Sone, Tohoku University, Japan
Welcome to eduroam!
New members in Asia-Pacific:
• Korea
• Singapore
• India
Campus wireless network (WLAN)
What do we need from the universities' points of view?
• Secure and easy-to-use Wi-Fi
  – Secure data encryption -- Web-auth is terrible!
  – User authentication -- Shared-key is insecure!
  – Collaboration with the university's ID management system
• Easy-to-deploy/operate system
  – Standard and popular system
  – Out-sourcing of operation (optional)
• International roaming
Campus wireless network (WLAN) (contd.)
• Free campus WLAN at conference sites, cafes, etc.
  – Collaboration with ISPs
  – Virtual campus expansion
• Large capacity
  – Fast and high-capacity access points
  – Support for lectures, trainings, conferences, etc.
• Sophisticated access controls
  – Separation of home/guest user networks
  – Easy and efficient access to services at home
• Wi-Fi service for citizens (optional)
  – Public Wi-Fi service by an ISP on campus
What is eduroam?
eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.
eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.
http://www.eduroam.org/
[Diagram: students/staff of a home institution connecting at Inst. A and Inst. B via the Internet; eduroam promotion video by AARNet]
eduroam global operation
• The eduroam service started as a pilot under the auspices of TERENA.
• About 60 countries worldwide
  – 11 members in Asia Pacific
• GeGC (Global eduroam Governance Committee) since 2010
  – 11 members: EU (4), US, CA, AP (2), Latin America (2), Africa
  – "Compliance Statement" compiled and made available in 2011
    • service definitions, technical standards
Benefits of eduroam
• One account (issued at the home institution), free Wi-Fi at member institutions worldwide
• De-facto standard of campus Wi-Fi
  – Plenty of information on the Net
  – Easy to use, and also easy to ask people for help
• Secure authentication, secure data encryption
  – Based on the IEEE 802.1X standard
• Low operational cost
  – Much less work for issuing guest accounts (as many people already have their own accounts)
eduroam deployments in Asia-Pacific

country (territory)   joined inst.   #total univ.+col.   deployment rate   notes
Australia             39+10          39+61?              100%              AP regional server 1
Hong Kong             9              9                   100%              AP regional server 2
China                 ?              1,700+              ?
Taiwan                217            170+                ?
Japan                 51             1,200+              4.3%
New Zealand           7+2            8                   87.5%             hosted by AARNet
PNG                   1              6                   ?                 hosted by AARNet
Macau                 1              ?
India                 2              ?
Korea                 2              ?
Singapore             3              8                   37.5%

• Some others (incl. Thailand) are coming soon??
• Hosting by a nearby country works well as an incubator.
• Hosting is quite beneficial for countries having a small number of institutions.
The world becomes a virtual campus!
• 130+ eduroam hotspots at rental meeting rooms, cafes, etc. in the central area of Tokyo
• eduroam at airports, train stations, etc. in Sweden
• eduroam on HotCity (municipal Wi-Fi) in Luxembourg
• eduroam at 19 airports in Norway (pilot project)
• and more ... ?
Roaming mechanism in eduroam
[Diagram: RADIUS proxy tree. Top-level RADIUS proxy (Europe, Asia-Pacific) -> National RADIUS proxy (JP, AU) -> Institutional RADIUS server (A, B, C, D) -> WLAN access point (AP). A user [email protected] at the visited institution triggers a RADIUS Access-Request that is forwarded up the tree and down to the home institution; the home institution's RADIUS Access-Accept travels back along the same path to the visited institution.]
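How a request is routed by its realm through the proxy tree described above, as an added Python example (not code from the presentation or from any eduroam deployment); the realms, server names and the proxy table are constructed for illustration:

```python
# Constructed proxy tree (added example, not a real eduroam configuration):
# the national proxy serving each institution's realm, and the top-level
# (regional) proxy each national proxy is connected to.
INSTITUTION_TO_NATIONAL = {
    "inst-a.ac.jp": "national-proxy.jp",
    "inst-b.ac.jp": "national-proxy.jp",
    "inst-c.edu.au": "national-proxy.au",
    "inst-e.uni.nl": "national-proxy.nl",
}
NATIONAL_TO_TOPLEVEL = {
    "national-proxy.jp": "toplevel-proxy.ap",  # Asia-Pacific
    "national-proxy.au": "toplevel-proxy.ap",
    "national-proxy.nl": "toplevel-proxy.eu",  # Europe
}


def split_identity(outer_identity):
    """Split the outer identity (RADIUS User-Name) into (user, realm).
    Only the realm is used for routing; the credentials travel inside the
    EAP tunnel to the home IdP, so '@inst-a.ac.jp' alone is acceptable."""
    if "@" not in outer_identity:
        raise ValueError("identity has no realm; the request cannot be routed")
    user, _, realm = outer_identity.rpartition("@")
    return user, realm.lower()


def access_request_path(visited_realm, outer_identity):
    """RADIUS servers an Access-Request passes through, from the visited
    institution's server to the home one; the Access-Accept returns in reverse."""
    _, home_realm = split_identity(outer_identity)
    if home_realm not in INSTITUTION_TO_NATIONAL:
        raise KeyError(f"unknown realm {home_realm!r}; no proxy can deliver it")
    path = [f"radius.{visited_realm}"]
    if home_realm == visited_realm:
        return path  # home user: authenticated on campus, never proxied
    visited_national = INSTITUTION_TO_NATIONAL[visited_realm]
    home_national = INSTITUTION_TO_NATIONAL[home_realm]
    path.append(visited_national)
    if visited_national != home_national:
        # Different country: up to the top-level proxy, across regions if
        # needed, then down through the home country's national proxy.
        visited_top = NATIONAL_TO_TOPLEVEL[visited_national]
        home_top = NATIONAL_TO_TOPLEVEL[home_national]
        path.append(visited_top)
        if visited_top != home_top:
            path.append(home_top)
        path.append(home_national)
    path.append(f"radius.{home_realm}")
    return path
```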
How to join eduroam?
• Countries / territories
  – Consult TERENA (or us).
  – Organize an NRO (National Roaming Operator) in charge of the eduroam operation in the territory (typically the NREN operator acts as NRO).
  – Sign the Compliance Statement.
  – Set up national RADIUS proxy server(s).
• Institutions / ISPs
  – Consult the local NRO.
  – Organize an RO (Roaming Operator) body in charge of eduroam operation.
  – Set up a RADIUS IdP/proxy and connect it to the national proxy.
  – Build the WLAN system.
TIPS in eduroam operation
• Home / guest user network separation (recommended)
• Conventional architecture (IdP at every institution) or centralized/cloud eduroam IdP (optional)?
  – Reduces the deployment and operational burdens at both NRO and RO.
  – e.g. Delegate Authentication System (DEAS)
  – e.g. Shibboleth-based eduroam account issuer
  – Quite useful for countries having a large number of institutions
• World eduroam access point map (optional)
Network design
• Without guest network separation?
  – Visitors could gain access to local servers (security threat)
  – Visitors could use outer services such as Electronic Journals
[Diagram: Inst. A and Inst. B campus LANs with local servers, each reaching Publishers over the Internet through a gateway registered for outer services; visitors sit on the same campus LAN as home users]
Network design (contd.)
• Guest network only
  – Visitors cannot gain access to local servers or EJs
  – Home users cannot gain access to local servers or EJs (low usability)
[Diagram: Inst. A and Inst. B with a separate guest network beside the campus LAN and local server; the gateway registered for outer services reaches Publishers only from the campus LAN]
Network design (contd.)
• Network separation by Dynamic VLAN (switch by realm)
  – Visitors cannot gain access to local servers or EJs
  – High usability for home users
  – In Japan, SINET provides a small /30 guest network for each institution (NAPT is required)
[Diagram: Inst. A and Inst. B with a dynamic VLAN placing home users on the campus LAN (local server, gateway registered for outer services, Publishers) and visitors on the guest network]
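The dynamic-VLAN decision above, as an added Python example (not code from the presentation or from any deployment): the institution's RADIUS server picks the VLAN from the authenticated user's realm and hands it to the access point with the RFC 3580 tunnel attributes, and a small check shows why a /30 guest prefix forces NAPT. Realm names, VLAN ids and the 192.0.2.0/30 prefix are constructed for illustration.

```python
import ipaddress

# Constructed values (added example): this campus's own realm(s) and the two
# VLANs its access points know about.
HOME_REALMS = {"inst-a.ac.jp"}
HOME_VLAN = "100"    # campus LAN: local servers and the EJ gateway
GUEST_VLAN = "200"   # guest network: Internet only

# RFC 3580 attribute values an 802.1X access point uses for VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6


def realm_of(outer_identity):
    """Realm part of the outer identity, lower-cased, or None if absent."""
    if "@" not in outer_identity:
        return None
    return outer_identity.rpartition("@")[2].lower()


def vlan_attributes(outer_identity):
    """Attributes the institution's RADIUS server adds to the Access-Accept so
    the AP places the client in the VLAN matching its realm. Returns None when
    the identity carries no realm: such a request must be rejected rather than
    dropped onto the campus LAN."""
    realm = realm_of(outer_identity)
    if realm is None:
        return None
    vlan = HOME_VLAN if realm in HOME_REALMS else GUEST_VLAN
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
        "Tunnel-Private-Group-Id": vlan,
    }


def guest_prefix_needs_napt(prefix, expected_guests):
    """True if the guest prefix cannot give every guest its own address.
    A /30 (as SINET provides per institution) has four addresses; network,
    broadcast and gateway leave a single host address, hence NAPT."""
    net = ipaddress.ip_network(prefix, strict=True)
    host_addresses = net.num_addresses - 3
    return expected_guests > host_addresses
```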
Easy-to-join eduroam system
[Diagram: access points (an AP system by an ISP/carrier) send auth requests to the institution's RADIUS server (a RADIUS proxy), which forwards them to the national RADIUS and on to the Delegate Authentication System (DEAS) or Shibboleth-based eduroam account issuer acting as RADIUS IdP / national IdP service; each hop shares a secret (<secret key 1>, <secret key 2>)]

Benefits of DEAS / eduroam-Shib
• A large RADIUS network can be replaced with a single RADIUS server which works as an SP for member institutions
• Higher stability and reliability
• Low deployment and operational costs
[Diagram: eduroam RADIUS tree (AP -> jp, au -> institutions A, B, C, D, each with its own RADIUS IdP) versus Centralized RADIUS (AP -> jp, au -> institutions A, B, C, D; the user is authenticated by the DEAS IdP, with institutions labelled SP, No fed., or Shib.)]
Cloud-based, disaster-tolerant DEAS
[Diagram: eduroam Global and the eduroam top-level servers (Asia-Pacific) connect to National RADIUS 1 and National RADIUS 2; the national DEAS (master) and national DEAS (replica) are placed at separate sites in Sendai city and Tokyo, with data replication for higher availability. http://eduroam.jp/]
eduroam access point map
• Helps people find nearby eduroam sites
• Every NRO is recommended to provide map data in XML.
  – National realm information (realm.xml)
  – Institution information including AP locations (institution.xml)
  – https://www.eduroam.org/index.php?p=where
[Screenshots: eduroam Companion by Janet, UK (Android and iOS); map on the website]
• End of presentation
• Supplementary slides
eduroam JP
• National eduroam operation and promotion
  – 51 institutions (4.3% of 1,200) joined (Aug. 2013)
    • 38 (2012), 27 (2011), 17 (2010), 9 (2009)
  – Tutorial & technical documents
• R&D
  – Easy deployment and operation
  – Location privacy, etc.
• Collaboration with commercial W-ISPs
  – eduroam on commercial hotspots
  – Shared hotspots on campus
  – New architecture and business models for next-generation commercial / academic WLAN services
Federated Delegate Authentication System
• Account Issuer as a Shibboleth SP of Japan's GakuNin federation (f.k.a. UPKI federation)
• Centralized / clustered eduroam IdP to simplify the RADIUS proxy tree
• 3 types depending on the needs and federation level
• Authenticated access with pseudo-anonymized, fixed-term, and traceable roaming IDs
eduroam in disaster-affected campuses
• Borderless eduroam helped suffering staff
  – Nomadic network in a temporary evacuation campus
• Tohoku University faced the big earthquake in March.
  – Many buildings were severely damaged.
  – Staff moved to other buildings where networks are operated by different departments.
  – eduroam is an effective rescue for them to use the network --- inter-department roaming network
[Diagram: the Center and the damaged departments, with eduroam APs and additional APs all reachable under a common network ID]