Connect. Communicate. Collaborate

Eduroam: past, present, and future
TERENA Networking Conference, 7 June 2005
Klaas Wierenga, Klaas.Wierenga@surfnet.nl
Contents
• What is Eduroam?
• Current status of Eduroam
• Is anything wrong with Eduroam?
• Eduroam-ng and Géant2
• Conclusion
Users are mobile
(Diagram: a user moving between the WLAN of University A and University B over the SURFnet backbone and international connectivity, and via commercial access providers offering GPRS/UMTS, WLAN, cable and ADSL.)
Eduroam enables them to roam seamlessly
Eduroam architecture
• Security based on 802.1X (or web-based redirect)
  – Identity-based networking
  – Different authentication mechanisms possible
  – Prevents session hijacking
  – Mutual authentication possible
  – Protection of credentials
  – Integration with VLAN assignment
  – Provides the basis for the new wireless security standards WPA and 802.11i
• Roaming based on RADIUS proxying
  – Remote Authentication Dial In User Service
  – Transport protocol for authentication information
• Trust fabric based on:
  – Technical: RADIUS hierarchy
  – Policy: documents/contracts that define the responsibilities of user, institution, NREN and the Eduroam federation
Eduroam
(Diagram: a guest from University B visiting University A. Supplicant → Authenticator (AP or switch) → University A RADIUS server → SURFnet central RADIUS proxy server → University B RADIUS server → University B user DB; the identity piet@university_b.nl selects the home realm. Signalling and data paths are drawn separately; the VLANs shown are employee, student and commercial.)
• Trust based on RADIUS plus policy documents
• 802.1X
• (VLAN assignment)
Tunneled authentication (PEAP/TTLS)
• Uses a TLS/SSL tunnel to protect data
  – The TLS tunnel is set up using the server certificate, thus authenticating the server and preventing man-in-the-middle attacks
  – The user sends his credentials through the secure tunnel to the server, thus authenticating the user
• Can use dynamic session keys for ‘in the air’ encryption
(Figure © Alfa&Ariss)
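The man-in-the-middle protection on this slide only holds if the supplicant actually checks the server certificate before phase 2 starts. The following Python is an added illustration, not code from the slides or from any eduroam software: it models the phase-1 decision a PEAP/TTLS supplicant must take (chain to a CA the home institution configured, certificate within its validity period, server name as expected) and releases the inner credentials only when that decision is positive. Certificate contents, CA names, server names and dates are constructed; the last scenario shows the failure mode a supplicant has when it validates the chain but is not configured with a server name.

```python
# Added example (not from the slides): the phase-1 server check a PEAP/TTLS
# supplicant must perform before releasing credentials in phase 2.
# All certificates, CA names, server names and dates below are constructed.
from dataclasses import dataclass, field
from datetime import date
from fnmatch import fnmatchcase
from typing import List, Optional, Set, Tuple


@dataclass
class Cert:
    subject_cn: str
    issuer: str
    san: List[str] = field(default_factory=list)
    not_before: date = date(2005, 1, 1)
    not_after: date = date(2006, 1, 1)


@dataclass
class SupplicantConfig:
    trusted_cas: Set[str]            # CA(s) the home institution told the user to trust
    expected_server: Optional[str]   # name (or wildcard) the home RADIUS server must present
    today: date = date(2005, 6, 7)


def validate_server(cert: Cert, cfg: SupplicantConfig) -> Tuple[bool, str]:
    """Phase 1: is the TLS tunnel endpoint really the home authentication server?"""
    if cert.issuer not in cfg.trusted_cas:
        return False, "issuer not trusted"
    if not cert.not_before <= cfg.today <= cert.not_after:
        return False, "certificate outside validity period"
    if cfg.expected_server is None:
        # Chain-only validation: any certificate from a trusted CA passes.
        return True, "chain ok (no server name configured)"
    names = [cert.subject_cn] + cert.san
    if any(fnmatchcase(cfg.expected_server, pattern) for pattern in names):
        return True, "chain and server name ok"
    return False, "server name mismatch"


def phase2(cert: Cert, cfg: SupplicantConfig, username: str, password: str) -> dict:
    """Phase 2 runs only inside a tunnel whose endpoint passed phase 1.
    The password is released into the tunnel and never logged or returned."""
    ok, reason = validate_server(cert, cfg)
    if not ok:
        return {"sent": False, "reason": reason}
    return {"sent": True, "reason": reason, "tunnel_endpoint": cert.subject_cn, "user": username}


# Constructed scenarios: the genuine home server (plain and wildcard certificate),
# a rogue access point with a self-signed certificate, and a rogue access point
# with a valid public-CA certificate for a name it does control.
HOME_CERT = Cert("radius.university-b.nl", "SURFnet CA")
WILDCARD_CERT = Cert("*.university-b.nl", "SURFnet CA")
ROGUE_SELF_SIGNED = Cert("radius.university-b.nl", "Rogue CA")
ROGUE_PUBLIC_CA = Cert("ap.rogue.example", "Public CA")

# Both profiles trust the same CAs; only STRICT pins the server name.
STRICT = SupplicantConfig(trusted_cas={"SURFnet CA", "Public CA"},
                          expected_server="radius.university-b.nl")
LAX = SupplicantConfig(trusted_cas={"SURFnet CA", "Public CA"}, expected_server=None)


def run_scenarios() -> dict:
    """Which combinations lead the supplicant to release credentials."""
    return {
        "home/strict": phase2(HOME_CERT, STRICT, "piet", "pw")["sent"],
        "wildcard/strict": phase2(WILDCARD_CERT, STRICT, "piet", "pw")["sent"],
        "self-signed/strict": phase2(ROGUE_SELF_SIGNED, STRICT, "piet", "pw")["sent"],
        "public-ca/strict": phase2(ROGUE_PUBLIC_CA, STRICT, "piet", "pw")["sent"],
        "public-ca/lax": phase2(ROGUE_PUBLIC_CA, LAX, "piet", "pw")["sent"],  # credentials leave the device
    }


if __name__ == "__main__":
    for scenario, sent in run_scenarios().items():
        print(f"{scenario:20} credentials sent: {sent}")
```

The "public-ca/lax" row is the one to watch when rolling out client configuration: a profile that trusts a CA but names no server accepts every certificate that CA ever issued, so the protection the slide promises depends on shipping the expected server name together with the CA.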
Status of Eduroam
• Over 350 institutions in Europe and Australia
• USA will follow shortly
Limitations
• Technology
  – Static trust
  – Single points of failure
  – All authN and authZ traffic flows through the hierarchy
• Policy
  – Not suitable for full service yet
• Usability
  – Eduroam comes in many flavours
  – Where are the access points?
• Management & Monitoring
  – Are all servers up and running?
  – Who is abusing the service?
• AAI
  – How to integrate with the European AAI?
Eduroam-ng
Technology: bypassing the hierarchy overhead?
(Diagram: a European server at the top, national servers for .nl, .ac.uk, .pl, … below it, and institutional servers such as uva.nl and uni.torun.pl, each with its access point and user database. A request for tomasz@uni.torun.pl from an access point at uva.nl travels uva.nl → .nl → European server → .pl → uni.torun.pl.)
• AA traffic goes through all intermediate entries
• All links are peer-to-peer agreements / static routes / p2p secure
• DIAMETER? DNSsec? (See: Henk Eertink, Future directions in mobility)
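The architecture slide, the SURFnet diagram (piet@university_b.nl via the central proxy) and this slide (tomasz@uni.torun.pl via the European server) all describe the same mechanism: the RADIUS server at the visited institution reads the realm after the @ and hands the request up or down a static hierarchy until the home server is reached. The following Python is an added example, not eduroam software: the hierarchy, host names and shared secrets are constructed. It routes on the realm and reports every intermediate server, shows what happens when an intermediate server is unreachable (the single point of failure from the limitations slide), rejects identities with no or an unknown realm, and verifies the Response Authenticator of RFC 2865 hop by hop with each link's own shared secret, which is what "all links are peer-to-peer agreements" amounts to on the wire.

```python
# Added example (not from the slides): realm-based RADIUS proxying through an
# eduroam-style hierarchy, with per-link shared secrets. Host names, realms and
# secrets are constructed for the illustration; the Response Authenticator
# computation follows RFC 2865 section 3.
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

# server -> (own realm, uplink, child realms it routes down to).
# "" marks the European top-level server; every host name is hypothetical.
SERVERS: Dict[str, Tuple[str, Optional[str], Dict[str, str]]] = {
    "radius.eu":              ("",                None,                {"nl": "radius.surfnet.nl", "pl": "radius.pionier.pl"}),
    "radius.surfnet.nl":      ("nl",              "radius.eu",         {"uva.nl": "radius.uva.nl", "university_b.nl": "radius.university-b.nl"}),
    "radius.pionier.pl":      ("pl",              "radius.eu",         {"uni.torun.pl": "radius.uni.torun.pl"}),
    "radius.uva.nl":          ("uva.nl",          "radius.surfnet.nl", {}),
    "radius.university-b.nl": ("university_b.nl", "radius.surfnet.nl", {}),
    "radius.uni.torun.pl":    ("uni.torun.pl",    "radius.pionier.pl", {}),
}

# One shared secret per peer-to-peer link: the "static trust" of the slides.
LINK_SECRETS = {
    frozenset({"radius.uva.nl", "radius.surfnet.nl"}):          b"uva-surfnet",
    frozenset({"radius.university-b.nl", "radius.surfnet.nl"}): b"unib-surfnet",
    frozenset({"radius.surfnet.nl", "radius.eu"}):              b"surfnet-eu",
    frozenset({"radius.pionier.pl", "radius.eu"}):              b"pionier-eu",
    frozenset({"radius.uni.torun.pl", "radius.pionier.pl"}):    b"torun-pionier",
}

HOME = "HOME"


def next_hop(server: str, realm: str) -> Optional[str]:
    """Where `server` forwards a request for `realm`: HOME if it is authoritative,
    a child or parent server name otherwise, None if the top level does not know it."""
    own, parent, children = SERVERS[server]
    if realm == own:
        return HOME
    for child_realm, child in children.items():
        if realm == child_realm or realm.endswith("." + child_realm):
            return child
    return parent  # not ours and not below us: hand it up the hierarchy


def route(start: str, identity: str, down=()) -> Tuple[List[str], str]:
    """Walk from the visited institution's RADIUS server towards the home server.
    Returns the servers traversed and the outcome; `down` lists unreachable servers."""
    if "@" not in identity:
        return [start], "reject: no realm in identity"
    realm = identity.rsplit("@", 1)[1].lower()
    path = [start]
    while True:
        hop = next_hop(path[-1], realm)
        if hop == HOME:
            return path, "home server reached"
        if hop is None:
            return path, "reject: unknown realm"
        if hop in down:
            return path, f"fail: {hop} unreachable"
        if hop in path:
            return path, "reject: routing loop"
        path.append(hop)


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + attrs + secret).digest()


def relay_reply(path: List[str], request_auth: bytes, attrs: bytes = b"",
                bad_link=None, code: int = 2, ident: int = 1) -> Tuple[str, str]:
    """Carry an Access-Accept (code 2) back down `path`. Each receiver checks the
    Response Authenticator with the secret of its own link only, then re-signs for
    the next link. `bad_link` simulates one sender configured with a wrong secret."""
    for sender, receiver in zip(path[::-1], path[-2::-1]):
        link = frozenset({sender, receiver})
        sender_secret = b"mistyped" if link == bad_link else LINK_SECRETS[link]
        sent = response_authenticator(code, ident, request_auth, attrs, sender_secret)
        expected = response_authenticator(code, ident, request_auth, attrs, LINK_SECRETS[link])
        if not hmac.compare_digest(sent, expected):
            return receiver, "rejected: bad Response Authenticator"
    return path[0], "accepted"


if __name__ == "__main__":
    for who in ("piet@university_b.nl", "tomasz@uni.torun.pl", "nobody@example.com", "anonymous"):
        print(who, *route("radius.uva.nl", who))
    hops, _ = route("radius.uva.nl", "tomasz@uni.torun.pl")
    print(relay_reply(hops, bytes(16)))
    print(relay_reply(hops, bytes(16), bad_link=frozenset({"radius.eu", "radius.pionier.pl"})))
```

Two things the walk makes visible that the diagram does not: the Polish request crosses four links, each with its own secret, so a single mistyped secret anywhere on the path turns into an authentication failure at the visited site with no hint of where it broke; and because every proxy on the path terminates RADIUS, a plain PAP password would be readable at each of them, which is why the tunneled EAP methods of the previous slide matter in a federation.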
Roaming policy
• Minimal security level
• Levels of assertion
• SLAs
• Incident response
• Policy board
Usability: standardisation, localisation, expansion
• Standardisation
  – Limited set of encryption and SSID choices
    • Encryption: 802.1X+WEP, WPA+TKIP, WPA2
    • SSID: eduroam
• Localisation
  – Eduroam-around-the-corner (See: Martijn Arts)
• Expansion
  – Integration with commercial roaming services (See: Martin Bech)
Managing & Monitoring: user tracking & weathermap
(See also: Kostas Kalevras, Large scale WLAN deployments)
AAI integration: offload authZ?
(Diagram: the same RADIUS hierarchy, with national servers for .nl, .ac.uk, …, .es and institutional servers uva.nl and uclm.es with its access point; the user diego@uclm.es and the UCLM user database sit behind the AAI systems PAPI and A-Select.)
• How do all these applications communicate? (SAML?)
• Or should we do it inline? (See: Diego Lopez, AAI Infrastructures)
Conclusions
• 802.1X plus RADIUS provide a secure and future-proof solution for access to the institutional network
• Infrastructure not perfect yet but…
  – It works™
  – It is ready for the future
  – Géant2 JRA5 will make it even better
• Joining Eduroam is a small step for administrator-kind but a giant leap for the users, so…
Time to join…
More information
• Eduroam in SURFnet – http://www.eduroam.nl
• Eduroam in Europe – http://www.eduroam.org
• TERENA TF-Mobility – http://www.terena.nl/mobility
• Géant2 Joint Research Activity 5 (authorisation and roaming) – http://www.geant2.net/ (click on research)
• The unofficial IEEE 802.11 security page – http://www.drizzle.com/~aboba/IEEE