Connect. Communicate. Collaborate

eduroam: towards a managed European service
Miroslav Milinović, Srce, Zagreb, Croatia
eduroam SA, GÉANT 2 <miro@srce.hr>
Wi-Fi Workshop, Barcelona, Spain
Contents
• Roaming activity in GEANT 2 (JRA 5, SA 5)
• eduroam technology
• eduroam service
  – organisation
  – infrastructure elements
  – supporting elements
• Current status and plans
GEANT 2 & roaming
• JRA 5: Roaming and Authorisation
  – How to organise access to resources in the research and education area in a sufficiently safe and easy to handle way?
  – Work items: roaming (eduroam), AAI (eduGAIN), uSSO
  – JRA 5 roaming vision: to build a roaming infrastructure enabling full mobility of members of the scientific community in Europe
• SA 5: eduroam service activity
  – continue on JRA 5 results in order to build and maintain a reliable European eduroam service
  – provide: “open your laptop and be online”
Roaming requirements
• Identify users uniquely at the edge of the network
• Enable guest usage
• Scalable – local user administration and authentication
• Easy to install and use – at most a one-time installation by the user
• Open
• Secure
eduroam technology
• Security based on 802.1X
  – Integration with VLAN assignment
  – Protection of credentials
• Authentication based on EAP
  – Different authentication mechanisms possible by using EAP (Extensible Authentication Protocol)
• Roaming based on RADIUS proxying
  – Remote Authentication Dial In User Service
  – Transport protocol for authentication information
• Trust fabric based on:
  – Technical: RADIUS hierarchy
  – Policy (federation agreement): documents/contracts that define the responsibilities of user, institution, NREN and the respective federation
eduroam architecture: ubiquitous network access
(diagram: supplicant → authenticator (AP or switch) → RADIUS server with user DB at University A; the visiting user joe@university_b.hr is authenticated via the central RADIUS proxy server against University B's RADIUS server and user DB; signalling and data paths shown separately; VLANs: Employee, Commercial, Student; XYZnet as upstream network)
• Trust: RADIUS & policy documents
• 802.1X + EAP
• (VLAN assignment)
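The realm-based forwarding the diagram relies on, as an added illustration (not eduroam's or any RADIUS product's own code): each server in the SP/IdP → FLRS → TLRS hierarchy either authenticates the realm itself, forwards it down a known route, or passes it upstream, and a trace of the hops also flags the forwarding loop an unknown realm would otherwise cause. Server names and realms are constructed.

```python
# Added illustration (not eduroam's or any RADIUS product's own code) of how
# realm-based forwarding works in the SP/IdP -> FLRS -> TLRS hierarchy above.
# Server names and realms are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Server:
    name: str
    owned_realms: frozenset = frozenset()        # realms this server authenticates itself
    routes: dict = field(default_factory=dict)   # realm or realm suffix -> downstream server
    upstream: str = ""                           # where unknown realms are forwarded

def decide(server, user_name):
    """What one server does with an Access-Request: (action, target)."""
    user_name = user_name.lower()
    if user_name.count("@") != 1 or user_name.endswith("@"):
        return ("reject", None)             # no usable realm: cannot be routed, never proxied
    realm = user_name.rsplit("@", 1)[1]
    if realm in server.owned_realms:
        return ("authenticate_locally", server.name)
    # Longest-suffix match, so 'university_b.hr' hits the TLRS route for 'hr'.
    matches = [k for k in server.routes if realm == k or realm.endswith("." + k)]
    if matches:
        return ("forward", server.routes[max(matches, key=len)])
    if server.upstream:
        return ("forward", server.upstream)
    return ("reject", None)                 # top level and nobody serves this realm

def trace(servers, start, user_name):
    """Follow one request through the hierarchy; flags a forwarding loop instead of spinning."""
    hops, current, seen = [], start, set()
    while current in servers and current not in seen:
        seen.add(current)
        action, target = decide(servers[current], user_name)
        hops.append((current, action, target))
        if action != "forward":
            return hops
        current = target
    if current in seen:
        hops.append((current, "loop", None))
    return hops

# Constructed hierarchy: a Croatian SP/IdP, the Croatian FLRS and the European TLRS.
HIERARCHY = {s.name: s for s in [
    Server("sp.university_a.hr", frozenset({"university_a.hr"}), upstream="flrs.hr"),
    Server("flrs.hr", routes={"university_a.hr": "sp.university_a.hr",
                              "university_b.hr": "idp.university_b.hr"}, upstream="tlrs.eu"),
    Server("tlrs.eu", routes={"hr": "flrs.hr", "nl": "flrs.nl"}),
]}
```

A realm nobody owns (for example an unknown `.hr` realm) bounces between FLRS and TLRS, which is why the trace stops on the first revisited server.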
eduroam confederation RADIUS hierarchy
(diagram slide)

eduroam goes global
(map slide) http://www.eduroam.org
(European) eduroam service
• eduroam user experience: “open your laptop and be online”
• To provide secure network access inside the confederation boundaries (to the end users)
• eduroam is a secure international roaming service for members of the European eduroam confederation (a confederation of autonomous roaming services)
• First steps in transition to service:
  – Service Definition and Implementation Plan
  – Policy
European eduroam confederation principles
• Members are European NRENs/NROs
• Members sign the European eduroam policy, committing to the organisational and technical requirements
• Mutual access – no fees (for end users)
• Authentication at home – authorisation at visited institution
• Home institutions are/remain responsible for their users abroad
• Members promote eduroam in their countries
• European eduroam may peer with other regions (confederation level)
Confederated eduroam service
• Encompasses all the elements necessary to support the Service
  – confederation infrastructure
  – establishing trust between the member federations
  – monitoring and diagnostic facilities
  – central data repository (eduroam database)
  – confederation-level user support

eduroam service model
• eduroam service (governed by SA 5)
  – eduroam confederation service (provided by OT)
  – national eduroam service (provided by NREN/NRO)
  – ...
  – national eduroam service (provided by NREN/NRO)

eduroam service elements
• Technology infrastructure
• Supporting infrastructure
  – monitoring and diagnostics
  – eduroam web site (http://www.eduroam.org)
  – eduroam database
  – trouble ticketing system (TTS)
  – mailing lists
Users vs. service elements

Service element                                   | End user | Inst.-level personnel                                           | Federation-level personnel
Basic monitoring facilities                       | Yes      | Yes                                                             | Yes
Full monitoring and diagnostics facilities        | No       | Yes (limited to the information regarding the respective inst.) | Yes
Public access to the eduroam web site             | Yes      | Yes                                                             | Yes
Access to the internal eduroam web site           | No       | Yes (limited to the information regarding the respective inst.) | Yes
Public access to the eduroam database             | Yes      | Yes                                                             | Yes
Access to all information in the eduroam database | No       | Yes (limited to the information regarding the respective inst.) | Yes
TTS                                               | No       | Yes                                                             | Yes
SA 5/OT mailing lists                             | No       | No                                                              | Yes
Support from OT                                   | No       | No                                                              | Yes
eduroam infrastructure
(diagram slide)

Monitoring: problem definition
• Monitor functionality of the eduroam infrastructure
  – servers
  – infrastructure
  – user experience
• It is not enough to know that a host is accessible
• Ultimate goal is to test the real users' experience
  – (very) different workflows at RADIUS servers for Accept and Reject
  – perform both accept and reject logic tests
Monitoring: concept
• Monitoring client is a RADIUS client capable of sending various types of RADIUS request (PAP, EAP, …)
• RADIUS Proxy Server is the monitored server
• IdP RADIUS Server is the server that issues the response, thus acting as a loop-back server. Its function is to close the tunnel and create a standard, well-formed and specified response. This function might be realised on the monitored server (RADIUS proxy server)
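The accept and reject logic tests from the two monitoring slides, as an added illustration (not the eduroam monitoring service's own code): the monitoring client sends a probe pair per realm through the monitored proxy, and a realm is healthy only if the good credentials came back Access-Accept and the bad ones Access-Reject. The loop-back IdP, the test account and both proxies are constructed.

```python
# Added illustration (not the eduroam monitoring service's own code) of the
# "accept and reject logic" tests: probes go through the monitored proxy and
# the monitoring client judges the answer. All accounts/proxies are constructed.
ACCEPT, REJECT, TIMEOUT = "Access-Accept", "Access-Reject", None

def loopback_idp(user_name, password, accounts):
    """Constructed loop-back IdP: always returns a well-defined Accept or Reject."""
    return ACCEPT if accounts.get(user_name) == password else REJECT

def judge(probe, response):
    """Compare one probe's outcome with what the monitoring client expected."""
    expected = probe["expect"]
    if response is TIMEOUT:
        return ("fail", "no response: proxy or IdP unreachable")
    if response == expected:
        return ("ok", expected)
    if expected == REJECT and response == ACCEPT:
        return ("fail", "bad credentials were accepted")   # worst case: open door
    return ("fail", "valid credentials were rejected")

def run_probes(send, probes):
    """Send every probe via send(user, password); group verdicts per realm."""
    results = {}
    for p in probes:
        verdict, detail = judge(p, send(p["user"], p["password"]))
        results.setdefault(p["realm"], []).append((p["kind"], verdict, detail))
    return results

def realm_status(results):
    """A realm is healthy only if both its accept and its reject test passed."""
    return {realm: all(v == "ok" for _, v, _ in r) for realm, r in results.items()}

# Constructed test account and the probe pair the monitoring client sends for it.
ACCOUNTS = {"monitor@university_a.hr": "correct-pw"}
PROBES = [
    {"realm": "university_a.hr", "kind": "accept", "user": "monitor@university_a.hr",
     "password": "correct-pw", "expect": ACCEPT},
    {"realm": "university_a.hr", "kind": "reject", "user": "monitor@university_a.hr",
     "password": "wrong-pw", "expect": REJECT},
]

def healthy_proxy(user, password):
    """Constructed proxy that forwards faithfully to the loop-back IdP."""
    return loopback_idp(user, password, ACCOUNTS)

def broken_proxy(user, password):
    """Constructed misconfigured proxy that accepts everything it sees."""
    return ACCEPT
```

A host-reachability check alone would rate `broken_proxy` as fine; only the reject probe exposes it.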
Monitoring servers
(diagram: monitoring client ↔ TLRS and FLRS; results stored in the monitoring database)

Monitoring infrastructure
(diagram: monitoring client ↔ TLRS(s) and FLRS(s); results stored in the monitoring database)

Testing on demand
(diagram: monitoring client sends a test via the TLRS(s) from the FLRS(s) of realm A to the FLRS(s) of realm B; results stored in the monitoring database)
eduroam database
• The information stored in the eduroam database includes:
  – NRO representatives and respective contacts
  – Local institutions' (both SP and IdP) official contacts
  – Information about eduroam hot spots (SP location, technical info)
  – Monitoring information
  – Information about the usage of the service
• NROs:
  – should provide the respective data (general and usage data)
  – in the defined XML format, available at the specified URL address
  – should be accessible only from the eduroam database server
User support: problem escalation scenario (1)
(diagram: home federation – user, local institution admin., fed.-level admin.; OT; visited federation – local institution admin., fed.-level admin.; escalation steps 1–4 numbered on the slide)

User support: problem escalation scenario (2)
(diagram: home federation – user, local institution admin., fed.-level admin.; OT; visited federation – local institution admin., fed.-level admin.; escalation steps 1–6, with 4a/4b, numbered on the slide)
Implementation plan
(timeline chart)
• Milestones: M37 (Sep 07), M40 (Dec 07), M41 (Jan 08), M42 (Feb 08), M43 (Mar 08), M44 (Apr 08), M48 (Aug 08), M54 (Feb 09)
• Work items on the timeline: service definition & policy; monitoring; web site; TTS; eduroam database
eduroam current status: connected to the TLRSs
• 33 countries
• 2 TLRSs

eduroam current status: monitored TLRS/FLRS
• monitoring service is in place
• will be publicly available via www.eduroam.org (end of April 2008)
• further development is planned

eduroam current status: demographics/user maps
• demographics info:
  – no. of SPs, IdPs
  – location of SPs
  – usage, coverage, contacts
• user-oriented maps based on the eduroam database
• will be publicly available via www.eduroam.org (end of April 2008)
• further development is planned
http://www.eduroam.org