JRA3-T4 eduroam development plan

JRA3-T4 eduroam development plan
Stefan Winter, Task Leader JRA3-T4, R&D Engineer, RESTENA Foundation
JRA3 Kick-Off Meeting, Zürich, 12 July 2016
Networks ∙ Services ∙ People www.geant.org


Work Areas
• eduroam-as-a-service, comprising
  • IdP-as-a-service (“Silver Bullet IdP”)
  • SP-as-a-service (“No fancy name”)
• Self-Service Support
  • for end users (“Why am I not online?”)
  • for admins (“I need to talk to IdP/SP X because…”)
• CAT “business as usual” development
  • new devices like Kindle
  • beefing-up of current installers (more Passpoint support...)
• Let’s RadSec


IdP-as-a-service
• “Silver Bullet” IdP
  • EAP-TLS based
  • “IdP” admin gets simple web interface to manage own users
• Requires
  • CA which issues/revokes user certificates in real-time
  • RADIUS server(s) which terminate EAP-TLS and do actual authentication
    • More than one? Decentralisation difficult due to EAP server verification!
  • Management UI for the admins
• Exploits
  • Availability of installer generation engine in eduroam CAT (“just yet another EAP type”)
  • Existing admin UI in CAT for the config parts unrelated to Silver Bullet
    • Additional SSIDs
    • Institution Logo
    • Helpdesk contact details
    • … you name it


SP-as-a-service
• Just an ordinary proxy-only RADIUS server
• Best-of-class: implement all optional/recommended features we like to but seldom see in real life
• Easy to distribute: central, NRO level, at the spot
• With Let’s RadSec: uplink with eduroam SP certificate


Self-Service
• For users:
  • integrate monitoring subsystems and real-time diagnostics into a cohesive and simple user experience
  • give simple explanations / instructions / steps forward
  • automate wherever possible
    • e.g. instead of generic “contact your IdP”: show web form which will be sent to relevant contact at IdP – users do not need to know contact details themselves
    • fallbacks in place (no IdP email known? Display phone, or send to NRO instead)
  • Needs improvements in eduroam monitoring -> operations
• For admins:
  • automate workflows for common issues where flow was previously “contact your NRO and wait for guidance”
  • typical use cases: abuse complaints, reject due to missing MAC address in request, informing SP of lack of IP addresses in DHCP pool, malformed Operator-Name
  • web forms all around
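Two of the admin use cases above (a reject because the request carries no MAC address, and a malformed Operator-Name) can be detected mechanically from the Access-Request itself, which is what an automated self-service form would pre-fill before an admin ever reads a ticket. The following is an added illustration written for this page, not code from the eduroam CAT or RADIUS projects: it walks the attribute TLVs of a RADIUS packet (RFC 2865 layout), checks that Calling-Station-Id is present and looks like a MAC address, and checks that Operator-Name starts with one of the RFC 5580 namespace identifiers and, for the REALM namespace, carries a plausible realm. The attribute numbers and namespace identifiers are from those RFCs; the sample packets, the authenticator bytes and the finding strings are constructed for the example.

```python
import re
import struct
from typing import Dict, List, Tuple

# RADIUS attribute types used here (RFC 2865; Operator-Name from RFC 5580).
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_OPERATOR_NAME = 126

# Operator-Name namespace identifiers (first octet of the value), RFC 5580.
OPERATOR_NAMESPACES = {"0": "TADIG", "1": "REALM", "2": "E212", "3": "ICC"}

# MAC address as usually carried in Calling-Station-Id: six hex octets with
# '-' or ':' separators, or twelve bare hex digits.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}|[0-9A-Fa-f]{12})$")
# A DNS-style realm with at least two labels, e.g. "example.org".
REALM_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+$"
)

# Constructed 16-byte Request Authenticator for the sample packets below;
# a real client uses a fresh random value per request.
SAMPLE_AUTHENTICATOR = bytes(range(16))


def build_access_request(attrs: List[Tuple[int, bytes]], identifier: int = 1) -> bytes:
    """Encode an Access-Request (code 1) carrying the given attribute TLVs."""
    body = b"".join(
        struct.pack("!BB", atype, len(value) + 2) + value for atype, value in attrs
    )
    header = struct.pack("!BBH", 1, identifier, 20 + len(body)) + SAMPLE_AUTHENTICATOR
    return header + body


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLVs that follow the 20-byte RADIUS header."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, packet[pos + 2 : pos + alen]))
        pos += alen
    return attrs


def triage_access_request(packet: bytes) -> List[str]:
    """Return the admin-facing findings a self-service form could pre-fill."""
    by_type: Dict[int, List[bytes]] = {}
    for atype, value in parse_attributes(packet):
        by_type.setdefault(atype, []).append(value)

    findings = []
    csid = by_type.get(ATTR_CALLING_STATION_ID)
    if not csid:
        findings.append("missing-mac: no Calling-Station-Id attribute in request")
    else:
        mac = csid[0].decode("ascii", "replace")
        if not MAC_RE.match(mac):
            findings.append("missing-mac: Calling-Station-Id %r is not a MAC address" % mac)

    opname = by_type.get(ATTR_OPERATOR_NAME)
    if not opname:
        findings.append("operator-name: attribute absent from request")
    else:
        text = opname[0].decode("ascii", "replace")
        namespace, name = text[:1], text[1:]
        if namespace not in OPERATOR_NAMESPACES:
            findings.append("malformed-operator-name: unknown namespace id %r" % namespace)
        elif namespace == "1" and not REALM_RE.match(name):
            findings.append("malformed-operator-name: %r is not a valid REALM value" % name)
    return findings


# Constructed sample requests, not captured traffic.
GOOD_REQUEST = build_access_request([
    (ATTR_USER_NAME, b"anonymous@example.org"),
    (ATTR_CALLING_STATION_ID, b"02-00-00-00-00-01"),
    (ATTR_OPERATOR_NAME, b"1sp.example.net"),
])
NO_MAC_REQUEST = build_access_request([
    (ATTR_USER_NAME, b"anonymous@example.org"),
    (ATTR_OPERATOR_NAME, b"1sp.example.net"),
])
BAD_OPNAME_REQUEST = build_access_request([
    (ATTR_USER_NAME, b"anonymous@example.org"),
    (ATTR_CALLING_STATION_ID, b"02-00-00-00-00-01"),
    (ATTR_OPERATOR_NAME, b"sp.example.net"),  # namespace octet missing
])

if __name__ == "__main__":
    for label, pkt in [("good", GOOD_REQUEST), ("no-mac", NO_MAC_REQUEST),
                       ("bad-opname", BAD_OPNAME_REQUEST)]:
        print(label, triage_access_request(pkt) or ["ok"])
```

The length checks in parse_attributes matter as much as the findings: a proxy that pre-fills tickets from attacker-controlled packets must refuse a request whose Length field or attribute lengths disagree with the bytes actually received, rather than reading past the buffer.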


eduroam CAT
• Devices
  • Not many “actually new” devices on the radar.
  • On the contrary, Windows Phone is dead!
  • Kindle (Fire OS) is mostly Android, but different enough to potentially be(come) difficult
• Features
  • Passpoint now configurable on all our supported platforms (currently implemented only on iOS / OS X; room for improvement)
  • Shift from install-once to a permanent assistance application on all platforms
    • Initial installation
    • Ongoing account management (check expiry and consequences, renew cert)
    • Running diagnosis where needed
    • Maps of coverage
  • I would call it the “Companion” if that name weren’t already taken ;-)


Let’s RadSec
• RADIUS/TLS for server infrastructure is all nice
• But getting certificates too cumbersome in practice
• Need a more automated solution
• Prototype can provision RADIUS/TLS server certificates to EAP servers fully automated
  • EAP server == eduroam IdP
  • security profile still under discussion
  • Unfortunately, eduroam IdPs unlikely first adopters
  • Rather expect trickle-down from NRO level
• So, need a provisioning method for the other slice of servers
  • NRO RADIUS proxies in top priority
  • (then eduroam IdPs, mostly solved)
  • eduroam SPs
  • CSR copy&paste to web form the likely best candidate for SPs and NRO


Thank you
© GEANT Limited on behalf of the GN4 Phase 1 project (GN4-1). The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 691567 (GN4-1).