European eduroam service - Miroslav Milinović, University Computing Centre - PowerPoint PPT Presentation



SLIDE 1

European eduroam service

Miroslav Milinović University Computing Centre, University of Zagreb, Zagreb, Croatia <miro@srce.hr>

EuroCAMP Cork, Ireland, May 2009

SLIDE 2

EuroCAMP 2009, Cork 2009: 2/29

Contents

• eduroam technology
• eduroam service
  • organisation
  • infrastructure elements
  • supporting elements
• Current status and plans

SLIDE 3

Roaming requirements

• Identify users uniquely at the edge of the network
• Enable guest usage
• Scalable
  • local user administration and authentication
• Easy to install and use
  • at most a one-time installation by the user
• Open
• Secure

SLIDE 4

Federations

• Federations enable sharing of resources (synergy effects, joining a federation instead of many bilateral agreements)
• A federation is constituted by a set of agreements between members (peers)
• In a federation (agreement) there needs to be a common set of rules (organisational and technical)
• Federations can be part of bigger federations
• Federations can be interconnected
• Confederation = federation of federations (federating principles applied to federations themselves)

SLIDE 5

eduroam technology

• Security based on 802.1X
  • integration with VLAN assignment
  • protection of credentials
• Authentication based on EAP
  • different authentication mechanisms possible by using EAP (Extensible Authentication Protocol)
• Roaming based on RADIUS proxying
  • Remote Authentication Dial In User Service
  • transport protocol for authentication information
• Trust fabric based on:
  • technical: RADIUS hierarchy
  • policy: documents/contracts that define the responsibilities of user, institution, NREN and the respective federation

SLIDE 6

eduroam architecture: ubiquitous network access

(Diagram: the supplicant of user joe@university_b.hr connects through an authenticator (AP or switch); the RADIUS servers of University A and University B, each with its own user DB, are linked through the central RADIUS proxy server of XYZnet; the access network offers Student, Commercial and Employee VLANs; legend distinguishes data and signalling paths.)

• Trust: RADIUS & policy documents
• 802.1X + EAP
• (VLAN assignment)

SLIDE 7

eduroam confederation RADIUS hierarchy

(Diagram: confederation-level servers at the top; federation (NREN) level servers for .DK and .PT below them; institutional-level servers inst-1 and inst-2 under .DK, inst-3 and inst-4 under .PT; the example user tom@inst-1.dk is authenticated by walking the hierarchy.)
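The hierarchy on this slide is what makes realm-based proxying scale: each server only needs to know its own children and one default upstream hop. The following Python model, added here and not code from the presentation or from eduroam, walks a request for tom@inst-1.dk from a visited Portuguese institution up to the confederation level and down to the Danish home server. Server names (tlrs, dk-flrs, inst-3.pt, ...), the routing-table layout and the longest-suffix matching rule are constructed for the example; it also shows two failure cases a hierarchy must handle, a realm nobody routes and a realm that would bounce between a federation server and the top level.

```python
"""Realm-based request routing through a three-level RADIUS hierarchy
(institution -> federation/NREN -> confederation), as in the eduroam diagram.
Added illustration, not code from the presentation or from eduroam; the server
names, realms and routing-table layout below are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class RadiusProxy:
    name: str
    level: str                                            # institution / federation / confederation
    local_realms: Set[str] = field(default_factory=set)   # realms this server authenticates itself
    routes: Dict[str, str] = field(default_factory=dict)  # realm suffix -> next-hop server name
    default_route: Optional[str] = None                   # upstream hop for realms not listed


def realm_of(identity: str) -> Optional[str]:
    """Return the realm part of an outer identity 'user@realm', or None when
    there is no usable realm (such requests are rejected at the edge)."""
    if identity.count("@") != 1 or identity.endswith("@"):
        return None
    return identity.rsplit("@", 1)[1].lower()


def next_hop(server: RadiusProxy, realm: str) -> Optional[str]:
    """Longest-suffix match against the routing table; None means 'answer here'."""
    if realm in server.local_realms:
        return None
    best = None
    for suffix, target in server.routes.items():
        if realm == suffix or realm.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, target)
    if best is not None:
        return best[1]
    if server.default_route is not None:
        return server.default_route
    raise LookupError(f"{server.name}: no route for realm {realm!r}")


def route(servers: Dict[str, RadiusProxy], entry: str, identity: str) -> List[str]:
    """Follow the request from the visited institution's server to the
    authenticating (home) server and return the servers traversed, in order.
    A hop that is already on the path means the hierarchy is misconfigured."""
    realm = realm_of(identity)
    if realm is None:
        raise ValueError("identity has no realm; rejected at the visited institution")
    path = [entry]
    while True:
        hop = next_hop(servers[path[-1]], realm)
        if hop is None:
            return path
        if hop in path:
            raise RuntimeError(f"routing loop for {realm!r}: {' -> '.join(path + [hop])}")
        path.append(hop)


def build_hierarchy() -> Dict[str, RadiusProxy]:
    """Constructed hierarchy mirroring the slide: one confederation-level server,
    federation-level servers for .dk and .pt, two institutions under each."""
    servers = {
        "tlrs": RadiusProxy("tlrs", "confederation",
                            routes={"dk": "dk-flrs", "pt": "pt-flrs"}),
        "dk-flrs": RadiusProxy("dk-flrs", "federation", default_route="tlrs",
                               routes={"inst-1.dk": "inst-1.dk", "inst-2.dk": "inst-2.dk"}),
        "pt-flrs": RadiusProxy("pt-flrs", "federation", default_route="tlrs",
                               routes={"inst-3.pt": "inst-3.pt", "inst-4.pt": "inst-4.pt"}),
    }
    for inst, fed in (("inst-1.dk", "dk-flrs"), ("inst-2.dk", "dk-flrs"),
                      ("inst-3.pt", "pt-flrs"), ("inst-4.pt", "pt-flrs")):
        servers[inst] = RadiusProxy(inst, "institution", local_realms={inst},
                                    default_route=fed)
    return servers


if __name__ == "__main__":
    hierarchy = build_hierarchy()
    # tom@inst-1.dk visiting inst-3.pt: up the Portuguese branch, across the
    # confederation level, down the Danish branch to the home server.
    print(" -> ".join(route(hierarchy, "inst-3.pt", "tom@inst-1.dk")))
```

Two properties of the model are worth noting. A visited institution never contacts a foreign institution directly, so adding a member needs one route at its federation server and, for a new federation, one at the top level. And a realm under a known country suffix that the federation server does not know (inst-9.dk here) would be sent up by default and back down by the top level; the example detects the repeated hop and raises rather than forwarding forever, which in a real deployment is the job of loop detection on the proxies.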

SLIDE 8

eduroam goes global

http://www.eduroam.org

SLIDE 9

(European) eduroam service

• work started in TF-Mobility, continued in GEANT2: JRA5 (Roaming and Authorisation) & SA5 (eduroam service activity)
• eduroam user experience: “open your laptop and be online”
• to provide secure network access inside the confederation boundaries (to the end users)
• eduroam is a secure international roaming service for members of the European eduroam confederation (a confederation of autonomous roaming services)

SLIDE 10

European eduroam confederation principles

• Members are European NRENs/NROs
• Members sign the European eduroam policy, committing to the organisational and technical requirements
• Mutual access – no fees
• Authentication at home - Authorisation at visited institution
• Home institutions are/remain responsible for their users abroad
• Members promote eduroam in their countries
• European eduroam may peer with other regions (confederation level)

SLIDE 11

Confederated eduroam service

• Encompasses all the elements necessary to support the Service
  • confederation infrastructure
  • establishing trust between the member federations
  • monitoring and diagnostic facilities
  • central data repository (eduroam database)
  • confederation level user support

SLIDE 12

eduroam service model

(Diagram of the service model: the eduroam service (governed by the eduroam group) comprises the eduroam confederation service (provided by the OT) and the national eduroam services (each provided by an NREN/NRO), ...)

SLIDE 13

eduroam service elements

• Technology infrastructure
• Supporting infrastructure
  • monitoring and diagnostics
  • eduroam web site (http://www.eduroam.org)
  • eduroam database
  • trouble ticketing system (TTS)
  • mailing lists

SLIDE 14

Users vs. service elements

Service element (rows) vs. user group (columns):

Service element                                   | End user | Inst.-level personnel                                           | Federation-level personnel
--------------------------------------------------|----------|-----------------------------------------------------------------|---------------------------
Basic monitoring facilities                       | Yes      | Yes                                                             | Yes
Full monitoring and diagnostics facilities        | No       | Yes (limited to the information regarding the respective inst.) | Yes
Public access to the eduroam web site             | Yes      | Yes                                                             | Yes
Access to the internal eduroam web site           | No       | Yes (limited to the information regarding the respective inst.) | Yes
Public access to the eduroam database             | Yes      | Yes                                                             | Yes
Access to all information in the eduroam database | No       | Yes (limited to the information regarding the respective inst.) | Yes
TTS                                               | No       | Yes                                                             | Yes
Mailing lists                                     | No       | No                                                              | Yes
Support from OT                                   | No       | No                                                              | Yes

SLIDE 15

eduroam infrastructure

(Diagram of the eduroam confederation infrastructure: Top-level RADIUS Server(s) in the middle. On the Home Federation side, the Federation (National) top-level RADIUS proxy Server(s) and the Home Institution (HI) acting as IdP, with its RADIUS Server and AuthN Server. On the Remote Federation side, the Federation (National) top-level RADIUS proxy Server(s) and the Remote Institution (RI) acting as SP, with its RADIUS Server and the network that User U accesses. All links between servers carry RADIUS.)

SLIDE 16

Monitoring: problem definition

• Monitor functionality of the eduroam infrastructure
  • servers
  • infrastructure
  • user experience
• It is not enough to know that a host is accessible
• Ultimate goal is to test real users' experience
• (very) different workflows at RADIUS servers for Accept and Reject
  • perform both accept and reject logic tests

SLIDE 17

Monitoring: concept

• Monitoring client is a RADIUS client capable of sending various types of RADIUS request (PAP, EAP, …)
• RADIUS Proxy Server is the monitored server
• IdP RADIUS Server is the server that issues the response, thus acting as a loop-back server. Its function is to close the tunnel and create a standard, well-formatted and specified response. This function might be realized on the monitored server (RADIUS proxy server)

(Diagram: Monitoring Client, RADIUS Proxy Server, IdP RADIUS Server)

SLIDE 18

Monitoring: process

Monitoring process is performed in two steps: REJECT test and ACCEPT test

Both steps include:
• Monitoring client creates RADIUS attributes specific for monitoring purpose
• Monitoring client creates RADIUS request based on selected AuthN type (now EAP/TTLS)
• Monitoring client sends RADIUS request, and starts measuring response time
• Monitored RADIUS Proxy Server handles request and sends back the response
• Monitoring client evaluates received response and updates database

Monitored server is marked OK if it fulfils both testing steps.

Monitored data, saved in database:
• is monitoring request accepted by RADIUS proxy server? (yes/no)
• is request properly routed? (currently to eduroam.<tld>)
• type of RADIUS request (currently only EAP/TTLS)
• is response well formed (equal to expectations)?
• response time
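The reason the slide insists on both a REJECT and an ACCEPT test is that a proxy can be reachable and still broken in one of the two code paths, and a plain host check would never notice. The Python below is an added illustration of that two-step process, not the eduroam monitoring code: the monitored proxy and loop-back IdP server are replaced by constructed functions, the attribute names (Monitoring-Step, Routed-Realm) and the probe identities are invented for the example, eduroam.hr and eduroam.xx are constructed realms, and a real probe would carry an EAP/TTLS exchange over UDP. It records exactly the fields the slide lists and marks a server OK only if both steps pass.

```python
"""Two-step REJECT/ACCEPT probe of a monitored RADIUS proxy, following the
process described on this slide.  Added illustration, not the eduroam
monitoring code: the simulated proxies, the attribute names and the record
layout are constructed for the example, and a real probe would carry an
EAP/TTLS exchange over UDP instead of calling a function."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ACCEPT, REJECT = "Access-Accept", "Access-Reject"
Proxy = Callable[[Dict[str, str]], Optional[Dict[str, str]]]   # None models a timeout


@dataclass
class ProbeRecord:
    """One row of the monitoring database (the fields listed on the slide)."""
    step: str                 # "REJECT" or "ACCEPT"
    accepted_by_proxy: bool   # did the proxy answer the request at all?
    routed_to: str            # realm the proxy reports having forwarded to
    routed_ok: bool           # routed to the expected eduroam.<tld> realm?
    request_type: str         # currently only EAP/TTLS
    well_formed: bool         # response equal to expectations?
    response_time_ms: float
    passed: bool


def build_request(step: str, realm: str, request_type: str = "EAP/TTLS") -> Dict[str, str]:
    """Monitoring-specific attributes (constructed names, not real RADIUS
    attributes).  The probe identity selects the outcome the loop-back IdP
    server must produce for this step."""
    user = "monitor-reject" if step == "REJECT" else "monitor-accept"
    return {"User-Name": f"{user}@{realm}", "Auth-Type": request_type,
            "Monitoring-Step": step}


def evaluate(step: str, request: Dict[str, str], response: Optional[Dict[str, str]],
             elapsed_ms: float, expected_realm: str) -> ProbeRecord:
    """Compare the response with what this step expects and build the DB row."""
    expected_code = REJECT if step == "REJECT" else ACCEPT
    accepted = response is not None
    routed_to = response.get("Routed-Realm", "") if accepted else ""
    well_formed = bool(accepted
                       and response.get("Code") == expected_code
                       and response.get("Monitoring-Step") == step)
    routed_ok = routed_to == expected_realm
    return ProbeRecord(step, accepted, routed_to, routed_ok, request["Auth-Type"],
                       well_formed, round(elapsed_ms, 3),
                       accepted and routed_ok and well_formed)


def monitor(proxy: Proxy, realm: str, db: List[ProbeRecord]) -> bool:
    """Run the REJECT test, then the ACCEPT test; append one record per step
    to `db` and report the server OK only if both steps passed."""
    ok = True
    for step in ("REJECT", "ACCEPT"):
        request = build_request(step, realm)
        started = time.perf_counter()
        response = proxy(request)
        elapsed_ms = (time.perf_counter() - started) * 1000.0
        record = evaluate(step, request, response, elapsed_ms, realm)
        db.append(record)
        ok = ok and record.passed
    return ok


# --- constructed stand-ins for the monitored proxy plus loop-back IdP server ---
def healthy_proxy(request: Dict[str, str]) -> Dict[str, str]:
    realm = request["User-Name"].split("@", 1)[1]
    code = REJECT if request["User-Name"].startswith("monitor-reject") else ACCEPT
    return {"Code": code, "Routed-Realm": realm, "Monitoring-Step": request["Monitoring-Step"]}


def always_accept_proxy(request: Dict[str, str]) -> Dict[str, str]:
    """Reject path broken: a host-reachability check alone would still pass it."""
    return {**healthy_proxy(request), "Code": ACCEPT}


def misrouting_proxy(request: Dict[str, str]) -> Dict[str, str]:
    """Forwards every request to a default realm instead of the requested one."""
    return {**healthy_proxy(request), "Routed-Realm": "eduroam.xx"}   # constructed realm


def dead_proxy(request: Dict[str, str]) -> None:
    return None   # no answer before the timeout


if __name__ == "__main__":
    for name, proxy in [("healthy", healthy_proxy), ("always-accept", always_accept_proxy),
                        ("misrouting", misrouting_proxy), ("dead", dead_proxy)]:
        rows: List[ProbeRecord] = []
        status = "OK" if monitor(proxy, "eduroam.hr", rows) else "FAILED"   # constructed realm
        print(f"{name:14s} {status:6s} "
              + ", ".join(f"{r.step}={'pass' if r.passed else 'fail'}" for r in rows))
```

Of the three faulty stand-ins, only the dead one would be caught by a reachability check; the always-accept proxy fails the REJECT step while passing the ACCEPT step, and the misrouting proxy returns perfectly well-formed responses but fails the routing field, which is why the slide stores routing, well-formedness and acceptance as separate columns rather than a single up/down flag.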

SLIDE 19

Monitoring servers

(Diagram: monitoring database, monitoring client, a TLRS (top-level RADIUS server) and an FLRS (federation-level RADIUS server).)

SLIDE 20

Monitoring infrastructure

(Diagram: monitoring database and monitoring client probing several TLRS(s) and FLRS(s).)

SLIDE 21

Testing on demand

(Diagram: monitoring database, monitoring client, TLRS(s), FLRS(s) of realm A and FLRS(s) of realm B.)

SLIDE 22

eduroam database

The information stored in the eduroam database includes:
• NRO representatives and respective contacts
• local institutions' (both SP and IdP) official contacts
• information about eduroam hot spots (SP location, technical info)
• monitoring information
• information about the usage of the service

NROs:
• should provide respective data (general and usage data) in the defined XML format, available at the specified URL address
• that URL should be accessible only from the eduroam database server

SLIDE 23

User support: problem escalation scenario (1)

(Diagram of the roles involved: on the visited federation side the user, the local institution admin. and the fed.-level admin.; on the home federation side the local institution admin. and the fed.-level admin.; the OT; escalation steps numbered 1,2, 3 and 4.)

SLIDE 24

User support: problem escalation scenario (2)

(Diagram of the roles involved: on the visited federation side the user, the local institution admin. and the fed.-level admin.; on the home federation side the local institution admin. and the fed.-level admin.; the OT; escalation steps numbered 1,2, 3, 4, 4a, 4b, 5 and 6.)

SLIDE 25

eduroam current status: connected to the TLRSs

• 34 countries
• 2 TLRSs
• links to APAN, Canada, ...

SLIDE 26

eduroam current status: monitored TLRS/FLRS

• monitoring service is in place
• all three scenarios implemented (testing on demand is protected)
• publicly available via www.eduroam.org (monitor.eduroam.org)
• further development is planned

SLIDE 27

eduroam current status: demographics/user maps

• demographics info:
  • no. of SPs, IdPs
  • location of SPs
  • usage
  • coverage
  • contacts
  • based on eduroam database
• user oriented maps (http://monitor.eduroam.org/gmap.php)
• publicly available via www.eduroam.org
• further development is planned

SLIDE 28

eduroam: future plans

• European service: GEANT3 - SA3 (T2) & JRA3 (T1)
• global aspects: TF-mobility & GEANT3 / SA3
• continued maintenance and development (SA3)
  • enhance all service elements (technology, support services, organisation)
  • Policy update (evolution in technology and organisation)
• continued research (JRA3)
  • RadSec
  • CUI
  • NEA
  • ...

SLIDE 29

http://www.eduroam.org