European eduroam service Miroslav Milinović University Computing Centre, University of Zagreb, Zagreb, Croatia <miro@srce.hr> EuroCAMP Cork, Ireland, May 2009
Contents
- eduroam technology
- eduroam service organisation: infrastructure elements, supporting elements
- Current status and plans
EuroCAMP 2009, Cork 2009: 2/29

Roaming requirements
- Identify users uniquely at the edge of the network
- Enable guest usage
- Scalable local user administration and authentication
- Easy to install and use: at most a one-time installation by the user
- Open
- Secure

Federations
- Federations enable sharing of resources (synergy effects; joining one federation instead of signing many bilateral agreements)
- A federation is constituted by a set of agreements between members (peers)
- In a federation (agreement) there needs to be a common set of rules (organisational and technical)
- Federations can be part of bigger federations
- Federations can be interconnected
- Confederation = federation of federations (federating principles applied to federations themselves)

eduroam technology
- Security based on 802.1X: integration with VLAN assignment, protection of credentials
- Authentication based on EAP (Extensible Authentication Protocol): different authentication mechanisms possible
- Roaming based on RADIUS (Remote Authentication Dial In User Service) proxying: the transport protocol for authentication information
- Trust fabric based on:
  - Technical: the RADIUS hierarchy
  - Policy: documents/contracts that define the responsibilities of user, institution, NREN and the respective federation
eduroam architecture: ubiquitous network access
(diagram) Supplicant (user) -> Authenticator (AP or switch) at University A -> University A RADIUS server -> central RADIUS proxy server -> University B RADIUS server -> University B user DB. Example user joe@university_b.hr is authenticated at home (University B) and placed on the appropriate VLAN at the visited site (labels in the diagram: XYZnet, Employee VLAN, Student VLAN, Commercial VLAN).
Legend: trust = RADIUS & policy documents; 802.1X + EAP signalling; (VLAN assignment); data.

eduroam confederation RADIUS hierarchy
(diagram) Three levels: confederation-level servers at the top; federation (NREN) level servers below them (e.g. .PT, .DK); institutional-level servers at the bottom (inst-1 ... inst-4). Example: a request for tom@inst-1.dk is routed by its realm, inst-1.dk, via the .DK federation-level server down to inst-1.
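Added example (not code from the eduroam project or from this presentation) of the realm-based routing decision that the RADIUS hierarchy in this diagram and the proxying described on the previous slide imply: every server either authenticates the realm itself, forwards to a downstream peer chosen by longest realm suffix, or forwards up to its parent. Server names, realms and the topology are constructed. The hop limit and the rule that a federation-level server rejects an unknown realm inside its own zone instead of forwarding it upwards are loop-protection assumptions added here, not documented eduroam behaviour.

```python
"""Realm-based request routing through a three-level RADIUS proxy hierarchy.

Added example, not eduroam project code. Server names, realms and the topology
below are constructed; the hop limit and zone rule are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

MAX_HOPS = 6   # assumption: protects against proxy loops caused by a misconfigured peer


@dataclass
class Server:
    name: str
    level: str                                   # "institution", "federation" or "confederation"
    local_realms: Set[str] = field(default_factory=set)      # realms this server authenticates itself (IdP role)
    zone: Optional[str] = None                   # suffix a federation server is authoritative for, e.g. "dk"
    children: Dict[str, "Server"] = field(default_factory=dict)  # realm suffix -> downstream server
    parent: Optional["Server"] = None


def parse_realm(user_name: str) -> Optional[str]:
    """Extract the realm from the outer identity; None means the request cannot be routed."""
    if user_name.count("@") != 1:
        return None
    realm = user_name.split("@")[1].strip().lower()
    if not realm or "." not in realm:
        return None
    return realm


def in_suffix(realm: str, suffix: str) -> bool:
    return realm == suffix or realm.endswith("." + suffix)


def next_hop(server: Server, realm: str):
    """Routing decision at one server: 'local', a downstream Server, the parent Server, or None (reject)."""
    if realm in server.local_realms:
        return "local"
    # longest matching suffix first, so inst-1.dk wins over dk
    for suffix in sorted(server.children, key=len, reverse=True):
        if in_suffix(realm, suffix):
            return server.children[suffix]
    # assumption: a realm inside our own zone that no child serves is rejected here,
    # not sent upwards, because the top level would only send it straight back
    if server.zone and in_suffix(realm, server.zone):
        return None
    return server.parent           # None at confederation level -> unknown realm


def route(visited: Server, user_name: str) -> dict:
    """Follow a request from the visited institution's server until it is authenticated or rejected."""
    path = [visited.name]
    realm = parse_realm(user_name)
    if realm is None:
        return {"result": "reject", "reason": "unroutable realm", "path": path}
    server = visited
    for _ in range(MAX_HOPS):
        hop = next_hop(server, realm)
        if hop == "local":
            return {"result": "accept-at-home", "home": server.name, "path": path}
        if hop is None:
            return {"result": "reject", "reason": "unknown realm", "path": path}
        server = hop
        path.append(server.name)
    return {"result": "reject", "reason": "hop limit exceeded", "path": path}


def build_confederation() -> Dict[str, Server]:
    """Constructed topology: one TLRS, two FLRSs (.dk, .pt), three institutional servers."""
    tlrs = Server("tlrs-eu", "confederation")
    flrs_dk = Server("flrs-dk", "federation", zone="dk", parent=tlrs)
    flrs_pt = Server("flrs-pt", "federation", zone="pt", parent=tlrs)
    inst_1 = Server("inst-1", "institution", local_realms={"inst-1.dk"}, parent=flrs_dk)
    inst_a = Server("inst-a", "institution", local_realms={"inst-a.pt"}, parent=flrs_pt)
    # inst-b is misconfigured on purpose: flrs-pt delegates inst-b.pt to it, but it does not claim the realm
    inst_b = Server("inst-b", "institution", local_realms=set(), parent=flrs_pt)
    tlrs.children = {"dk": flrs_dk, "pt": flrs_pt}
    flrs_dk.children = {"inst-1.dk": inst_1}
    flrs_pt.children = {"inst-a.pt": inst_a, "inst-b.pt": inst_b}
    return {s.name: s for s in (tlrs, flrs_dk, flrs_pt, inst_1, inst_a, inst_b)}


if __name__ == "__main__":
    net = build_confederation()
    # tom visits inst-a in .pt; the other three show an unknown realm, a bad identity and a proxy loop
    for user in ("tom@inst-1.dk", "eve@inst-9.dk", "tom", "bob@inst-b.pt"):
        print(user, route(net["inst-a"], user))
```

The misconfigured inst-b case is the one worth watching in a real deployment: without a hop limit (or the equivalent Proxy-State checks in a RADIUS proxy) the request bounces between the federation server and the institution until one of them times out.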
eduroam goes global
http://www.eduroam.org

(European) eduroam service
- work started in TF-Mobility, continued in GEANT2: JRA5 (Roaming and Authorisation) & SA5 (eduroam service activity)
- eduroam user experience: "open your laptop and be online"
- goal: to provide secure network access inside the confederation boundaries (to the end users)
- eduroam is a secure international roaming service for members of the European eduroam confederation (a confederation of autonomous roaming services)
European eduroam confederation principles
- Members are European NRENs/NROs
- Members sign the European eduroam policy, committing to its organisational and technical requirements
- Mutual access, no fees
- Authentication at home, authorisation at the visited institution
- Home institutions are and remain responsible for their users abroad
- Members promote eduroam in their countries
- European eduroam may peer with other regions (at confederation level)

Confederated eduroam service
Encompasses all the elements necessary to support the service:
- confederation infrastructure establishing trust between the member federations
- monitoring and diagnostic facilities
- central data repository (eduroam database)
- confederation-level user support

eduroam service model
- eduroam service (governed by the eduroam group)
- eduroam confederation service (provided by the OT)
- national eduroam services (each provided by the respective national NREN/NRO)

eduroam service elements
- Technology infrastructure
- Supporting infrastructure:
  - monitoring and diagnostics
  - eduroam web site (http://www.eduroam.org)
  - eduroam database
  - trouble ticketing system (TTS)
  - mailing lists
Users vs. service elements

Service element                                   | End user | Inst.-level personnel                            | Federation-level personnel
--------------------------------------------------+----------+--------------------------------------------------+---------------------------
Basic monitoring facilities                       | Yes      | Yes                                              | Yes
Full monitoring and diagnostics facilities        | No       | Yes (limited to information on own institution)  | Yes
Public access to the eduroam web site             | Yes      | Yes                                              | Yes
Access to the internal eduroam web site           | No       | Yes (limited to information on own institution)  | Yes
Public access to the eduroam database             | Yes      | Yes                                              | Yes
Access to all information in the eduroam database | No       | Yes (limited to information on own institution)  | Yes
TTS                                               | No       | Yes                                              | Yes
Mailing lists                                     | No       | No                                               | Yes
Support from OT                                   | No       | No                                               | Yes

eduroam infrastructure
(diagram) eduroam confederation infrastructure: top-level RADIUS server(s), peering over RADIUS with the federation (national) top-level RADIUS proxy server(s) of both the home federation and the remote federation; each federation server peers with the institutional RADIUS servers in its country. The home institution (HI) acts as IdP and authenticates the user (AuthN); the remote institution (RI) acts as SP and gives the user network access.
Monitoring: problem definition
- Monitor the functionality of the eduroam infrastructure: servers, infrastructure, user experience
- It is not enough to know that a host is accessible; the ultimate goal is to test the real user experience
- RADIUS servers follow (very) different workflows for Accept and Reject, so both accept and reject logic must be tested

Monitoring: concept
Components: monitoring client -> RADIUS proxy server -> IdP RADIUS server
- The monitoring client is a RADIUS client capable of sending various types of RADIUS request (PAP, EAP, ...)
- The RADIUS proxy server is the monitored server
- The IdP RADIUS server is the server that issues the response, thus acting as a loop-back server. Its function is to close the tunnel and create a standard, well-formatted and specified response. This function may be realised on the monitored server (the RADIUS proxy server) itself.

Monitoring: process
The monitoring process is performed in two steps: a REJECT test and an ACCEPT test. Both steps include:
- the monitoring client creates RADIUS attributes specific to the monitoring purpose
- the monitoring client creates a RADIUS request based on the selected AuthN type (now EAP-TTLS)
- the monitoring client sends the RADIUS request and starts measuring the response time
- the monitored RADIUS proxy server handles the request and sends back the response
- the monitoring client evaluates the received response and updates the database
The monitored server is marked OK only if it passes both testing steps.
Monitored data, saved in the database:
- is the monitoring request accepted by the RADIUS proxy server? (yes/no)
- is the request properly routed? (currently to eduroam.<tld>)
- type of RADIUS request (currently only EAP-TTLS)
- is the response well formed (equal to expectations)?
- response time
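Added example (not the eduroam monitoring client) of the two-step REJECT/ACCEPT probe described above, at the level of RFC 2865 packets: it builds Access-Requests carrying a monitoring-specific NAS-Identifier, hides the password the way RFC 2865 prescribes for PAP, times the exchange, checks that the response is well formed (length, identifier, Response Authenticator, expected code, parseable attributes), and marks the server OK only if both steps pass. PAP is used instead of the EAP-TTLS the real service sends so that the whole exchange fits in one file; the loop-back IdP and a misconfigured always-accept proxy are simulated in-process, and the shared secret, realm, probe accounts and attribute values are constructed.

```python
"""REJECT/ACCEPT monitoring probe for a RADIUS server, encoded as RFC 2865 packets.

Added example, not the eduroam monitoring client. PAP replaces EAP-TTLS for
brevity; servers are simulated in-process; secret, accounts and values are constructed.
"""
import hashlib
import os
import struct
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 18, 32
SECRET = b"constructed-shared-secret"          # constructed: shared by monitor and monitored server
PROBE_USER, PROBE_PW = "monitor-accept@eduroam.hr", b"constructed-probe-pw"   # constructed accounts


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse TLV attributes; raise on a length that runs past the packet (malformed response)."""
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(pw, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous ciphertext block)."""
    pw = pw.ljust((len(pw) + 15) // 16 * 16, b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        chunk = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def build_request(ident, user, password, req_auth):
    attrs = encode_attrs([(USER_NAME, user.encode()),
                          (USER_PASSWORD, hide_password(password, SECRET, req_auth)),
                          (NAS_IDENTIFIER, b"eduroam-monitor")])     # monitoring-specific attribute
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code, ident, req_auth, attrs, secret):
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()   # RFC 2865 section 3
    return header + resp_auth + body


def loopback_idp(request):
    """Simulated IdP: accepts the constructed probe account, rejects everything else."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(decode_attrs(request[20:length]))
    ok = (attrs.get(USER_NAME) == PROBE_USER.encode()
          and reveal_password(attrs.get(USER_PASSWORD, b""), SECRET, req_auth) == PROBE_PW)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth,
                          [(REPLY_MESSAGE, b"ok" if ok else b"rejected")], SECRET)


def broken_accept_all(request):
    """Misconfigured server that answers Access-Accept to everything; the REJECT test exists to catch this."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    return build_response(ACCESS_ACCEPT, ident, request[4:20], [(REPLY_MESSAGE, b"ok")], SECRET)


def check_response(response, ident, req_auth, expected_code):
    """Well-formedness check: length, identifier, Response Authenticator, code, attribute syntax."""
    if len(response) < 20:
        return False, "too short"
    code, rid, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False, "length mismatch"
    if rid != ident:
        return False, "identifier mismatch"
    if response[4:20] != hashlib.md5(response[:4] + req_auth + response[20:] + SECRET).digest():
        return False, "bad response authenticator"
    try:
        decode_attrs(response[20:])
    except ValueError as exc:
        return False, str(exc)
    if code != expected_code:
        return False, f"code {code}, expected {expected_code}"
    return True, "ok"


def probe(server, user, password, expected_code, ident):
    req_auth = os.urandom(16)
    request = build_request(ident, user, password, req_auth)
    t0 = time.perf_counter()
    response = server(request)                  # in a real client: UDP send/receive with a timeout
    rtt_ms = (time.perf_counter() - t0) * 1000
    ok, reason = check_response(response, ident, req_auth, expected_code)
    return {"test": "accept" if expected_code == ACCESS_ACCEPT else "reject",
            "ok": ok, "reason": reason, "rtt_ms": round(rtt_ms, 3)}


def monitor(server):
    """REJECT test, then ACCEPT test; the server is OK only if both pass."""
    tests = [probe(server, "monitor-reject@eduroam.hr", b"wrong-password", ACCESS_REJECT, 1),
             probe(server, PROBE_USER, PROBE_PW, ACCESS_ACCEPT, 2)]
    return {"status": "OK" if all(t["ok"] for t in tests) else "FAIL", "tests": tests}


if __name__ == "__main__":
    print(monitor(loopback_idp))
    print(monitor(broken_accept_all))
```

Checking the Response Authenticator is what turns "a packet came back" into "the server that shares our secret answered this request"; a response with a wrong authenticator, or a stray reply with another identifier, is recorded as malformed rather than as a pass.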
Monitoring servers
(diagram) The monitoring client sends test requests to a TLRS and to an FLRS and records the results in the monitoring database.

Monitoring infrastructure
(diagram) The monitoring client probes all TLRS(s) and FLRS(s) in the confederation; results go to the monitoring database.

Testing on demand
(diagram) On request, the monitoring client sends a test for realm A or realm B through the TLRS(s) to the respective FLRS(s) and stores the outcome in the monitoring database.

eduroam database
The information stored in the eduroam database includes:
- NRO representatives and their contacts
- official contacts of local institutions (both SP and IdP)
- information about eduroam hot spots (SP location, technical info)
- monitoring information
- information about the usage of the service
NROs should provide the respective data (general and usage data) in the defined XML format, available at a specified URL; that URL should be accessible only from the eduroam database server.
User support: problem escalation scenario (1)
(diagram) Parties: the user, the local institution admin and federation-level admin of the visited federation, the local institution admin and federation-level admin of the home federation, and the OT. The user reports to the local institution admin (steps 1, 2); further escalation runs through the federation-level admins (steps 3, 4).

User support: problem escalation scenario (2)
(diagram) Same parties as scenario (1), with six numbered steps (1, 2, 3, 4 with 4a/4b, 5, 6) that also involve the OT between the federation-level admins.

eduroam current status: connected to the TLRSs
- 34 countries
- 2 TLRSs
- links to APAN, Canada, ...

eduroam current status: monitored
- TLRS/FLRS monitoring service is in place
- all three scenarios implemented (testing on demand is protected)
- publicly available via www.eduroam.org (monitor.eduroam.org)
- further development is planned