eduroam: towards a managed European service - PowerPoint PPT Presentation

Slides: 29
Provided by: milo48
Transcript and Presenter's Notes
1
eduroam: towards a managed European service
  • Miroslav Milinovic, Srce, Zagreb, Croatia
  • eduroam SA, GÉANT2
  • <miro@srce.hr>
  • Wi-Fi Workshop, Barcelona, Spain

2
Contents
  • Roaming activity in GEANT2 (JRA5, SA5)
  • eduroam technology
  • eduroam service
  • organisation
  • infrastructure elements
  • supporting elements
  • Current status and plans

3
GEANT2 roaming
  • JRA5: Roaming and Authorisation
  • How to organise access to resources in the
    research and education area in a sufficiently
    safe and easy-to-handle way?
  • Work items: roaming (eduroam), AAI (eduGAIN),
    uSSO
  • JRA5 roaming vision: to build a roaming
    infrastructure enabling full mobility of members
    of the scientific community in Europe
  • SA5: eduroam service activity
  • continue on JRA5 results in order to build and
    maintain a reliable European eduroam service
  • provide "open your laptop and be online"

4
Roaming requirements
  • Identify users uniquely at the edge of the
    network
  • Enable guest usage
  • Scalable
  • local user administration and authentication
  • Easy to install and use
  • at most a one-time installation by the user
  • Open
  • Secure

5
eduroam technology
  • Security based on 802.1X
  • Integration with VLAN assignment
  • Protection of credentials
  • Authentication based on EAP
  • Different authentication mechanisms possible by
    using EAP (Extensible Authentication Protocol)
  • Roaming based on RADIUS proxying
  • RADIUS: Remote Authentication Dial In User Service
  • Transport protocol for authentication information
  • Trust fabric based on
  • Technical: RADIUS hierarchy
  • Policy (federation agreement): documents/contracts
    that define the responsibilities of user,
    institution, NREN and the respective federation

6
eduroam architecture: ubiquitous network access
[Diagram: supplicant (user joe@university_b.hr) connects to an authenticator (AP or switch) at University A; RADIUS server University A and RADIUS server University B, each with its own User DB, are linked through the central RADIUS proxy server; VLANs shown: Employee VLAN, Student VLAN, Commercial VLAN, XYZnet; legend distinguishes signalling from data paths.]
  • Trust: RADIUS, policy documents
  • 802.1X, EAP
  • (VLAN assignment)

7
eduroam confederation: RADIUS hierarchy
8
eduroam goes global
http://www.eduroam.org
9
(European) eduroam service
  • eduroam user experience: "open your laptop and be
    online"
  • To provide secure network access inside the
    confederation boundaries (to the end users)
  • eduroam is a secure international roaming service
    for members of the European eduroam confederation
    (a confederation of autonomous roaming services)
  • First steps in transition to service
  • Service Definition and Implementation Plan
  • Policy

10
European eduroam confederation principles
  • Members are European NRENs/NROs
  • Members sign the European eduroam policy, committing to
    the organisational and technical requirements
  • Mutual access, no fees (for end users)
  • Authentication at home - Authorisation at visited
    institution
  • Home institutions are/remain responsible for
    their users abroad
  • Members promote eduroam in their countries
  • European eduroam may peer with other regions
    (confederation level)

11
Confederated eduroam service
  • Encompasses all the elements necessary to support
    the Service
  • confederation infrastructure
  • establishing trust between the member federations
  • monitoring and diagnostic facilities
  • central data repository (eduroam database)
  • confederation level user support

12
eduroam service model
13
eduroam service elements
  • Technology infrastructure
  • Supporting infrastructure
  • monitoring and diagnostics
  • eduroam web site (http://www.eduroam.org)
  • eduroam database
  • trouble ticketing system (TTS)
  • mailing lists

14
Users vs. service elements
Service element                                    | End user | Inst.-level personnel | Federation-level personnel
Basic monitoring facilities                        | Yes      | Yes                   | Yes
Full monitoring and diagnostics facilities         | No       | Yes*                  | Yes
Public access to the eduroam web site              | Yes      | Yes                   | Yes
Access to the internal eduroam web site            | No       | Yes*                  | Yes
Public access to the eduroam database              | Yes      | Yes                   | Yes
Access to all information in the eduroam database  | No       | Yes*                  | Yes
TTS                                                | No       | Yes                   | Yes
SA5/OT mailing lists                               | No       | No                    | Yes
Support from OT                                    | No       | No                    | Yes

* limited to the information regarding the respective institution
15
eduroam infrastructure
16
Monitoring problem definition
  • Monitor functionality of the eduroam
    infrastructure
  • servers
  • infrastructure
  • user experience
  • It is not enough to know that a host is accessible
  • The ultimate goal is to test the real user experience
  • RADIUS servers follow (very) different workflows for
    Accept and Reject
  • perform both accept-logic and reject-logic tests

17
Monitoring concept
  • The monitoring client is a RADIUS client capable of
    sending various types of RADIUS request (PAP,
    EAP, etc.)
  • The RADIUS proxy server is the monitored server
  • The IdP RADIUS server is the server that issues the
    response, thus acting as a loop-back server. Its
    function is to close the tunnel and produce a
    standard, well-formed and specified response. This
    function might be realised on the monitored
    server (the RADIUS proxy server) itself
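An added illustration, not code from this presentation or from the eduroam project: a minimal RADIUS PAP probe in the spirit of the monitoring concept above, with the realm-based forwarding of the RADIUS hierarchy (slide 6) collapsed into a single lookup. The user database, shared secret and realm list are constructed stand-ins; the monitoring client builds an Access-Request, a loop-back IdP answers Accept or Reject, and the Response Authenticator is verified before the verdict is reported, so both the accept and the reject logic can be exercised.

```python
import hashlib, os, struct

# Constructed stand-ins (not eduroam's real data): the IdP's User DB, one hop's
# RADIUS shared secret, and the realms the FLRS/TLRS chain knows how to reach.
USER_DB = {"joe@university_b.hr": "s3cret"}
SHARED_SECRET = b"constructed-secret"
KNOWN_REALMS = {"university_b.hr"}

def pap_xor(data, secret, auth, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with an MD5 chain
    keyed on the previous *ciphertext* block, hence the decrypt flag."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk if decrypt else block
        out += block
    return out

def build_access_request(user, password, secret, ident=1):
    """Monitoring client side: Access-Request (code 1) with User-Name and PAP password."""
    auth = os.urandom(16)                       # Request Authenticator
    attrs = struct.pack("!BB", 1, 2 + len(user)) + user.encode()
    hidden = pap_xor(password.encode(), secret, auth)
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + auth + attrs

def idp_respond(packet, secret):
    """Loop-back IdP: decode the request, check USER_DB, answer Accept (2) or Reject (3)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    auth, pos, attrs = packet[4:20], 20, {}
    while pos < length:                         # TLV walk over the attributes
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    user = attrs[1].decode(errors="replace")
    password = pap_xor(attrs[2], secret, auth, decrypt=True).rstrip(b"\x00").decode(errors="replace")
    header = struct.pack("!BBH", 2 if USER_DB.get(user) == password else 3, ident, 20)
    return header + hashlib.md5(header + auth + secret).digest()  # Response Authenticator

def monitor_probe(user, password, secret=SHARED_SECRET):
    """One accept- or reject-logic test: route by realm, send, verify the reply."""
    realm = user.rsplit("@", 1)[-1]
    if realm not in KNOWN_REALMS:
        return "no-route"                       # the proxy hierarchy cannot reach this realm
    req = build_access_request(user, password, secret)
    resp = idp_respond(req, secret)
    if resp[4:20] != hashlib.md5(resp[:4] + req[4:20] + secret).digest():
        return "bad-authenticator"              # reply was not produced with the shared secret
    return {2: "Access-Accept", 3: "Access-Reject"}.get(resp[0], "unknown")
```

A real probe would send the datagram over UDP to the monitored proxy and, for EAP methods, also carry a Message-Authenticator attribute; the loop-back responder here stands in for that path.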

18
Monitoring servers
[Diagram: monitoring client and monitoring database connected to a TLRS and an FLRS.]
19
Monitoring infrastructure
[Diagram: monitoring client and monitoring database connected to several TLRS(s) and FLRS(s).]
20
Testing on demand
[Diagram: monitoring client and monitoring database testing between realm A FLRS(s) and realm B FLRS(s) via the TLRS(s).]

21
eduroam database
  • The information stored in the eduroam database
    includes:
  • NRO representatives and respective contacts
  • Local institutions' (both SP and IdP) official
    contacts
  • Information about eduroam hot spots (SP location,
    technical info)
  • Monitoring information
  • Information about the usage of the service
  • NROs:
  • should provide the respective data (general and usage
    data)
  • in the defined XML format, available at the
    specified URL address
  • which should be accessible only from the eduroam
    database server

22
User support problem escalation scenario (1)
[Diagram: escalation path from the user to the local institution admin. and fed.-level admin. of the visited federation, to the OT, and on to the fed.-level admin. and local institution admin. of the home federation; steps numbered 1, 2, 3, 4.]
23
User support problem escalation scenario (2)
[Diagram: same parties as scenario (1) (user, visited-federation local institution admin. and fed.-level admin., OT, home-federation fed.-level admin. and local institution admin.); steps numbered 1, 2, 3, 4, 4a, 4b, 5, 6.]
24
Implementation plan
  • service definition
  • policy
  • monitoring
  • web site
  • TTS
  • eduroam database

25
eduroam current status: connected to the TLRSs
  • 33 countries
  • 2 TLRSs

26
eduroam current status: monitored TLRS/FLRS
  • monitoring service is in place
  • will be publicly available via www.eduroam.org
    (end of April 2008)
  • further development is planned

27
eduroam current status: demographics/user maps
  • demographics info
  • number of SPs, IdPs
  • location of SPs
  • usage
  • coverage
  • contacts
  • user oriented maps
  • based on eduroam database
  • will be publicly available via www.eduroam.org
    (end of April 2008)
  • further development is planned

?
28
  • http://www.eduroam.org