Eduroam – Roam In a Day. Louis Twomey, HEAnet Limited. HEAnet Conference 2006, 9th November, 2006.


eduroam – Roam In a Day. Louis Twomey, HEAnet Limited. HEAnet Conference, 9th November, 2006

The issue: Roaming users need Internet access
Grief for roaming users:
–Need to arrange/agree network access in advance.
–Need to remember temporary account details.
Grief for visited sites:
–Create temporary/guest accounts (management overhead, security concerns, etc.).
–Users accessing resources may be effectively anonymous.

A solution: eduroam
Formalised approach to educational roaming.
Uses existing user accounts and authentication mechanisms:
–Users don't have to remember details of another account.
–No need for temporary/guest accounts at visited sites.
–Users not anonymous (= more accountable).
The eduroam infrastructure is based on mutual trust between sites.
eduroam is a GN2 (Joint Research Activity 5) project.

eduroam maps

The national eduroam gateway
Dell 2850 server with gigabit network interface, located on the network backbone (hosting facility at Servecentric).
FreeRadius running on Debian Linux.
Configured to communicate with the European gateways (operated by SURFnet).
Configured to communicate with each Irish eduroam member institution.
Installed and maintained by HEAnet.

Authentication elements
802.1X elements:
–Supplicant: Software on the client device.
–Authenticator: The wireless AP.
–Authentication Server: The home Radius server.
Realm: The domain portion of the username.
Resource Provider: The visited site.
Identity Provider: The home institution.

Authentication architecture

How do I join?
Integrate your local authentication server into the Irish eduroam infrastructure:
–Facilitates your roaming users at other eduroam sites.
Implement wireless LAN access at your site for roaming users:
–Facilitates visiting eduroam users at your site.

Integrate authentication server into eduroam
Register your Radius server with the national gateway.
The Radius server may be an existing authentication server or a new server which proxies to it.
Consider where the server sits within the local network topology.
A public SSL certificate should be installed on the Radius server.
Maintain accounting logs of your own users' sessions.
Radius server options: Freeradius, Radiator, Cisco ACS Server, etc.
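As an added illustration of the realm-based forwarding the slides describe (the site's Radius server handling its own realm itself and proxying every other realm to the national gateway), here is example code that is not from the presentation; the local realm, the gateway name and the received_from values are assumptions made for the example:

```python
"""Added example (not from the HEAnet slides): realm-based routing as an
institutional eduroam RADIUS proxy does it. The realm, gateway name and
received_from values are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL_REALMS = {"example.ie"}                 # constructed: this site's own realm
NATIONAL_GATEWAY = "gateway.placeholder.ie"   # placeholder for the HEAnet gateway


@dataclass
class Route:
    action: str            # "local", "proxy" or "reject"
    target: Optional[str]  # next-hop RADIUS server when action == "proxy"
    reason: str


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Split a RADIUS User-Name into (user, realm); the realm is the part after
    the last '@', lower-cased. Returns realm None when there is no '@'."""
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm.lower()


def route(user_name: str, received_from: str) -> Route:
    """Decide what to do with an Access-Request.

    received_from is "ap" for a request from one of our own authenticators
    (a visiting or home user on our wireless LAN) or "gateway" for a request
    proxied down from the national gateway (one of our users roaming elsewhere).
    """
    _, realm = split_realm(user_name)
    if not realm:
        # Without a realm the home IdP cannot be located, so reject locally.
        return Route("reject", None, "no realm in User-Name")
    if realm in LOCAL_REALMS:
        # Our own user: authenticate against the local authentication server.
        return Route("local", None, "home realm")
    if received_from == "gateway":
        # The gateway only sends us our own realms; anything else must not be
        # proxied back up or the two servers would loop the request.
        return Route("reject", None, f"realm {realm} not served here")
    # A visitor: the inner EAP identity stays hidden inside the TLS tunnel;
    # the outer realm alone is enough to forward to the national gateway.
    return Route("proxy", NATIONAL_GATEWAY, f"realm {realm} is not local")
```

The "gateway" branch is the loop guard a real proxy also needs: a request that came down from the gateway and does not match a local realm must be rejected, not sent back up.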

Implement wireless LAN
Wireless APs must support 802.1X.
Web redirect and VPN access are deprecated.
The SSID should be 'eduroam'.
The eduroam service can be provided via an existing wireless access network (multiple SSIDs and a VLAN per SSID).
Define a policy for user access.
Maintain accounting logs of visiting users' sessions.

Sample site architectures

Security
Radius server:
–Secret key shared with the national gateway.
–Restrict access to the local Radius server (harden the OS, ACLs, firewall, monitoring, etc.).
Wireless LAN:
–802.1X (restricts layer 2 access to the wireless APs).
–EAP ("hides" user authentication details from all but the supplicant and the authenticating server).
–TLS/TTLS (SSL certificate on the server, and potentially on clients too).
–Authentication can be via password, token, client certificate, etc.

Requirements on client device
The device may be a laptop, mobile phone, PDA, etc.
Client software must support 802.1X.
Client software must support the cipher in use at the visited site.
Examples of clients:
–WinXP wireless client
–MacOS wireless client
–wpa_supplicant (Linux, BSD, Windows)
–SecureW2 (EAP-TTLS client)

Future directions for eduroam
The current model is inflexible and doesn't scale well.
Desirable features:
–Peer discovery (DNS, DNSSEC).
–Trust establishment (PKI, DNSSEC).
Various technologies: DIAMETER, RadSec, etc.
eduroam-NG (eduroam Next Generation).
Possible integration with eduGAIN (the European AAI).

Other resources
– Info for Irish sites.
– Info on the eduroam project as a whole.
– Info on the Australian implementation, with some useful documentation relevant to any eduroam site.
– Mailing list of HEAnet clients' technical staff.