Connect. Communicate. Collaborate eduroam: a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 NORDUnet 2008, Espoo,
eduroam: a managed European service
Miroslav Milinović, Srce, Zagreb, Croatia
eduroam SA, GÉANT2
NORDUnet 2008, Espoo, Finland

Contents
– Roaming activity in GEANT2 (JRA5, SA5)
– eduroam technology
– eduroam service
  – organisation
  – infrastructure elements
  – supporting elements
– Current status and plans

GEANT2 & roaming
JRA5: Roaming and Authorisation
– How to organise access to resources in the research and education area in a sufficiently safe and easy to handle way?
– activities: roaming (eduroam), AAI (eduGAIN), uSSO
– JRA5 roaming vision: to build a roaming infrastructure enabling full mobility of members of the scientific community in Europe
SA5: eduroam service activity
– continue on JRA5 results in order to build and maintain a reliable European eduroam service
– provide: open your laptop and be online

Federations
– Federations enable sharing of resources (synergy effects; joining a federation instead of many bilateral agreements)
– A federation is constituted by a set of agreements between members (peers)
– In a federation (agreement) there needs to be a common set of rules (organisational and technical)
– Federations can be part of bigger federations
– Federations can be interconnected
– Confederation = federation of federations (federating principles applied to federations themselves)

Roaming requirements
– Identify users uniquely at the edge of the network
– Enable guest usage
– Scalable
  – local user administration and authentication
– Easy to install and use
  – at most a one-time installation by the user
– Open
– Secure

eduroam technology
– Security based on 802.1X
  – Integration with VLAN assignment
  – Protection of credentials
– Authentication based on EAP
  – Different authentication mechanisms possible by using EAP (Extensible Authentication Protocol)
– Roaming based on RADIUS proxying
  – Remote Authentication Dial In User Service
  – Transport protocol for authentication information
– Trust fabric based on:
  – Technical: RADIUS hierarchy
  – Policy: documents/contracts that define the responsibilities of user, institution, NREN and the respective federation
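The RADIUS proxying described above, as an added Python example that is not part of the presentation or of the eduroam software: a small model of how an Access-Request whose user name has the form user@realm is forwarded from the visited institution through its national proxy (FLRS) and the top-level proxy (TLRS) to the home institution, and rejected without looping when no server owns the realm. All server names and realms are constructed.

```python
# Added example (not the presentation's or project's code): toy model of realm-based
# RADIUS proxying in the eduroam hierarchy. Every server name and realm is constructed.
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str                 # "inst", "flrs" (national) or "tlrs" (top-level)
    suffix: str = ""          # realm an institution owns, or the TLD an FLRS serves
    parent: object = None
    children: list = field(default_factory=list)

def split_nai(user_name):
    """'user@realm' -> (user, lower-cased realm); None if '@' is missing/doubled or a part is empty."""
    parts = user_name.split("@")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    return parts[0], parts[1].lower()

def route(node, realm, path):
    """Forward one hop at a time; return the node that can authenticate, or None."""
    path.append(node.name)
    if node.kind == "inst":
        if realm == node.suffix:
            return node                  # home IdP: authenticate against the local user DB
        return route(node.parent, realm, path) if node.parent else None
    if node.kind == "flrs" and not (realm == node.suffix or realm.endswith("." + node.suffix)):
        return route(node.parent, realm, path) if node.parent else None  # foreign realm: up to TLRS
    for child in node.children:          # realm owned by a server below this one?
        if realm == child.suffix or realm.endswith("." + child.suffix):
            return route(child, realm, path)
    return None                          # nobody owns the realm: reject here, never loop

def authenticate(visited, user_name):
    nai = split_nai(user_name)           # Access-Request arriving at a visited institution
    if nai is None:
        return "Access-Reject (malformed identity)", [visited.name]
    path = []
    home = route(visited, nai[1], path)
    if home is None:
        return "Access-Reject (realm unknown)", path
    return "Access-Accept from " + home.name, path

def build_hierarchy():
    tlrs = Node("tlrs.example", "tlrs")  # two countries, one institution each (constructed)
    for tld, realm in (("hr", "uni-a.hr"), ("nl", "uni-b.nl")):
        flrs = Node("flrs." + tld, "flrs", tld, parent=tlrs)
        flrs.children.append(Node("radius." + realm, "inst", realm, parent=flrs))
        tlrs.children.append(flrs)
    return tlrs
```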

eduroam architecture: ubiquitous network access [diagram: supplicant (user) → authenticator (AP or switch) → University A RADIUS server → XYZnet central RADIUS proxy server → University B RADIUS server with user DB; 802.1X + EAP with VLAN assignment (student, employee and commercial VLANs); separate data and signalling paths; trust: RADIUS & policy documents]

eduroam confederation RADIUS hierarchy [diagram]

eduroam goes global [diagram]

(European) eduroam service
– eduroam user experience: open your laptop and be online
– To provide secure network access inside the confederation boundaries (to the end users)
– eduroam is a secure international roaming service for members of the European eduroam confederation (a confederation of autonomous roaming services)
– First steps in transition to service:
  – Service Definition and Implementation Plan
  – Policy

European eduroam confederation principles
– Members are European NRENs/NROs
– Members sign the European eduroam policy, committing to the organisational and technical requirements
– Mutual access – no fees
– Authentication at home, authorisation at the visited institution
– Home institutions are/remain responsible for their users abroad
– Members promote eduroam in their countries
– European eduroam may peer with other regions (confederation level)

Confederated eduroam service
Encompasses all the elements necessary to support the service:
– confederation infrastructure
– establishing trust between the member federations
– monitoring and diagnostic facilities
– central data repository (eduroam database)
– confederation-level user support

eduroam service model
– national eduroam service (provided by NREN/NRO)
– eduroam confederation service (provided by OT)
– eduroam service (governed by SA5) ...

eduroam service elements
– Technology infrastructure
– Supporting infrastructure
  – monitoring and diagnostics
  – eduroam web site (
  – eduroam database
  – trouble ticketing system (TTS)
  – mailing lists

Users vs. service elements

Service element | End user | Inst.-level personnel | Federation-level personnel
Basic monitoring facilities | Yes | Yes | Yes
Full monitoring and diagnostics facilities | No | Yes (limited to the information regarding the respective inst.) | Yes
Public access to the eduroam web site | Yes | Yes | Yes
Access to the internal eduroam web site | No | Yes (limited to the information regarding the respective inst.) | Yes
Public access to the eduroam database | Yes | Yes | Yes
Access to all information in the eduroam database | No | Yes (limited to the information regarding the respective inst.) | Yes
TTS | No | Yes | SA5/OT
Mailing lists | No | Yes | Yes
Support from OT | No | Yes | Yes

eduroam infrastructure [diagram]

Monitoring: problem definition
– Monitor functionality of the eduroam infrastructure
  – servers
  – infrastructure
  – user experience
– It is not enough to know that a host is accessible
– Ultimate goal is to test the real user experience
  – (very) different workflows at RADIUS servers for Accept and Reject
  – perform both accept and reject logic tests

Monitoring: concept
– Monitoring client is a RADIUS client capable of sending various types of RADIUS request (PAP, EAP, …)
– RADIUS Proxy Server is the monitored server
– IdP RADIUS Server is the server that issues the response, thus acting as a loop-back server. Its function is to close the tunnel and create a standard, well-formed and specified response. This function might be realized on the monitored server (RADIUS proxy server)

Monitoring: process
Monitoring process is performed in two steps: REJECT test and ACCEPT test. Both steps include:
– Monitoring client creates RADIUS attributes specific for monitoring purposes
– Monitoring client creates a RADIUS request based on the selected AuthN type (now EAP/TTLS)
– Monitoring client sends the RADIUS request and starts measuring response time
– Monitored RADIUS Proxy Server handles the request and sends back the response
– Monitoring client evaluates the received response and updates the database
– Monitored server is marked OK if it fulfils both testing steps
Monitored data, saved in the database:
– is the monitoring request accepted by the RADIUS proxy server? (yes/no)
– is the request properly routed? (currently to eduroam. )
– type of RADIUS request (currently only EAP/TTLS)
– is the response well formed (equal to expectations)?
– response time
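The two-step probe described above, as an added Python example that is not the presentation's or the project's monitoring code: for each test the client records whether the proxy answered, whether the request reached the loop-back server, whether the response is well formed and how long it took, and the server counts as OK only if both tests pass. The attribute names, the probe realm and the stand-in proxies are assumptions made for illustration.

```python
# Added example (not the presentation's code): the two-step REJECT/ACCEPT probe run by the
# monitoring client. Attribute names, the probe realm and the stand-in proxies are constructed.
import time

PROBE_REALM = "monitor.example"     # constructed realm the probes must be routed to
def make_request(test):
    # attributes the monitoring client puts into its probe (constructed set)
    return {"User-Name": "probe-" + test + "@" + PROBE_REALM, "Auth-Type": "EAP/TTLS"}

def evaluate(test, response, elapsed):
    """One row for the monitoring database: accepted by proxy, routed, well formed, time."""
    want = "Access-Accept" if test == "accept" else "Access-Reject"
    got = response or {}
    return {"test": test, "auth_type": "EAP/TTLS",
            "accepted_by_proxy": response is not None,
            "routed": got.get("Reply-Message") == "loopback " + PROBE_REALM,
            "well_formed": got.get("Code") == want,
            "response_time": elapsed}

def run_monitoring(send, db_rows):
    """REJECT test first, then ACCEPT test; the server is OK only if both rows pass."""
    ok = True
    for test in ("reject", "accept"):
        start = time.perf_counter()
        try:
            response = send(make_request(test))   # monitored proxy handles the request
        except Exception:
            response = None                        # timeout or transport error
        row = evaluate(test, response, time.perf_counter() - start)
        db_rows.append(row)
        ok = ok and row["accepted_by_proxy"] and row["routed"] and row["well_formed"]
    return ok

# Constructed stand-ins for the monitored proxy and the loop-back IdP behind it.
def loopback_idp(request):
    """Closes the tunnel and answers Accept or Reject depending on which probe it is."""
    user = request["User-Name"].split("@")[0]
    code = "Access-Accept" if user.endswith("accept") else "Access-Reject"
    return {"Code": code, "Reply-Message": "loopback " + PROBE_REALM}

def healthy_proxy(request):
    if request["User-Name"].split("@")[1] != PROBE_REALM:
        return {"Code": "Access-Reject"}          # unknown realm: rejected locally
    return loopback_idp(request)

def misrouting_proxy(request):                  # alive, but never forwards anything
    return {"Code": "Access-Reject", "Reply-Message": "local reject"}

def dead_proxy(request):                        # never answers at all
    raise TimeoutError("no response")
```

A proxy that is up but rejects everything passes a plain host check and even the REJECT step; only the ACCEPT step exposes it, which is why both steps are required.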

Monitoring servers [diagram: monitoring client, monitoring database, TLRS, FLRS]

Monitoring infrastructure [diagram: monitoring client, monitoring database, TLRS(s), FLRS(s)]

Testing on demand [diagram: monitoring client, monitoring database, TLRS(s), FLRS(s) of realm A and of realm B]

eduroam database
The information stored in the eduroam database includes:
– NRO representatives and respective contacts
– Local institutions' (both SP and IdP) official contacts
– Information about eduroam hot spots (SP location, technical info)
– Monitoring information
– Information about the usage of the service
NROs:
– should provide the respective data (general and usage data)
– in the defined XML format, available at the specified URL address
– should be accessible only from the eduroam database server

eduroam database [figure]

User support: problem escalation scenario (1) [diagram: visited federation (fed.-level admin., local institution admin.), user, home federation (fed.-level admin., local institution admin.), OT; escalation steps 1,2 / 3 / 4]

User support: problem escalation scenario (2) [diagram: same parties as scenario (1); escalation steps 1, a / 4 / 4b / 5]

Implementation plan [timeline: service definition & policy, monitoring, web site, TTS, eduroam database; milestones Sep07 (M37), Dec07 (M40), Jan08 (M41), Feb08 (M42), Mar08 (M43), Apr08 (M44), Aug08 (M48), Feb09 (M54)]

eduroam current status: connected to the TLRSs
– 33 countries
– 2 TLRSs

eduroam current status: monitored TLRS/FLRS
– monitoring service is in place
– will be publicly available via (end of April 2008)
– further development is planned

eduroam current status: demographics/user maps
– demographics info:
  – no. of SPs, IdPs
  – location of SPs
  – usage
  – coverage
  – contacts
– user-oriented maps based on the eduroam database
– will be publicly available via (end of April 2008)
– further development is planned
