Presentation is loading. Please wait.

Presentation is loading. Please wait.

Deploying eduroam Deyan Stoykov, BREN E-infrastructure Autumn Workshops 8 September, 2014.

Published byMartin Riley Modified over 8 years ago

Similar presentations

Presentation on theme: "Deploying eduroam Deyan Stoykov, BREN E-infrastructure Autumn Workshops 8 September, 2014."— Presentation transcript:

1 Deploying eduroam Deyan Stoykov, BREN E-infrastructure Autumn Workshops 8 September, 2014

2 2 Connect | Communicate | Collaborate Introduction to eduroam eduroam is a secure international roaming service for members of the European eduroam Confederation (eduroam Service Definition, July 2012) provides consistent and secure wireless access across research and education institutions based on a hierarchy of RADIUS servers username is in user@realm format

3 3 Connect | Communicate | Collaborate eduroam infrastructure elements European Top-level RADIUS servers (ETLRS) operated by the eduroam Operations Team (OT) located in Denmark and Netherlands hub for the European Confederation provide inter-federation roaming Federation-level RADIUS servers (FLRS) operated by the National Roaming Operators (NROs) provide intra-federation roaming in case of inter-federation roaming, forward the request to an ETLR

4 4 Connect | Communicate | Collaborate eduroam infrastructure elements #2 Service providers (SPs) provide network access to local or visiting users receive RADIUS requests from NAS devices (wireless APs, switches) forward the request to user’s IdP grant or reject access Identity providers (IdPs) responsible for authenticating the users in a specific domain(realm) receive RADIUS access request from SPs consult a user database grant or reject access Access points / switches Supplicants

5 5 Connect | Communicate | Collaborate eduroam infrastructure – static routing

6 6 Connect | Communicate | Collaborate eduroam infrastructure – dynamic routing

7 7 Connect | Communicate | Collaborate eduroam infrastructure – dynamic routing

8 8 Connect | Communicate | Collaborate Protocols RADIUS provides AAA (authentication, authorization and accounting) – accounting is generally not used in eduroam relies on shared secrets for mutual authentication gradually superseded by RADSEC (RADIUS over TCP/TLS) 802.1x EAP EAP-TLS (authentication with TLS certificate) PEAP (EAP-MSCHAPv2) EAP-TTLS (PAP, CHAP, MS-CHAP) Outer and inner tunnel – Allows usage of anonymous identity – Outer tunnel: anonymous@realm – Inner tunnel: username@realm

9 9 Connect | Communicate | Collaborate RADIUS server software FreeRADIUS open source license most popular RADIUS server version 3 includes RADSEC support and other improvements Radiator commercial license targeting telco and other high-end market segments Radsecproxy open source license only supports proxying, not usable for an IdP Microsoft IAS/NPS

10 10 Connect | Communicate | Collaborate NRO requirements/recommendations Sign the eduroam policy Maintain a web-site at www.eduroam.[cc] Provide user support form Allow requests from the eduroam monitoring service Configure logging with F-Ticks Maintain the eduroam database Keep logs for at least 6 month

11 11 Connect | Communicate | Collaborate eduroam database Aggregated automatically from predefined locations www.eduroam.[cc]/general/realm.xml www.eduroam.[cc]/general/institution.xml institution.xml is populated in a federation-specific method, usually manually Used for contact data and coverage map

12 12 Connect | Communicate | Collaborate F-ticks Collects statistics for roaming authentication requests within the confederation to a central location FreeRADIUS configuration linelog f_ticks { filename = syslog format = "" reference = "f_ticks.%{%{reply:Packet-Type}:-format}" f_ticks { Access-Accept = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=BG#CSI=%{Calling- Station-Id}#RESULT=OK#" Access-Reject = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=BG#CSI=%{Calling- Station-Id}#RESULT=FAIL#" } rsyslog configutation msg, contains, "F-TICKS" @1.2.3.4

13 13 Connect | Communicate | Collaborate Setting up an IdP Choosing EAP method PEAP (EAP-MSCHAPv2) EAP-TTLS (PAP, CHAP, MS-CHAP) Authentication backend support – PEAP: plaintext password or NT hash available – TTLS: any (with PAP) OS support – PEAP: Windows Vista/7/8, iOS, Android – TTLS: Windows 8, iOS, Android

14 14 Connect | Communicate | Collaborate Setting up an IdP Generate EAP certificates Current recommendation is to set up a private CA specifically for eduroam Use a long enough validity period (20 years?) Commercial CA doesn’t provide additional security for EAP

15 15 Connect | Communicate | Collaborate Setting up an IdP Provide assistance to users eduroam CAT – http://cat.eduroam.org web-site with instructions Promo materials at www.eduroam.org www.eduroam.org

16 16 Connect | Communicate | Collaborate Setting up an IdP Enabling dynamic discovery DNS records for dynamic discovery example.com. 43200 IN NAPTR 00 10 "s" "x-eduroam:radius.tls" "" _radsec._tcp.example.com. _radsec._tcp.example.com. 43200 IN SRV 10 0 2083 radius.example.com. _radsec._tcp.example.com. 43200 IN SRV 5 0 2083 radius.example.com. Additionally, a PKI layer will verify the realm/domain is owned by a research/education institution. Currently in pilot state in 10 NRENs greatidp.aq. 43200 IN NAPTR 100 10 "s" "x-eduroam:radius.tls" "" _radsec._tcp.eduroam.aq.

17 17 Connect | Communicate | Collaborate Setting up a SP Wireless equipment choice and setup Controller-based or standalone APs Controller-based solutions provide centralized management and other benefits such as better roaming experience Standalone APs require smaller initial investment Client isolation General wireless networking best practices (coverage, channel selection, etc.) Extra SSID for initial setup (eduroam-help)

18 18 Connect | Communicate | Collaborate Setting up a SP Dynamic VLAN assignment # VLAN for staff if ( Realm == "uni-ruse.bg" ) { update reply { Tunnel-type := VLAN Tunnel-Medium-Type := 802 Tunnel-Private-Group-ID := 29 } # VLAN for students if ( Realm == "stud.uni-ruse.bg" ) { update reply { Tunnel-type := VLAN Tunnel-Medium-Type := 802 Tunnel-Private-Group-ID := 31 }

19 19 Connect | Communicate | Collaborate Setting up a SP Establish and publish policy Keep authentication logs for at least 6 months Set the Operator-Name attribute authorize { update request { Operator-Name := "1yourdomain.tld" } What NOT to do: don’t use web logins not recommended to do port restrictions – port 25 can still be blocked (465 and 587 are on the minimum list) not recommended to use transparent proxies or force users to configure their systems to use a proxy not recommended to use NAT

20 20 Connect | Communicate | Collaborate Further references http://www.eduroam.org/ http://monitor.eduroam.org/ https://wiki.terena.org/display/H2eduroam https://tools.ietf.org/html/draft-wierenga-ietf-eduroam-04

21 21 Connect | Communicate | Collaborate Question time Questions?

22 22 Connect | Communicate | Collaborate www.geant.net www.twitter.com/GEANTnews | www.facebook.com/GEANTnetwork | www.youtube.com/GEANTtv Connect | Communicate | Collaborate Thank you!

Download ppt "Deploying eduroam Deyan Stoykov, BREN E-infrastructure Autumn Workshops 8 September, 2014."

Similar presentations

Inter WISP WLAN roaming

Inter WISP WLAN roaming
Authentication.

Authentication.
Joining eduroam Wireless Roaming for Education and Research.

Joining eduroam Wireless Roaming for Education and Research.
RadSec – A better RADIUS protocol

RadSec – A better RADIUS protocol
Connect. Communicate. Collaborate eduroam: a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 NORDUnet 2008, Espoo,

Connect. Communicate. Collaborate eduroam: a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 NORDUnet 2008, Espoo,
Connect. Communicate. Collaborate eduroam: towards a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 Wi-Fi Workshop,

Connect. Communicate. Collaborate eduroam: towards a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 Wi-Fi Workshop,
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Terena Mobility Taskforce update Klaas Wierenga SURFnet.

Terena Mobility Taskforce update Klaas Wierenga SURFnet.
Licia Florio EUNIS05, Manchester 1 Eduroam EUNIS Conference, June 22 2005 Licia Florio.

Licia Florio EUNIS05, Manchester 1 Eduroam EUNIS Conference, June Licia Florio.
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.

CONFIDENTIAL © Copyright Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.
Connect communicate collaborate Eduroam debugging Gurvinder Singh and Gunnar Bøe, Campus Networks and Systems, UNINETT AMRES Wireless workshop Belgrade,

Connect communicate collaborate Eduroam debugging Gurvinder Singh and Gunnar Bøe, Campus Networks and Systems, UNINETT AMRES Wireless workshop Belgrade,
Why eduroam sucks, and how to fix it.

Why eduroam sucks, and how to fix it.
TF Mobility Group 22nd September 20031 A comparison of each national solution was made against Del C – “requirements”, the following solutions were assessed.

TF Mobility Group 22nd September A comparison of each national solution was made against Del C – “requirements”, the following solutions were assessed.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference 2006 9 th November, 2006.

Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference th November, 2006.
Connect communicate collaborate RADIUS and WLAN Infrastructure Monitoring Jovana Palibrk, AMRES NA3 T2, Sofia, 19.06.2014.

Connect communicate collaborate RADIUS and WLAN Infrastructure Monitoring Jovana Palibrk, AMRES NA3 T2, Sofia,
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 11: Planning Network Access.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 11: Planning Network Access.
EduRoam: movilidad por Europa... y España Toledo, 29 de octubre de 2004

EduRoam: movilidad por Europa... y España Toledo, 29 de octubre de 2004
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Similar presentations

Ads by Google