
eduroam: a managed European service

eduroam: a managed European service. Miroslav Milinović, Srce, Zagreb, Croatia; eduroam SA, GÉANT2 <miro@srce.hr>. NORDUnet 2008, Espoo, Finland. Contents: roaming activity in GEANT2 (JRA5, SA5), eduroam technology, eduroam service organisation, infrastructure elements.


  1. eduroam: a managed European service
  Miroslav Milinović, Srce, Zagreb, Croatia
  eduroam SA, GÉANT2 <miro@srce.hr>
  NORDUnet 2008, Espoo, Finland

  2. Contents
  • Roaming activity in GEANT2 (JRA5, SA5)
  • eduroam technology
  • eduroam service
    • organisation
    • infrastructure elements
    • supporting elements
  • Current status and plans

  3. GEANT2 & roaming
  • JRA5: Roaming and Authorisation
    • How to organise access to resources in the research and education area in a sufficiently safe and easy to handle way?
    • activities: roaming (eduroam), AAI (eduGAIN), uSSO
    • JRA5 roaming vision: to build a roaming infrastructure enabling full mobility of members of the scientific community in Europe
  • SA5: eduroam service activity
    • continue on JRA5 results in order to build and maintain a reliable European eduroam service
    • provide: “open your laptop and be online”

  4. Federations
  • Federations enable sharing of resources (synergy effects, joining a federation instead of many bilateral agreements)
  • A federation is constituted by a set of agreements between members (peers)
  • In a federation (agreement) there needs to be a common set of rules (organisational and technical)
  • Federations can be part of bigger federations
  • Federations can be interconnected
  • Confederation = federation of federations (federating principles applied to federations themselves)

  5. Roaming requirements
  • Identify users uniquely at the edge of the network
  • Enable guest usage
  • Scalable
    • local user administration and authentication
  • Easy to install and use
    • at most a one-time installation by the user
  • Open
  • Secure

  6. eduroam technology
  • Security based on 802.1X
    • Integration with VLAN assignment
    • Protection of credentials
  • Authentication based on EAP
    • Different authentication mechanisms possible by using EAP (Extensible Authentication Protocol)
  • Roaming based on RADIUS proxying
    • Remote Authentication Dial In User Service
    • Transport protocol for authentication information
  • Trust fabric based on:
    • Technical: RADIUS hierarchy
    • Policy: documents/contracts that define the responsibilities of user, institution, NREN and the respective federation

  7. eduroam architecture: ubiquitous network access
  [Diagram: supplicant → authenticator (AP or switch) → RADIUS server of University A (with its user DB) → central RADIUS proxy server → RADIUS server of University B (with its user DB, home of user joe@university_b.hr); VLANs shown: employee VLAN, student VLAN, commercial VLAN (XYZnet); signalling and data paths drawn separately]
  • Trust: RADIUS & policy documents
  • 802.1X + EAP
  • (VLAN assignment)

  8. eduroam confederation RADIUS hierarchy
  [Diagram only]

  9. eduroam goes global http://www.eduroam.org

  10. (European) eduroam service
  • eduroam user experience: “open your laptop and be online”
  • To provide secure network access inside the confederation boundaries (to the end users)
  • eduroam is a secure international roaming service for members of the European eduroam confederation (a confederation of autonomous roaming services)
  • First steps in transition to service:
    • Service Definition and Implementation Plan
    • Policy

  11. European eduroam confederation principles
  • Members are European NRENs/NROs
  • Members sign the European eduroam policy, committing to the organisational and technical requirements
  • Mutual access – no fees
  • Authentication at home – authorisation at the visited institution
  • Home institutions are/remain responsible for their users abroad
  • Members promote eduroam in their countries
  • European eduroam may peer with other regions (confederation level)

  12. Confederated eduroam service
  • Encompasses all the elements necessary to support the Service
    • confederation infrastructure
    • establishing trust between the member federations
    • monitoring and diagnostic facilities
    • central data repository (eduroam database)
    • confederation level user support

  13. eduroam service model
  [Diagram: eduroam service (governed by SA5) comprising the eduroam confederation service (provided by the OT) and the national eduroam services (each provided by an NREN/NRO)]

  14. eduroam service elements
  • Technology infrastructure
  • Supporting infrastructure
    • monitoring and diagnostics
    • eduroam web site (http://www.eduroam.org)
    • eduroam database
    • trouble ticketing system (TTS)
    • mailing lists

  15. Users vs. service elements

  16. eduroam infrastructure

  17. Monitoring: problem definition
  • Monitor functionality of the eduroam infrastructure
    • servers
    • infrastructure
    • user experience
  • It is not enough to know that a host is accessible
    • Ultimate goal is to test the real user experience
  • (Very) different workflows at RADIUS servers for Accept and Reject
    • perform both accept and reject logic tests

  18. Monitoring: concept
  • Monitoring client is a RADIUS client capable of sending various types of RADIUS request (PAP, EAP, …)
  • RADIUS proxy server is the monitored server
  • IdP RADIUS server is the server that issues the response, thus acting as a loop-back server. Its function is to close the tunnel and create a standard, well-formed and specified response. This function might be realised on the monitored server (RADIUS proxy server)

  19. Monitoring: process
  • Monitoring process is performed in two steps: REJECT test and ACCEPT test
  • Both steps include:
    • Monitoring client creates RADIUS attributes specific for monitoring purposes
    • Monitoring client creates a RADIUS request based on the selected AuthN type (now EAP/TTLS)
    • Monitoring client sends the RADIUS request and starts measuring response time
    • Monitored RADIUS proxy server handles the request and sends back the response
    • Monitoring client evaluates the received response and updates the database
  • Monitored server is marked OK if it fulfils both testing steps
  • Monitored data, saved in the database:
    • is the monitoring request accepted by the RADIUS proxy server? (yes/no)
    • is the request properly routed? (currently to eduroam.<tld>)
    • type of RADIUS request (currently only EAP/TTLS)
    • is the response well formed (equal to expectations)?
    • response time
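Added example, not code from the slides or from the eduroam project: a stdlib-only Python model of the realm-based RADIUS hierarchy of slides 6–8 (TLRS → FLRS → home IdP, decided on the outer identity only) and of the two-step monitoring logic of slides 18–19. Realm names, user names, passwords and the `proxy`/`accept_all_proxy` stand-ins are constructed; they replace real RADIUS servers so the check runs offline, and the accept-all case shows why a REJECT test is needed in addition to an ACCEPT test.

```python
import time

# Constructed toy confederation (sample data, not real eduroam servers):
# realm -> {user: password}, known only to that realm's home IdP.
IDP_USERS = {
    "eduroam.hr": {"monitor": "probe-secret"},  # monitoring realm eduroam.<tld>
    "university_b.hr": {"joe": "joe-pw"},
}
# Realms each federation-level server (FLRS, one per TLD) knows how to reach.
FLRS_REALMS = {"hr": {"eduroam.hr", "university_b.hr"}}

def route(identity):
    """Hops a request takes through the hierarchy, decided only on the outer
    identity's realm (the proxies never see the inner credentials)."""
    realm = identity.partition("@")[2]
    tld = realm.rsplit(".", 1)[-1]
    if realm not in FLRS_REALMS.get(tld, ()):
        return None  # unknown realm: the TLRS/FLRS has nowhere to forward
    return ["TLRS", f"FLRS-{tld}", f"IdP-{realm}"]

def proxy(identity, password):
    """Well-behaved proxy chain: forward along route(); the home IdP decides."""
    path = route(identity)
    if path is None:
        return {"code": "Access-Reject", "path": []}
    user, _, realm = identity.partition("@")
    ok = IDP_USERS[realm].get(user) == password
    return {"code": "Access-Accept" if ok else "Access-Reject", "path": path}

def accept_all_proxy(identity, password):
    """Misconfigured stand-in: answers Accept itself instead of forwarding."""
    return {"code": "Access-Accept", "path": ["TLRS"]}

def probe(send, tld="hr", max_rtt=2.0):
    """Slide 19 logic: ACCEPT test then REJECT test against the monitored
    server's send(identity, password); the server is OK only if both pass."""
    realm = f"eduroam.{tld}"
    results = []
    for password, expected in (("probe-secret", "Access-Accept"), ("wrong", "Access-Reject")):
        t0 = time.monotonic()
        resp = send(f"monitor@{realm}", password)
        rtt = time.monotonic() - t0
        results.append({
            "test": expected,
            "routed_ok": resp["path"][-1:] == [f"IdP-{realm}"],  # reached eduroam.<tld>?
            "well_formed": resp.get("code") == expected,         # response as expected?
            "in_time": rtt <= max_rtt,
            "rtt": rtt,
        })
    return all(r["routed_ok"] and r["well_formed"] and r["in_time"] for r in results), results
```

`probe(proxy)` reports OK, while `probe(accept_all_proxy)` fails: its ACCEPT test looks fine, but the REJECT test and the routing check expose the short-circuited proxy.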

  20. Monitoring servers
  [Diagram: monitoring client and monitoring database, with the TLRS and FLRS under test]

  21. Monitoring infrastructure
  [Diagram: monitoring client and monitoring database connected to several TLRS(s) and FLRS(s)]

  22. Testing on demand
  [Diagram: monitoring client and monitoring database testing realm A (FLRS(s)) and realm B (FLRS(s)) via the TLRS(s)]

  23. eduroam database
  • The information stored in the eduroam database includes:
    • NRO representatives and respective contacts
    • Local institutions' (both SP and IdP) official contacts
    • Information about eduroam hot spots (SP location, technical info)
    • Monitoring information
    • Information about the usage of the service
  • NROs:
    • should provide respective data (general and usage data)
      • in the defined XML format available at the specified URL address
      • should be accessible only from the eduroam database server

  24. eduroam database

  25. User support: problem escalation scenario (1)
  [Diagram: escalation steps 1,2 → 3 → 4 between the user, the local institution admins and the federation-level admins of the home and visited federations, and the OT]

  26. User support: problem escalation scenario (2)
  [Diagram: escalation steps 1,2 → 3 → 4 (4a, 4b) → 5 → 6 between the user, the local institution admins and the federation-level admins of the home and visited federations, and the OT]

  27. Implementation plan
  [Timeline over project months M37 (Sep07), M40 (Dec07), M41 (Jan08), M42 (Feb08), M43 (Mar08), M44 (Apr08), M48 (Aug08) and M54 (Feb09), with tracks for: service definition & policy, monitoring, web site, TTS, eduroam database]

  28. eduroam current status: connected to the TLRSs
  • 33 countries
  • 2 TLRSs

  29. eduroam current status: monitored TLRS/FLRS
  • monitoring service is in place
  • will be publicly available via www.eduroam.org (end of April 2008)
  • further development is planned

  30. eduroam current status: demographics/user maps
  • demographics info:
    • no. of SPs, IdPs
    • location of SPs
    • usage
    • coverage
    • contacts
  • user oriented maps
  • based on eduroam database
  • will be publicly available via www.eduroam.org (end of April 2008)
  • further development is planned?

  31. http://www.eduroam.org
