JRAx/SAx: Tentative Plans for Year 4 plus 6 Months

Connect. Communicate. Collaborate
eduroam: towards a managed
European service
Miroslav Milinović, Srce, Zagreb, Croatia
eduroam SA, GÉANT2
<[email protected]>
Wi-Fi Workshop, Barcelona, Spain
Contents
• Roaming activity in GEANT2 (JRA5, SA5)
• eduroam technology
• eduroam service
– organisation
– infrastructure elements
– supporting elements
• Current status and plans
GEANT2 & roaming
• JRA5: Roaming and Authorisation
– How to organise access to resources in the research and education area in a sufficiently safe and easy to handle way?
– Work items: roaming (eduroam), AAI (eduGAIN), uSSO
– JRA5 roaming vision: To build a roaming infrastructure enabling full mobility of members of the scientific community in Europe
• SA5: eduroam service activity
– continue on JRA5 results in order to build and maintain a reliable European eduroam service
– provide: “open your laptop and be online”
Roaming requirements
• Identify users uniquely at the edge of the network
• Enable guest usage
• Scalable
– local user administration and authentication
• Easy to install and use
– at most one-time installation by the user
• Open
• Secure
eduroam technology
• Security based on 802.1X
– Integration with VLAN assignment
– Protection of credentials
• Authentication based on EAP
– Different authentication mechanisms possible by using EAP (Extensible Authentication Protocol)
• Roaming based on RADIUS proxying
– Remote Authentication Dial In User Service
– Transport protocol for authentication information
• Trust fabric based on:
– Technical: RADIUS hierarchy
– Policy (federation agreement): Documents/contracts that define the responsibilities of user, institution, NREN and the respective federation
eduroam architecture: ubiquitous network access
[Diagram: user joe@university_b.hr with a supplicant at University A; authenticator (AP or switch); University A RADIUS server; central RADIUS proxy server (XYZnet); University B RADIUS server with its user DB; signalling and data paths drawn separately; employee, student and commercial VLANs at the visited site]
• Trust: RADIUS & policy documents
• 802.1X + EAP
• (VLAN assignment)
eduroam confederation RADIUS hierarchy
[Diagram: confederation level servers at the top; federation (NREN) level servers below them (e.g. .PT, .DK); institutional level servers (inst-1 to inst-4) at the bottom; a user [email protected] is routed through this tree]
eduroam goes global
http://www.eduroam.org
(European) eduroam service
• eduroam user experience: “open your laptop and be online”
• To provide secure network access inside the confederation boundaries
(to the end users)
• eduroam is a secure international roaming service for members of the
European eduroam confederation (a confederation of autonomous
roaming services)
• First steps in transition to service:
– Service Definition and Implementation Plan
– Policy
European eduroam confederation principles
• Members are European NRENs/NROs
• Members sign the European eduroam policy, committing to the organisational and technical requirements
• Mutual access – no fees (for end users)
• Authentication at home – authorisation at the visited institution
• Home institutions are/remain responsible for their users abroad
• Members promote eduroam in their countries
• European eduroam may peer with other regions (confederation level)
Confederated eduroam service
• Encompasses all the elements necessary to support the Service
– confederation infrastructure
– establishing trust between the member federations
– monitoring and diagnostic facilities
– central data repository (eduroam database)
– confederation level user support
eduroam service model
[Diagram: the eduroam service (governed by SA5) consists of the eduroam confederation service (provided by the OT) and the national eduroam services (each provided by an NREN/NRO)]
eduroam service elements
• Technology infrastructure
• Supporting infrastructure
– monitoring and diagnostics
– eduroam web site (http://www.eduroam.org)
– eduroam database
– trouble ticketing system (TTS)
– mailing lists
Users vs. service elements
Service element                                  | End user | Inst.-level personnel                                     | Federation-level personnel
Basic monitoring facilities                      | Yes      | Yes                                                       | Yes
Full monitoring and diagnostics facilities       | No       | Yes (limited to information regarding the respective inst.) | Yes
Public access to the eduroam web site            | Yes      | Yes                                                       | Yes
Access to the internal eduroam web site          | No       | Yes (limited to information regarding the respective inst.) | Yes
Public access to the eduroam database            | Yes      | Yes                                                       | Yes
Access to all information in the eduroam database | No      | Yes (limited to information regarding the respective inst.) | Yes
TTS                                              | No       | Yes                                                       | Yes
SA5/OT mailing lists                             | No       | No                                                        | Yes
Support from OT                                  | No       | No                                                        | Yes
eduroam infrastructure
[Diagram: eduroam confederation infrastructure. Top-level RADIUS server(s) connect via RADIUS to the federation (national) top-level RADIUS proxy server(s) of the home federation and of the remote federation; each of these connects via RADIUS to institutional RADIUS servers: the home institution (HI) acting as IdP with its authentication server (AuthN S), and the remote institution (RI) acting as SP, whose access network user U attaches to]
Monitoring: problem definition
• Monitor functionality of the eduroam infrastructure
– servers
– infrastructure
– user experience
• It is not enough to know that a host is accessible
• Ultimate goal is to test the real user experience
– (very) different workflows at RADIUS servers for Accept and Reject
– perform both accept and reject logic tests
Monitoring: concept
[Diagram: monitoring client -> RADIUS proxy server -> IdP RADIUS server]
• Monitoring client is a RADIUS client capable of sending various types of RADIUS request (PAP, EAP, …)
• RADIUS proxy server is the monitored server
• IdP RADIUS server is the server that issues the response, thus acting as a loop-back server. Its function is to close the tunnel and create a standard, well-formed and specified response. This function might be realised on the monitored server (RADIUS proxy server)
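The realm-based routing of the RADIUS hierarchy (institution, federation, confederation and back down) and the accept/reject logic test of the monitoring concept, as an added Python model that is not part of the original slides or of any eduroam software. Server names, realms, the user joe@university_b.hr and all passwords are constructed; the model carries only usernames and passwords, not the RADIUS/EAP wire protocol, and its proxy-loop guard is an assumption about how a careful deployment behaves, not a statement about the real TLRS/FLRS configuration.

```python
# Added example: toy model of eduroam realm-based RADIUS proxying plus the
# monitoring client's accept/reject probe. All names and credentials are
# constructed; no real RADIUS/EAP packets are exchanged.

ACCEPT, REJECT = "Access-Accept", "Access-Reject"

class RadiusServer:
    """One proxy in the hierarchy; acts as IdP for the realms in self.users."""
    def __init__(self, name, users=None):
        self.name = name
        self.users = users or {}   # realm -> {user: password}, home IdP only
        self.routes = {}           # realm suffix -> next hop (downwards)
        self.default = None        # upstream proxy for realms not routed here

    def handle(self, username, password, path):
        if self.name in path:      # proxy loop: fail closed instead of recursing
            return REJECT
        path.append(self.name)
        if "@" not in username:    # eduroam requires user@realm
            return REJECT
        user, _, realm = username.rpartition("@")
        if realm in self.users:    # we are the home IdP: authenticate locally
            return ACCEPT if self.users[realm].get(user) == password else REJECT
        hop = next((s for sfx, s in self.routes.items()
                    if realm == sfx or realm.endswith("." + sfx)), self.default)
        return REJECT if hop is None else hop.handle(username, password, path)

def build_confederation():
    """Builds TLRS, two FLRSs and two institutions; returns the visited SP."""
    inst_b = RadiusServer("university_b.hr", {"university_b.hr": {"joe": "s3cret"}})
    inst_1 = RadiusServer("inst-1.pt", {"inst-1.pt": {"ana": "pw1"}})
    flrs_hr, flrs_pt, tlrs = RadiusServer("FLRS.HR"), RadiusServer("FLRS.PT"), RadiusServer("TLRS")
    flrs_hr.routes["university_b.hr"], flrs_pt.routes["inst-1.pt"] = inst_b, inst_1
    tlrs.routes.update({"hr": flrs_hr, "pt": flrs_pt})
    inst_b.default, inst_1.default = flrs_hr, flrs_pt
    flrs_hr.default = flrs_pt.default = tlrs
    return inst_1

def roam(sp, username, password):
    """Authenticate a visitor at SP 'sp'; returns (result, servers traversed)."""
    path = []
    return sp.handle(username, password, path), path

def probe(sp, username, password):
    """Monitoring check: both the Accept and the Reject workflow must work."""
    accept_ok = roam(sp, username, password)[0] == ACCEPT
    reject_ok = roam(sp, username, password + "-wrong")[0] == REJECT
    return accept_ok and reject_ok
```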
Monitoring servers
[Diagram: monitoring client, TLRS, FLRS and monitoring database]
Monitoring infrastructure
[Diagram: monitoring client, several TLRS(s) and FLRS(s), and the monitoring database]
Testing on demand
[Diagram: monitoring client testing from realm A via its FLRS(s) and the TLRS(s) towards the FLRS(s) of realm B, with the monitoring database]
eduroam database
• The information stored in the eduroam database includes:
– NRO representatives and respective contacts
– Local institutions' (both SP and IdP) official contacts
– Information about eduroam hot spots (SP location, technical info)
– Monitoring information
– Information about the usage of the service
• NROs:
– should provide respective data (general and usage data)
– in the defined XML format available at the specified URL address
– should be accessible only from the eduroam database server
User support: problem escalation scenario (1)
[Diagram: user, local institution admin and federation-level admin in the visited federation; federation-level admin and local institution admin in the home federation; OT at confederation level; escalation steps numbered 1–4]
User support: problem escalation scenario (2)
[Diagram: the same parties; escalation steps numbered 1–6, including alternatives 4a and 4b]
Implementation plan
[Timeline: milestones M37 (Sep 07), M40 (Dec 07), M41 (Jan 08), M42 (Feb 08), M43 (Mar 08), M44 (Apr 08), M48 (Aug 08), M54 (Feb 09); work items: service definition & policy, monitoring, web site, TTS, eduroam database]
eduroam current status: connected to the TLRSs
• 33 countries
• 2 TLRSs
eduroam current status: monitored TLRS/FLRS
• monitoring service is in place
• will be publicly available via www.eduroam.org (end of April 2008)
• further development is planned
eduroam current status: demographics/user maps
• demographics info:
– no. of SPs, IdPs
– location of SPs
– usage
– coverage
– contacts
• user oriented maps
• based on eduroam database
• will be publicly available via www.eduroam.org (end of April 2008)
• further development is planned
http://www.eduroam.org