eduroam – Roam In a Day
Louis Twomey, HEAnet Limited. HEAnet Conference 2006, 9th November 2006
The issue: Roaming users need Internet access
• Grief for roaming users:
– Need to arrange/agree network access in advance.
– Need to remember temporary account details.
• Grief for visited sites:
– Create temporary/guest accounts (management overhead, security concerns, etc.).
– Users accessing resources may be effectively anonymous.
A solution: eduroam
• Formalised approach to educational roaming.
• Uses existing user accounts and authentication mechanisms:
– Users don't have to remember details of another account.
– No need for temporary/guest accounts at visited sites.
– Users not anonymous (= more accountable).
• The eduroam infrastructure is based on mutual trust between sites.
• eduroam is a GN2 (Joint Research Activity 5) project.
eduroam maps
The national eduroam gateway
• Dell 2850 server with gigabit network interface, located on network backbone (hosting facility at Servecentric).
• FreeRADIUS running on Debian Linux.
• Configured to communicate with the European gateways (operated by SURFnet).
• Configured to communicate with each Irish eduroam member institution.
• Installed and maintained by HEAnet.
Authentication elements
• 802.1X elements:
– Supplicant: Software on client device.
– Authenticator: Wireless AP.
– Authentication Server: The home Radius server.
• Realm: The domain portion of username.
• Resource Provider: Visited site.
• Identity Provider: Home institution.
Authentication architecture
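The routing decision a national gateway makes for each forwarded Access-Request, shown as an added worked example (this is not HEAnet's gateway code). It takes the outer identity, extracts the realm, and forwards to a registered member's Radius server, to the European gateway, or rejects. The realm table, the hostnames and the shared-secret values are constructed placeholders.

```python
"""Realm-based proxy routing as performed by a national eduroam gateway.

Added example, not the gateway's real code. Member realms, hostnames and
secrets below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    target: str   # next-hop RADIUS server
    secret: str   # shared secret for that hop (placeholder values only)


# Constructed table of Irish member institutions registered with the gateway.
LOCAL_REALMS = {
    "example-uni.ie": Route("radius.example-uni.ie", "CHANGE-ME-1"),
    "example-it.ie": Route("radius.example-it.ie", "CHANGE-ME-2"),
}

# Any other well-formed realm is handed to the European top-level gateway
# (hostname is a placeholder).
DEFAULT_ROUTE = Route("etlr.example.net", "CHANGE-ME-TLR")


def parse_realm(username: str) -> Optional[str]:
    """Return the realm part of a user@realm identity, or None if malformed.

    Only the outer (EAP) identity is visible to the gateway; with TTLS the
    real username travels inside the TLS tunnel, so the realm is all that is
    needed here.
    """
    if username.count("@") != 1:
        return None
    user, realm = username.split("@")
    realm = realm.strip().lower()
    if not user or not realm or "." not in realm:
        return None
    return realm


def route_request(username: str, local_suffix: str = ".ie") -> Optional[Route]:
    """Decide where the gateway forwards an Access-Request.

    Returns None when the request must be rejected locally: no realm, a
    malformed realm, or an Irish realm that is not a registered member.
    Forwarding an unknown Irish realm to Europe would only bounce it back
    and create a proxy loop, so it is rejected here instead.
    """
    realm = parse_realm(username)
    if realm is None:
        return None
    if realm in LOCAL_REALMS:
        return LOCAL_REALMS[realm]
    if realm.endswith(local_suffix):
        return None
    return DEFAULT_ROUTE


if __name__ == "__main__":
    for ident in ("alice@example-uni.ie", "bob@uni.example.de",
                  "eve@unknown.ie", "nobody"):
        route = route_request(ident)
        print(ident, "->", route.target if route else "REJECT")
```

The same decision runs, with the roles reversed, at each member site: requests for the site's own realm are authenticated locally and everything else is proxied upward to the national gateway.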
How do I join?
• Integrate local authentication server into Irish eduroam infrastructure:
– Facilitates your roaming users at other eduroam sites.
• Implement wireless LAN access at your site for roaming users:
– Facilitates visiting eduroam users at your site.
Integrate authentication server into eduroam
• Register your Radius server with national gateway.
• Radius server may be existing authentication server or new server which proxies to it.
• Consider where server sits within local network topology.
• Should install public SSL certificate on Radius server.
• Maintain accounting logs of own user sessions.
• Radius server options: FreeRADIUS, Radiator, Cisco ACS Server, etc.
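What the member-site integration looks like in FreeRADIUS, as an added example rather than HEAnet's or any institution's actual configuration. It uses FreeRADIUS 3 syntax (newer than the 2006 deck), and the gateway address, the realm "example-uni.ie" and the secret are constructed placeholders: the national gateway is defined as a trusted client (so it may send requests for visiting users) and as the home server for every realm that is not the site's own.

```conf
# clients.conf: the national gateway is allowed to send Access-Requests to us
# (visiting users of ours being authenticated elsewhere are proxied back here).
client national-gateway {
    ipaddr = 192.0.2.10                    # placeholder address
    secret = CHANGE-ME                     # shared secret agreed with HEAnet
    require_message_authenticator = yes    # reject requests without Message-Authenticator
    nas_type = other
}

# proxy.conf: where to send everything that is not ours.
home_server national-gateway {
    type = auth+acct
    ipaddr = 192.0.2.10                    # placeholder address
    port = 1812
    secret = CHANGE-ME
    status_check = status-server           # detect a dead gateway instead of timing out
}

home_server_pool eduroam-gw {
    type = fail-over
    home_server = national-gateway
}

# Our own realm: an empty block means "authenticate locally, never proxy".
realm example-uni.ie {
}

# Every other realm (visitors at our APs) goes up to the national gateway.
# nostrip keeps user@realm intact so the gateway can route on the realm.
realm DEFAULT {
    auth_pool = eduroam-gw
    acct_pool = eduroam-gw
    nostrip
}
```

Requests with no realm at all fall into DEFAULT too; a site that does not want to proxy bare usernames can add an explicit `realm NULL` block that is handled locally, or reject them in the authorize section.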
Implement wireless LAN
• Wireless APs must support 802.1X.
• Web redirect and VPN access are deprecated.
• SSID should be 'eduroam'.
• Can provide eduroam service via existing wireless access network (multiple SSIDs and a VLAN per SSID).
• Define policy for user access.
• Maintain accounting logs of visiting user sessions.
Sample site architectures
Security
• Radius server:
– Secret key shared with national gateway.
– Restrict access to local Radius server (harden OS, ACLs, firewall, monitoring, etc.).
• Wireless LAN:
– 802.1X (restrict layer 2 access to wireless APs).
– EAP (“hides” user authentication details from all but supplicant and authenticating server).
– TLS/TTLS (SSL certificate on server, and potentially on clients too).
– Authentication can be via password, token, client certificate, etc.
Requirements on client device
• Device may be a laptop, mobile phone, PDA, etc.
• Client software must support 802.1X.
• Client software must support cipher in use at visited site.
• Examples of clients:
– WinXP wireless client
– MacOS wireless client
– wpa_supplicant (Linux, BSD, Windows)
– SecureW2 (EAP-TTLS client)
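A wpa_supplicant network block for a roaming user, added here as an example of the client-side requirements above (it is not from the deck or from any institution's documentation). The realm "example-uni.ie", the CA bundle path and the password are constructed placeholders. The two points a practitioner should take from it: the outer identity carries only the realm, and the home server's certificate is validated, so the user's credentials are never handed to a rogue AP advertising the same SSID.

```conf
# Added example: wpa_supplicant.conf for an eduroam user of example-uni.ie
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="eduroam"                  # the SSID every eduroam site advertises
    key_mgmt=WPA-EAP                # 802.1X/EAP, not a pre-shared key
    eap=TTLS                        # EAP-TTLS: TLS tunnel to the home Radius server

    # Outer identity: only the realm is needed for proxy routing, so the
    # username stays hidden from the visited site and intermediate proxies.
    anonymous_identity="anonymous@example-uni.ie"
    identity="jbloggs@example-uni.ie"   # inner identity, sent inside the tunnel
    password="CHANGE-ME"
    phase2="auth=MSCHAPV2"          # inner method, as required by the home server

    # Validate the home server: trusted CA bundle plus a check on the name in
    # its certificate, otherwise any AP could terminate the TLS tunnel itself.
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_suffix_match="example-uni.ie"
}
```

Older wpa_supplicant releases (contemporary with this deck) lack `domain_suffix_match` and use `subject_match` for the same purpose; leaving both out, so that any certificate is accepted, is the single most common weakness in eduroam client setups.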
Future directions for eduroam
• Current model is inflexible and doesn't scale well.
• Desirable features:
– Peer discovery (DNS, DNSSEC).
– Trust establishment (PKI, DNSSEC).
• Various technologies: DIAMETER, RadSec, etc.
• eduroam-NG (eduroam Next Generation).
• Possible integration with eduGAIN (European AAI).
Other resources
• www.eduroam.ie
– Info for Irish sites.
• www.eduroam.org
– Info on the eduroam project as a whole.
• www.eduroam.edu.au
– Info on Australian implementation, with some useful documentation relevant to any eduroam site.
– Mailing list for HEAnet clients' technical staff.