TF-Mobility meeting
Results of the TF-Mobility group
James Sankar
8 August 2004
Geant2 – JRA5 meeting
TF-Mobility group
Current Status
• Taskforce officially ended June 2004.
• Almost all deliverables are complete.
• End of taskforce report written.
• New charter written for approval.
• New TF-Mobility “kick-off” meeting on Friday 10 September in Berlin.
End of taskforce report
Details on the following deliverables
– A: Website
– B: Glossary
– C: Requirements definition
– D: Web-based inventory
– E: 802.1X inventory
– F: VPN inventory
– G: Preliminary selection for inter-NREN roaming
• Interoperable design for 802.1X, web redirection and VPN.

| User with / Site uses | 802.1X | VPN | Web-based |
|---|---|---|---|
| 802.1X | Okay | Work reqd | Work reqd |
| VPN | Okay | Work reqd | Work reqd |
| web | Work reqd | Work reqd | Okay |
– H: Test bed and reference design for inter-NREN roaming
• To support both types of network authentication, two logically separated networks on the radio layer are needed.

| Approach / Technology | 802.1X | VPN | Web-based |
|---|---|---|---|
| Encrypted radio | Yes | No | No |
| RADIUS backend | Yes | No | Yes |

• Access points must be capable of multiple SSIDs and (multiple) VLAN assignment.
• CASG tests were successful across NRENs.
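
As an added example (not part of the TF-Mobility report), the reference design for deliverable H can be checked mechanically: the Python below treats each "Yes" in the table as a requirement and verifies that 802.1X and open (VPN, web) access sit on different SSIDs and VLANs. The `Ssid` record, the sample SSID names and the VLAN numbers are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Reference-design table from deliverable H:
# access method -> (encrypted radio, RADIUS backend)
REFERENCE = {"802.1X": (True, True), "VPN": (False, False), "web": (False, True)}


@dataclass(frozen=True)
class Ssid:
    """One SSID on an access point (hypothetical inventory record)."""
    name: str
    method: str      # key of REFERENCE
    vlan: int
    encrypted: bool  # radio-layer encryption enabled
    radius: bool     # authentication backed by a RADIUS server


def check_ap(ssids):
    """Return findings for one access point; an empty list means it conforms."""
    findings = []
    known = [s for s in ssids if s.method in REFERENCE]
    for s in ssids:
        if s.method not in REFERENCE:
            findings.append(f"{s.name}: unknown access method {s.method!r}")
    for s in known:
        need_enc, need_radius = REFERENCE[s.method]
        if need_enc and not s.encrypted:
            findings.append(f"{s.name}: {s.method} requires an encrypted radio link")
        if need_radius and not s.radius:
            findings.append(f"{s.name}: {s.method} requires a RADIUS backend")
    # Encrypted (802.1X) and open (VPN, web) access must be logically separated
    # on the radio layer: different SSID and different VLAN.
    secure = [s for s in known if REFERENCE[s.method][0]]
    open_ = [s for s in known if not REFERENCE[s.method][0]]
    for a in secure:
        for b in open_:
            if a.name == b.name:
                findings.append(f"{a.name}: shared by {a.method} and {b.method}")
            if a.vlan == b.vlan:
                findings.append(f"VLAN {a.vlan}: shared by {a.name} and {b.name}")
    return findings


# Constructed sample layouts (SSID names and VLAN numbers are made up).
GOOD = [Ssid("roam-1x", "802.1X", 10, True, True),
        Ssid("roam-open", "web", 20, False, True)]
BAD = [Ssid("roam-1x", "802.1X", 10, False, True),
       Ssid("roam-open", "VPN", 10, False, False)]
```
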
– I: Inter-NREN roaming policy (1)
• Vision:
– Create a collaborative environment, nationally and internationally
– Offer an automated authentication network access service
– Offer a service that is recognisable to the academic community
– Respect visited organisation AUP, follow home organisation AUP
– Once authenticated the visited organisation will “trust” the response from the user’s home organisation and grant network access based on local site policy.
– I: Inter-NREN roaming policy (2)
• General principles
– Roaming access to authorised users only (authenticated at home institution)
– All roaming users are responsible for own credentials and abiding by roaming AUP.
– Visited institutions
» must provide a recognisable service for guest users.
» must state whether the transmission of user credentials is secure.
» have the right to block any roaming user, academic institution or NREN from network access
– Home institution is responsible for educating own users who use the service.
– Participants should provide feedback to institutions, who may escalate to the NREN or on rare occasions to TERENA.
• Policies
– TERENA level: TERENA and NRENs
– NREN level: NRENs and Institutions
– J/K: Wireless LAN information
• Product-testing Matrix (WLAN devices)
• A rich source of information about product testing can be found at: http://www.uninett.no/wlan/
• More wireless information on a variety of topics can be found at: http://www.ja.net/development/network_access/wireless/wag/wireless-info.html
– L: MobileIP (currently being drafted)
• Network Access and IPv6
– Commercial web-based redirect does not support IPv6; it would be interesting to investigate NoCatAuth (+ IPv6 capability)
– IPv6-capable VPNs are still in their infancy
– 802.1X allows IPv6 admittance (as it works at Layer 2); some early work on IPv6 RADIUS lookup (supported by latest version of RADIATOR and FREERADIUS patch)
• RADIUS servers
– Option to deploy dual-stack RADIUS to support IPv4/v6 lookups
• MIPv6 (RFC3775)
Update on national roaming developments across Europe.

| Country | Current Status (June 2004) | Active Institutions |
|---|---|---|
| Croatia | National RADIUS hierarchy established in February 2003 with LDAP directory tie in. Currently primary network access is via 802.1X | 197 |
| Czech Republic | National RADIUS servers deployed and being tested, their priority is 802.1X, however they will support other methods and have applied for IP addresses for CASG | |
| Denmark | Installed redundant NRPS (RADIATOR), offered to host top level secondary servers. Call for participation – mid June 2004 | |
| Finland | Provide national roaming via web-based redirect, considering 802.1X. 20 realms registered so far. | 12 |
| Germany | DFNRoaming pilot started Jan 2004 based on 802.1X. Also supporting web and VPN. | 15 |
| Greece | Joined European RADIUS in June 2004. National University of Athens registered. | 1 |
| Netherlands | Eduroam 802.1X service launched, 50 institutions participating, 15 provide WLAN roaming access. Also supporting web-based via A-Select authentication system. | 15 |
| Norway | FEIDE (Federated ID for Education) will be a user database / PKI authentication system in parallel to RADIUS, currently advising on 802.1X | |
| Portugal | Currently 8 pilot institutions using VPN, 802.1X or web based access. 7 of the 8 institutions have roaming in place. | 7 |
| Spain | MovIRIS is a national mobility initiative, currently 7 organisations are involved, this is a focus on VPN and NoCAT solutions. | 7 |
| Switzerland | SWITCHmobile is a VPN based solution that currently supports 15 active institutions, more to follow soon. | 15 |
| UK | UKERNA have launched a LIN trial based on RADIUS (RADIATOR) with support to a variety of network access methods that support mutual authentication. Currently there are 6 participants, a national trial will begin shortly. Other work include a national VPN solution (RUGIT). | 6 |
| Total Active institutions | | 275 |
Eduroam participants
Available online as a clickable map to NREN specific web pages.
http://www.terena.nl/tech/task-forces/tf-mobility/eduroam/index.html
• Conclusions
– No single national roaming solution can support all inter-NREN roaming requirements.
– Interoperable solutions (RADIUS, CASG) were designed, built and tested.
– Interest in Inter-NREN roaming has grown.
– Roaming Policies introduced.
– Valuable work on access points and WLAN clients produced.
– The impact of MobileIP / IPv6 considered.
• Recommendations
– Continue work already done
– Draft a broader charter
• Develop a roaming service
• Extend roaming access beyond NRENs
• Develop more secure, flexible and accountable roaming services by integrating with AAI solutions