Federated peering the NREN way: eduGAIN and eduroam


The European eduroam confederation
Klaas Wierenga
10th Meeting of Computing Centres (10º Encontro de Centros de Informática)
Universidade do Porto, 8 March 2007
Contents
• Intro
• eduroam
• The European eduroam confederation
  – European level
  – NREN level
  – Institutional level
• Integration with other federations
  – DAMe
• Summary
High-quality internet for higher education and research
eduroam members
Portugal and The Netherlands sometimes do have successful collaboration... ;-)
eduroam
The goal of eduroam
• "open your laptop and be online"
• To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world, enabling seamless sharing of network resources
eduroam
Diagram (labels only): Supplicant -> Authenticator (AP or switch) -> RADIUS server of University A (visited site, where piet@university_b.nl is a guest) -> SURFnet central RADIUS proxy server -> RADIUS server of University B (home) -> User DB. Signalling and data paths are drawn separately; the diagram shows an Employee VLAN, a Student VLAN and a Commercial VLAN at the visited site.
• Trust based on RADIUS plus policy documents
• 802.1X
• (VLAN assignment)
Eduroam interactions
Diagram (labels only): Resource (AP) -> RADIUS@visited -> RADIUS + TLS channel(s) through the eduroam hierarchy -> RADIUS@home -> Id Repository.
The slide overlays a Radiator debug trace of one request; its two columns are separated below.

Packet dump:
Tue Oct 10 00:05:15 2006: DEBUG: Packet dump:
*** Received from 145.99.133.194 port 1025 ....
Code:       Access-Request
Identifier: 1
Authentic:  k<145><206><152><185><0><0><0><249><26><0><0><208>D<1><16>
Attributes:
        User-Name = "[email protected]"
        NAS-IP-Address = 145.99.133.194
        Called-Station-Id = "001217d45bc7"
        Calling-Station-Id = "0012f0906ccb"
        NAS-Identifier = "001217d45bc7"
        NAS-Port = 55
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        EAP-Message = <2><0><0>-<1>[email protected]
        Message-Authenticator = <27>`y<208><232><252><177>.<160><230><177>I<218><243>\

Handling trace:
Tue Oct 10 00:17:32 2006: DEBUG: Handling request with Handler 'TunnelledByTTLS=1, Realm=/guest.showcase.surfnet.nl/i'
Tue Oct 10 00:17:32 2006: DEBUG: Deleting session for Klaas.Wierenga@guest.showcase.surfnet.nl, 145.99.133.194,
Tue Oct 10 00:17:32 2006: DEBUG: Handling with Radius::AuthFILE: SC-GUEST-ID
Tue Oct 10 00:17:32 2006: DEBUG: Reading users file /etc/radiator/db/showcase-guest-users
Tue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE looks for match with Klaas.Wierenga@guest.showcase.surfnet.nl [Klaas.Wierenga@guest.showcase.surfnet.nl]
Tue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE ACCEPT: : Klaas.Wierenga@guest.showcase.surfnet.nl [Klaas.Wierenga@guest.showcase.surfnet.nl]
Tue Oct 10 00:17:32 2006: DEBUG: AuthBy FILE result: ACCEPT,
Tue Oct 10 00:17:32 2006: DEBUG: Access accepted for Klaas.Wierenga@guest.showcase.surfnet.nl
Tue Oct 10 00:17:32 2006: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code:       Access-Accept
Eduroam hierarchy
(virtual) eduroam root
  European root: .nl, .ac.uk, .dk, .pt, .es, ...
  APAN root: .au, .cn, ...
  (America's root): .edu, .us, ...
  ... (further regional roots)
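The routing decision each server in this hierarchy makes, as an added example (my code, not from the slides): the realm of the outer identity is matched against the longest known suffix and handed to the next hop, with the check a proxy should apply at each level (no realm: reject; own realm: authenticate locally; national proxy: only registered members of its own country). All host names, the member table and the example realms are constructed; the suffix-to-root table follows the tree above.

```python
# Added example, not from the slides: realm-based routing of an eduroam
# Access-Request through the hierarchy. All names and tables are constructed.
import re
REGION_OF = {"nl": "european", "ac.uk": "european", "dk": "european",   # suffix ->
             "pt": "european", "es": "european", "au": "apan", "cn": "apan",  # regional
             "edu": "americas", "us": "americas"}                         # root
ROOT_PROXY = {r: f"{r}-root.example" for r in ("european", "apan", "americas")}
NATIONAL_PROXY = {s: f"nren-proxy.{s}.example" for s in REGION_OF}
NL_MEMBERS = {"university_a.nl": "radius.university_a.nl",   # institutions registered
              "university_b.nl": "radius.university_b.nl"}   # with the Dutch proxy
REALM_RE = re.compile(r"^[a-z0-9_-]+(\.[a-z0-9_-]+)+$")

def parse_identity(outer_identity):
    """Split 'user@realm'; None when there is no realm a proxy could route on."""
    user, at, realm = outer_identity.rpartition("@")
    realm = realm.lower()
    return (user, realm) if at and REALM_RE.match(realm) else None

def routing_suffix(realm):
    """Longest known suffix, so 'cam.ac.uk' routes on 'ac.uk' rather than 'uk'."""
    parts = realm.split(".")
    for i in range(len(parts)):
        if ".".join(parts[i:]) in REGION_OF:
            return ".".join(parts[i:])
    return None

def route(outer_identity, level, local_realms=frozenset({"university_a.nl"}),
          members=NL_MEMBERS, my_suffix="nl", my_region="european"):
    """Decision of a server at `level`: ('local', realm), ('forward', hop) or ('reject', why)."""
    parsed = parse_identity(outer_identity)
    if parsed is None:
        return ("reject", "outer identity carries no routable realm")
    realm = parsed[1]
    if level == "institution":                    # University A's own RADIUS server
        if realm in local_realms:
            return ("local", realm)               # own user: check the local user DB
        return ("forward", NATIONAL_PROXY[my_suffix])  # guest: hand up to the NREN
    sfx = routing_suffix(realm)
    if sfx is None:
        return ("reject", f"no confederation is responsible for {realm}")
    if level == "national":                       # the NREN's central proxy
        if sfx != my_suffix:
            return ("forward", ROOT_PROXY[my_region])
        if realm not in members:
            return ("reject", f"{realm} is not a member of the .{my_suffix} federation")
        return ("forward", members[realm])        # home institution's RADIUS server
    region = REGION_OF[sfx]                       # level == "root"
    if region == my_region:
        return ("forward", NATIONAL_PROXY[sfx])
    return ("forward", ROOT_PROXY[region])        # peer with the other regional root
```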
The European eduroam confederation
Federations in European education
• Enable the sharing of educational resources
  – Network
    • eduroam
  – Applications
    • Shibboleth, PAPI, A-Select, Liberty
    • Federated with eduGAIN
• Require agreement on:
  – Responsibilities
  – Liability
  – Technology
  – Language
  – Standards
As Federations Grow
• The risk of dying of success
• Different communities, different needs
  – Not even talking about international collaboration
  – Different (but mostly alike) solutions
• Different is not the same as wrong, but...
• Further standardisation is imperative!
Policy and Legal Matters
• The PMA model has proven extremely useful
  – Consensual set of guidelines
  – Peer-reviewed accreditation
• Legal matters: Hic sunt leones (here be lions)
  – For techies like us
  – Privacy
  – Liability
  – More or less manageable in the case of (national) federations
eduroam confederations
• Regions have their own stage of development and pace
• Regions have their own regional policies (with delegation to national federations)
• Policies will be aligned as much as possible
The European eduroam policy
• Mutual access
• Home institutions are/remain responsible for their users abroad
• Members are European NRENs
• Members guarantee required security levels by their participants
• Members promote eduroam in their countries
• European eduroam may peer with other regions
• Set of technical recommendations (SSID!)
• Implemented by the eduroam service activity in Géant2
National Policies
• Mutual access
• Members are connected institutions
• Home institution is/remains responsible for its users' behaviour
• Home institution is responsible for proper user management
• Home and visited institution must keep sufficient log data
• Appropriate security levels
Institutional policy
I have to implement SSID eduroam!
I have to implement SSID eduroam!
I have to implement SSID eduroam!
I have to implement SSID eduroam!
I have to implement SSID eduroam!
I have to implement SSID eduroam!
I have to implement SSID eduroam!
I have to implement SSID eduroam!
I have to implement SSID eduroam!
I have to implement SSID eduroam!
I have to implement SSID eduroam!
I have to implement SSID eduroam!
I have to implement SSID eduroam!
Integration with eduGAIN
The eduGAIN model
Diagram (labels only): a home side (H-FPP, H-BE, Id Repository(ies)) and a remote side (R-FPP, R-BE, Resource(s)). Both Federation Peering Points publish metadata to the MDS, which answers metadata queries; the Bridging Elements carry the AA interaction. Lingua franca: SAML.

eduGAIN interactions
Diagram (labels only): the Requester (urn:geant2:...:requester, in front of the Resource) and the Responder (urn:geant2:...:responder, in front of the Id Repository) talk over TLS channel(s); both use the MDS at https://mds.geant.net/.
1. Metadata query to the MDS (?cid=someURN), answered with
   <EntityDescriptor ... entityID="urn:geant2:..:responder">
     . . .
     <SingleSignOnService ... Location="https://responder.dom/" />
     . . .
2. <samlp:Request ... RequestID="e70c3e9e6…" IssueInstant="2006-06…">
     . . .
   </samlp:Request>
3. <samlp:Response ... ResponseID="092e50a08…" InResponseTo="e70c3e9e…">
     . . .
   </samlp:Response>
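The requester-side checks for the exchange above, as an added example (my code, not from the slides or from any eduGAIN software): resolve the responder's entityID through the metadata, accept only a TLS endpoint, and accept a Response only if it answers our RequestID, carries a fresh ResponseID and reports success. The metadata document, entity IDs and response are constructed; the SAML 1.x attribute names follow the slide, and the signatures that real eduGAIN metadata and messages carry are left out.

```python
# Added example, not from the slides: requester-side checks for the eduGAIN
# metadata lookup and samlp:Request/Response exchange. All data is constructed.
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SP = "{urn:oasis:names:tc:SAML:1.0:protocol}"   # SAML 1.x protocol, as on the slide

# Constructed stand-in for what the MDS would return for a metadata query.
MDS_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="urn:geant2:example:responder">
    <IDPSSODescriptor><SingleSignOnService Location="https://responder.dom/"/></IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="urn:geant2:example:insecure">
    <IDPSSODescriptor><SingleSignOnService Location="http://responder.dom/"/></IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""

# Constructed response to a Request we sent with RequestID "e70c3e9e6-constructed".
RESPONSE = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
            'ResponseID="092e50a08-constructed" InResponseTo="e70c3e9e6-constructed" '
            'IssueInstant="2006-06-01T12:00:00Z"><samlp:Status>'
            '<samlp:StatusCode Value="samlp:Success"/></samlp:Status></samlp:Response>')

def sso_location(metadata_xml, entity_id):
    """Resolve an entityID to its SSO endpoint; only a TLS endpoint is acceptable."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(f"{MD}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        sso = ed.find(f"{MD}IDPSSODescriptor/{MD}SingleSignOnService")
        loc = sso.get("Location") if sso is not None else None
        return loc if loc and loc.startswith("https://") else None
    return None                                   # unknown entity: do not talk to it

def check_response(response_xml, expected_request_id, seen_response_ids):
    """Accept a samlp:Response only if it answers our request, is fresh and succeeded."""
    resp = ET.fromstring(response_xml)
    if resp.tag != f"{SP}Response":
        return (False, "not a samlp:Response")
    if resp.get("InResponseTo") != expected_request_id:
        return (False, "InResponseTo does not match our RequestID")
    rid = resp.get("ResponseID")
    if not rid or rid in seen_response_ids:
        return (False, "missing or replayed ResponseID")
    code = resp.find(f"{SP}Status/{SP}StatusCode")
    if code is None or code.get("Value") != "samlp:Success":
        return (False, "responder did not report success")
    seen_response_ids.add(rid)                    # remember it so a replay is refused
    return (True, rid)
```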
Deploying Authorization Mechanisms for Federated Services in eduroam (DAMe)
• DAMe is a project that builds upon:
  – eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard,
  – Shibboleth and eduGAIN
  – NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and the XACML (eXtensible Access Control Markup Language) standards.
First Goal: extending eduroam using NAS-SAML
Diagram (labels only): the eduroam setup from before (Supplicant -> Authenticator (AP or switch) -> RADIUS server of University A, where piet@university_b.nl is a guest -> SURFnet central RADIUS proxy server -> RADIUS server and User DB of University B), extended with a Policy Decision Point evaluating XACML and a Source Attribute Authority issuing SAML; signalling and data paths are drawn separately.
• User mobility controlled by assertions and policies expressed in SAML and XACML
Second: eduGAIN as AuthN and AuthZ backend
• Link between the AAA servers (now acting as Service Providers) and eduGAIN
Finally: Universal Single Sign On
• Users will be authenticated once, during the network access control phase
• The eduGAIN authentication would be bootstrapped from the NAS-SAML
• New method for delivering authentication credentials and new security middleware
• 4th goal: integrating applications, focusing on grids.
Summary
• Educational federations are happening
– And suffering their first growing pains
• Convergence to (small number of) standards
– 802.1X+ RADIUS
– The SAML orbit
• International confederations are emerging
– eduroam
– Géant2 AAI (eduGAIN)
– The twain will ever meet
– Using the same principles and standards
Thank you!
More info: [email protected]