Federated peering the NREN way: eduGAIN and eduroam


Future developments in eduroam
Klaas Wierenga
TERENA offices, 11th July 2007
Contents
- Intro
- eduroam
- The European eduroam confederation
- More robustness
- Integration with other federations
- Summary
eduroam
The goal of eduroam
“open your laptop and be online”
or
- To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world, enabling seamless sharing of network resources
eduroam
[Diagram: the eduroam authentication flow. A guest (piet@university_b.nl) at University A connects through a supplicant to an authenticator (AP or switch); the University A RADIUS server forwards the request via the SURFnet central RADIUS proxy server to the University B RADIUS server, which checks its user DB and answers; University A then places the user in the employee, student or commercial VLAN. Signalling and data paths are drawn separately.]
- Trust based on RADIUS plus policy documents
- 802.1X
- VLAN assignment
Eduroam hierarchy
[Diagram: a (virtual) eduroam root above the regional roots (European root, APAN root, America’s root, ...), which in turn sit above national realms such as .nl, .dk, .pt, .es, .ac.uk, .au, .jp, .edu, .us, ...]
Issues:
- Legal / Policy
- Robustness / Security
  - Static routing based on realm parsing
  - Credentials pass through intermediate systems
  - Transitive trust based on shared secrets
  - Dead peers hard to detect
- Authorisation
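To make the "static routing based on realm parsing" issue concrete, here is an added illustration (not code from the talk or from any eduroam proxy) that models the hierarchy drawn on the slide: institution, NREN (SURFnet), European root, virtual eduroam root. The routing tables, the node names other than SURFnet and university_b.nl, and the hop limit are constructed assumptions; the point is that every hop decides purely from a suffix match on the realm, so a missing or mis-typed entry silently rejects or loops a user.

```python
from typing import Optional

# Constructed routing tables, one per hop in the slide's hierarchy.
# Keys are realm suffixes; "" is the default (upward) route;
# a next hop of None means "home server, authenticate locally".
ROUTES = {
    "university_a.nl": {"university_a.nl": None, "": "SURFnet"},
    "university_b.nl": {"university_b.nl": None, "": "SURFnet"},
    "SURFnet": {"university_a.nl": "university_a.nl",
                "university_b.nl": "university_b.nl", "": "European root"},
    "European root": {"nl": "SURFnet", "dk": "dk-root", "ac.uk": "uk-root",
                      "": "eduroam root"},
    # The virtual root has no default route: realms it cannot place
    # are rejected rather than bounced between peers.
    "eduroam root": {"nl": "European root", "dk": "European root",
                     "ac.uk": "European root", "au": "APAN root",
                     "jp": "APAN root", "edu": "Americas root",
                     "us": "Americas root"},
}
MAX_HOPS = 8  # loop guard for two mis-configured peers pointing at each other

def parse_realm(user_name: str) -> Optional[str]:
    """Realm of an outer identity like piet@university_b.nl, or None if unusable."""
    if user_name.count("@") != 1:          # no realm, or ambiguous ("a@b@c")
        return None
    realm = user_name.split("@")[1].lower()
    if not realm or realm.startswith(".") or realm.endswith(".") or ".." in realm:
        return None
    return realm

def next_hop(node: str, realm: str):
    """Longest-suffix match in the node's table; returns (route_known, hop)."""
    table = ROUTES.get(node, {})
    hits = [s for s in table if s and (realm == s or realm.endswith("." + s))]
    if hits:
        return True, table[max(hits, key=len)]
    return ("" in table), table.get("")

def route(start: str, user_name: str):
    """Follow the static realm routing from `start`; returns (status, path)."""
    realm = parse_realm(user_name)
    path = [start]
    if realm is None:
        return "rejected", path
    node = start
    for _ in range(MAX_HOPS):
        known, hop = next_hop(node, realm)
        if not known:
            return "rejected", path     # no entry at this hop: request dropped
        if hop is None:
            return "home", path         # reached the realm's home server
        path.append(hop)
        node = hop
    return "loop", path                 # hop limit hit: peers forward in a circle
```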
The European eduroam confederation
Federations in European education
- Enable the sharing of educational resources
  - Network
    - eduroam
  - Applications
    - Shibboleth, PAPI, A-Select, Liberty
    - Federated with eduGAIN
- Require agreement on:
  - Responsibilities
  - Privacy
  - Liability
  - Technology
  - Language
  - Standards
eduroam confederations
- Regions have their own stage of development and pace
- Regions have their own regional policies (with delegation to national federations)
- Policies will be aligned as much as possible
The European eduroam policy
- Mutual access
- Home institutions are/remain responsible for their users abroad
- Members are European NRENs
- Members guarantee required security levels by their participants
- Members promote eduroam in their countries
- European eduroam may peer with other regions
- Set of technical recommendations (SSID!)
  - 802.1X
- Implemented by the eduroam service activity in Géant2
- Contains hooks to national policies
Robustness and security
RadSec/DNSROAM
- RADIUS packet format
- Transport: TCP (or SCTP)
- Encryption: TLS (optional)
  - TLS => PKI
- DNSROAM combines RadSec with DNS for dynamically locating the peer
- RadSec RFC is being worked on
Fully hierarchical
[Diagram: EU hierarchy root connected to the EU-level and country-level servers over RadSec links, with one link still carrying plain RADIUS.]
- First mixed mode
- Later DNSROAM?
Integration with eduGAIN
The eduGAIN model
[Diagram: a metadata service (MDS) to which the remote and home federation peering points (R-FPP, H-FPP) publish and query metadata; the remote bridging element (R-BE) fronts the resource(s) and the home bridging element (H-BE) fronts the Id repository(ies), with AA interaction between them. Lingua franca: SAML.]
DAMe
- Deploying Authorization Mechanisms for Federated Services in eduroam
- DAMe is a project that builds upon:
  - eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard,
  - Shibboleth and eduGAIN
  - NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) standards.
1st: Extension of eduroam with authZ
[Diagram: the eduroam flow of the earlier slide (supplicant, authenticator (AP or switch), University A and University B RADIUS servers with their user DBs, central RADIUS proxy server, guest piet@university_b.nl) extended with a Policy Decision Point and a Source Attribute Authority; XACML and SAML are exchanged alongside the RADIUS signalling and data paths.]
- User mobility controlled by assertions and policies expressed in SAML and XACML
2nd: eduGAIN AuthN+AuthZ backend
- Link between the AAA servers (now acting as Service Providers) and eduGAIN
3rd: Universal Single Sign On
- Users will be authenticated once, during the network access control phase
- The eduGAIN authentication would be bootstrapped from the NAS-SAML
- New method for delivering authentication credentials and new security middleware
4th goal: integrating applications, focusing on grids.
eduroam+NAS-SAML in context
- The proposal is functionally equivalent to the one discussed in SALSA-FWNA for RADIUS-SAML integration
- Compatibility and convergence are the natural way forward
- NAS-SAML is
  - From the inter-realm view, a Diameter binding for SAML
  - Already available, thus allowing for fast evaluation of ideas
- Agree in the basics
  - Data exchanged in RADIUS space
  - Relevant attributes
Summary
- Educational federations are happening
  - And suffering their first growing pains
- Getting more robust
  - RadSec
- Convergence to (small number of) standards
  - 802.1X + RADIUS
  - The SAML orbit
- International confederations are emerging
  - eduroam
  - Géant2 AAI (eduGAIN)
- The twain will ever meet
  - Using the same principles and standards
Thank you!
More info: [email protected]