eduroam towards a pan-European research and education


eduroam: a pan-European research and
education federation
RELARN 2007, N. Novgorod-Moscow
[email protected]
Contents
- Federations for education
- Federated network access: eduroam
- Conclusions
Federations
- Federations enable the sharing of resources
- A federation is constituted by a set of agreements between peers
- In a federation there needs to be a common language
- Federations can be part of bigger federations
- Federations can cooperate with other federations
First life was easy
[Diagram: University of Moscow with the faculties Physics, Arts and Social Sciences; one Network and one E-learning website; Student Vladimir]
Inter-faculty collaboration
[Diagram: University of Moscow with the faculties Physics, Arts and Social Sciences; each faculty with its own Network and E-learning website; Student Vladimir and Student Jelena]
Inter-institution collaboration
[Diagram: University of Moscow and University of Wladiwostok, each with the faculties Physics, Arts and Social Sciences and each faculty with its own Network and E-learning website; Student Vladimir and Student Jelena]
Life becomes easy again
[Diagram: a federation spanning University of Moscow and University of Wladiwostok; Student Vladimir reaches a Resource through the federation]
eduroam
Why eduroam?
Source: Sigmund, Peter de Wit
The goal of eduroam
“open your laptop and be online”
or
- To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world, enabling seamless sharing of network resources
eduroam
[Diagram: Access Point at University A; User DB at University B; Guest piet@university_b.nl; SURFnet as trusted third party (federation) between University A and University B]
- eduroam enables (federated) network access
- A trusted third party exists that guarantees that both peers are trustworthy; this is what allows the system to scale, because each institution only needs an agreement with the federation and not with every other institution
Requirements
- Identify users uniquely at the edge of the network
- No session hijacking
- Enable guest usage
- Scalable
- Local user administration and authentication
- Easy to install and use
- At most a one-time installation by the user
- Open
- Secure
Secure access to the network with 802.1X
[Diagram: Supplicant, Authenticator (AP or switch) and RADIUS server with User DB at University A; user [email protected]_a.nl; Internet; Employee VLAN, Commercial VLAN and Student VLAN]
Legend: 802.1X signalling; data; (VLAN assignment)
- The authenticator passes only 802.1X/EAP frames to the RADIUS server until it receives an Access-Accept; the reply can carry the VLAN (employee, student, commercial) the port is then placed in, so data traffic never flows before the user is authenticated
eduroam
[Diagram: Supplicant and Authenticator (AP or switch) at University A; RADIUS server with User DB at University A; Guest piet@university_b.nl; Central RADIUS proxy server at SURFnet; RADIUS server with User DB at University B; Employee VLAN, Commercial VLAN and Student VLAN]
- Trust based on RADIUS plus policy documents
Legend: 802.1X signalling; data; (VLAN assignment)
- University A's RADIUS server sees the foreign realm university_b.nl and forwards the request to the SURFnet proxy, which forwards it to University B; the guest's credentials are checked against University B's user DB and only the accept/reject (plus any VLAN assignment) travels back to University A
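The routing decision behind the two diagrams above (the 802.1X slide and the eduroam proxy slide) is driven entirely by the realm after the @ in the user's identity. The following is an added example, not code from the presentation or from any eduroam software: it simulates what each RADIUS server in the chain does with an Access-Request, including the rejections a practitioner has to handle (identity without a realm, realm nobody in the federation owns, country with no federation). All hostnames, realms and routing tables are constructed for illustration.

```python
"""Realm-based RADIUS request routing in the eduroam hierarchy.

Added example, not code from the presentation or from any eduroam
software. It simulates the decision each RADIUS server in the diagram
makes when an Access-Request arrives: authenticate against the local
user DB, forward to the national proxy, forward to another country's
proxy, or reject. Every hostname, realm and routing table below is
constructed for illustration.
"""

# Constructed tables (assumption): per country, realm -> institutional
# RADIUS server; and country code -> national federation proxy.
INSTITUTION_SERVERS = {
    "nl": {
        "university_a.nl": "radius.university_a.nl",
        "university_b.nl": "radius.university_b.nl",
    },
    "de": {"uni-example.de": "radius.uni-example.de"},
}
NATIONAL_PROXIES = {"nl": "proxy.surfnet.nl", "de": "proxy.dfn.de"}
MAX_HOPS = 5  # guard against a misconfigured table bouncing a request


def split_identity(identity):
    """Return (user, realm) from an identity such as piet@university_b.nl.

    Routing needs only the realm. With PEAP/TTLS the outer identity can
    be anonymous@realm; the real user name and password travel inside
    the TLS tunnel and are never needed by the proxies.
    """
    if "@" not in identity:
        return identity, ""
    user, realm = identity.rsplit("@", 1)
    return user, realm.strip().lower()


def country_of(realm):
    """Top-level label of a realm, used by national proxies."""
    return realm.rsplit(".", 1)[-1]


def trace_route(identity, visited_realm):
    """Follow an Access-Request for `identity` that enters the network at
    the institution owning `visited_realm`.

    Returns (outcome, hops, reason): outcome is "local", "home" or
    "reject"; hops is the list of RADIUS servers that handled the request.
    """
    _, realm = split_identity(identity)
    current_cc = country_of(visited_realm)
    hops = [INSTITUTION_SERVERS[current_cc][visited_realm]]

    # Hop 1: the visited institution's own RADIUS server.
    if not realm:
        return "reject", hops, "no realm in identity, nowhere to proxy"
    if realm == visited_realm:
        return "local", hops, "own user, checked against local user DB"
    # Any other realm is handed to the national proxy; the institution
    # needs no knowledge of foreign realms, which is what makes it scale.
    hops.append(NATIONAL_PROXIES[current_cc])

    # Hop 2 onwards: national proxies route by country code, then realm.
    while len(hops) < MAX_HOPS:
        target_cc = country_of(realm)
        if target_cc == current_cc:
            home = INSTITUTION_SERVERS[current_cc].get(realm)
            if home is None:
                return "reject", hops, f"realm {realm} is not a member of .{current_cc}"
            hops.append(home)
            return "home", hops, "delivered to home institution for authentication"
        if target_cc not in NATIONAL_PROXIES:
            return "reject", hops, f"no federation known for .{target_cc}"
        current_cc = target_cc
        hops.append(NATIONAL_PROXIES[current_cc])
    return "reject", hops, "hop limit reached, possible proxy loop"


if __name__ == "__main__":
    for ident in ("piet@university_b.nl", "anonymous@uni-example.de",
                  "anna@university_a.nl", "anna", "x@foo.xx"):
        outcome, hops, reason = trace_route(ident, "university_a.nl")
        print(f"{ident:28} {outcome:7} {' -> '.join(hops)}  ({reason})")
```

Note that the visited institution never looks inside the request beyond the realm: the guest's password is checked only by the home institution's server, which is why the policy documents between federation members matter as much as the RADIUS configuration.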
Tunneled authentication (PEAP/TTLS)
- Uses a TLS/SSL tunnel to protect the data
- The TLS tunnel is set up using the server certificate, thus authenticating the server and preventing man-in-the-middle attacks; this only holds if the supplicant actually validates the certificate against the expected CA and the expected server name, otherwise a rogue access point can present its own certificate and harvest the credentials sent inside the tunnel
- The user sends his credentials through the secure tunnel to the server, thus authenticating the user
[Diagram: 802.1X Client and EAP RADIUS Server; server authentication by the TLS tunnel; user authentication protected by the tunnel]
- Can use dynamic session keys for 'in the air' encryption
© Alfa&Ariss
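What the server-validation caveat looks like on the client side, as an added example in wpa_supplicant.conf syntax (not part of the presentation and not eduroam's own configuration; the options are those of current wpa_supplicant releases, which postdate this talk): the first profile builds the TLS tunnel to whatever server answers, the second pins the CA that issued the home RADIUS server's certificate, requires the expected server name, and uses an anonymous outer identity so that only the realm needed for routing is visible outside the tunnel. The realm, CA file path and RADIUS server name are assumed values.

```conf
# Weak profile (assumed values): no CA and no expected server name.
# The supplicant will complete a TLS tunnel with ANY server that
# presents a certificate, so a rogue "eduroam" access point running its
# own RADIUS server receives the inner MSCHAPv2 exchange.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="piet@university_b.nl"
    password="REPLACE-WITH-REAL-PASSWORD"
    phase2="auth=MSCHAPV2"
}

# Corrected profile (assumed values): pin the CA that issued the home
# institution's RADIUS server certificate, require the server name to
# match, and send only anonymous@realm as the outer identity. The realm
# is still visible because the proxies route on it; the user name and
# password only ever travel inside the TLS tunnel.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    anonymous_identity="anonymous@university_b.nl"
    identity="piet@university_b.nl"
    password="REPLACE-WITH-REAL-PASSWORD"
    ca_cert="/etc/ssl/certs/university_b-radius-ca.pem"
    domain_suffix_match="radius.university_b.nl"
    phase2="auth=MSCHAPV2"
}
```

Without ca_cert and a server-name match the tunnel still "works", which is why the weak profile is so common: the user sees a successful login and never notices that the server was not verified.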
eduroam status
- Over 500 institutions in Europe, Australia, Asia and the USA participate today
Conclusions
- Eduroam is here
- Eduroam works
- Eduroam is safe
- Eduroam is easy
- Eduroam is cool!
- So join……
More information
- eduroam in SURFnet: http://www.eduroam.nl
- eduroam in Europe: http://www.eduroam.org
- TERENA TF-Mobility: http://www.terena.nl/mobility
- Géant2 Joint Research Activity 5 (authorisation and roaming): http://www.geant2.net/ (click on research)
- The unofficial IEEE802.11 security page: http://www.drizzle.com/~aboba/IEEE