
Setting up an eduroam Service Provider


Presentation Transcript


  1. Setting up an eduroam Service Provider

  2. COURSE OBJECTIVES • By the end of the training, you will be able to: • Describe eduroam services and technology. • Implement a Service Provider in accordance with eduroam policy. • Deliver eduroam training to other organisations within your country. • The training will also give you the opportunity to provide feedback about eduroam and the eduroam service.

  3. COURSE OUTLINE • Module 1 – eduroam Overview. • Module 2 – Setting up an eduroam Service Provider. • Module 3 – Log Files, Statistics and Incidents. • Module 4 – Participant Feedback about eduroam Technology and Services.

  4. Module 1: eduroam Overview

  5. WHAT IS eduroam? eduroam: Stands for EDUcation ROAMing. Provides secure internet access for academic roamers. User experience - “Open your laptop and be online.”

  6. WHY eduroam? Researchers: Travel with WLAN-enabled notebooks. Want transparent, secure network access. Want similar experience at visited institution as home. Experience facilitated by seamless sharing of network resources. Better for roamers, easier for administrators.

  7. A BRIEF HISTORY OF eduroam (1) Initially developed out of the TERENA Mobility Task Force. Now part of the GÉANT2 project: Joint Research Activity 5 (JRA5). Roaming and Authorisation. Aim: Research and develop roaming infrastructure enabling full mobility for European scientific community.

  8. A BRIEF HISTORY OF eduroam (2) Service Activity 5 (SA5). eduroam Service Activity. Build on JRA5 work. Roll-out and maintain operational pan-European eduroam service. Realise “Open Your laptop and be online”.

  9. HIGH-LEVEL REQUIREMENTS The eduroam design: Enables guest usage of visited networks. Guarantees reasonable security and data integrity. Identifies users uniquely at the network’s edge. Complies with privacy regulations. Is verifiable. Is open. Is scalable, robust, easy to install and use. Local user administration and authentication.

  10. eduroam: AUTHENTICATION AND AUTHORISATION Authentication: Is the user who they say they are? Carried out by user’s home institution. Authorisation: What network access should the user be granted? Determined by visited institution.

  11. TERMINOLOGY AND CONCEPTS Home institution = Identity Provider. Provides identity management database. Responsible for user authentication. Visited institution = Service Provider. Provides network infrastructure (e.g. access points, VLANs, internet access, RADIUS servers). Responsible for user authorisation.

  12. AUTHENTICATION AND 802.1x (1) eduroam uses IEEE 802.1x. Layer 2 port-based Network Access Control standard. Detects user at network’s edge. Network’s edge = a port on Network Access Server (NAS). NAS could be: A Wireless Access Point. An 802.1x compatible wired switch.

  13. AUTHENTICATION AND 802.1x (2) Until identity is proven: Allows only 802.1x Extensible Authentication Protocol (EAP) traffic to enter the network. All other traffic (e.g. DHCP, HTTP) blocked at data link layer.

  14. AUTHENTICATION AND 802.1x (3) Advantages of 802.1x: Uses EAP, which allows several authentication methods; therefore compatible with a range of authorisation protocols, e.g. TLS, TTLS, PEAP. Secure: Encrypts all data using dynamic keys. Easy to integrate with dynamic VLAN assignment (802.1q). Scalable: RADIUS back-end re-uses existing trust relationships. 802.1x supplicants (clients) easy to find and configure: Mac OS X, Windows XP, 2000, Vista: built-in supplicants. UNIX and Linux: supplicants readily available.

  15. AUTHENTICATION AND 802.1x (3) [Diagram: 802.1x authentication flow at Institution A. Supplicant, EAPOL, Authenticator (AP or switch), EAP over RADIUS, RADIUS server, User DB (f.i. LDAP). Example identity: jan@student.institution_a.nl. Signalling and data paths are drawn separately; data reaches the Guest VLAN, Employee VLAN or Student VLAN and the Internet.]

  16. THE AUTHENTICATION PROCESS (1) Steps: User opens laptop in range of Network Access Server (NAS). Attempts to connect to SSID ‘eduroam’. NAS detects new supplicant. Port enabled and set to ‘unauthorised’. Only 802.1x traffic allowed; other traffic blocked.

  17. THE AUTHENTICATION PROCESS (2) Steps (Continued): NAS sends out Extensible Authentication Protocol (EAP) request. Supplicant returns credentials in EAP response. Logs on using same credentials as at home. NAS forwards credentials to user’s Identity Provider. Identity Provider validates credentials against local user database. Validation forwarded to Service Provider. Port set to ‘authorized’. Normal traffic is allowed.
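
The logon steps on slides 16 and 17, simulated in Python as an added example (this is not code from the course or from eduroam). The NAS port, the supplicant's frames and the Identity Provider's credential check are modelled in-process with constructed sample data (a constructed identity and password, the EAPOL ethertype 0x888E); the point it shows is the controlled port: everything except EAPOL is dropped until the Identity Provider's verdict arrives, and an Access-Reject leaves the port closed.

```python
"""Simulation of an 802.1X-controlled NAS port during the eduroam logon.

Added example, not material from the course. The NAS (access point or
switch), the supplicant's frames and the Identity Provider's user check
are modelled in-process with constructed sample data; a real NAS does this
in firmware and reaches the IdP with EAP carried over RADIUS.
"""
from dataclasses import dataclass, field

ETHERTYPE_EAPOL = 0x888E   # EAP over LAN: the only traffic an unauthorised port passes
ETHERTYPE_IPV4 = 0x0800    # carries DHCP, HTTP, ...: blocked until the port is authorised


@dataclass
class Frame:
    ethertype: int
    payload: str


@dataclass
class Port:
    """State of one NAS port (one associated client). Starts unauthorised."""
    authorized: bool = False
    log: list = field(default_factory=list)


# Constructed home-institution user database (identity -> password). In a real
# deployment the password never leaves the EAP/TLS tunnel that ends at the IdP.
IDP_USERS = {"jan@student.institution_a.nl": "constructed-password"}


def filter_frame(port: Port, frame: Frame) -> bool:
    """Port-based access control: only EAPOL passes while the port is unauthorised."""
    allowed = port.authorized or frame.ethertype == ETHERTYPE_EAPOL
    port.log.append(f"{'pass' if allowed else 'drop'} 0x{frame.ethertype:04X} {frame.payload}")
    return allowed


def idp_validate(identity: str, password: str) -> str:
    """Identity Provider checks the credentials and answers with a RADIUS code."""
    return "Access-Accept" if IDP_USERS.get(identity) == password else "Access-Reject"


def nas_authenticate(port: Port, identity: str, password: str) -> str:
    """NAS forwards the EAP response towards the IdP and applies the verdict to the port."""
    verdict = idp_validate(identity, password)   # stands in for EAP over RADIUS via the proxies
    port.authorized = verdict == "Access-Accept"
    port.log.append(verdict)
    return verdict


def logon_sequence(identity: str, password: str) -> dict:
    """Run the slides' steps: DHCP blocked, EAP passes, verdict applied, DHCP retried."""
    port = Port()
    dhcp_before = filter_frame(port, Frame(ETHERTYPE_IPV4, "DHCP Discover"))
    eapol = filter_frame(port, Frame(ETHERTYPE_EAPOL, "EAP-Response/Identity"))
    verdict = nas_authenticate(port, identity, password)
    dhcp_after = filter_frame(port, Frame(ETHERTYPE_IPV4, "DHCP Discover"))
    return {"dhcp_before": dhcp_before, "eapol": eapol, "verdict": verdict,
            "dhcp_after": dhcp_after, "log": port.log}


if __name__ == "__main__":
    for pw in ("constructed-password", "wrong"):
        print(logon_sequence("jan@student.institution_a.nl", pw))
```

The log kept on the port is what a Service Provider would want from a real NAS when a user reports "no IP address": it shows whether the DHCP frame was dropped because the port was still unauthorised, which distinguishes an authentication failure from a network problem.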

  18. FORWARDING THE USER’S CREDENTIALS (1) • User’s credentials forwarded via hierarchy of RADIUS servers:

  19. FORWARDING THE USER’S CREDENTIALS (2) Realm-based proxying: User names in format: “user@realm’s DNS-like domain name”. Used to forward request to next hop in hierarchy. Institution’s RADIUS server only communicates with: Its federation’s RADIUS server. Its institution’s NASs. Shared secrets authenticate other servers in hierarchy.

  20. FORWARDING THE USER’S CREDENTIALS (3) European confederation has Top-Level RADIUS servers (ETLRs): In the Netherlands, and In Denmark. Each has a list of connected country domains: .nl, .dk, .hr, .de etc. Each ETLR: Accepts requests for its connected countries. Forwards them to the appropriate Federation Level RADIUS server. Forwards requests for other countries to the other ETLR.

  21. FORWARDING THE USER’S CREDENTIALS (4) Federation Top Level RADIUS servers (FTLRs): One for each National Roaming Operator (NRO). Hold lists of connected institution servers and associated realms. Forwards requests to appropriate institution’s server, or Forwards requests to its ETLRs.

  22. FORWARDING THE USER’S CREDENTIALS (5) Institutional RADIUS Servers: Forward requests from roamers to their FTLRs.
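
Realm-based proxying through the hierarchy of slides 18 to 22, as an added Python example (not code from the course or from any eduroam operator). The server names, the country lists of the two ETLRs and the realm lists of the FTLRs are constructed; the routing rules are the ones on the slides: an institution only talks to its FTLR, an FTLR to its institutions and its ETLR, an ETLR to its FTLRs and the other ETLR. It goes slightly beyond the slides in showing what happens to a realm nobody serves: the request is rejected instead of looping between the two ETLRs.

```python
"""Realm-based RADIUS proxying through the eduroam hierarchy.

Added example, not part of the course material. Server names, the country
lists of the two ETLRs and the realm lists of the FTLRs are constructed;
shared secrets between the servers are not modelled.
"""

# Constructed hierarchy: role, upstream server ("up"), and what each server serves.
SERVERS = {
    "radius.institution_a.nl": {"role": "inst", "up": "ftlr.nl", "local": {"institution_a.nl"}},
    "radius.university_b.hr":  {"role": "inst", "up": "ftlr.hr", "local": {"university_b.hr"}},
    "ftlr.nl": {"role": "ftlr", "up": "etlr.nl",
                "realms": {"institution_a.nl": "radius.institution_a.nl"}},
    "ftlr.hr": {"role": "ftlr", "up": "etlr.dk",
                "realms": {"university_b.hr": "radius.university_b.hr"}},
    "etlr.nl": {"role": "etlr", "peer": "etlr.dk", "countries": {"nl": "ftlr.nl"}},
    "etlr.dk": {"role": "etlr", "peer": "etlr.nl", "countries": {"dk": "ftlr.dk", "hr": "ftlr.hr"}},
}


def realm_of(user_name):
    """'user@realm' -> 'realm' (lower-cased); None when there is no realm."""
    return user_name.rsplit("@", 1)[1].lower() if "@" in user_name else None


def next_hop(server, realm, came_from):
    """Where `server` forwards a request for `realm`; None means it must reject it.
    FTLRs match whole realms, ETLRs only the country domain (the last label)."""
    s = SERVERS[server]
    if s["role"] == "inst":
        return s["up"]                            # institutions never route, they just forward up
    if s["role"] == "ftlr":
        if realm in s["realms"]:
            return s["realms"][realm]             # downwards, to the institution's server
        return None if came_from == s["up"] else s["up"]    # never bounce a request back up
    tld = realm.rsplit(".", 1)[-1]                # remaining role: etlr
    if tld in s["countries"]:
        return s["countries"][tld]
    return None if came_from == s["peer"] else s["peer"]   # ask the other ETLR once, not forever


def route(start, user_name, max_hops=8):
    """Path an Access-Request takes from `start`; raises LookupError if unroutable."""
    realm = realm_of(user_name)
    if realm is None or realm in SERVERS[start].get("local", ()):
        return [start]                            # home user: authenticated locally
    path, came_from = [start], None
    while True:
        hop = next_hop(path[-1], realm, came_from)
        if hop is None or hop not in SERVERS:
            raise LookupError(f"no route for realm {realm!r} beyond {path[-1]} (path {path})")
        came_from, path = path[-1], path + [hop]
        if SERVERS[hop]["role"] == "inst":
            return path                           # reached the Identity Provider
        if len(path) > max_hops:
            raise LookupError(f"hop limit exceeded for realm {realm!r}: {path}")


if __name__ == "__main__":
    print(route("radius.institution_a.nl", "joe@university_b.hr"))
    print(route("radius.institution_a.nl", "anna@institution_a.nl"))
```

Two details matter operationally: an FTLR that receives a request from its ETLR for a realm it does not know must reject it rather than send it back up, and an ETLR that has already been asked by its peer must not ask the peer again. Without those two checks a typo in a realm name ping-pongs through the confederation until a hop limit stops it.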

  23. ENSURING USER CREDENTIAL SECURITY Users’ credentials are tunnelled through the RADIUS hierarchy. User credential security is a necessity in eduroam. Recommended approach: EAP combined with TLS-type protocol. Mutual user-server authentication. Encrypted user credentials. Sending unencrypted credentials is prohibited.

  24. eduroam’s TECHNICAL INFRASTRUCTURE

  25. THE AUTHORISATION PROCESS • VLANs in Service Provider each have different permissions. • Each VLAN connected to different parts of campus. • When authentication is successful: • Service Provider’s RADIUS server sends configuration options to NAS. • NAS assigns client to a VLAN.
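
The authorisation step of slide 25 worked through in Python as an added example (not code from the course or from eduroam): the Service Provider's RADIUS server decides a VLAN and puts it into the Access-Accept as the RFC 3580 tunnel attributes, and the NAS decodes them and moves the client. The group-to-VLAN policy, the realm and the guest VLAN number are constructed; the attribute numbers and values (Tunnel-Type 64 = 13 VLAN, Tunnel-Medium-Type 65 = 6 IEEE-802, Tunnel-Private-Group-ID 81) are the standard ones. The NAS side also shows the failure modes: missing or inconsistent attributes, or an out-of-range VLAN, fall back to the default VLAN instead of leaving the client on an undefined network.

```python
"""VLAN assignment via RADIUS tunnel attributes (RFC 3580 with IEEE 802.1Q).

Added example, not part of the course material. The group-to-VLAN policy,
the realm and the guest VLAN are constructed for a fictional Service
Provider; tagged attributes are encoded as in RFC 2868.
"""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

# Constructed SP policy: local users by group, every roaming visitor to the guest VLAN.
LOCAL_REALM = "institution_a.nl"
LOCAL_GROUPS = {"anna@institution_a.nl": "employee", "jan@institution_a.nl": "student"}
GROUP_VLANS = {"employee": 10, "student": 20}
GUEST_VLAN = 99


def sp_decide_vlan(user_name: str) -> int:
    """Authorisation at the visited institution: which VLAN does this user get?"""
    realm = user_name.rsplit("@", 1)[-1].lower()
    if realm != LOCAL_REALM:
        return GUEST_VLAN                      # authenticated elsewhere, authorised as a guest
    return GROUP_VLANS.get(LOCAL_GROUPS.get(user_name, ""), GUEST_VLAN)


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, length (including the two header octets), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_int(tag: int, value: int) -> bytes:
    return bytes([tag]) + value.to_bytes(3, "big")


def vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """What the SP's RADIUS server adds to the Access-Accept to request a VLAN."""
    return (attribute(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + attribute(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE802))
            + attribute(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))


def parse_attributes(blob: bytes):
    """Decode a run of TLVs into (type, value) pairs; malformed lengths raise."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def nas_assign_vlan(accept_attrs: bytes, default_vlan: int) -> int:
    """NAS side: honour the VLAN only if the three attributes sharing one tag agree
    on Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802; otherwise fall back."""
    by_tag = {}
    for attr_type, value in parse_attributes(accept_attrs):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            by_tag.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            tagged = value[0] <= 0x1F          # RFC 2868: a first octet above 0x1F is part of the string
            tag, body = (value[0], value[1:]) if tagged else (0, value)
            by_tag.setdefault(tag, {})[attr_type] = body
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            try:
                vlan = int(attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
            except ValueError:
                continue
            if 1 <= vlan <= 4094:
                return vlan
    return default_vlan


if __name__ == "__main__":
    for user in ("anna@institution_a.nl", "joe@university_b.hr"):
        blob = vlan_attributes(sp_decide_vlan(user))
        print(user, "->", nas_assign_vlan(blob, GUEST_VLAN))
```

The decision stays with the visited institution: the Identity Provider's Access-Accept is only evidence that the user is who they claim to be, and the SP's own server decides which of its VLANs that user may enter.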

  26. MAIN COMPONENTS OF eduroam Network Access Server (NAS): Wireless Access Point or 802.1x compatible wired switch. Client with configured supplicant. Hierarchy of RADIUS Authentication Servers (AS). IEEE 802.1x. IEEE 802.1q. Standard for VLAN assignment.

  27. HOW DO THE PIECES FIT TOGETHER? AN EXAMPLE [Diagram: user joe@university_b.hr visiting University A. Supplicant, Authenticator (AP or switch), RADIUS server University A, Central RADIUS Proxy server, RADIUS server University B; each university has its own User DB. University A's VLANs: XYZnet Commercial VLAN, Employee VLAN, Student VLAN. Labels: Trust: RADIUS & policy documents; 802.1X + EAP; (VLAN assignment); signalling and data paths drawn separately.]

  28. KEY eduroam TECHNOLOGIES (1) Security based on IEEE 802.1x: Standard for port-based network access control. Provides protection of credentials. Integrates with VLAN assignment through IEEE 802.1q: Standard for VLAN assignment. Authentication based on Extensible Authentication Protocol (EAP): Facilitates a variety of authentication mechanisms at users’ Identity Providers.

  29. KEY eduroam TECHNOLOGIES (2) Roaming based on RADIUS proxying. RADIUS = Remote Authentication Dial In User Service. A transport protocol for authentication information. Trust fabric based on: Hierarchy of RADIUS servers. The eduroam policy.

  30. THE eduroam CONFEDERATION POLICY What is the eduroam policy? Documents and contracts that define the responsibilities of: The European confederation. Federations / NRENs. Institutions. Users. A contract between the NRO and DANTE.

  31. LOCAL eduroam POLICIES In addition to the confederation’s policy, NROs may also have their own local eduroam policy. Allows for regional variations.

  32. THE EUROPEAN eduroam CONFEDERATION Hierarchical structure: Institutions with eduroam service points belong to federations (one for each country / NREN), which belong to the European eduroam confederation, which covers the whole of Europe. Provides the experience: “Open your laptop and be online”. Users given secure network access within the confederation.

  33. WHAT IS THE EUROPEAN eduroam CONFEDERATION? Members: Are European NRENs / NROs (National Roaming Operators). Must sign the European eduroam policy. Commits them to technological and organisational requirements.

  34. PRINCIPLES OF THE EUROPEAN eduroam CONFEDERATION Mutual network access without fees. Authentication at home; authorisation at Service Provider. Identity Providers remain responsible for roamers. Member NRENs promote eduroam in their countries. European confederation may peer with other international confederations.

  35. MAKING THE EUROPEAN SERVICE WORK The GÉANT2 Service Activity, SA5: Encompasses everything necessary to make the eduroam service work: Confederation technical infrastructure. Establishing trust between the member federations. Monitoring and diagnostic facilities. The eduroam database, a central data repository. The eduroam web site (www.eduroam.org). Confederation level user support. Trouble Ticketing System (TTS). Mailing Lists.

  36. THE eduroam SERVICE MODEL [Diagram: layered model. European eduroam service (governed by SA5); within it the eduroam confederation service (provided by the Operations Team, the O.T.); within that the national eduroam services (one per NREN/NRO).]

  37. USER TYPES AND SERVICE ELEMENTS

  Service element                                      | End user | Inst.-level personnel                                  | Federation-level personnel
  Basic monitoring facilities                          | Yes      | Yes                                                    | Yes
  Full monitoring and diagnostics facilities           | No       | Yes (limited to information on the respective inst.)   | Yes
  Public access to the eduroam web site                | Yes      | Yes                                                    | Yes
  Access to the internal eduroam web site              | No       | Yes (limited to information on the respective inst.)   | Yes
  Public access to the eduroam database                | Yes      | Yes                                                    | Yes
  Access to all information in the eduroam database    | No       | Yes (limited to information on the respective inst.)   | Yes
  TTS                                                  | No       | Yes                                                    | Yes
  SA5/OT mailing lists                                 | No       | No                                                     | Yes
  Support from OT                                      | No       | No                                                     | Yes

  38. MONITORING eduroam What must be monitored? Servers. Are they accessible? Infrastructure. Is it working? User experience. Is it satisfactory?

  39. MONITORING CONCEPT: OVERVIEW [Diagram: the monitoring client sends RADIUS requests (PAP, EAP etc.) to the monitored RADIUS proxy server, which forwards them to an IdP RADIUS server acting as loopback server; the RADIUS response travels back to the monitoring client.]

  40. THE MONITORING PROCESS (1) Monitoring is a two step process: Reject test. Accept test.

  41. THE MONITORING PROCESS (2) For both steps: Client creates RADIUS attributes. Client creates RADIUS request for selected AuthN type. Client sends RADIUS request. Starts measuring response time. Monitored RADIUS proxy handles request and returns response. Client evaluates response and updates database. Monitored server marked okay if it passes both tests.
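
The two-step test of slides 40 and 41 as an added Python example (not the monitoring client used by the eduroam Operations Team). The monitored proxies are modelled as in-process functions with constructed behaviour so the check runs offline: one healthy, one that accepts every request, and one that never answers; the monitoring account and its password are constructed. The record returned by `monitor` is what the monitoring database would store, and the accept-everything case shows why the reject test exists: an accept test alone would mark that server as healthy.

```python
"""The two-step reject/accept monitoring test described on the slides.

Added example, not part of the course material. The proxies are in-process
functions with constructed behaviour; a real monitoring client sends RADIUS
over UDP to the proxy, which loops the request back to a test IdP.
"""
import time


class RadiusTimeout(Exception):
    """No response within the client's timeout."""


# Constructed monitoring account known to the loopback IdP.
MONITOR_IDENTITY = "monitor@monitoring.example"
MONITOR_PASSWORD = "constructed-monitoring-password"


def healthy_proxy(identity: str, password: str) -> str:
    """Forwards to an IdP that accepts the monitoring account only."""
    if (identity, password) == (MONITOR_IDENTITY, MONITOR_PASSWORD):
        return "Access-Accept"
    return "Access-Reject"


def accept_all_proxy(identity: str, password: str) -> str:
    """Misconfigured path that accepts every request; the reject test catches this."""
    return "Access-Accept"


def dead_proxy(identity: str, password: str) -> str:
    """Unreachable proxy: the client's timeout expires."""
    raise RadiusTimeout


def run_step(proxy, identity: str, password: str, expected: str) -> dict:
    """One step: build and send the request, time the answer, compare with expectation."""
    started = time.monotonic()
    try:
        code = proxy(identity, password)
    except RadiusTimeout:
        code = "timeout"
    elapsed_ms = (time.monotonic() - started) * 1000
    return {"expected": expected, "got": code, "ok": code == expected, "ms": round(elapsed_ms, 3)}


def monitor(proxy) -> dict:
    """Reject test with a wrong password, then accept test; OK only if both pass.
    The returned dict is the record the monitoring database would store."""
    record = {
        "reject": run_step(proxy, MONITOR_IDENTITY, MONITOR_PASSWORD + "-wrong", "Access-Reject"),
        "accept": run_step(proxy, MONITOR_IDENTITY, MONITOR_PASSWORD, "Access-Accept"),
    }
    record["status"] = "ok" if record["reject"]["ok"] and record["accept"]["ok"] else "fail"
    return record


if __name__ == "__main__":
    for name, proxy in (("healthy", healthy_proxy), ("accept-all", accept_all_proxy), ("dead", dead_proxy)):
        print(name, monitor(proxy)["status"])
```

The measured response time is kept per step because the two steps exercise different paths: a slow reject usually means the loopback IdP is slow, while a slow accept on a healthy reject points at the proxy itself.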

  42. MONITORING SERVERS [Diagram: monitoring client and monitoring database; the monitored servers are the ETLRs and the FTLRs.]

  43. MONITORING INFRASTRUCTURE [Diagram: monitoring client and monitoring database connected to the ETLR(s), TLR(s) and the FTLR(s) of several federations.]

  44. TESTING ON DEMAND [Diagram: on-demand test between realm A and realm B. The monitoring client sends a request through the FTLR(s) of realm A, the ETLR(s)/TLR(s) and the FTLR(s) of realm B, and records the result in the monitoring database.]

  45. THE eduroam DATABASE Database includes: National Roaming Operator (NRO) representatives and contact details. Local institutions’ official contacts, for both Service Providers (SPs) and Identity Providers (IdPs). Information about eduroam hot spots: SP location, technical information. Monitoring information. Information about the usage of the service.

  46. NROs AND THE eduroam DATABASE NROs: Should provide the necessary data (general and usage data). Data must be provided in the agreed XML format. Data will only be accessible from the eduroam database server.

  47. eduroam DATABASE: THE DATA MODEL

  48. THE eduroam WEB SITE www.eduroam.org will include private areas to support eduroam operations. E.g. Information from NROs: Contact details. Service coverage. Usage statistics. Number of eligible / active users. Infrastructure monitoring information.

  49. USER SUPPORT: PROBLEM ESCALATION SCENARIO 1 [Diagram: escalation path across the home federation, the visited federation and the OT. Actors: the user; the local institution admin and the fed.-level admin of the visited federation; the local institution admin and the fed.-level admin of the home federation. Numbered steps 1,2 (user to local institution admin), 3 and 4 give the order of escalation.]

  50. USER SUPPORT: PROBLEM ESCALATION SCENARIO 2 [Diagram: same actors as scenario 1 with a longer path: steps 1,2 (user to local institution admin), 3, 4 (with branches 4a and 4b), 5 and 6.]
