eduroam Supporting Services
Miroslav Milinovic, CARNet/Srce
2014 Technology Exchange, Indianapolis, USA
October 26-30, 2014
2 Connect | Communicate | Collaborate
eduroam service in a nutshell
objectives:
– build and maintain (European) education roaming service
– provide secure, consistent and uniform network access service (inside the boundaries of the confederation)
motto: “open your laptop and be online”
eduroam infrastructure:
technology infrastructure:
– (E)TLRSs, FLRSs, IdP and SP RADIUS servers
– network access elements (APs/switches)
supporting infrastructure / supporting services suite:
– eduroam web site
– eduroam database
– monitoring and metering service
– diagnostics, configuration assistance
– ...
It all started with ...
TERENA TF-mobility (inter-NREN) roaming requirements (http://www.terena.org/activities/tf-mobility/deliverables/delC/DelC1-4.pdf)
identify users uniquely at the edge of the network
enable guest usage
scalable
– local user administration and authentication
easy to install and use
– at the most one-time installation by the user
open
The solution (eduroam™)
[diagram] the user joe@university_b.hr (home: University B) connects with a supplicant to an authenticator (AP or switch) at the visited university (University A); University A's RADIUS server forwards the request via the XYZnet central RADIUS proxy server to University B's RADIUS server, which checks its own user DB; on success the user is placed in a Student, Employee or Commercial VLAN (data path and signalling path are drawn separately)
• Trust: RADIUS & policy documents
• 802.1X + EAP
• (VLAN assignment)
(Basic) eduroam technology
security based on 802.1X
– integration with VLAN assignment
– protection of credentials
authentication based on EAP (Extensible Authentication Protocol)
– different authentication mechanisms possible by using EAP
roaming based on RADIUS proxying (Remote Authentication Dial In User Service)
– transport protocol for authentication information
trust fabric based on:
– technical: RADIUS hierarchy
– policy: documents/contracts that define the responsibilities of user, institution, (N)RO
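The RADIUS hierarchy named above routes each request on the realm of the (outer) identity: the institution server authenticates its own realms and proxies everything else to the national FLRS, which forwards to the home IdP or up to the ETLRS, which forwards by country. The following is an added example, not code from the slides or from eduroam; all server names, realms and routing tables in it are constructed, and the "hr": None entries on the national servers illustrate the rule that an FLRS rejects unknown realms of its own country instead of bouncing them back upward, which would loop.

```python
# Added example (not from the slides): how an outer identity's realm is routed
# through an eduroam-style RADIUS hierarchy (institution -> FLRS -> ETLRS).
# Server names, realms and routing tables are constructed placeholders.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_HOPS = 8  # guard against proxy loops between misconfigured servers


def realm_of(identity: str) -> Optional[str]:
    """Realm part of an (outer) identity, lower-cased; None if there is none."""
    if "@" not in identity:
        return None
    realm = identity.rsplit("@", 1)[1].strip().lower()
    return realm or None


@dataclass
class RadiusServer:
    name: str
    role: str                                # "institution", "flrs", "etlrs" or "idp"
    routes: Dict[str, Optional[str]]         # realm suffix -> next hop (None = reject)
    default: Optional[str] = None            # next hop for unmatched realms; None = reject

    def next_hop(self, realm: str) -> Optional[str]:
        # Longest matching suffix wins, so "student.uni-a.hr" follows "uni-a.hr",
        # and a bare country suffix only catches realms no institution claims.
        best: Optional[Tuple[str, Optional[str]]] = None
        for suffix, target in self.routes.items():
            if realm == suffix or realm.endswith("." + suffix):
                if best is None or len(suffix) > len(best[0]):
                    best = (suffix, target)
        return best[1] if best else self.default


# Constructed hierarchy: two Croatian institutions under flrs.hr, one Dutch
# institution under flrs.nl, both national servers under the European TLRS.
HIERARCHY: Dict[str, RadiusServer] = {s.name: s for s in [
    RadiusServer("radius.uni-a.hr", "institution", {"uni-a.hr": "idp.uni-a.hr"}, "flrs.hr"),
    RadiusServer("flrs.hr", "flrs",
                 {"uni-a.hr": "idp.uni-a.hr", "uni-b.hr": "idp.uni-b.hr", "hr": None}, "etlrs.eu"),
    RadiusServer("flrs.nl", "flrs", {"uni-c.nl": "idp.uni-c.nl", "nl": None}, "etlrs.eu"),
    RadiusServer("etlrs.eu", "etlrs", {"hr": "flrs.hr", "nl": "flrs.nl"}),   # unknown country: reject
    RadiusServer("idp.uni-a.hr", "idp", {}),
    RadiusServer("idp.uni-b.hr", "idp", {}),
    RadiusServer("idp.uni-c.nl", "idp", {}),
]}


def route(identity: str, start: str, hierarchy=HIERARCHY) -> Tuple[str, List[str]]:
    """Follow the request hop by hop; returns (outcome, path of server names)."""
    path = [start]
    realm = realm_of(identity)
    if realm is None:
        return "reject:no-realm", path       # nothing to route on, drop at the edge
    current = hierarchy[start]
    while current.role != "idp":
        if len(path) > MAX_HOPS:
            return "reject:loop", path
        nxt = current.next_hop(realm)
        if nxt is None:
            return "reject:unknown-realm", path
        path.append(nxt)
        current = hierarchy[nxt]
    return "authenticate", path              # home IdP reached; credentials are checked here


if __name__ == "__main__":
    for who in ["joe@uni-a.hr", "Joe@UNI-B.HR", "anonymous@student.uni-c.nl",
                "joe@university_b.hr", "joe", "x@nowhere.xx"]:
        print(who, *route(who, "radius.uni-a.hr"))
```

Only the realm is visible to the visited site and the proxies; with an anonymous outer identity (anonymous@realm) the username itself travels inside the EAP tunnel to the home IdP, which is the point of the routing scheme.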
From a pilot to a service
TF-Mobility started work on eduroam in 2002
GN2: JRA5 (2004), SA5 (2007)
– European eduroam Policy v1.0 (January 2008)
– supporting services
– service officially started on September 1, 2008
– http://www.eduroam.org
GN3 (2009-2013) / GN3plus (2013-2015) / GN4 (2015 - …)
– European eduroam Policy v2.0 (July 2012) https://www.eduroam.org/index.php?p=docs
– further development of infrastructure and supporting services
– 44 countries
GeGC (Global eduroam Governance Committee) (2011 - )
– global governance
– eduroam Compliance Statement (October 2011) https://www.eduroam.org/downloads/docs/eduroam_Compliance_Statement_v1_0.pdf
– 6 continents (70 countries)
Global eduroam
eduroam in numbers
10+ years after:
70 countries (44 in Europe)
>12000 (>10000 in Europe) service locations registered in the eduroam database (http://monitor.eduroam.org/user_map/)
GeGC members from 6 continents
new countries interested to join ...
F-ticks - cumulative stats from 30 European countries (September 2014):
total of ≈140 million successful authN
ETLRS server logs (September 2014):
33,800,000+ successful international authN
4,400,000+ CSI (Calling-Station-Id, i.e. client devices)
eduroam SSID is widely known (http://www.wigle.net/gps/gps/main/ssidstats)
European eduroam authN traffic
≈30 participating countries
[chart] monthly authN from 2013-04 to 2014-09, two series with separate axes: National authN* (in millions) and International authN** (in millions)
* National authN = total number of authN in the same country counted via f-ticks
** International authN = number of international (cross-border) authN counted in the logs of the ETLRS servers
(European) eduroam service model
[diagram] eduroam service (governed by eduroam SG), consisting of the eduroam confederation service (provided by OT) and the national eduroam services (each provided by an NREN/NRO), ...
(European) eduroam service “stack”
end users
institution-level personnel
federation-level personnel
operational team
User support: problem escalation scenario (1)
[diagram] actors: user; local institution admin and fed.-level admin of the visited federation; local institution admin and fed.-level admin of the home federation; OT. The escalation arrows are numbered 1,2 / 3 / 4 in the original figure.
User support: problem escalation scenario (2)
[diagram] same actors as in scenario (1): user; local institution admin and fed.-level admin of the visited federation; local institution admin and fed.-level admin of the home federation; OT. The escalation arrows are numbered 1,2 / 3 / 4 / 4a / 4b / 5 / 6 in the original figure.
Supporting services suite (1)
[diagram] core services built around the eduroam db, serving: fed.op. support, SP support, IdP support, enduser support, general public, ? (open slot)
Supporting services suite (2)
based on the concept known as OSS (operations support system)
supporting apps. portfolio to meet the needs of all user groups:
– end-users, IdP-admins, SP-admins, fed-admins, OT
– general public
eduroam db as a core data source
– completeness (?)
– open data (?)
currently available:
public sites:
– http://monitor.eduroam.org: with maps, monitoring and metering information (f-ticks)
– https://cat.eduroam.org: Configuration Assistant Tool (CAT)
protected sites (eduGAIN + social networks based AuthN):
– eduroam db web interface, testing on demand, CAT for admins, ...
(new) supporting services portal: http://monitor.eduroam.org
to be launched in November 2014
eduroam database
authoritative data source for all supporting services (including contact pages on www.eduroam.org and the eduroam companion tool for smartphones)
currently holds info from 55 countries
more info at http://monitor.eduroam.org/database
available maps:
– http://monitor.eduroam.org/user_map
– http://monitor.eduroam.org/eduroam_map.php?type=all
a tool for service administration / for (N)ROs: DJNRO (http://djnro.grnet.gr/)
Maps: examples
Monitoring: problem definition
monitor functionality of the eduroam infrastructure:
– servers
– infrastructure
– user experience
ultimate goal is to test real user experience
(very) different workflows at RADIUS servers for Accept and Reject
– perform both accept and reject logic tests
a challenge: to build a WLAN probe
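The accept and reject tests belong together: a server that has lost its user database, or a misconfigured proxy that answers Access-Accept to anything, passes an accept-only check. The probe below is an added example, not code from the slides or from the eduroam monitoring service. It sends plain PAP Access-Requests (RFC 2865) rather than the EAP exchange a real eduroam probe would run, checks the Response Authenticator of every reply before trusting its code, and runs against an in-process stand-in server; shared secret, probe account and NAS identifier are constructed.

```python
# Added example (not from the slides): a monitoring probe that runs an Accept
# test and a Reject test against a RADIUS server and verifies the Response
# Authenticator of each answer. PAP is used instead of EAP for brevity; the
# secret, probe account and the stand-in server are constructed.
import hashlib
import hmac
import os
import struct
from typing import Callable, Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

SECRET = b"constructed-shared-secret"
PROBE_USER, PROBE_PASSWORD = "probe@uni-a.example", b"constructed-probe-pw"
USERS: Dict[str, bytes] = {PROBE_USER: PROBE_PASSWORD}   # stand-in server's user DB


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool = False) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), the first with MD5(secret + Request Authenticator)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, mask))
        out += result
        prev = block if decrypt else result   # chaining always uses the ciphertext block
    return out


def build_access_request(ident: int, user: str, password: bytes, secret: bytes, nas_id: str):
    """Returns (packet, request_authenticator); the authenticator is needed to verify the reply."""
    req_auth = os.urandom(16)
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(padded, secret, req_auth))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            break                               # malformed attribute: stop parsing
        attrs.setdefault(attr_type, data[i + 2:i + length])
        i += length
    return attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def stand_in_server(packet: bytes, secret: bytes, users: Dict[str, bytes]) -> bytes:
    """Minimal RADIUS server logic: recover the PAP password and check it."""
    attrs = parse_attrs(packet[20:])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    recovered = hide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, packet[4:20], decrypt=True)
    ok = user in users and hmac.compare_digest(users[user], recovered.rstrip(b"\x00"))
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, packet, secret)


def verify_response(resp: bytes, req_auth: bytes, secret: bytes) -> Optional[int]:
    """Return the response code only if its Response Authenticator is valid."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return None
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return resp[0] if hmac.compare_digest(expected, resp[4:20]) else None


def run_checks(send: Callable[[bytes], bytes], secret: bytes = SECRET) -> str:
    """Accept test with the probe account, then Reject test with a wrong password."""
    cases = [(PROBE_PASSWORD, ACCESS_ACCEPT, "FAIL:accept-test"),
             (PROBE_PASSWORD + b"-wrong", ACCESS_REJECT, "FAIL:reject-test")]
    for ident, (password, expected, failure) in enumerate(cases):
        packet, req_auth = build_access_request(ident, PROBE_USER, password, secret, "eduroam-probe")
        code = verify_response(send(packet), req_auth, secret)
        if code is None:
            return "FAIL:bad-response-authenticator"   # spoofed, truncated or wrong-secret reply
        if code != expected:
            return failure
    return "OK"


if __name__ == "__main__":
    print(run_checks(lambda pkt: stand_in_server(pkt, SECRET, USERS)))
```

The `send` callable is where a real probe would put its UDP exchange and timeout handling; the result string is what a monitoring scenario would record, so "FAIL:reject-test" (the server accepts everything) shows up as a distinct state from a server that is simply down.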
Monitoring: status
http://monitor.eduroam.org
monitoring (E)TLRs and NRO servers (FLRSs)
3 monitoring scenarios:
– monitoring servers
– monitoring infrastructure
– testing on demand
ongoing development:
– new scenarios: CUI / ON (Chargeable-User-Identity / Operator-Name), RadSec, IPv6, ...
– global monitoring
– ...
Metering: F-Ticks
(new) way of collecting stats
simple, based on syslog
http://monitor.eduroam.org/f-ticks/
message formats:
– basic: F-TICKS/eduroam/1.0#REALM=%R#VISCOUNTRY=HR#CSI=%{Calling-Station-Id}#RESULT=OK#
– extended: F-TICKS/eduroam/1.0#REALM=%R#VISCOUNTRY=HR#VISINST=SP-Name#CSI=%{Calling-Station-Id}#RESULT=OK#
http://www.ietf.org/archive/id/draft-johansson-fticks-00.txt
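Consuming these messages is a matter of finding the F-TICKS record inside each syslog line, splitting it on `#`, and aggregating by REALM, VISCOUNTRY, RESULT and CSI. The parser and summary below are an added example, not code from the slides or from the eduroam metering service; the syslog lines are constructed, the realm-country rule (home country = last label of the realm) is an assumption used only to separate national from international authN, and the CSI is hashed with a constructed salt before counting so that device MACs do not end up in the statistics.

```python
# Added example (not from the slides): parse F-TICKS/eduroam/1.0 syslog lines
# and compute the kind of counts shown in the "eduroam in numbers" slide.
# All log lines, realms and MAC addresses below are constructed.
import hashlib
from collections import Counter
from typing import Dict, Optional

FTICKS_VERSION = "F-TICKS/eduroam/1.0"

SAMPLE_LOG = """\
Sep 15 10:00:01 flrs radiusd[1234]: F-TICKS/eduroam/1.0#REALM=uni-a.hr#VISCOUNTRY=HR#CSI=00:11:22:33:44:55#RESULT=OK#
Sep 15 10:00:02 flrs radiusd[1234]: F-TICKS/eduroam/1.0#REALM=uni-b.nl#VISCOUNTRY=HR#VISINST=uni-a#CSI=66:77:88:99:AA:BB#RESULT=OK#
Sep 15 10:00:03 flrs radiusd[1234]: F-TICKS/eduroam/1.0#REALM=uni-b.nl#VISCOUNTRY=HR#VISINST=uni-a#CSI=66:77:88:99:AA:BB#RESULT=OK#
Sep 15 10:00:04 flrs radiusd[1234]: F-TICKS/eduroam/1.0#REALM=uni-a.hr#VISCOUNTRY=HR#CSI=CC:DD:EE:FF:00:11#RESULT=FAIL#
Sep 15 10:00:05 flrs radiusd[1234]: F-TICKS/eduroam/2.0#REALM=uni-a.hr#VISCOUNTRY=HR#CSI=CC:DD:EE:FF:00:11#RESULT=OK#
Sep 15 10:00:06 flrs radiusd[1234]: unrelated log line
"""


def parse_ftick(line: str) -> Optional[Dict[str, str]]:
    """Extract the F-TICKS record from a syslog line; None if absent or malformed."""
    start = line.find("F-TICKS/")
    if start < 0:
        return None
    fields = line[start:].rstrip().split("#")
    if fields[0] != FTICKS_VERSION:
        return None                     # unknown version: do not guess at its fields
    record: Dict[str, str] = {}
    for field in fields[1:]:
        if not field:
            continue                    # the message ends with a trailing '#'
        if "=" not in field:
            return None
        key, value = field.split("=", 1)
        record[key] = value
    if not {"REALM", "VISCOUNTRY", "RESULT"} <= record.keys():
        return None                     # the basic format requires these three
    return record


def realm_country(realm: str) -> str:
    """Assumption: the home country is the realm's last label (uni-a.hr -> HR)."""
    return realm.rsplit(".", 1)[-1].upper()


def anonymise_csi(csi: str, salt: bytes = b"constructed-salt") -> str:
    """Salted hash of the Calling-Station-Id, so devices can be counted, not listed."""
    return hashlib.sha256(salt + csi.lower().encode()).hexdigest()[:16]


def summarise(log_text: str) -> dict:
    stats = {"ok": 0, "fail": 0, "national": 0, "international": 0, "skipped": 0,
             "ok_per_realm": Counter(), "devices": set()}
    for line in log_text.splitlines():
        rec = parse_ftick(line)
        if rec is None:
            stats["skipped"] += 1
            continue
        if rec["RESULT"] != "OK":
            stats["fail"] += 1
            continue
        stats["ok"] += 1
        stats["ok_per_realm"][rec["REALM"]] += 1
        if "CSI" in rec:
            stats["devices"].add(anonymise_csi(rec["CSI"]))
        if realm_country(rec["REALM"]) == rec["VISCOUNTRY"].upper():
            stats["national"] += 1      # user authenticated in their home country
        else:
            stats["international"] += 1
    return stats


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print({k: (len(v) if isinstance(v, set) else v) for k, v in s.items()})
```

Lines with an unknown F-TICKS version or a different format are counted as skipped rather than guessed at, which keeps a format change on one national server from silently skewing the confederation-wide totals.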
CAT
Configuration Assistant Tool
http://cat.eduroam.org (in production since March 2013)
built to help users and IdP admins
– generates “installers” to ease the client device configuration process
– provides diagnostics functions for IdPs
software development homepage: http://forge.geant.net/CAT/
https://cat-test.eduroam.org – test version
Why eduroam CAT?
eduroam is a very secure roaming service
– 10.000+ hotspots
– millions of users (close to 1 million downloads from CAT)
credentials will only be disclosed to the user’s “home” server (IdP)
no hotspot (eduroam SP) or any unauthorised rogue AP/server can grab credentials …
… IF the user cares enough to verify that he is actually connecting to his own eduroam IdP!
software on typical end-user devices makes it too easy to neglect security – automation of the setup process is required.
How does eduroam CAT help?
collects required setup parameters from the eduroam IdP
– simple web interface
– expert system verifies that information is complete and correct
transforms parameters into automated installation programs for the eduroam Identity Provider’s end users:
– “just click” and eduroam will be installed
– with all complexity hidden from the user
– with full security enabled
– digitally signed
– for many operating systems: Windows XP, Vista, 7, 8, 8.1; Mac OS X 10.6+, iOS; Linux
– setup instructions in many languages
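What "full security enabled" means in an installer is concrete: the client profile must carry the CA that issued the IdP's RADIUS server certificate and the server name that certificate has to match, or the supplicant will hand the credentials to whichever server answers. The following is an added example, not code from the slides or from the CAT project: a CAT-like completeness check over the parameters an IdP admin supplies, and the wpa_supplicant network block an installer built from them would contain. Realm, CA path, server name and username are constructed placeholders.

```python
# Added example (not from the slides or the CAT project): an expert-system style
# check on IdP-supplied setup parameters and the wpa_supplicant network block
# built from them. Realm, CA path, server name and username are constructed.
from dataclasses import dataclass
from typing import List


@dataclass
class IdpProfile:
    realm: str                     # the IdP's realm, e.g. uni-a.example
    eap_method: str                # outer EAP method: "PEAP" or "TTLS"
    phase2: str                    # inner method, e.g. "MSCHAPV2" (PEAP) or "PAP" (TTLS)
    ca_cert_path: str              # CA that issued the IdP's RADIUS server certificate
    server_name: str               # name the server certificate must carry
    anonymous_outer: bool = True   # hide the real username from the SP and the proxies


def verify_profile(p: IdpProfile) -> List[str]:
    """Completeness check; an empty list means the client can verify it is
    talking to its own IdP before it sends any credentials."""
    problems = []
    if not p.realm or "@" in p.realm or " " in p.realm:
        problems.append("realm must be a bare domain name")
    if p.eap_method not in ("PEAP", "TTLS"):
        problems.append("unsupported outer EAP method")
    if not p.ca_cert_path:
        problems.append("no CA certificate: the client cannot validate the IdP server")
    if not p.server_name:
        problems.append("no server name: any certificate from that CA would be accepted")
    return problems


def render_wpa_supplicant(p: IdpProfile, username: str) -> str:
    """wpa_supplicant network block; refuses to render a profile that fails verification."""
    problems = verify_profile(p)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "network={",
        '    ssid="eduroam"',
        "    key_mgmt=WPA-EAP",
        f"    eap={p.eap_method}",
        f'    identity="{username}@{p.realm}"',
    ]
    if p.anonymous_outer:
        # outer identity carries only the realm; the username stays inside the TLS tunnel
        lines.append(f'    anonymous_identity="anonymous@{p.realm}"')
    lines += [
        f'    ca_cert="{p.ca_cert_path}"',
        f'    domain_suffix_match="{p.server_name}"',   # pin the IdP server's certificate name
        f'    phase2="auth={p.phase2}"',
        "}",
    ]
    return "\n".join(lines)


# Constructed profiles: one the expert system would flag, one it would accept.
WEAK = IdpProfile("uni-a.example", "PEAP", "MSCHAPV2", ca_cert_path="", server_name="")
HARDENED = IdpProfile("uni-a.example", "PEAP", "MSCHAPV2",
                      ca_cert_path="/etc/ssl/certs/uni-a-idp-ca.pem",
                      server_name="radius.uni-a.example")

if __name__ == "__main__":
    print("weak profile problems:", verify_profile(WEAK))
    print(render_wpa_supplicant(HARDENED, "joe"))
```

The two checks that matter are the last two in `verify_profile`: a profile with a CA but no server name still trusts every certificate that CA ever issued, which is exactly the gap a rogue AP with a certificate from a public CA would use, so the generator refuses to emit a block for it.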
How does eduroam CAT work?
1. End-User Interface
• selection of Identity Provider
• download and execution of Installer
2. Administrator Interface
• overview of settings
• deep-link to own download area
• expert system: setup verification
sign-up for IdPs – by invitation only:
– eduroam Identity Providers should contact their eduroam National Roaming Operator (NRO) and request access
– they will receive a one-time authorisation token with a login link
Conclusion & future work
supporting services are a must
current tools:
– work well
– [can be | are used] globally
future work:
– awareness, outreach & completeness
– extend the tools portfolio
– improve current tools
http://www.eduroam.org
http://monitor.eduroam.org
https://cat.eduroam.org
www.geant.net
www.twitter.com/GEANTnews | www.facebook.com/GEANTnetwork | www.youtube.com/GEANTtv
Thank you!