High-quality Internet for higher education and research AAI from the NREN perspective Schiphol, October 17, 2005 [email protected]


High-quality Internet for higher education and research

AAI from the NREN perspective

Schiphol, October 17, 2005, [email protected]


Contents

• NRENs and AAI
• Federations for Network Access
  – eduroam
• Federations for Application (Web) Access
  – AuthN
  – AuthZ
  – eduGAIN
• Supporting Services
  – SCHAC
  – PKI’s
  – SCS
  – TACAR
• Questions


The AAI domain

[Figure: the AAI domain. Boxes: Authentication Systems, Administrative Systems, Authorisation Systems, Applications; the user’s login enters through the authentication systems.]


NRENs and AAI

• In the beginning there were:
  – Network access solutions
  – Web single sign-on solutions
  – Identity management systems
  – Authorisation engines
  – PKI’s
  – Directories
• Then: need for collaboration beyond institutional borders: Federations
• Now: need for collaboration beyond national borders: Confederations


Federated network access: eduroam

• Security
  – IEEE 802.1X
• Roaming
  – RADIUS
• Trust
  – Policies


eduroam architecture

[Figure: eduroam architecture. A guest user (supplicant, piet@university_b.nl) connects at University A; the authenticator (AP or switch) passes the request to University A’s RADIUS server, which proxies it via SURFnet’s central RADIUS proxy server to University B’s RADIUS server and user DB. On success the user is placed in a VLAN (StudentVLAN, CommercialVLAN or EmployeeVLAN). Legend: data, signalling.]

• Trust based on RADIUS plus policy documents
• 802.1X
• (VLAN assignment)
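The realm-based proxying and VLAN assignment of the figure, as an added example (not code from the presentation, SURFnet or eduroam): the visited site never validates a roaming user’s credential itself, the national proxy routes on the realm alone, and only the home institution consults its user DB. Realms, users, passwords and the “GuestVLAN” name are constructed.

```python
"""Toy model of the eduroam RADIUS hierarchy on the slide above (added
example, not code from the presentation, SURFnet or eduroam). Realms, user
records and VLAN names are constructed; RADIUS/EAP packets and the RFC 3580
VLAN attributes are reduced to plain Python values."""

REJECT = ("Access-Reject", None)


def realm_of(identity):
    """Routing key: everything after the last '@' of the User-Name."""
    return identity.rpartition("@")[2]


class InstitutionRadius:
    def __init__(self, realm, users, role_vlan):
        self.realm = realm          # e.g. "university_b.nl"
        self.users = users          # username -> (password, role), constructed DB
        self.role_vlan = role_vlan  # role -> VLAN for the institution's own users

    def authenticate(self, identity, credential):
        """Only the home institution checks the credential against its user DB."""
        user = identity.rpartition("@")[0]
        if realm_of(identity) != self.realm or user not in self.users:
            return REJECT
        stored, role = self.users[user]
        return ("Access-Accept", role) if credential == stored else REJECT


class CentralProxy:
    """National proxy (SURFnet in the figure): routes on the realm only; the
    credential is an opaque EAP payload to it and is never inspected."""
    def __init__(self):
        self.routes = {}

    def register(self, inst):
        self.routes[inst.realm] = inst

    def forward(self, identity, credential):
        home = self.routes.get(realm_of(identity))  # unknown realm: reject
        return home.authenticate(identity, credential) if home else REJECT


def visited_decision(visited, proxy, identity, credential):
    """Visited site: own users get their role VLAN; roamers from another realm
    whose home institution accepted them get the guest VLAN."""
    local = realm_of(identity) == visited.realm
    handler = visited.authenticate if local else proxy.forward
    result, role = handler(identity, credential)
    if result != "Access-Accept":
        return REJECT
    return "Access-Accept", (visited.role_vlan[role] if local else "GuestVLAN")
```

In a real deployment the credential inside `forward` is the EAP conversation carried by RADIUS, so even the home server only sees the password after the PEAP/TTLS tunnel of the next slide has been established.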


Tunneled authentication (PEAP/TTLS)

• Uses a TLS/SSL tunnel to protect data
  – The TLS tunnel is set up using the server certificate, thus authenticating the server and preventing man-in-the-middle attacks
  – The user sends his credentials through the secure tunnel to the server, thus authenticating the user
• Can use dynamic session keys for ‘in the air’ encryption

[Figure (© Alfa&Ariss): 802.1X client, EAP, RADIUS server. Server authentication sets up the TLS tunnel; the user authentication then runs inside it, protected by the tunnel.]
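A supplicant configuration that enforces the server-side check the slide relies on, as an added example (not from the presentation or from eduroam; the SSID, realm, CA file path and RADIUS server name are assumed). In wpa_supplicant terms, the first network block accepts any server certificate, so the tunnel authenticates nobody and the inner password reaches whichever server terminates it; the second pins the institution’s CA and the server’s name, which is what makes the tunnel a defence against man-in-the-middle.

```conf
# wpa_supplicant.conf fragments (constructed example; values are assumed)

# Weak: no ca_cert and no name check, so the client builds the TLS tunnel
# to any server presenting any certificate and sends the password into it.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="piet@university_b.nl"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
}

# Corrected: the tunnel is only completed to a server whose certificate
# chains to the home institution's trusted CA and carries the expected name.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    # Outer identity: realm only, enough for the RADIUS proxies to route on.
    anonymous_identity="anonymous@university_b.nl"
    # Inner identity and password travel inside the TLS tunnel only.
    identity="piet@university_b.nl"
    password="REPLACE_ME"
    # Assumed path to the CA that issued the institution's RADIUS server cert.
    ca_cert="/etc/ssl/certs/university_b_radius_ca.pem"
    # Assumed server name; the certificate's subject/SAN must match it.
    domain_suffix_match="radius.university_b.nl"
    phase2="auth=MSCHAPV2"
}
```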


Status of eduroam

• Over 400 institutions in Europe and Australia

• USA, Taiwan will follow shortly


Federated application (Web) access

• A number of web single sign-on solutions exist
  – Shibboleth (Australia, Finland, Switzerland, UK etc.)
  – PAPI (Spain, UK)
  – A-Select (Netherlands, Australia)
  – FEIDE/Moria (Norway)
• Authorisation Systems
  – PERMIS
  – SPOCP
• Single-technology federations are or have been built
• Now, through the Geant2 JRA5 project, these will be integrated.


Web AuthN: A-Select

• “Black box” that:
  – Accepts many authentication methods
  – Interfaces with many applications
  – Allows an institution to take authN out of the application


Web AuthZ: Shibboleth

• Allows institutions that belong to the same federation to share resources

• Lingua Franca: SAML

© SWITCH


eduGAIN

• Goal: to federate federations

• Web-services and SAML based

• As much as possible Shibboleth compatible

• 4 basic interactions:
  – AuthnReq/Resp
  – HLSReq/Resp
  – AttrReq/Resp
  – AuthZReq/Resp

• Defining parameters, protocols and profiles


Supporting services: SCHAC

• SChema HArmonisation Committee
• Find agreement on a set of minimal attributes to facilitate inter-institutional and international data exchange
• An initial list of attributes has been agreed
• Let the schema evolve as time goes by and needs arise
• Work is ongoing to define a formal LDAP schema
• SCHAC would help the Bologna process


Supporting services: PKI’s

• PKI’s are complex
• “Pop-up problem”
• Path validation problems
• Cross certification tedious
• NREN’s never managed to distribute client certificates on a large scale
• Server certificates cost money
• But the GRID community seem to have pulled this thing off!


Supporting services: Server Certificate Service (SCS)

• Flat-fee
• Pop-up free
• Server certificates only!
• Rooted in commercial CA provider
• National RA’s
• Pilot funded by ACONET, CARNet, CESNET, CRU (RENATER), RedIRIS, SURFnet, SWITCH and UNI-C
• Currently in procurement procedure


Supporting services: TACAR

• Trusted repository of verified root-CA certificates for NRENs and not-for-profit research projects rooted in the academic community.
• Currently containing:
  – AustrianGridCA, CERN CA, CESNET CA, DFN PCA, DOEGrids, DutchGrid, EGCA, EuroPKI, Grid Canada CA, Grid-Ireland CA, GridKa CA, GRNET, HellasGrid CA, IGC CRU, INFN CA, LIP CA, NIIF CA, RedIRIS, SURFnet, SWITCH, SwUPKI, UK e-Science CA, University of Thessaloniki
• Root of trust for the International Grid Trust Federation (IGTF)
• Notice all the GRID certificates: it seems that we have found each other here already!


Questions

• Is there life beyond certificates in the GRID?
• How do you do authorisation?
• How do you overcome the Grid infrastructure scalability problems?
  – Certificate deployment and life cycle management
  – Sources of authority “VO” (many VOs, and users belonging to many of them)
  – Plug-and-play, Plug-and-be-played
• How may we help you?
• How can you help us?


More information

• eduroam
  – http://www.eduroam.org
• TERENA TF-Mobility
  – http://www.terena.nl/tech/task-forces/mobility/
• TERENA TF-EMC2
  – http://www.terena.nl/tech/task-forces/tf-emc2/
  – http://www.terena.nl/tech/task-forces/tf-emc2/schac.html
• TACAR
  – http://www.tacar.org
• Géant2 Joint Research Activity 5 (authorisation and roaming)
  – http://www.geant2.net/server/show/nav.758