
AAI@EduHr (From Radius Hierarchy to AAI)

AAI@EduHr (From Radius Hierarchy to AAI). Miroslav Milinović University Computing Centre - Srce <miro@srce.hr> EuroCAMP Ljubljana, March 2006. Contents. History hrEdu radius/LDAP hierarchy AAI@EduHr project hrEdu schemas AOSI (adding AAI flavour) AAI@EduHr today


Presentation Transcript


  1. AAI@EduHr (From Radius Hierarchy to AAI)
  Miroslav Milinović, University Computing Centre - Srce <miro@srce.hr>
  EuroCAMP Ljubljana, March 2006

  2. Contents
  • History
  • hrEdu radius/LDAP hierarchy
  • AAI@EduHr project
  • hrEdu schemas
  • AOSI (adding AAI flavour)
  • AAI@EduHr today
  • Future development (PKI@EduHr?)

  3. History
  • Directories and directory services
    • http://ds.carnet.hr
    • Netfind, Whois++, X.500 → LDAP
    • killer application needed
  • Network access
    • AAA for dial-up access
    • introducing radius instead of tacacs+
  • (highly) distributed user community
    • ≈ 200 member institutions (variable size of institution and amount of ICT resources)
    • expert knowledge is not equally distributed/available

  4. We started with ...
  • (hrEdu) radius/LDAP hierarchy
    • limited function, primarily for dial-up access
  • LDAP schema development started
    • AAI foreseen as a long-term goal / dial-up as a killer application for LDAP deployment
  • fully operational radius/LDAP hierarchy since Feb. 2003
  • eduroam member since the very beginning

  5. hrEdu radius/LDAP hierarchy
  [diagram: dial-up access (CMU) resource; user ID: user.realm; (Lucent Navis) proxy radius server(s) with a central LDAP server for backup; radius proxy service for home orgs X, Y, Z; ≈ 200 (170) home orgs, ≈ 180000 users; each home org runs a radius server and an LDAP server; SW: FreeRadius & OpenLDAP]

  6. Misusing the radius attributes
  • Use of radius in AA(A) process:
    • AuthN
    • AuthZ = AuthN + “few simple attributes”
  • We use:
    • Connect-Info → hrEduPersonExpireDate
    • Class → hrEduPersonUniqueID (hrEduPersonUniqueNumber)
    • Configuration-Token → hrEduPersonPrimaryAffiliation
  • but actually ... not good enough
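As an added example (not code from the presentation or the AAI@EduHr project), the Python below decodes the three overloaded reply attributes listed above from a constructed Access-Accept body and makes the “AuthZ = AuthN + few simple attributes” decision, failing closed when any attribute is missing or malformed. The YYYYMMDD date format, the realm homeorg.hr and the affiliation values are assumptions.

```python
from datetime import datetime

# RADIUS attribute type numbers (RFC 2865 / RFC 2869) that the hrEdu
# radius/LDAP hierarchy overloaded to carry hrEduPerson data in a reply
CLASS, CONNECT_INFO, CONFIGURATION_TOKEN = 25, 77, 78

def avp(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type | length | value (length covers the header)."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(payload: bytes) -> dict:
    """Decode the attribute list of a RADIUS packet body into {type: [values]}."""
    attrs, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, []).append(payload[pos + 2:pos + alen])
        pos += alen
    return attrs

def hredu_from_radius(attrs: dict) -> dict:
    """Map the overloaded reply attributes back to the hrEduPerson fields they carry."""
    def first(atype):
        return attrs[atype][0].decode("ascii") if atype in attrs else None
    return {
        "hrEduPersonUniqueID": first(CLASS),
        "hrEduPersonExpireDate": first(CONNECT_INFO),  # assumed YYYYMMDD
        "hrEduPersonPrimaryAffiliation": first(CONFIGURATION_TOKEN),
    }

def authorize(person: dict, allowed_affiliations: set, today: str) -> bool:
    """AuthZ = AuthN + a few attributes; fails closed if any is missing or malformed."""
    if not all(person.values()):
        return False
    try:
        expires = datetime.strptime(person["hrEduPersonExpireDate"], "%Y%m%d")
        now = datetime.strptime(today, "%Y%m%d")
    except ValueError:
        return False
    return now <= expires and person["hrEduPersonPrimaryAffiliation"] in allowed_affiliations

# Constructed sample Access-Accept body (not captured traffic); the realm is hypothetical
SAMPLE_ACCEPT = (avp(CLASS, b"user@homeorg.hr")
                 + avp(CONNECT_INFO, b"20061231")
                 + avp(CONFIGURATION_TOKEN, b"student"))
```

Calling `authorize(hredu_from_radius(parse_attributes(SAMPLE_ACCEPT)), {"student", "staff"}, "20060301")` returns True, while an expired date or an affiliation outside the allowed set returns False.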

  7. Project AAI@EduHr
  • raising demands (network access & applications)
  • Radius/LDAP hierarchy is not good enough
  • project started in May 2004
  • main goals:
    • define HrEdu schema(s)
    • set up IdPs
    • set up the AAI for EduHr
  • Shibboleth was found as too complex
  • idea: add AAI flavour to the existing radius/LDAP infrastructure
  • http://www.aaiedu.hr/

  8. hrEdu hierarchy evolved
  [diagram: resources now include dial-up access (CMU), StuDOM (8149 “student beds” connected), wireless/wired access (Srce, CARNet, ...), eduroam (http://www.eduroam.org) and UNIX/Linux PAM; user ID changed from user.realm to user@realm.hr; (Lucent Navis) proxy radius server(s) with a central LDAP server for backup; (radius) proxy service for home orgs X, Y, Z; ≈ 200 (170) home orgs, ≈ 180000 users; each home org runs a radius server and an LDAP server; SW: FreeRadius & OpenLDAP]

  9. hrEdu schemas
  • hrEduPerson
  • hrEduOrg
  • registry: http://schema.aaiedu.hr
  • transition/migration from earlier versions
    • all LDAPs at the same version since Feb. 2006
  • more work to do: harmonisation (with SCHAC, ...)

  10. AOSI – adding AAI flavour
  • AOSI is:
    • an application for maintaining the content of the LDAP directory
    • an access tool for LDAP (e.g. local AAI component)
  • AOSI has two parts:
    • web service (core AOSI)
    • client application (“only” proof of concept; any other client can be used locally)
  • FWS/HLS = central (AOSI) service
  • AOSI → “ShibLite”

  11. AOSI System
  [diagram: in the home org, the AOSI-WS sits in front of the LDAP directory; it receives schema (XML), codes, ... (XML) and data (XML) from AAI@EduHr; the AOSI client provides user access and administrator access]

  12. AOSI System (2)
  [diagram: as on the previous slide, with PHP, .Net and Java client platforms talking to the AOSI-WS]

  13. FWS in AAI@EduHr
  [diagram: an application at Organization A receives user@realm; the Federation WS holds the “routing” information that leads to the AOSI and directory at Organization B]

  14. HLS in AAI@EduHr
  [diagram: as on the previous slide, with HLS in the role of the central service: application at Organization A, user@realm, Federation WS “routing” information, AOSI and directory at Organization B]

  15. AOSI WS and FWS
  • Currently based on Perl; FWS to be implemented in Java
  • Local AOSI WS:
    • Local service is described in http://ldaphost.homeorg.hr/aosi/aosi.wsdl
    • Generally runs at https://ldaphost.homeorg.hr:1443/AOSI
  • Client platforms working with service:
    • Perl
    • PHP
    • .Net
    • Java
  • FWS/HLS:
    • Based on AOSI
    • http://www.aaiedu.hr/fws/fws.wsdl
  • Documentation:
    • http://www.aaiedu.hr/aosi/aosi_wsdl.html
    • http://www.aaiedu.hr/fws/fws_wsdl.html

  16. AAI@EduHr today
  [diagram: resource (AAI component) → home org (AAI component: FreeRadius, AOSI WS) → directory (OpenLDAP); entry point: central AAI@EduHr services (proxy, FWS/HLS, ...); 197 (166) home orgs; user: uid@realm.hr]

  17. AAI@EduHr in real life
  • in full operation since Feb. 2006
  • basic monitoring (http://www.aaiedu.hr/status_li.php)
  • 197 Home organisations (IdPs)
  • number of services:
    • Network access: dial-up, wireless & wired (eduroam, 802.1x)
      • www.eduroam.hr (fully operational by the end of April)
    • Application access: Web-based applications, WebCT, Moodle, ...

  18. PAP to EAP/TTLS Bridge
  • Improving security
  • multithreaded UDP server
  • based on TinyRadius Radius server API (http://tinyradius.sourceforge.net/) and eapol_test (http://hostap.epitest.fi/)
  • works on Linux (we still work on Solaris version)

  19. PAP → EAP/TTLS
  [diagram: the bridge converts PAP to EAP/TTLS and back: NAS → Radius proxy (PAP) → Bridge → Radius (EAP/TTLS)]

  20. An example: CARNet mobile service
  [diagram: XYZ client → XYZ APN → Mobile CARNet AAA (Mobile CARNet radius server, Mobile AAA DB) → CARNet AAI@EduHr radius proxy → Home org. RADIUS server → LDAP dir.; user: uid@realm.hr]

  21. An example: CARNet mobile service (2)
  [diagram: HTTP client → Mobile CARNet Web → Mobile CARNet AAA (Mobile CARNet radius server, Mobile AAA DB) → CARNet AAI@EduHr radius proxy / FWS/HLS → Home org. RADIUS server → LDAP dir.; user: uid@realm.hr]

  22. Future work
  • become a “real” federation (policies, policies, ...)
  • central (vs. local) login page in production
  • resource registry (based on SWITCH solution)
  • certificates for services from TERENA SCS (provided by CARNet)
  • improved monitoring
  • start “speaking” SAML
  • Add ARP functionality to AOSI
  • “Shib gateway” in production
  • interoperate with eduGAIN
  • SSO
  • PKI@EduHr? (SX project)

  23. AAI@EduHr
  http://www.aaiedu.hr/
  team@aaiedu.hr
  aosi@aaiedu.hr
