eduroam: a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 <miro@srce.hr> NORDUnet 2008, Espoo, Finland
Contents • Roaming activity in GEANT2 (JRA5, SA5) • eduroam technology • eduroam service • organisation • infrastructure elements • supporting elements • Current status and plans
GEANT2 & roaming • JRA5: Roaming and Authorisation • How to organise access to resources in the research and education area in a sufficiently safe and easy-to-handle way? • activities: roaming (eduroam), AAI (eduGAIN), uSSO • JRA5 roaming vision: to build a roaming infrastructure enabling full mobility of members of the scientific community in Europe • SA5: eduroam service activity • continue on JRA5 results in order to build and maintain a reliable European eduroam service • provide: "open your laptop and be online"
Federations • Federations enable sharing of resources (synergy effects; joining a federation instead of many bilateral agreements) • A federation is constituted by a set of agreements between members (peers) • In a federation (agreement) there needs to be a common set of rules (organisational and technical) • Federations can be part of bigger federations • Federations can be interconnected • Confederation = federation of federations (federating principles applied to federations themselves)
Roaming requirements • Identify users uniquely at the edge of the network • Enable guest usage • Scalable • local user administration and authentication • Easy to install and use • at the most one-time installation by the user • Open • Secure
eduroam technology • Security based on 802.1X • Integration with VLAN assignment • Protection of credentials • Authentication based on EAP • Different authentication mechanisms possible by using EAP (Extensible Authentication Protocol) • Roaming based on RADIUS proxying • Remote Authentication Dial In User Service • Transport protocol for authentication information; requests are forwarded according to the realm part of the user name (user@realm) • Trust fabric based on: • Technical: RADIUS hierarchy • Policy: documents/contracts that define the responsibilities of user, institution, NREN and the respective federation
Connect. Communicate. Collaborate eduroam architecture: ubiquitous network access (figure) • Components shown: supplicant (user joe@university_b.hr), authenticator (AP or switch), RADIUS server and user DB at University A (visited), RADIUS server and user DB at University B (home), central RADIUS proxy server, VLANs (Employee VLAN, Student VLAN, XYZnet Commercial VLAN) • Trust: RADIUS & policy documents • 802.1X + EAP • (VLAN assignment) • Signalling path vs data path
eduroam confederation: RADIUS hierarchy (figure)
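The realm-based forwarding that the hierarchy relies on, as an added example (not code from the eduroam project or from these slides): a small Python model of institution, FLRS and TLRS servers that decides, for each RADIUS Access-Request, whether the realm in the User-Name is authenticated locally, forwarded down to a known child, forwarded up to the parent, or rejected. The server names, the country assignments and every realm other than joe@university_b.hr (taken from the architecture slide) are constructed for the example; the RADIUS wire protocol itself is not modelled.

```python
"""Realm-based forwarding decisions in the eduroam RADIUS hierarchy.

Added example; models only the routing decision, not the RADIUS wire protocol.
Server names and realms are constructed (joe@university_b.hr is taken from the slides).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class RadiusServer:
    name: str
    level: str                                              # "institution", "flrs" or "tlrs"
    local_realms: Set[str] = field(default_factory=set)     # realms this server authenticates itself
    parent: Optional[str] = None                            # next hop upward in the hierarchy
    children: Dict[str, str] = field(default_factory=dict)  # realm suffix -> server name (downward)


def split_nai(user_name: str) -> Optional[Tuple[str, str]]:
    """Split a Network Access Identifier 'user@realm'; realms compare case-insensitively."""
    if user_name.count("@") != 1:
        return None
    user, realm = user_name.split("@")
    if not user or not realm:
        return None
    return user, realm.lower()


def next_hop(server: RadiusServer, user_name: str) -> Tuple[str, str]:
    """Return ("authenticate", server) | ("forward", next server) | ("reject", reason)."""
    parsed = split_nai(user_name)
    if parsed is None:
        # A request without a usable realm must never be proxied: nobody could answer it
        # and it would only wander around the hierarchy. Reject at the first server.
        return "reject", "missing or malformed realm"
    _, realm = parsed
    if realm in server.local_realms:
        return "authenticate", server.name                  # authentication at home
    # Downward: the most specific matching child suffix wins ("university_b.hr" before "hr")
    for suffix, child in sorted(server.children.items(), key=lambda kv: -len(kv[0])):
        if realm == suffix or realm.endswith("." + suffix):
            return "forward", child
    if server.parent is not None:
        return "forward", server.parent                     # unknown here: escalate upward
    return "reject", "realm not in the confederation"       # top level and still unknown


def trace_route(servers: Dict[str, RadiusServer], start: str, user_name: str,
                max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow next_hop() from the visited institution; the hop limit catches routing loops."""
    hops, current = [start], start
    for _ in range(max_hops):
        action, target = next_hop(servers[current], user_name)
        if action != "forward":
            return action, hops
        hops.append(target)
        current = target
    return "reject", hops                                   # hop limit exceeded: treat as a loop


# Constructed confederation: a Finnish visited institution and a Croatian home institution.
SERVERS = {s.name: s for s in [
    RadiusServer("univ-a", "institution", {"university-a.fi"}, parent="flrs-fi"),
    RadiusServer("flrs-fi", "flrs", parent="tlrs-eu", children={"university-a.fi": "univ-a"}),
    RadiusServer("tlrs-eu", "tlrs", children={"fi": "flrs-fi", "hr": "flrs-hr"}),
    RadiusServer("flrs-hr", "flrs", parent="tlrs-eu", children={"university_b.hr": "univ-b"}),
    RadiusServer("univ-b", "institution", {"university_b.hr"}, parent="flrs-hr"),
]}

if __name__ == "__main__":
    for name in ("joe@university_b.hr", "joe@university-a.fi", "joe", "joe@example.com", "joe@unknown.hr"):
        print(name, trace_route(SERVERS, "univ-a", name))
```

The last trace shows the classic failure mode: an FLRS that escalates an unknown realm under its own top-level domain gets the request straight back from the TLRS, and only the hop limit stops the ping-pong. A national server should reject unknown realms in its own TLD rather than forward them upward; the example leaves that out so the loop is visible.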
eduroam goes global http://www.eduroam.org
(European) eduroam service • eduroam user experience: “open your laptop and be online” • To provide secure network access inside the confederation boundaries (to the end users) • eduroam is a secure international roaming service for members of the European eduroam confederation (a confederation of autonomous roaming services) • First steps in transition to service: • Service Definition and Implementation Plan • Policy
European eduroam confederation principles • Members are European NRENs/NROs • Members sign the European eduroam policy, committing to the organisational and technical requirements • Mutual access, no fees • Authentication at home, authorisation at the visited institution • Home institutions are/remain responsible for their users abroad • Members promote eduroam in their countries • European eduroam may peer with other regions (confederation level)
Confederated eduroam service • Encompasses all the elements necessary to support the Service • confederation infrastructure • establishing trust between the member federations • monitoring and diagnostic facilities • central data repository (eduroam database) • confederation level user support
eduroam service model (figure) • eduroam service (governed by SA5) • eduroam confederation service (provided by the OT) • national eduroam services (each provided by an NREN/NRO)
eduroam service elements • Technology infrastructure • Supporting infrastructure • monitoring and diagnostics • eduroam web site (http://www.eduroam.org) • eduroam database • trouble ticketing system (TTS) • mailing lists
Monitoring: problem definition • Monitor functionality of the eduroam infrastructure • servers • infrastructure • user experience • It is not enough to know that a host is reachable • Ultimate goal is to test the real user experience • RADIUS servers follow (very) different workflows for Accept and Reject • therefore perform both an accept logic test and a reject logic test
Monitoring: concept • The monitoring client is a RADIUS client capable of sending various types of RADIUS request (PAP, EAP, …) • The RADIUS proxy server is the monitored server • The IdP RADIUS server is the server that issues the response, thus acting as a loop-back server. Its function is to close the tunnel and create a standard, well-formed response with the specified content. This function may also be realised on the monitored server (the RADIUS proxy server)
Monitoring: process • The monitoring process is performed in two steps: a REJECT test and an ACCEPT test • Both steps include: • Monitoring client creates RADIUS attributes specific to the monitoring purpose • Monitoring client creates a RADIUS request based on the selected AuthN type (now EAP/TTLS) • Monitoring client sends the RADIUS request and starts measuring the response time • Monitored RADIUS proxy server handles the request and sends back the response • Monitoring client evaluates the received response and updates the database • The monitored server is marked OK only if it passes both test steps • Monitored data, saved in the database: • is the monitoring request accepted by the RADIUS proxy server? (yes/no) • is the request properly routed? (currently to eduroam.<tld>) • type of RADIUS request (currently only EAP/TTLS) • is the response well-formed (equal to expectations)? • response time
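The two-step probe described above, as an added example that is not the eduroam monitoring code: a Python RADIUS client that builds an Access-Request per RFC 2865, sends it, times the reply, checks the Response Authenticator under the shared secret, and marks the server OK only when both the REJECT and the ACCEPT test behave as expected. To keep the whole exchange in one file it uses PAP (listed on the concept slide) instead of the EAP/TTLS the process slide names, and the monitored proxy with its loop-back IdP is simulated in-process; the shared secret, the concrete monitoring realm eduroam.hr (the slide says only eduroam.<tld>) and the test account are constructed.

```python
"""Accept/Reject probe against a RADIUS proxy, in the shape of the eduroam monitoring process.

Added example, not the eduroam monitoring code. PAP (RFC 2865) is used instead of EAP-TTLS so
the exchange fits in one file; the monitored proxy and its loop-back IdP are simulated.
The shared secret, the realm eduroam.hr and the test account are constructed.
"""
import hashlib
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
MONITOR_REALM = "eduroam.hr"                             # constructed instance of eduroam.<tld>
TEST_ACCOUNTS = {"monitor@" + MONITOR_REALM: "s3cret"}   # constructed loop-back account


def encode_attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value         # Type, Length (incl. header), Value


def decode_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def xor_password(text: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte chunks with MD5(secret + previous chunk)."""
    if hiding:
        text = text + b"\0" * (-len(text) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(text), 16):
        chunk = text[i:i + 16]
        res = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += res
        prev = res if hiding else chunk                   # chaining always uses the hidden chunk
    return out if hiding else out.rstrip(b"\0")


def build_packet(code: int, ident: int, authenticator: bytes, body: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code: int, ident: int, req_auth: bytes, body: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()


def simulated_proxy(packet: bytes, secret: bytes) -> Optional[bytes]:
    """Monitored proxy plus loop-back IdP: answers only requests routed to the monitoring realm."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None                                       # silently discard, as the RFC requires
    try:
        req_auth, attrs = packet[4:20], decode_attrs(packet[20:])
    except ValueError:
        return None
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    hidden = attrs.get(ATTR_USER_PASSWORD)
    accepted = False
    if user.endswith("@" + MONITOR_REALM) and hidden is not None:
        password = xor_password(hidden, secret, req_auth, hiding=False).decode(errors="replace")
        accepted = TEST_ACCOUNTS.get(user) == password
    code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, req_auth, b"", secret), b"")


@dataclass
class ProbeResult:
    expected: str
    got: str
    well_formed: bool
    rtt_ms: float

    @property
    def ok(self) -> bool:
        return self.well_formed and self.got == self.expected


def probe(send: Callable[[bytes], Optional[bytes]], user: str, password: str,
          secret: bytes, expected: str, ident: int) -> ProbeResult:
    req_auth = secrets.token_bytes(16)
    body = (encode_attr(ATTR_USER_NAME, user.encode())
            + encode_attr(ATTR_USER_PASSWORD, xor_password(password.encode(), secret, req_auth, hiding=True))
            + encode_attr(ATTR_NAS_IDENTIFIER, b"monitoring-client"))
    request = build_packet(ACCESS_REQUEST, ident, req_auth, body)
    t0 = time.perf_counter()
    reply = send(request)
    rtt_ms = (time.perf_counter() - t0) * 1000.0
    if reply is None or len(reply) < 20:
        return ProbeResult(expected, "no response", False, rtt_ms)
    code, rid, length = struct.unpack("!BBH", reply[:4])
    # Well-formed: same identifier, consistent length, and a Response Authenticator that verifies
    # under our shared secret (a reply from the wrong peer or with the wrong secret fails here).
    well_formed = (rid == ident and length == len(reply)
                   and reply[4:20] == response_authenticator(code, rid, req_auth, reply[20:], secret))
    got = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "code %d" % code)
    return ProbeResult(expected, got, well_formed, rtt_ms)


def run_monitoring(send: Callable[[bytes], Optional[bytes]], secret: bytes) -> Tuple[str, Dict[str, ProbeResult]]:
    """REJECT test, then ACCEPT test; the monitored server is OK only if both pass."""
    user = "monitor@" + MONITOR_REALM
    results = {"reject": probe(send, user, "not-the-password", secret, "reject", ident=1),
               "accept": probe(send, user, TEST_ACCOUNTS[user], secret, "accept", ident=2)}
    return ("OK" if all(r.ok for r in results.values()) else "FAIL"), results


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    status, results = run_monitoring(lambda pkt: simulated_proxy(pkt, SECRET), SECRET)
    print(status, {k: (r.got, r.well_formed, round(r.rtt_ms, 3)) for k, r in results.items()})
```

Two things to take from the probe: a reply that is an Access-Accept but fails the Response Authenticator check is still a failed test, because the server evidently is not the peer we share a secret with; and the MD5/XOR password hiding shown here is all that plain RADIUS offers on the wire, which is why eduroam carries the real credentials inside an EAP tunnel (EAP-TTLS on the process slide) rather than as PAP across the proxy chain. Against a real proxy, send() would be a UDP exchange on port 1812 with a timeout, with the per-peer shared secret taking the place of SECRET.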
Monitoring servers (figure): monitoring client, monitoring database, a TLRS and an FLRS
Monitoring infrastructure (figure): monitoring client, monitoring database, several TLRS(s) and FLRS(s)
Testing on demand (figure): monitoring client, monitoring database, TLRS(s), and the FLRS(s) of realm A and realm B
eduroam database • The information stored in the eduroam database includes: • NRO representatives and respective contacts • Local-institutions (both SP and IdP) official contacts • Information about eduroam hot spots (SP location, technical info) • Monitoring information • Information about the usage of the service • NROs: • should provide respective data (general and usage data) • in the defined XML format available at the specified URL address • should be accessible only from the eduroam database server
User support: problem escalation scenario (1) (figure) • Actors: user; local institution admin and federation-level admin in the visited federation; local institution admin and federation-level admin in the home federation; OT • Escalation steps 1 to 4 shown in the figure, starting from the user at the local institution admin
User support: problem escalation scenario (2) (figure) • Same actors as scenario (1) • Escalation steps 1 to 6 shown in the figure, with step 4 split into 4a and 4b via the OT
Implementation plan (figure) • Timeline: Sep07 (M37), Dec07 (M40), Jan08 (M41), Feb08 (M42), Mar08 (M43), Apr08 (M44), Aug08 (M48), Feb09 (M54) • Tracks: service definition & policy, monitoring, web site, TTS, eduroam database
eduroam current status: connected to the TLRSs • 33 countries • 2 TLRSs
eduroam current status: monitored TLRS/FLRS • monitoring service is in place • will be publicly available via www.eduroam.org (end of April 2008) • further development is planned
eduroam current status: demographics/user maps • demographics info: • number of SPs and IdPs • location of SPs • usage • coverage • contacts • user-oriented maps • based on the eduroam database • will be publicly available via www.eduroam.org (end of April 2008) • further development is planned