230 likes | 364 Views
Future developments in eduroam. Klaas Wierenga TERENA offices, 11th July 2007. Intro eduroam The European eduroam confederation More robustness Integration with other federations Summary. Contents. eduroam. “open your laptop and be online” or
E N D
Future developments in eduroam Klaas Wierenga TERENA offices, 11th July 2007
Intro eduroam The European eduroam confederation More robustness Integration with other federations Summary Contents
“open your laptop and be online” or To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world enabling seamless sharing of network resources The goal of eduroam
eduroam Supplicant Authenticator (AP or switch) RADIUS server University A RADIUS server University B User DB User DB Guest piet@university_b.nl SURFnet Commercial VLAN Employee VLAN Central RADIUS Proxy server Student VLAN • Trust based on RADIUS plus policy documents • 802.1X • (VLAN assigment) signalling data
(virtual) eduroam root . . . . European root APAN root (America’s root) .nl .au .edu . . . .ac.uk . . . . . . .jp .us .dk .pt .es Eduroam hierarchy • Issues: • Legal / Policy • Robustness / Security • Static routing based on realm parsing • Credentials pass through intermediate systems • Transitive trust based on shared secrets • Dead peers hard to detect • Authorisation
Enable the sharing of educational resources Network eduroam Applications Shibboleth, PAPI, A-Select, Liberty Federated with eduGAIN Require agreement on: Responsibilities Privacy Liability Technology Language Standards Federations in European education
Regions have their own stage of development and pace Regions have their own regional policies (with delegation to national federations) Policies will be aligned as much as possible eduroam confederations
Mutual access Home institutions are/remain responsible for their users abroad Members are European NRENs Members guarantee required security levels by their participants Members promote eduroam in their countries European eduroam may peer with other regions Set of technical recommendations (SSID!) 802.1X Implemented by the eduroam service activity in Géant2 Contains hooks to national policies The European eduroam policy
Radius packet format Transport: TCP (or SCTP) Encryption: TLS (optional) TLS => PKI DNSROAM combines RadSec with DNS for dynamically locating the peer RadSec RFC is being worked on RadSec/DNSROAM
Fully hierarchical • First mixed mode • Later DNSROAM?
The eduGAIN model Metadata Query MDS Metadata Publish Metadata Publish R-FPP H-FPP R-BE H-BE AA Interaction AA Interaction AA Interaction Resource(s) Id Repository(ies) Lingua Franca: SAML
Deploying Authorization Mechanisms for Federated Services in eduroam DAME is a project that builds upon: eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard, Shibboleth and eduGAIN NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) standards. DAMe
Supplicant Authenticator (AP or switch) RADIUS server University A RADIUS server University B User DB User DB eduroam Central RADIUS Proxy server 1st: Extension of eduroam with authZ Policy Decision Point Source Attribute Authority XACML Gast piet@university_b.nl • User mobility controlled by assertions and policies expressed in SAML and XACML Signaling data SAML
2nd: eduGAIN AuthN+AuthZ backend • Link between the AAA servers (now acting as Service Providers) and eduGAIN
3d: Universal Single Sign On • Users will be authenticated once, during the network access control phase • The eduGAIN authentication would be bootstrapped from the NAS-SAML • New method for delivering authentication credentials and new security middleware • 4th goal: integrating applications, focusing on grids.
The proposal is functionally equivalent to the one discussed in SALSA-FWNA for RADIUS-SAML integration Compatibility and convergence are the natural way forward NAS-SAML is From the inter-realm view, a Diameter binding for SAML Already available, thus allowing for fast evaluation of ideas Agree in the basics Data exchanged in RADIUS space Relevant attributes eduroam+NAS-SAML in Context
Educational federations are happening And suffering their first growing pains Getting more robust RADSec Convergence to (small number of) standards 802.1X+ RADIUS The SAML orbit International confederations are emerging eduroam Géant2 AAI (eduGAIN) The twain will ever meet Using the same principles and standards Summary
More info: Klaas.Wierenga@surfnet.nl Thank you!