1 / 23

Future developments in eduroam

Future developments in eduroam. Klaas Wierenga TERENA offices, 11th July 2007. Intro eduroam The European eduroam confederation More robustness Integration with other federations Summary. Contents. eduroam. “open your laptop and be online” or

vashon
Download Presentation

Future developments in eduroam

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Future developments in eduroam Klaas Wierenga TERENA offices, 11th July 2007

  2. Intro eduroam The European eduroam confederation More robustness Integration with other federations Summary Contents

  3. eduroam

  4. “open your laptop and be online” or To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world enabling seamless sharing of network resources The goal of eduroam

  5. eduroam Supplicant Authenticator (AP or switch) RADIUS server University A RADIUS server University B User DB User DB Guest piet@university_b.nl SURFnet Commercial VLAN Employee VLAN Central RADIUS Proxy server Student VLAN • Trust based on RADIUS plus policy documents • 802.1X • (VLAN assigment) signalling data

  6. (virtual) eduroam root . . . . European root APAN root (America’s root) .nl .au .edu . . . .ac.uk . . . . . . .jp .us .dk .pt .es Eduroam hierarchy • Issues: • Legal / Policy • Robustness / Security • Static routing based on realm parsing • Credentials pass through intermediate systems • Transitive trust based on shared secrets • Dead peers hard to detect • Authorisation

  7. The European eduroam confederation

  8. Enable the sharing of educational resources Network eduroam Applications Shibboleth, PAPI, A-Select, Liberty Federated with eduGAIN Require agreement on: Responsibilities Privacy Liability Technology Language Standards Federations in European education

  9. Regions have their own stage of development and pace Regions have their own regional policies (with delegation to national federations) Policies will be aligned as much as possible eduroam confederations

  10. Mutual access Home institutions are/remain responsible for their users abroad Members are European NRENs Members guarantee required security levels by their participants Members promote eduroam in their countries European eduroam may peer with other regions Set of technical recommendations (SSID!) 802.1X Implemented by the eduroam service activity in Géant2 Contains hooks to national policies The European eduroam policy

  11. Robustness and security

  12. Radius packet format Transport: TCP (or SCTP) Encryption: TLS (optional) TLS => PKI DNSROAM combines RadSec with DNS for dynamically locating the peer RadSec RFC is being worked on RadSec/DNSROAM

  13. Fully hierarchical • First mixed mode • Later DNSROAM?

  14. Integration with eduGAIN

  15. The eduGAIN model Metadata Query MDS Metadata Publish Metadata Publish R-FPP H-FPP R-BE H-BE AA Interaction AA Interaction AA Interaction Resource(s) Id Repository(ies) Lingua Franca: SAML

  16. Deploying Authorization Mechanisms for Federated Services in eduroam DAME is a project that builds upon: eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard, Shibboleth and eduGAIN NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) standards. DAMe

  17. Supplicant Authenticator (AP or switch) RADIUS server University A RADIUS server University B User DB User DB eduroam Central RADIUS Proxy server 1st: Extension of eduroam with authZ Policy Decision Point Source Attribute Authority XACML Gast piet@university_b.nl • User mobility controlled by assertions and policies expressed in SAML and XACML Signaling data SAML

  18. 2nd: eduGAIN AuthN+AuthZ backend • Link between the AAA servers (now acting as Service Providers) and eduGAIN

  19. 3d: Universal Single Sign On • Users will be authenticated once, during the network access control phase • The eduGAIN authentication would be bootstrapped from the NAS-SAML • New method for delivering authentication credentials and new security middleware • 4th goal: integrating applications, focusing on grids.

  20. The proposal is functionally equivalent to the one discussed in SALSA-FWNA for RADIUS-SAML integration Compatibility and convergence are the natural way forward NAS-SAML is From the inter-realm view, a Diameter binding for SAML Already available, thus allowing for fast evaluation of ideas Agree in the basics Data exchanged in RADIUS space Relevant attributes eduroam+NAS-SAML in Context

  21. Summary

  22. Educational federations are happening And suffering their first growing pains Getting more robust RADSec Convergence to (small number of) standards 802.1X+ RADIUS The SAML orbit International confederations are emerging eduroam Géant2 AAI (eduGAIN) The twain will ever meet Using the same principles and standards Summary

  23. More info: Klaas.Wierenga@surfnet.nl Thank you!

More Related