eduroam – Roam In a Day. Louis Twomey, HEAnet Limited. HEAnet Conference 2006, 9th November 2006.

Page 1:

eduroam – Roam In a Day

Louis Twomey, HEAnet Limited

HEAnet Conference 2006

9th November, 2006

Page 2:

The issue: Roaming users need Internet access

• Grief for roaming users:
  – Need to arrange/agree network access in advance.
  – Need to remember temporary account details.

• Grief for visited sites:
  – Create temporary/guest accounts (management overhead, security concerns, etc.).
  – Users accessing resources may be effectively anonymous.

Page 3:

A solution: eduroam

• Formalised approach to educational roaming.
• Uses existing user accounts and authentication mechanisms:
  – Users don't have to remember details of another account.
  – No need for temporary/guest accounts at visited sites.
  – Users not anonymous (= more accountable).
• The eduroam infrastructure is based on mutual trust between sites.
• eduroam is a GN2 (Joint Research Activity 5) project.

Page 4:

eduroam maps

Page 5:

The national eduroam gateway

• Dell 2850 server with gigabit network interface, located on the network backbone (hosting facility at Servecentric).
• FreeRadius running on Debian Linux.
• Configured to communicate with the European gateways (operated by SURFnet).
• Configured to communicate with each Irish eduroam member institution.
• Installed and maintained by HEAnet.

Page 6:

Authentication elements

• 802.1X elements:
  – Supplicant: Software on the client device.
  – Authenticator: Wireless AP.
  – Authentication Server: The home Radius server.
• Realm: The domain portion of the username (the part after the '@').
• Resource Provider: Visited site.
• Identity Provider: Home institution.

Page 7:

Authentication architecture

Page 8:

How do I join?

• Integrate local authentication server into the Irish eduroam infrastructure.
  – Facilitates your roaming users at other eduroam sites.
• Implement wireless LAN access at your site for roaming users.
  – Facilitates visiting eduroam users at your site.

Page 9:

Integrate authentication server into eduroam

• Register your Radius server with the national gateway.
• The Radius server may be an existing authentication server or a new server which proxies to it.
• Consider where the server sits within the local network topology.
• Should install a public SSL certificate on the Radius server.
• Maintain accounting logs of own user sessions.
• Radius server options: FreeRadius, Radiator, Cisco ACS Server, etc.
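The "Authentication elements" slide and the integration steps above describe a server that looks at the realm of each User-Name and either authenticates the user itself (home realm) or forwards the request to the national gateway (any other realm). The following Python is an added example of that routing decision; it is not HEAnet's or FreeRADIUS's code, and the local realm names, the gateway host name and the hop limit are constructed assumptions.

```python
# Added example (not HEAnet's or FreeRADIUS's code): the realm-based routing
# decision an institutional RADIUS server makes for each Access-Request.
# Realm names, gateway host and hop limit below are constructed placeholders.
from dataclasses import dataclass
from typing import Optional, Tuple

# Realms this institution is the Identity Provider for (constructed).
LOCAL_REALMS = {"example.ie", "student.example.ie"}
# National gateway this server is registered with (placeholder host name).
NATIONAL_GATEWAY = "eduroam-gw.example.net"
# Each proxy hop adds a Proxy-State attribute to the request, so their count
# is the hop count; refusing large counts stops a misconfigured routing loop.
MAX_PROXY_HOPS = 4


@dataclass(frozen=True)
class Decision:
    action: str            # "local", "proxy" or "reject"
    realm: Optional[str]   # normalised realm, None if there was none
    reason: str


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Split a User-Name of the form user@realm into (user, realm).

    The realm is the text after the *last* '@' (the user part may itself
    contain '@'), lower-cased because DNS-style realm names are
    case-insensitive.  A name without '@' or with an empty realm has none.
    """
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, None
    return user, realm.lower() or None


def route(user_name: str, proxy_state_count: int = 0) -> Decision:
    """Decide to authenticate locally, forward to the national gateway, or
    reject.  Only the realm is consulted: with EAP the outer identity is
    typically 'anonymous@realm', and the real user name travels inside the
    TLS tunnel that only the home server can open."""
    if proxy_state_count > MAX_PROXY_HOPS:
        return Decision("reject", None, "too many proxy hops (possible routing loop)")
    _user, realm = split_realm(user_name)
    if realm is None:
        return Decision("reject", None, "no realm: home institution cannot be located")
    if realm in LOCAL_REALMS:
        return Decision("local", realm, "home realm: authenticate against local directory")
    return Decision("proxy", realm, "foreign realm: forward to " + NATIONAL_GATEWAY)


if __name__ == "__main__":
    # Constructed sample identities as they might arrive at the server.
    for name in ("alice@example.ie", "anonymous@surfnet.nl", "bob", "user@Example.IE"):
        d = route(name)
        print("%-22s -> %-6s %s" % (name, d.action, d.reason))
```

The visited site never learns the user's password or inner identity; it only needs the realm to choose between "mine" and "forward", which is why the slides can say users remain accountable without the visited site holding any account for them.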

Page 10:

Implement wireless LAN

• Wireless APs must support 802.1X.
• Web redirect and VPN access are deprecated.
• SSID should be 'eduroam'.
• Can provide the eduroam service via an existing wireless access network (multiple SSIDs and a VLAN per SSID).
• Define a policy for user access.
• Maintain accounting logs of visiting user sessions.

Page 11:

Sample site architectures

Page 12:

Security

• Radius server
  – Secret key shared with the national gateway.
  – Restrict access to the local Radius server (harden OS, ACLs, firewall, monitoring, etc.).

• Wireless LAN
  – 802.1X (restricts layer 2 access to wireless APs).
  – EAP ("hides" user authentication details from all but the supplicant and the authenticating server).
  – TLS/TTLS (SSL certificate on the server, and potentially on clients too).
  – Authentication can be via password, token, client certificate, etc.
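To show what the "secret key shared with the national gateway" actually protects, here is an added Python example; it is not code from the talk, from HEAnet or from any RADIUS implementation. It builds an Access-Request carrying an RFC 3579 Message-Authenticator (HMAC-MD5 under the shared secret, which a server must check when EAP is carried) and an Access-Accept carrying an RFC 2865 Response Authenticator (MD5 over the reply, the Request Authenticator and the secret), and verifies both. The secret, identifier and user name are constructed sample values.

```python
# Added example (not HEAnet's or any RADIUS implementation's code): how the
# shared secret authenticates RADIUS packets between a site server and the
# national gateway.  Secret and user name are constructed sample values.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def attr(atype: int, value: bytes) -> bytes:
    """Encode one type-length-value attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def iter_attrs(packet: bytes):
    """Yield (type, offset, length) per attribute, refusing malformed lengths
    so a hostile packet cannot make the loop spin or over-read."""
    off = HEADER_LEN
    while off + 2 <= len(packet):
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % off)
        yield atype, off, alen
        off += alen


def build_access_request(secret: bytes, ident: int, user_name: str) -> bytes:
    """Access-Request with a Message-Authenticator: HMAC-MD5 under the shared
    secret over the whole packet, computed with the attribute value zeroed."""
    request_auth = os.urandom(16)  # fresh, unpredictable Request Authenticator
    attrs = attr(USER_NAME, user_name.encode()) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    packet = header + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    off = next(o for t, o, _ in iter_attrs(packet) if t == MESSAGE_AUTHENTICATOR)
    return packet[: off + 2] + mac + packet[off + 18 :]


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """True iff the packet carries a Message-Authenticator valid under secret."""
    for atype, off, alen in iter_attrs(packet):
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return False
            zeroed = packet[: off + 2] + bytes(16) + packet[off + 18 :]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[off + 2 : off + 18])
    return False  # absent: an EAP-carrying request without it is rejected


def build_access_accept(secret: bytes, request: bytes, attrs: bytes = b"") -> bytes:
    """Reply to request; the Response Authenticator is MD5 over the reply
    header, the Request Authenticator, the reply attributes and the secret."""
    ident, request_auth = request[1], request[4:20]
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret: bytes, request_auth: bytes, reply: bytes) -> bool:
    """True iff reply was produced by a peer holding secret, in answer to the
    request whose Request Authenticator is request_auth."""
    if len(reply) < HEADER_LEN:
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_access_request(secret, 7, "anonymous@example.ie")
    acc = build_access_accept(secret, req)
    print("request MAC ok:", verify_message_authenticator(secret, req))
    print("reply auth ok: ", verify_response(secret, req[4:20], acc))
    print("wrong secret:  ", verify_response(b"other", req[4:20], acc))
```

Both checks are MD5-based and only as strong as the secret and the network path between the peers, which is why the slide also lists hardening and access restriction for the Radius server, and why the "Future directions" slide lists RadSec (RADIUS over TLS) as a successor transport.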

Page 13:

Requirements on client device

• Device may be a laptop, mobile phone, PDA, etc.
• Client software must support 802.1X.
• Client software must support the cipher in use at the visited site.
• Examples of clients:
  – WinXP wireless client
  – MacOS wireless client
  – wpa_supplicant (Linux, BSD, Windows)
  – SecureW2 (EAP-TTLS client)

Page 14:

Future directions for eduroam

• Current model is inflexible and doesn't scale well.
• Desirable features:
  – Peer discovery (DNS, DNSSEC).
  – Trust establishment (PKI, DNSSEC).
• Various technologies: DIAMETER, RadSec, etc.
• eduroam-NG (eduroam Next Generation).
• Possible integration with eduGAIN (European AAI).

Page 15:

Other resources

• www.eduroam.ie
  – Info for Irish sites.
• www.eduroam.org
  – Info on the eduroam project as a whole.
• www.eduroam.edu.au
  – Info on the Australian implementation, with some useful documentation relevant to any eduroam site.
• [email protected]
  – Mailing list for HEAnet clients' technical staff.