Connect. Communicate. Collaborate

eduroam: a managed European service

Miroslav Milinović, Srce, Zagreb, Croatiaeduroam SA, GÉANT2 <miro@srce.hr>

NORDUnet 2008, Espoo, Finland

Connect. Communicate. CollaborateContents

• Roaming acitivity in GEANT2 (JRA5, SA5) • eduroam technology• eduroam service

– organisation– infrastructure elements– supporting elements

• Current status and plans

Connect. Communicate. CollaborateGEANT2 & roaming

• JRA5: Roaming and Authorisation – How to organise access to resources in the research and

education area in a sufficiently safe and easy to handle way?– activities: roaming (eduroam), AAI (eduGAIN), uSSO– JRA5 roaming vision: To build a roaming infrastructure enabling

full mobility of members of the scientific community in Europe

• SA5: eduroam service activity– continue on JRA5 results in order to build and maintain reliable

European eduroam service– provide: “open your laptop and be online”

Connect. Communicate. CollaborateFederations

• Federations enable sharing of resources(synergy effects, joining a federation instead of many bilateral agreements)

• A federation is constituted by a set of agreements between members (peers)

• In a federation (agreement) there needs to be a common set of rules (organisational and technical)

• Federations can be part of bigger federations

• Federations can be interconnected

• Confederation = federation of federations(federating principles applied to federations themselves)

Connect. Communicate. CollaborateRoaming requirements

• Identify users uniquely at the edge of the network

• Enable guest usage

• Scalable– local user administration and authentication

• Easy to install and use– at the most one-time installation by the user

• Open

• Secure

Connect. Communicate. Collaborateeduroam technology• Security based on 802.1X

– Integration with VLAN assignment– Protection of credentials

• Authentication based on EAP– Different authentication mechanisms possible by using EAP

(Extensible Authentication Protocol)

• Roaming based on RADIUS proxying– Remote Authentication Dial In User Service– Transport-protocol for authentication information

• Trust fabric based on:– Technical: RADIUS hierarchy– Policy: Documents/contracts that define the responsibilities of user,

institution, NREN and the respective federation

Connect. Communicate. CollaborateConnect. Communicate. Collaborate

RADIUS server

University B

RADIUS server

University A

XYZnet

Central RADIUS

Proxy server

Authenticator

(AP or switch) User DB

User DB

Supplicant

user

joe@university_b.hr

StudentVLAN

CommercialVLAN

EmployeeVLAN

data

signalling

• Trust: RADIUS & policy documents

• 802.1X + EAP

• (VLAN assignment)

eduroam architecture: ubiquitous network access

Connect. Communicate. Collaborate

eduroam confederationRADIUS hierarchy Connect. Communicate. Collaborate

.DK .PT

inst-1 inst-2 inst-3 inst-4

tom@inst-1.dk

confederation level servers

federation (NREN) levelservers

institutional levelservers

Connect. Communicate. Collaborateeduroam goes global

http://www.eduroam.org

Connect. Communicate. Collaborate

(European) eduroam service

• eduroam user experience: “open your laptop and be online”

• To provide secure network access inside the confederation boundaries (to the end users)

• eduroam is a secure international roaming service for members of the European eduroam confederation (a confederation of autonomous roaming services)

• First steps in transition to service:– Service Definition and Implementation Plan– Policy

Connect. Communicate. Collaborate

European eduroam confederation principles

• Members are European NRENs/NROs

• Members sign European eduroam policy commiting to the organisational and technical requirements

• Mutual access – no fees

• Authentication at home - Authorisation at visited institution

• Home institutions are/remain responsible for their users abroad

• Members promote eduroam in their countries

• European eduroam may peer with other regions (confederation level)

Connect. Communicate. Collaborate

Confederated eduroam service

• Encompasses all the elements necessary to support the Service– confederation infrastructure– establishing trust between the member federations– monitoring and diagnostic facilities– central data repository (eduroam database)– confederation level user support

Connect. Communicate. Collaborate

eduroam service model

national eduroam service

(provided by NREN/NRO)

national eduroam service

(provided by NREN/NRO)

eduroam confederation service

(provided by OT)

eduroam service (governed by SA5)

...

Connect. Communicate. Collaborateeduroam service elements

• Technology infrastructure• Supporting infrastructure

– monitoring and diagnostics– eduroam web site (http://www.eduroam.org)– eduroam database– trouble ticketing system (TTS)– mailing lists

Connect. Communicate. CollaborateUsers vs. service elements

Service elements User group

End user Inst. Level personnel Federation-level personnel

Basic monitoring facilities Yes Yes Yes

Full monitoring and diagnostics facilities

No Yes (limited to the information regarding the respective inst.)

Yes

Public access to the eduroam web site

Yes Yes Yes

Access to the internal eduroam web site

No Yes (limited to the information regarding the respective inst.)

Yes

Public access to the eduroam database

Yes Yes Yes

Access to the all information in the eduroam database

No Yes (limited to the information regarding the respective inst.)

Yes

TTS No Yes Yes

SA5/OT Mailing lists No No Yes

Support from OT No No Yes

Connect. Communicate. Collaborateeduroam infrastructure

Top-level RADIUS Server(s)

Home Federation Remote Federation

Federation (National) top level RADIUS proxy Server(s)

HI IdP

Federation (National) top level RADIUS proxy Server(s)

RI SP

networkUser U access

RADIUS RADIUS

AuthN S

RADIUS RADIUS

HIRADIUS Server

RIRADIUS Server

RADIUS

Eduroam confederation infrastructure

Connect. Communicate. CollaborateMonitoring: problem definition

• Monitor functionality of the eduroam infrastructure– servers– infrastructure– user experience

• It is not enough to know that host is accessible

• Ultimate goal is to test real users experience – (very) different workflows at RADIUS servers for Accept and Reject– perform both accept and reject logic tests

Connect. Communicate. CollaborateMonitoring: concept

• Monitoring client is RADIUS client capable of sending various types of RADIUS request (PAP, EAP, …)

• RADIUS Proxy Server is monitored server

• IdP RADIUS Server is the server that issues the response thus acting as loop-back server. It’s function is to close the tunnel and create standard well format and specified response. This function might be realized on the monitored server (RADIUS proxy server)

Monitoring Client

IdP RADIUS Server

RADIUS Proxy Server

Connect. Communicate. CollaborateMonitoring: process• Monitoring proces is performed in two steps REJECT test and ACCEPT test• Both steps include :

– Monitoring client creates RADIUS attributes specific for monitoring purpose– Monitoring client creates RADIUS request based on selected AuthN type (now

EAP/TTLS)– Monitoring client sends RADIUS request, and starts measuring response time– Monitored RADIUS Proxy Server handles request and sends back the response– Monitoring client evaluates received response and updates database.– Monitored server is marked OK if it fulfills both testing steps.

• Monitored data, saved in database:– is monitoring request accepted by RADIUS proxy server ? (yes/no)– is request properly routed? (currently to eduroam.<tld>)– type of RADIUS request (currently only EAP/TTLS)– is response well formed (equal to expectations)?– response time

Connect. Communicate. CollaborateMonitoring servers

monitoringdatabase

monitoring client

TLRS

FLRS

Connect. Communicate. CollaborateMonitoring infrastructure

monitoringdatabase

monitoring client

TLRS(s)

FLRS(s)

TLRS(s)

FLRS(s)

Connect. Communicate. CollaborateTesting on demand

monitoringdatabase

monitoring client

TLRS(s)TLRS(s)

realm B

FLRS(s)

realm A

FLRS(s)

Connect. Communicate. Collaborateeduroam database

• The information stored in the eduroam database includes:– NRO representatives and respective contacts– Local-institutions (both SP and IdP) official contacts– Information about eduroam hot spots (SP location, technical info)– Monitoring information– Information about the usage of the service

• NROs:– should provide respective data (general and usage data)– in the defined XML format available at the specified URL address– should be accessible only from the eduroam database server

Connect. Communicate. Collaborateeduroam databasemon_ser_log

PK id

mon_serid mon_type status a_resp_time r_resp_time ts mon_logid

mon_creds

PK id

username password mon_realmid

mon_realm

PK id

tested_realm tested_country realmid mon_type_sel last_mon_logid ts

mon_ser

PK id

name mon_realmid ip port timeout retry secret stype reject_only radsec monitoring last_mon_logid ts

mon_realm_log

PK id

mon_realmid mon_type status a_resp_time r_resp_time mon_serid ts mon_logid

service_loc

PK id

institutionid longitude latitude address_street address_city contact_name contact_phone contact_email SSID enc_level port_restrict transp_proxy IPv6 NAT AP_no wired info_URL ts

institution

PK id

realmid type inst_realm org_name address_street address_city contact_name contact_email contact_phone info_URL policy_URL ts

general data

monitoring data

institution_usage

PK id

institutionid local_sn national_sn international_sn date

realm_data

PK id

realmid number_inst number_user number_id number_IdP number_SP number_SPIdP ts

usage data

mon_log

PK id

scheduled ts_scheduled ts_start ts_end type status

realm

PK id

country stype org_name address_street address_city contact_name contact_email contact_phone info_URL policy_URL ts

realm_usage

PK id

realmid national_sn international_sn date

Connect. Communicate. Collaborate

User support: problem escalation scenario (1)

visited federation

fed.-level admin.

local institution admin.

user

home federation

fed.-level admin.

local institution admin.

OT

1,2

3

4

Connect. Communicate. Collaborate

User support: problem escalation scenario (2)

visited federation

fed.-level admin.

local institution admin.

user

home federation

fed.-level admin.

local institution admin.

OT

1,2

3

6

4a

5

4b

4

Connect. Communicate. CollaborateImplementation plan

service

definition

& policy

monitoring

web site

TTS

eduroam

database

Sep07 Jan08Dec07 Mar08Feb08 Apr08 Aug08 Feb09

M37 M41M40 M43M42 M44 M48 M54

Connect. Communicate. Collaborate

eduroam current status:connected to the TLRSs

• 33 countries

• 2 TLRSs

Connect. Communicate. Collaborate

eduroam current status:monitored TLRS/FLRS

• monitoring service is in place

• will be publicly available via www.eduroam.org (end of April 2008)

• further development is planned

Connect. Communicate. Collaborate

eduroam current status:demographics/user maps

• demographics info:– no of SPs, IdPs– location of SPs– usage– coverage– contacts

• user oriented maps• based on eduroam database• will be publicly available via

www.eduroam.org (end of April 2008)

• further development is planned

Connect. Communicate. Collaborate

http://www.eduroam.org