eduroam Operational Experiment


Transcript of eduroam Operational Experiment

Page 1: eduroam Operational Experiment

eduroam.us Operational Experiment

Kevin Miller • Duke University • [email protected]

Andy Rosenzweig • Merit Network • [email protected]

ESCC/Internet2 Joint Techs Workshop

February 2006

Page 2: eduroam Operational Experiment

Federated Wireless Auth Vision

Enable members of one institution to authenticate to the wireless network at another institution using their home credentials
– Reduce the need for guest IDs
– Simplify authentication when roaming

The “roaming scholar” problem

Page 3: eduroam Operational Experiment

Potential Users

Multi-campus college/university
School with decentralized authN
School system
Regional consortia: GigaPoP, state network
Etc…

Page 4: eduroam Operational Experiment

FWNA Project Progress

Determined basic specs
– RADIUS hierarchy modeled after current European eduroam network
– Requires use of 802.1x

Experimental service in place
– Top level servers at UTK, Merit
– Connecting servers to Europe, Asia

Finalizing “registration” system
– Web-based service that will allow new institutions to easily connect

Page 5: eduroam Operational Experiment

Building blocks

802.1x required as wireless access method (no captive portal)

Home institution selects the EAP methods appropriate for it

RADIUS used to transport auth requests from the visited to the home site

Top-level servers route RADIUS requests between sites

Page 6: eduroam Operational Experiment

eduroam.us RADIUS routing

[Diagram: wireless net at visited institution → RADIUS server at visited institution → Top-Level Server 1 / Top-Level Server 2 → RADIUS server at home institution → userid store at home institution]

Page 7: eduroam Operational Experiment

802.1x, RADIUS and EAP

[Diagram: EAP client → AP → RADIUS server at visited institution → Top-Level Server 1 → RADIUS server at home institution → userid store at home institution]

Page 8: eduroam Operational Experiment

802.1x, RADIUS and EAP

802.1x and RADIUS serve as transport mechanisms for EAP authentication

802.1x and RADIUS facilitate a conversation between two items controlled by the user and his organization: the EAP client and the campus RADIUS server

Page 9: eduroam Operational Experiment

Top-level server interaction

[Diagram: Top-Level Server 1 and Top-Level Server 2, each reading RADIUS configuration and routing data from a central store]

Top-level servers draw configs from a central store of data, based on registration

Thus they remain in synch, but do not otherwise directly communicate

Page 10: eduroam Operational Experiment

Connections to others

[Diagram: US Top-Level Server 1, US Top-Level Server 2, Europe Top-Level Server, Austr. Top-Level Server, Etc. Top-Level Server, interconnected]

Each top-level server knows the top-level realms handled by the others
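The routing described on slides 5 through 10 (visited server proxies by realm, top-level servers share one registration-derived table and know each other's top-level realms, only the home server sees the EAP credential), as an added example that is not code from the slides or from the eduroam.us/FWNA project. It also models the "segregated virtual network" for authenticated visitors raised as a question on slide 12. Every server name, realm, user record, EAP blob and VLAN id below is constructed for the demo; real EAP is a multi-round exchange, reduced here to one opaque byte string.

```python
# Added example (not from the slides): toy model of eduroam.us-style RADIUS
# realm routing. Proxies parse only the realm of the outer identity; the EAP
# payload is forwarded opaquely and checked by the home server alone.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AccessRequest:
    outer_identity: str                 # "user@realm": the only field proxies parse
    eap_message: bytes                  # opaque EAP-Message attribute, end to end
    hops: List[str] = field(default_factory=list)   # servers that saw the request


@dataclass
class AccessReply:
    accepted: bool
    vlan: Optional[str] = None          # VLAN the visited site will apply, if any
    hops: List[str] = field(default_factory=list)


def realm_of(identity: str) -> str:
    """Realm is everything after the last '@' (lower-cased); '' if absent."""
    return identity.rpartition("@")[2].lower()


class HomeRadiusServer:
    """Authoritative for one realm; the only party that checks the credential."""

    def __init__(self, name: str, realm: str, users: Dict[str, bytes]):
        self.name, self.realm, self.users = name, realm, users

    def handle(self, req: AccessRequest) -> AccessReply:
        req.hops.append(self.name)
        user = req.outer_identity.rpartition("@")[0]
        # Constructed stand-in for the EAP exchange: compare the opaque blob
        # against this realm's user store, which no proxy can do.
        ok = (realm_of(req.outer_identity) == self.realm
              and self.users.get(user) == req.eap_message)
        return AccessReply(accepted=ok, hops=req.hops)


class TopLevelServer:
    """Routes by realm: to a registered home server, or to the peer top-level
    server responsible for the realm's top-level label (e.g. 'nl' -> Europe)."""

    def __init__(self, name: str):
        self.name = name
        self.realms: Dict[str, HomeRadiusServer] = {}   # from the registration store
        self.peers: Dict[str, "TopLevelServer"] = {}    # top-level label -> peer

    def handle(self, req: AccessRequest) -> AccessReply:
        req.hops.append(self.name)
        realm = realm_of(req.outer_identity)
        if realm in self.realms:
            return self.realms[realm].handle(req)
        label = realm.rsplit(".", 1)[-1]
        if label in self.peers:
            return self.peers[label].handle(req)
        return AccessReply(accepted=False, hops=req.hops)   # unknown realm: reject here


class VisitedRadiusServer:
    """Campus server behind the access points: answers its own realm locally,
    proxies other realms upward, and puts accepted visitors on a guest VLAN."""

    def __init__(self, name: str, local: HomeRadiusServer,
                 top_level: TopLevelServer, guest_vlan: str):
        self.name, self.local, self.top_level, self.guest_vlan = name, local, top_level, guest_vlan

    def handle(self, req: AccessRequest) -> AccessReply:
        req.hops.append(self.name)
        if realm_of(req.outer_identity) == self.local.realm:
            return self.local.handle(req)          # our own user: no proxying
        reply = self.top_level.handle(req)
        if reply.accepted:
            reply.vlan = self.guest_vlan           # segregated network for guests
        return reply


def build_federation() -> VisitedRadiusServer:
    """Constructed topology: two US top-level servers sharing one config, one
    European top-level server, three home realms, visited campus = Merit."""
    duke = HomeRadiusServer("radius.duke.edu", "duke.edu", {"kmiller": b"eap-blob-1"})
    merit = HomeRadiusServer("radius.merit.edu", "merit.edu", {"arosenz": b"eap-blob-2"})
    nl = HomeRadiusServer("radius.example.nl", "example.nl", {"visitor": b"eap-blob-3"})
    us1, us2, eu = TopLevelServer("us-tls-1"), TopLevelServer("us-tls-2"), TopLevelServer("eu-tls")
    for tls in (us1, us2):      # both US servers draw the same table from the central store
        tls.realms = {"duke.edu": duke, "merit.edu": merit}
        tls.peers = {"nl": eu}
    eu.realms = {"example.nl": nl}
    eu.peers = {"edu": us1}
    return VisitedRadiusServer("visited.merit.edu", merit, us1, guest_vlan="guest-900")


def authenticate(identity: str, eap_blob: bytes) -> AccessReply:
    """One request arriving from the wireless net at the visited (Merit) campus."""
    return build_federation().handle(AccessRequest(identity, eap_blob))
```

Calling `authenticate("kmiller@duke.edu", b"eap-blob-1")` returns an accepted reply whose `hops` list reads visited.merit.edu, us-tls-1, radius.duke.edu and whose `vlan` is the guest VLAN; a Merit user never leaves the campus and gets no guest VLAN; a realm nobody has registered is rejected at the first top-level server instead of being forwarded blindly.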

Page 11: eduroam Operational Experiment

FWNA Policy work

How are visiting users notified of eduroam.us service availability?

What if the home institution’s policies vary from the visited institution?

How do we notify the user if they are a guest?

What kinds of federations need to be built?

What information is logged, by whom?

Page 12: eduroam Operational Experiment

Things to consider

Can your campus adopt 802.1x?

Would your wireless authentication structure allow for authenticating foreign realms?

Would you allow visiting users onto your normal wireless network?

…or onto a segregated virtual network if authenticated?

Would doing so solve a problem, or enhance learning?

Page 13: eduroam Operational Experiment

How to take part

If you want to be an experiment site, send email to:
– [email protected]

Must be willing to experiment; nothing is plug and play

Important for experimenters to give feedback by way of pointers, local cookbooks, EAP trial info, etc.

Page 14: eduroam Operational Experiment

Join the FWNA Group

Project website: http://security.internet2.edu/fwna

Biweekly Conference Calls
– Thursdays 11am-12pm
– Next on 2/23/06

salsa-fwna @ internet2 list
– “subscribe salsa-fwna” to sympa @ internet2

Page 15: eduroam Operational Experiment