eduroam Operational Experiment
Transcript of eduroam Operational Experiment
eduroam.us Operational Experiment
Kevin Miller • Duke University • [email protected]
Andy Rosenzweig • Merit Network • [email protected]
ESCC/Internet2 Joint Techs Workshop
February 2006
Federated Wireless Auth Vision
Enable members of one institution to authenticate to the wireless network at another institution using their home credentials
– Reduce the need for guest IDs
– Simplify authentication when roaming
The “roaming scholar” problem
Potential Users
Multi-campus college/university
School with decentralized authN
School system
Regional consortia: GigaPoP, state network
Etc…
FWNA Project Progress
Determined basic specs
– RADIUS hierarchy modeled after current European eduroam network
– Requires use of 802.1x
Experimental service in place
– Top level servers at UTK, Merit
– Connecting servers to Europe, Asia
Finalizing “registration” system
– Web-based service that will allow new institutions to easily connect
Building blocks
802.1x required as wireless access method (no captive portal)
Home institution selects the EAP methods appropriate for it
RADIUS used to transport auth requests from visited to home site
Top-level servers route RADIUS requests between sites
eduroam.us RADIUS routing
[Diagram: Wireless net at visited institution → RADIUS server at visited institution → Top-Level Server 1 / Top-Level Server 2 → RADIUS server at home institution → Userid store at home institution]
802.1x, RADIUS and EAP
[Diagram: EAP client → AP → RADIUS server at visited institution → Top-Level Server 1 → RADIUS server at home institution → Userid store at home institution]
802.1x and RADIUS serve as transport mechanisms for EAP authentication
1x and RADIUS facilitate a conversation between two items controlled by the user and his organization: EAP client and campus RADIUS server
Top-level server interaction
[Diagram: Top-Level Server 1 and Top-Level Server 2, each drawing from the RADIUS configuration and routing data]
Top-level servers draw configs from a central store of data, based on registration
Thus they remain in synch, but do not otherwise directly communicate
Connections to others
[Diagram: US Top-Level Server 1, US Top-Level Server 2, Europe Top-Level Server, Austr. Top-Level Server, Etc.. Top-Level Server]
Each top-level server knows the top-level realms handled by the others
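The three routing slides above (Building blocks, eduroam.us RADIUS routing, and Connections to others) describe the same mechanism: a visited campus server proxies any request whose realm is not its own to a top-level server, the top-level server looks the realm up in the shared registration data (or hands it to the foreign top-level server responsible for that realm suffix), and only the home server ever processes the EAP conversation. The simulation below is an added example, not code from the eduroam.us project or the presenters; all server names, realms, user records, the realm-suffix peering table and the hop limit are constructed for the demo. It models two in-sync US top-level servers with fail-over, one European peer, and a per-request hop trail that shows which servers saw the request.

```python
# Added example (not from the slides): realm-based RADIUS proxying in an
# eduroam-style hierarchy. Every name, realm, user and suffix below is constructed.
from dataclasses import dataclass, field

MAX_HOPS = 6  # assumed loop guard: a proxy chain longer than this is refused


class RoutingError(Exception):
    """Raised when no server in the federation is willing to handle the request."""


@dataclass
class Request:
    outer_identity: str      # e.g. "anonymous@alpha.edu": only its realm is used for routing
    eap_payload: bytes       # opaque to every proxy; decoded by the home server only
    hops: list = field(default_factory=list)  # audit trail of servers that handled the request


def realm_of(identity: str) -> str:
    """Return the realm (text after the last '@'), lower-cased."""
    if "@" not in identity:
        raise RoutingError("identity has no realm and cannot be routed")
    return identity.rsplit("@", 1)[1].lower()


class RadiusServer:
    def __init__(self, name: str):
        self.name = name
        self.up = True

    def handle(self, req: Request) -> str:
        req.hops.append(self.name)
        if len(req.hops) > MAX_HOPS:
            raise RoutingError(f"hop limit exceeded: {req.hops}")
        return self.route(req)

    def route(self, req: Request) -> str:
        raise NotImplementedError


class InstitutionServer(RadiusServer):
    """Campus RADIUS server: home server for its own realm, proxy for every other realm."""

    def __init__(self, name, realm, users, top_level):
        super().__init__(name)
        self.realm = realm
        self.users = users          # constructed userid store: inner identity -> password
        self.top_level = top_level  # ordered list of regional top-level servers to try

    def route(self, req):
        if realm_of(req.outer_identity) == self.realm:
            return self.authenticate(req)
        for tls in self.top_level:  # fail over between the in-sync top-level servers
            if tls.up:
                return tls.handle(req)
        raise RoutingError("no top-level server reachable")

    def authenticate(self, req):
        # Stand-in for the EAP exchange: the payload carries "inner-user:password"
        # and is only ever decoded here, at the home institution.
        user, _, password = req.eap_payload.decode().partition(":")
        return "Access-Accept" if self.users.get(user) == password else "Access-Reject"


class TopLevelServer(RadiusServer):
    """Routes on the realm using the shared registration data; never reads the EAP payload."""

    def __init__(self, name, registry, peers):
        super().__init__(name)
        self.registry = registry  # realm -> InstitutionServer, from the central registration store
        self.peers = peers        # realm suffix -> foreign top-level server handling that suffix

    def route(self, req):
        realm = realm_of(req.outer_identity)
        if realm in self.registry:
            return self.registry[realm].handle(req)
        for suffix, peer in self.peers.items():
            if realm.endswith(suffix):
                return peer.handle(req)
        raise RoutingError(f"realm {realm!r} is not registered with any federation")


def build_federation():
    """Constructed topology: two in-sync US top-level servers, one European peer, three campuses."""
    us_registry, eu_registry = {}, {}
    us1 = TopLevelServer("us-tls-1", us_registry, peers={})
    us2 = TopLevelServer("us-tls-2", us_registry, peers={})
    eu = TopLevelServer("eu-tls", eu_registry, peers={".edu": us1})
    us1.peers[".ac.uk"] = eu
    us2.peers[".ac.uk"] = eu
    alpha = InstitutionServer("radius.alpha.edu", "alpha.edu", {"alice": "pw-a"}, [us1, us2])
    beta = InstitutionServer("radius.beta.edu", "beta.edu", {"bob": "pw-b"}, [us1, us2])
    gamma = InstitutionServer("radius.gamma.ac.uk", "gamma.ac.uk", {"carol": "pw-c"}, [eu])
    us_registry.update({"alpha.edu": alpha, "beta.edu": beta})  # both US servers share this dict
    eu_registry["gamma.ac.uk"] = gamma
    return {"alpha": alpha, "beta": beta, "gamma": gamma, "us1": us1, "us2": us2, "eu": eu}


def roam(visited, outer_identity, inner_user, password):
    """Submit an authentication from a client associated at `visited`; returns (result, hops)."""
    req = Request(outer_identity, f"{inner_user}:{password}".encode())
    try:
        result = visited.handle(req)
    except RoutingError as err:
        result = f"Access-Reject ({err})"
    return result, req.hops


if __name__ == "__main__":
    fed = build_federation()
    print(roam(fed["beta"], "anonymous@alpha.edu", "alice", "pw-a"))
    print(roam(fed["alpha"], "anonymous@gamma.ac.uk", "carol", "pw-c"))
    print(roam(fed["beta"], "anonymous@unknown.edu", "x", "y"))
```

Two properties of the design are visible in the hop trails: the visited server and the top-level servers only ever touch the outer identity's realm, so the home institution's credential check stays between the client and its own campus server, and every server that forwarded a request is recorded, which is the starting point for the "what is logged, by whom" question on the policy slide.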
FWNA Policy work
How are visiting users notified of eduroam.us service availability?
What if the home institution’s policies vary from the visited institution?
How do we notify the user if they are a guest?
What kinds of federations need to be built?
What information is logged, by whom?
Things to consider
Can your campus adopt 802.1x?
Would your wireless authentication structure allow for authenticating foreign realms?
Would you allow visiting users onto your normal wireless network?
…or onto a segregated virtual network if authenticated?
Would doing so solve a problem, or enhance learning?
How to take part
If you want to be an experiment site, send email to:
– [email protected]
Must be willing to experiment; nothing is plug and play
Important for experimenters to give feedback by way of pointers, local cookbooks, EAP trial info, etc.
Join the FWNA Group
Project website: http://security.internet2.edu/fwna
Biweekly Conference Calls
– Thursdays 11am-12pm
– Next on 2/23/06
salsa-fwna @ internet2 list
– “subscribe salsa-fwna” to sympa @ internet2