EduRoam: mobility across Europe... and Spain. Toledo, 29 October 2004


2 Contents
–Past
–Present
–Future

Past: Why did we do it?

4 Threats (Kismet+Airsnort)
tcpdump -n -i eth1
19:52: > : icmp: echo request
19:52: > : icmp: echo reply
19:52: > : icmp: echo request
19:52: > : icmp: echo reply
19:52: > : icmp: echo request
19:52: > : icmp: echo reply
^C

5 Opportunities
Diagram: Institution A WLAN and Institution B WLAN on the SURFnet backbone, with international connectivity; access providers reachable over POTS, ADSL, WLAN and GPRS

6 Requirements definition
Enable NREN users to use the Internet (WLAN and wired) everywhere in Europe with:
–Minimal administrative overhead (per roaming user)
–Good usability
–Maintaining required security for all partners
–Scalable!
Results
–Web: Scalable, Unsafe
–VPN: Not Scalable, Safe
–802.1X: Safe, Scalable…. but new

7 EduRoam
Trust fabric based on RADIUS, 802.1X and EAP (802.1Q VLAN assignment)
Diagram: Supplicant (guest) – Authenticator (AP or switch) – RADIUS server Institution A – Central RADIUS proxy server (Internet) – RADIUS server Institution B – User DB; VLANs at the visited site: Student VLAN, Guest VLAN, Employee VLAN; data and signalling paths shown separately

8 Tunneled Authentication (TTLS/PEAP)
Uses a TLS tunnel to protect data
–The TLS tunnel is established using the server certificate, automatically authenticating the server and preventing man-in-the-middle attacks
Allows use of dynamic session keys for line encryption
© Alfa&Ariss

Present: Where are we now?

10 EduRoam participants
June 2004: 275 participating institutions
Soon: USA and Australia

11 EduRoam.nl

Future: What’s next?

13 EduRoam – Limitations
Diagram: European server – national servers .nl (uva.nl), .ac.uk, …, .es (uclm.es) – access points at each site – user database at the home institution
–AA traffic goes through all intermediate entries
–All links are peer-to-peer agreements / static routes
–Authentication = authorization
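The static proxy hierarchy of slides 7 and 13, together with the outer/inner identity split of slide 8, as an added simulation that is not part of the original presentation. The tunnel on slide 8 only authenticates the server if the supplicant actually validates the certificate against the expected CA and server name; the simulation assumes that and models only the routing consequence: proxies route on the outer identity's realm and never see the inner credentials, yet every proxy on the path handles the AA traffic, a realm nobody routes is rejected only after crossing the hierarchy, and a default route pointing back up the tree can loop. All server names (radius.uva.nl, radius.surfnet.nl, radius.eduroam.eu, radius.rediris.es, radius.uclm.es), users, routing tables and the MAX_HOPS value are constructed assumptions; no RADIUS packets or shared secrets are modelled.

```python
"""Realm-based RADIUS proxy routing for roaming, as a small simulation.

Constructed topology (not eduroam's real configuration): institution server ->
national proxy -> European proxy -> national proxy -> home institution server.
Proxies route on the realm of the *outer* EAP identity only (anonymous@realm);
the inner identity and password travel inside the TTLS/PEAP tunnel and are
opaque to every proxy, so only the home server can check them.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_HOPS = 8  # assumed hop limit; stands in for the loop protection real proxies implement


@dataclass
class RadiusServer:
    name: str
    routes: Dict[str, str]                    # realm suffix -> next-hop server; "" is the default route
    local_realm: Optional[str] = None         # realm this server is authoritative for, if any
    users: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # inner identity -> (password, VLAN)

    def next_hop(self, realm: str) -> Optional[str]:
        """Longest-suffix match: 'uclm.es' is tried before 'es' before the default route."""
        labels = realm.split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.routes:
                return self.routes[suffix]
        return self.routes.get("")


class Federation:
    def __init__(self, servers: List[RadiusServer]):
        self.servers = {s.name: s for s in servers}

    def authenticate(self, visited: str, outer_identity: str,
                     inner_identity: str, password: str) -> dict:
        """Forward an Access-Request from the visited site's server to the home server.

        Returns the RADIUS result, the VLAN the visited site assigns, and the
        list of servers the request traversed (every hop sees the AA traffic)."""
        server = self.servers[visited]
        realm = outer_identity.rsplit("@", 1)[1] if "@" in outer_identity else server.local_realm
        path = [visited]
        while server.local_realm != realm:
            hop = server.next_hop(realm)
            if hop is None:
                return {"result": "Access-Reject", "reason": f"no route for realm {realm}", "path": path}
            path.append(hop)
            if len(path) > MAX_HOPS:
                return {"result": "Access-Reject", "reason": "hop limit exceeded (routing loop)", "path": path}
            server = self.servers[hop]
        # Only the home server opens the tunnel contents and checks the inner credentials.
        entry = server.users.get(inner_identity)
        if entry is None or entry[0] != password:
            return {"result": "Access-Reject", "reason": "bad credentials", "path": path}
        # Authentication == authorization: a local user gets the VLAN from the home database,
        # a roaming user is simply placed in the visited site's guest VLAN (802.1Q).
        vlan = entry[1] if len(path) == 1 else "guest"
        return {"result": "Access-Accept", "vlan": vlan, "path": path}


# Constructed federation: two institutions, two national proxies, one European proxy.
FEDERATION = Federation([
    RadiusServer("radius.uva.nl", {"": "radius.surfnet.nl"}, "uva.nl",
                 {"diego": ("pw-diego", "employee")}),
    RadiusServer("radius.surfnet.nl", {"uva.nl": "radius.uva.nl", "": "radius.eduroam.eu"}),
    RadiusServer("radius.eduroam.eu", {"nl": "radius.surfnet.nl", "es": "radius.rediris.es"}),
    RadiusServer("radius.rediris.es", {"uclm.es": "radius.uclm.es", "": "radius.eduroam.eu"}),
    RadiusServer("radius.uclm.es", {"": "radius.rediris.es"}, "uclm.es",
                 {"rodrigo": ("pw-rodrigo", "student")}),
])

if __name__ == "__main__":
    # Rodrigo (uclm.es) roams to uva.nl: the request crosses five servers before a decision.
    print(FEDERATION.authenticate("radius.uva.nl", "anonymous@uclm.es", "rodrigo", "pw-rodrigo"))
    # A realm nobody routes is rejected only once it reaches the European proxy.
    print(FEDERATION.authenticate("radius.uva.nl", "anonymous@example.org", "x", "x"))
    # A realm under .es that the national proxy does not know bounces between the two
    # proxies until the hop limit stops it.
    print(FEDERATION.authenticate("radius.uva.nl", "anonymous@unknown.es", "x", "x"))
```

The loop case is the one to watch when configuring real proxies: a national server whose default route points at the top-level proxy, combined with a top-level proxy that routes the whole country suffix back down, will ping-pong any unknown sub-realm until some hop limit or Proxy-State check breaks the cycle.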

14 Alternative – RADIUS / PKI
Diagram (columns: visiting visit.org, home home.org, infra roam.org): client (e.g. access point) and RADIUS server (proxy for other realms) with user account db at visit.org; RADIUS server with user account db at home.org; Certificate Authority at roam.org; p2p link between radius.visit.org and radius.home.org
Steps as labelled: 1 authenticate / authorize; 2a–2d setup IPSEC / TLS connection, each side verifies the other’s certificate (radius.home.org, radius.visit.org); 4 OK
All parties in the roaming domain use certificates issued by the roam.org CA
© Telematica Instituut

15 Alternative Solutions – DIAMETER
Diagram (columns: visiting visit.org, home home.org, infra roam.org): client (e.g. access point) and DIAMETER server (relay for other realms) with user account db at visit.org; DIAMETER server with user account db at home.org; DIAMETER server acting as redirector (broker) at roam.org
Steps as labelled: 1 authenticate / authorize; 3–4 redirect to diameter.home.org; 6 OK
Links: static route to the broker; dynamic route to the home server (setup secure conn.)
See section of RFC 3588 “Diameter Base Protocol”
All connections between entities secured with IPSEC or TLS (using shared secret, PKI, …)
© Telematica Instituut

16 Alternative – RADIUS-DNSSEC
Diagram (columns: visiting visit.org, home home.org, infra roam.org): client (e.g. access point), RADIUS server (proxy for other realms), user account db and a caching-forwarder DNS server at visit.org; RADIUS server with user account db at home.org; DNS server authoritative for roam.org; p2p link between the RADIUS servers
Steps as labelled: 1 authenticate / authorize; secure lookup of the radius server associated with home.org.roam.org (A: CERT:key=a;sd98yhq3ra); 7 establish connection dynamically; 8–9 OK
© Telematica Instituut
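Slides 14 to 16 replace the static proxy chain with dynamic peer discovery plus certificate-based trust. The following added example (not from the original presentation or from the Telematica Instituut work it cites) takes the RADIUS-DNSSEC variant of slide 16: the visited server asks DNS which RADIUS server serves the home realm and what certificate it must present, refuses answers that were not DNSSEC-validated, and only then brings up the direct connection. The zone name roam.org and the host names radius.visit.org, radius.home.org and radius.legacy.org come from or extend the slide's labels; the DNS records, the "secure" flag standing in for the resolver's validation result, the certificate byte strings and the SHA-256 fingerprint standing in for the CERT record's key are all constructed assumptions.

```python
"""Dynamic discovery of a roaming peer (the RADIUS-DNSSEC variant of slide 16).

Instead of a chain of statically configured proxies, the visited RADIUS server
asks DNS which server handles realm X and which certificate it must present,
then connects directly. Two checks protect the lookup: the DNS answer must be
DNSSEC-validated, and the certificate the peer presents must match the
fingerprint published in the CERT record. All data below is constructed.
"""
import hashlib
import hmac
from typing import Dict, Tuple

ROAMING_ZONE = "roam.org"   # assumed infrastructure zone, as labelled on the slide


def fingerprint(cert_pem: bytes) -> str:
    """SHA-256 over the certificate bytes; stands in for the key published in the CERT record."""
    return hashlib.sha256(cert_pem).hexdigest()


# Constructed certificates: opaque byte strings standing in for real PEM blobs.
HOME_CERT = b"-----BEGIN CERTIFICATE----- constructed cert for radius.home.org -----END CERTIFICATE-----"
ROGUE_CERT = b"-----BEGIN CERTIFICATE----- constructed cert presented by an impostor -----END CERTIFICATE-----"

# Constructed DNS data: for each realm, the RADIUS server to contact, the certificate
# fingerprint, and whether the resolver validated the answer with DNSSEC.
DNS_RECORDS: Dict[str, dict] = {
    f"home.org.{ROAMING_ZONE}": {"target": "radius.home.org",
                                 "cert_sha256": fingerprint(HOME_CERT), "secure": True},
    f"legacy.org.{ROAMING_ZONE}": {"target": "radius.legacy.org",
                                   "cert_sha256": fingerprint(HOME_CERT), "secure": False},
}


def lookup_peer(realm: str, records: Dict[str, dict] = DNS_RECORDS) -> Tuple[str, str]:
    """Secure lookup of the RADIUS server associated with <realm>.roam.org.

    Raises LookupError when no record exists or when the answer was not DNSSEC-validated:
    an unsigned answer could point the visited server at an attacker's RADIUS server."""
    record = records.get(f"{realm}.{ROAMING_ZONE}")
    if record is None:
        raise LookupError(f"no roaming record for realm {realm}")
    if not record["secure"]:
        raise LookupError(f"DNS answer for {realm} was not DNSSEC-validated; not trusting it")
    return record["target"], record["cert_sha256"]


def establish_connection(realm: str, presented_cert: bytes,
                         records: Dict[str, dict] = DNS_RECORDS) -> dict:
    """Discover the home server for `realm` and accept its certificate only if it matches DNS.

    Returns a dict describing the outcome so callers (and tests) need not catch exceptions."""
    try:
        target, expected = lookup_peer(realm, records)
    except LookupError as exc:
        return {"ok": False, "stage": "lookup", "reason": str(exc)}
    # Constant-time comparison: the peer chose the bytes we are comparing against.
    if not hmac.compare_digest(fingerprint(presented_cert), expected):
        return {"ok": False, "stage": "tls", "peer": target,
                "reason": "presented certificate does not match the CERT record"}
    # A real implementation would now bring up the IPsec/TLS session to `target` and
    # forward the Access-Request directly: two parties instead of a chain of proxies.
    return {"ok": True, "peer": target, "path": ["radius.visit.org", target]}


if __name__ == "__main__":
    print(establish_connection("home.org", HOME_CERT))     # accepted, direct path
    print(establish_connection("home.org", ROGUE_CERT))    # rejected at the TLS stage
    print(establish_connection("legacy.org", HOME_CERT))   # rejected: unsigned DNS answer
    print(establish_connection("nowhere.org", HOME_CERT))  # rejected: no record
```

Compared with the proxy chain of slide 13, the request path collapses to the visited and home servers, and the trust decision moves from bilateral agreements to two verifiable facts: a signed DNS answer and a certificate that matches it. Dropping either check reopens the problem the static design avoided, since a forged answer or an unchecked certificate would let an arbitrary host receive the AA traffic.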

17 EduRoam – Authorization?
Diagram: European server – .nl (Elsevier.nl) – uclm.es (user database)
–Will you authenticate Rodrigo for access to Elsevier?
–Has Diego passed his PAPI exam?
In general: how to pass attributes back and forth (SAML?)

18 EduRoam – Access to applications?
Diagram: European server – .nl (uva.nl: Shibboleth, A-Select) – .ac.uk, …, .es (uclm.es: PAPI) – Resource
–How do all these applications communicate? (SAML?)
–But the user tries to connect to the remote resource, not to the home Shibboleth….
–How can you protect credentials? Tunneled authentication?

19 Conclusions
Europe goes EduRoam
The USA and Asian-Pacific region will follow
Infrastructure not perfect but…
–It works ™
–It is ready for the future
–Changes affect the ‘backplane’, not the institutional part
So………

20 Time to join…...es More information: or /