Published by Hilary James. Modified over 9 years ago.
Slide 1: eduroam – Roam In a Day
Louis Twomey, HEAnet Limited
HEAnet Conference 2006, 9th November 2006
Slide 2: The issue: Roaming users need Internet access
Grief for roaming users:
– Need to arrange/agree network access in advance.
– Need to remember temporary account details.
Grief for visited sites:
– Create temporary/guest accounts (management overhead, security concerns, etc.).
– Users accessing resources may be effectively anonymous.
Slide 3: A solution: eduroam
Formalised approach to educational roaming.
Uses existing user accounts and authentication mechanisms:
– Users don't have to remember details of another account.
– No need for temporary/guest accounts at visited sites.
– Users not anonymous (= more accountable).
The eduroam infrastructure is based on mutual trust between sites.
eduroam is a GN2 (Joint Research Activity 5) project.
Slide 4: eduroam maps
Slide 5: The national eduroam gateway
– Dell 2850 server with gigabit network interface, located on the network backbone (hosting facility at Servecentric).
– FreeRadius running on Debian Linux.
– Configured to communicate with the European gateways (operated by SURFnet).
– Configured to communicate with each Irish eduroam member institution.
– Installed and maintained by HEAnet.
Slide 6: Authentication elements
802.1X elements:
– Supplicant: software on the client device.
– Authenticator: the wireless AP.
– Authentication Server: the home Radius server.
Realm: the domain portion of the username.
Resource Provider: the visited site.
Identity Provider: the home institution.
Slide 7: Authentication architecture
Slide 8: How do I join?
Integrate your local authentication server into the Irish eduroam infrastructure:
– Facilitates your roaming users at other eduroam sites.
Implement wireless LAN access at your site for roaming users:
– Facilitates visiting eduroam users at your site.
Slide 9: Integrate authentication server into eduroam
– Register your Radius server with the national gateway.
– The Radius server may be your existing authentication server, or a new server which proxies to it.
– Consider where the server sits within your local network topology.
– Should install a public SSL certificate on the Radius server.
– Maintain accounting logs of your own users' sessions.
– Radius server options: Freeradius, Radiator, Cisco ACS Server, etc.
Slide 10: Implement wireless LAN
– Wireless APs must support 802.1X. Web redirect and VPN access are deprecated.
– SSID should be 'eduroam'.
– Can provide the eduroam service via an existing wireless access network (multiple SSIDs and a VLAN per SSID).
– Define a policy for user access.
– Maintain accounting logs of visiting users' sessions.
Slide 11: Sample site architectures
Slide 12: Security
Radius server:
– Secret key shared with the national gateway.
– Restrict access to the local Radius server (harden the OS, ACLs, firewall, monitoring, etc.).
Wireless LAN:
– 802.1X (restricts layer 2 access to the wireless APs).
– EAP (“hides” user authentication details from all but the supplicant and the authenticating server).
– TLS/TTLS (SSL certificate on the server, and potentially on clients too).
– Authentication can be via password, token, client certificate, etc.
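As an added example for slides 9 and 12 (not from the presentation, and not HEAnet's or any member site's real configuration), here is what the member-site Radius integration looks like in FreeRADIUS 1.x syntax: the institution's own realm is authenticated locally, every other realm is proxied to the national gateway with the realm left intact so the gateway can route it onward, and only the gateway and the site's own APs are accepted as RADIUS clients. The realm name, hostnames, addresses and secrets are placeholders.

```conf
# proxy.conf (FreeRADIUS 1.x syntax): realm routing for a member site.
# Values marked PLACEHOLDER are assumptions, not HEAnet's real settings.

proxy server {
    synchronous      = no
    retry_delay      = 5
    retry_count      = 3
    dead_time        = 120
    default_fallback = no   # a foreign realm is never authenticated locally
}

# The institution's own realm is authenticated by the local server.
realm example.ie {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

# Usernames with no realm are local users; they are never forwarded.
realm NULL {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

# Every other realm goes to the national gateway. 'nostrip' keeps
# user@realm intact so the gateway (and the European gateways behind it)
# can route the request; the secret is the one agreed with the gateway.
realm DEFAULT {
    type     = radius
    authhost = eduroam-gateway.example.ie:1812   # PLACEHOLDER hostname
    accthost = eduroam-gateway.example.ie:1813   # PLACEHOLDER hostname
    secret   = CHANGE-ME-GATEWAY-SECRET          # PLACEHOLDER
    nostrip
}

# clients.conf: only the hosts listed here may send RADIUS requests.
# Weak setting to avoid: client 0.0.0.0/0 { ... } (any host may try the secret).
client 192.0.2.10 {                 # PLACEHOLDER: national gateway address
    secret    = CHANGE-ME-GATEWAY-SECRET
    shortname = eduroam-ie-gateway
}
client 10.20.30.0/24 {              # PLACEHOLDER: the site's 802.1X-capable APs
    secret    = CHANGE-ME-AP-SECRET
    shortname = campus-wlan-aps
}
```

Pair the client list with host firewall rules and accounting logs (slides 9, 10 and 12) so that a request from an unlisted address is both dropped and visible.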
Slide 13: Requirements on client device
– Device may be a laptop, mobile phone, PDA, etc.
– Client software must support 802.1X.
– Client software must support the cipher in use at the visited site.
Examples of clients:
– WinXP wireless client
– MacOS wireless client
– wpa_supplicant (Linux, BSD, Windows)
– SecureW2 (EAP-TTLS client)
Slide 14: Future directions for eduroam
The current model is inflexible and doesn’t scale well.
Desirable features:
– Peer discovery (DNS, DNSSEC).
– Trust establishment (PKI, DNSSEC).
Various technologies: DIAMETER, RadSec, etc.
eduroam-NG (eduroam Next Generation).
Possible integration with eduGAIN (European AAI).
Slide 15: Other resources
– www.eduroam.ie: info for Irish sites.
– www.eduroam.org: info on the eduroam project as a whole.
– www.eduroam.edu.au: info on the Australian implementation, with some useful documentation relevant to any eduroam site.
– heanet-clients-tech@listserv.heanet.ie: mailing list of HEAnet clients' technical staff.