Presentation is loading. Please wait.

Presentation is loading. Please wait.

(From Radius Hierarchy to AAI) Miroslav Milinović University Computing Centre - Srce EuroCAMP Ljubljana, March 2006.

Published byLucas Robertson Modified over 9 years ago

Similar presentations

Presentation on theme: "(From Radius Hierarchy to AAI) Miroslav Milinović University Computing Centre - Srce EuroCAMP Ljubljana, March 2006."— Presentation transcript:

1 AAI@EduHr (From Radius Hierarchy to AAI) Miroslav Milinović University Computing Centre - Srce EuroCAMP Ljubljana, March 2006

2 EuroCAMP, Ljubljana 2006: 2/23 Contents  History  hrEdu radius/LDAP hierarchy  AAI@EduHr project  hrEdu schemas  AOSI (adding AAI flavour)  AAI@EduHr today  Future development (PKI@EduHr?)

3 EuroCAMP, Ljubljana 2006: 3/23 History  Directories and directory services  http://ds.carnet.hr  Netfind, Whois++, X.500  LDAP  killer application needed  Network access  AAA for dial-up access  introducing radius instead of tacacs+  (highly) distributed user community   200 member institutions (variable size of institution and amount of ICT resources)  expert knowledge is not equaly distributed/available

4 EuroCAMP, Ljubljana 2006: 4/23 We started with...  (hrEdu) radius/LDAP hierarchy  limited function, primarily for dial-up access  LDAP schema development started  AAI foreseen as a long-term goal / dial-up as a killer application for LDAP deployment  fully operational radius/LDAP hierarchy since Feb. 2003  eduroam member since the very begining

5 EuroCAMP, Ljubljana 2006: 5/23 hrEdu radius/LDAP hierarchy ≈ 200 (170) Home orgs ≈ 180000 users SW: FreeRadius & OpenLDAP Dial-up access (CMU) ID: user.realm (Lucent Navis) proxy radius server(s) central LDAP server for backup Home Org X Radius server LDAP server Radius server Radius server LDAP server Network Home Org ZHome Org YHome org X Radius proxy service user resource

6 EuroCAMP, Ljubljana 2006: 6/23 Missusing the radius attributes  Use of radius in AA(A) process:  AuthN  AuthZ = AuthN + “few simple attributes”  We use:  Connect-Info  hrEduPersonExpireDate  Class  hrEduPersonUniqueID (hrEduPersonUniqueNumber)  Configuration-Token  hrEduPersonPrimaryAffiliation  but actually... not good enough

7 EuroCAMP, Ljubljana 2006: 7/23 Project AAI@EduHr  raising demands (network access & applications)  Radius/LDAP hierarchy is not good enough  project started in May 2004  main goals:  define HrEdu schema(s)  set up IdPs  Set up the AAI for EduHr Shibboleth was found as too complex idea: add AAI flavour to the existing radius/LDAP infrastructure http://www.aaiedu.hr/

8 EuroCAMP, Ljubljana 2006: 8/23 hrEdu hierarchy evolved ≈ 200 (170) Home orgs ≈ 180000 users SW: FreeRadius & OpenLDAP Dial-up access (CMU) StuDOM (8149 “student beds” connected) Wireless/wired access (Srce, CARNet,...) eduroam (http://www.eduroam.org) UNIX/Linux PAM (ID: user.realm) ID: user@realm.hr (Lucent Navis) proxy radius server(s) (central LDAP server for backup) Home Org X Radius server LDAP server Radius server Radius server LDAP server Network Home Org ZHome Org YHome org X (radius)proxy service user resource

9 EuroCAMP, Ljubljana 2006: 9/23 hrEdu schemas  hrEduPerson  HrEduOrg  registry: http://schema.aaiedu.hrhttp://schema.aaiedu.hr  transition/migration from earlier versions  all LDAPs at the same version since Feb. 2006  more work to do: harmonisation (with SCHAC,...)

10 EuroCAMP, Ljubljana 2006: 10/23 AOSI – adding AAI flavour  AOSI is:  an application for maintaing the content of the LDAP directory  an access tool for LDAP (e.g. local AAI component)  AOSI has two parts:  web service (core AOSI)  client application (“only” proof of concept; any other client can be used localy)  FWS/HLS = central (AOSI) service  AOSI  “ShibLite”

11 EuroCAMP, Ljubljana 2006: 11/23 Home org AOSI System LDAP dir. AOSI-WS AOSI Client AAI@EduHr Schema (XML) Codes,... (XML) Data (XML) User access Administrator access

12 EuroCAMP, Ljubljana 2006: 12/23 Home org AOSI System (2) LDAP dir. AOSI-WS AOSI Client AAI@EduHr Schema (XML) Codes,... (XML) Data (XML) PHP.Net Java

13 EuroCAMP, Ljubljana 2006: 13/23 Organization A Application AAI@EduHr Federation WS FWS in AAI@EduHr Organization B AOSI Directory “routing” information user@realm

14 EuroCAMP, Ljubljana 2006: 14/23 Organization A Application AAI@EduHr Federation WS HLS in AAI@EduHr Organization B AOSI Directory “routing” information user@realm

15 EuroCAMP, Ljubljana 2006: 15/23 AOSI WS and FWS  Currently based on Perl; FWS to be implemented in Java  Local AOSI WS:  Local service is described in http://ldaphost.homeorg.hr/aosi/aosi.wsdl  Generally runs at https://ldaphost.homeorg.hr:1443/AOSI  Client platforms working with service:  Perl  PHP .Net  Java  FWS/HLS:  Based on AOSI  http://www.aaiedu.hr/fws/fws.wsdl http://www.aaiedu.hr/fws/fws.wsdl  Documentation:  http://www.aaiedu.hr/aosi/aosi_wsdl.html http://www.aaiedu.hr/aosi/aosi_wsdl.html  http://www.aaiedu.hr/fws/fws_wsdl.html http://www.aaiedu.hr/fws/fws_wsdl.html

16 EuroCAMP, Ljubljana 2006: 16/23 Resource Entry Point AAI Component AAI@EduHr today Central AAI@EduHr Services (proxy, FWS/HLS...) User: uid@realm.hr Home Org AAI Component Directory 197 (166) Home orgs FreeRadius AOSI WS Open LDAP

17 EuroCAMP, Ljubljana 2006: 17/23 AAI@EduHr in real life  in full operation since Feb. 2006  basic monitoring (http://www.aaiedu.hr/status_li.php)http://www.aaiedu.hr/status_li.php  197 Home organisations (IdPs)  number of services:  Network access: dial-up, wireless & wired (eduroam, 802.1x)  www.eduroam.hr (fully operational by the end of April) www.eduroam.hr  Application access: Web-based aplications, WebCT, Moodle,...

18 EuroCAMP, Ljubljana 2006: 18/23 PAP to EAP/TTLS Bridge  Improving security  multithreaded UDP server  based on TinyRadius Radius server API, (http://tinyradius.sourceforge.net/) and eapol_test (http://hostap.epitest.fi/)http://tinyradius.sourceforge.net/http://hostap.epitest.fi/  works on Linux (we still work on Solaris version)

19 EuroCAMP, Ljubljana 2006: 19/23 PAP  EAP/TTLS NAS Bridge Radius proxy PAP Radius (PAP) Radius (EAP / TTLS) Converts PAP to EAP/TTLS and back

20 EuroCAMP, Ljubljana 2006: 20/23 An example: CARNet mobile service RADIUS server Mobile CARNet radius server CARNet AAI@EduHr radius proxy XYZ APN Mobile AAA DB LDAP dir. XYZ client uid@realm.hr Mobile CARNet AAAHome org.

21 EuroCAMP, Ljubljana 2006: 21/23 An example: CARNet mobile service (2) RADIUS server Mobile CARNet radius server CARNet AAI@EduHr radius proxy FWS/HLS Mobile AAA DB LDAP dir. HTTP client uid@realm.hr Mobile CARNet AAAHome org. Mobile CARNet Web

22 EuroCAMP, Ljubljana 2006: 22/23 Future work  become a “real” federation (policies, policies,...)  central (vs. local) login page in production  resource registry (based on SWITCH solution)  certficates for services from TERENA SCS (provided by CARNet)  improved monitoring  start “speaking” SAML  Add ARP functionality to AOSI  “Shib gateway” in production  interoperate with eduGAIN  SSO  PKI@EduHr? (SX project)

23 EuroCAMP, Ljubljana 2006: 23/23 AAI@EduHr http://www.aaiedu.hr/ team@aaiedu.hr aosi@aaiedu.hr

Download ppt "(From Radius Hierarchy to AAI) Miroslav Milinović University Computing Centre - Srce EuroCAMP Ljubljana, March 2006."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Connect. Communicate. Collaborate eduroam: a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 NORDUnet 2008, Espoo,

Connect. Communicate. Collaborate eduroam: a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 NORDUnet 2008, Espoo,
Options for integrating the JANET Roaming Service (JRS) and Shibboleth Tim Chown University of Southampton (UK) JISC Access Management.

Options for integrating the JANET Roaming Service (JRS) and Shibboleth Tim Chown University of Southampton (UK) JISC Access Management.
Next Generation Athens Services Ed Zedlewski UK e-Science Town Meeting, London, 11 April 2005.

Next Generation Athens Services Ed Zedlewski UK e-Science Town Meeting, London, 11 April 2005.
TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.

TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.
Connect. Communicate. Collaborate eduroam: towards a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 Wi-Fi Workshop,

Connect. Communicate. Collaborate eduroam: towards a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 Wi-Fi Workshop,
Welcome to Middleware Joseph Amrithraj

Welcome to Middleware Joseph Amrithraj
Licia Florio EUNIS05, Manchester 1 Eduroam EUNIS Conference, June 22 2005 Licia Florio.

Licia Florio EUNIS05, Manchester 1 Eduroam EUNIS Conference, June Licia Florio.
Federated access to e-Infrastructures worldwide

Federated access to e-Infrastructures worldwide
Connect communicate collaborate Eduroam debugging Gurvinder Singh and Gunnar Bøe, Campus Networks and Systems, UNINETT AMRES Wireless workshop Belgrade,

Connect communicate collaborate Eduroam debugging Gurvinder Singh and Gunnar Bøe, Campus Networks and Systems, UNINETT AMRES Wireless workshop Belgrade,
Www.ja.net/roaming Copyright JNT Association 2006 The JANET Roaming Service.

Copyright JNT Association 2006 The JANET Roaming Service.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
EuroCAMP Ljubljana, 3-5 March 2006 TERENA Server Certificate Service Towards the large-scale use of affordable popup-free server certificates for the European.

EuroCAMP Ljubljana, 3-5 March 2006 TERENA Server Certificate Service Towards the large-scale use of affordable popup-free server certificates for the European.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
EduShib VA What is EduShib VA? EduShib VA (Virtual Appliance) is a image based implementation tool for eduroam and Shibboleth.

EduShib VA What is EduShib VA? EduShib VA (Virtual Appliance) is a image based implementation tool for eduroam and Shibboleth.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701.

Federated A(A(A))I Jens Jensen hepsysman, RAL,
EduRoam Australia Project Experience in location independent wireless networking with international collaboration with TERENA EduRoam Project 19 th APAN.

EduRoam Australia Project Experience in location independent wireless networking with international collaboration with TERENA EduRoam Project 19 th APAN.
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
AAI with simpleSAMLphp

AAI with simpleSAMLphp

Similar presentations

Ads by Google