
Deploying Authorization Mechanisms for Federated Services in eduroam Klaas Wierenga, EuroCAMP Helsinki, 17&18th April 2007.


1 Deploying Authorization Mechanisms for Federated Services in eduroam Klaas Wierenga, EuroCAMP Helsinki, 17&18th April 2007

2 Contents
- Intro
- eduroam
- The European eduroam confederation
- eduGAIN
- DAMe
- Summary

3 Federations in European education
- Enable the sharing of educational resources
- Applications
  - Shibboleth, PAPI, A-Select, Liberty
  - Federated with eduGAIN
- Network
  - eduroam
- Both require agreement on:
  - Responsibilities
  - Privacy
  - Liability
  - Technology
  - Language
  - Standards

4 eduroam

5 The goal of eduroam
"Open your laptop and be online", or: to build an interoperable, scalable and secure authentication infrastructure that will be used all over the world, enabling seamless sharing of network resources.

6 eduroam
[Diagram: a guest supplicant (piet@university_b.nl) connects to an authenticator (AP or switch) at University A. The authenticator passes the 802.1X/EAP exchange to the University A RADIUS server, which forwards it through the SURFnet central RADIUS proxy server to the University B RADIUS server, which checks its user DB. On success the authenticator puts the user in a VLAN (Student VLAN, Commercial VLAN or Employee VLAN). Data and signalling paths are drawn separately.]
- Trust based on RADIUS plus policy documents
- 802.1X (VLAN assignment)

7 eduroam interactions
[Diagram: Resource (AP) -> RADIUS@visited -> RADIUS@home -> Id Repository, linked by RADIUS + TLS channel(s) through the eduroam hierarchy.]
Radiator debug log of the request (binary attribute values are not reproducible in the transcript):

Tue Oct 10 00:05:15 2006: DEBUG: Packet dump:
*** Received from 145.99.133.194 port 1025 ....
Code:       Access-Request
Identifier: 1
Authentic:  <16 binary bytes>
Attributes:
        User-Name = "Klaas.Wierenga@guest.showcase.surfnet.nl"
        NAS-IP-Address = 145.99.133.194
        Called-Station-Id = "001217d45bc7"
        Calling-Station-Id = "0012f0906ccb"
        NAS-Identifier = "001217d45bc7"
        NAS-Port = 55
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        EAP-Message = <EAP Response/Identity carrying Klaas.Wierenga@guest.showcase.surfnet.nl>
        Message-Authenticator = <16 binary bytes>

Tue Oct 10 00:17:32 2006: DEBUG: Handling request with Handler 'TunnelledByTTLS=1, Realm=/guest.showcase.surfnet.nl/i'
Tue Oct 10 00:17:32 2006: DEBUG: Deleting session for Klaas.Wierenga@guest.showcase.surfnet.nl, 145.99.133.194,
Tue Oct 10 00:17:32 2006: DEBUG: Handling with Radius::AuthFILE: SC-GUEST-ID
Tue Oct 10 00:17:32 2006: DEBUG: Reading users file /etc/radiator/db/showcase-guest-users
Tue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE looks for match with Klaas.Wierenga@guest.showcase.surfnet.nl [Klaas.Wierenga@guest.showcase.surfnet.nl]
Tue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE ACCEPT: : Klaas.Wierenga@guest.showcase.surfnet.nl [Klaas.Wierenga@guest.showcase.surfnet.nl]
Tue Oct 10 00:17:32 2006: DEBUG: AuthBy FILE result: ACCEPT,
Tue Oct 10 00:17:32 2006: DEBUG: Access accepted for Klaas.Wierenga@guest.showcase.surfnet.nl
Tue Oct 10 00:17:32 2006: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code:       Access-Accept
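The two things slides 6 and 7 rely on are realm-based forwarding through the RADIUS hierarchy and the integrity of the Access-Request that carries the EAP exchange. The following is an added example, not code from the presentation, Radiator or eduroam: it encodes an Access-Request modelled on the packet dump above, computes and checks the Message-Authenticator (HMAC-MD5 over the packet with that attribute zeroed, as RFC 3579 requires whenever EAP-Message is present), and then makes the forwarding decision a proxy makes. The shared secret, the realm table, the server names and the fixed Request Authenticator are constructed for the example.

```python
"""Realm-based RADIUS proxying with Message-Authenticator checking (added example)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
# Attribute types from RFC 2865 / RFC 2869 / RFC 3579
USER_NAME, NAS_IP_ADDRESS, NAS_PORT = 1, 4, 5
CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 30, 31, 32
NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 61, 79, 80
HEADER_LEN = 20  # code(1) identifier(1) length(2) authenticator(16)


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; length byte covers the 2-byte header."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def parse_attrs(packet):
    """Return the attribute list of a RADIUS packet, rejecting malformed TLVs."""
    attrs, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(identifier, request_authenticator, attrs, secret):
    """Access-Request whose Message-Authenticator is HMAC-MD5(secret, packet with the
    Message-Authenticator value set to 16 zero bytes), per RFC 3579 section 3.2."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zeroed value is the last attribute


def verify_message_authenticator(packet, secret):
    """True only if a Message-Authenticator is present and matches the shared secret."""
    pos = HEADER_LEN
    for attr_type, value in parse_attrs(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False


def route_by_realm(user_name, home_realms, national_proxy):
    """("home", server) if the realm (or a sub-realm) is served here, ("forward", proxy)
    otherwise, ("reject", None) if the outer identity has no realm: an unroutable
    request is answered locally, never pushed up the hierarchy."""
    if "@" not in user_name:
        return ("reject", None)
    realm = user_name.rsplit("@", 1)[1].lower()
    if not realm:
        return ("reject", None)
    for known, server in home_realms.items():
        if realm == known or realm.endswith("." + known):
            return ("home", server)
    return ("forward", national_proxy)


def proxy_decision(packet, secret, home_realms, national_proxy):
    """Integrity first, then routing: what a proxy does with one Access-Request."""
    try:
        attrs = parse_attrs(packet)
    except ValueError:
        return ("drop", "malformed packet")
    if packet[0] != ACCESS_REQUEST:
        return ("drop", "not an Access-Request")
    if any(t == EAP_MESSAGE for t, _ in attrs) and not verify_message_authenticator(packet, secret):
        return ("drop", "bad or missing Message-Authenticator")
    names = [v for t, v in attrs if t == USER_NAME]
    if len(names) != 1:
        return ("drop", "expected exactly one User-Name")
    return route_by_realm(names[0].decode("utf-8", "replace"), home_realms, national_proxy)


def make_request(identity, secret, identifier=1):
    """Constructed Access-Request modelled on the slide 7 dump; the EAP-Message holds an
    EAP Response/Identity (code 2, id 1, type 1) with the outer identity."""
    eap = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    attrs = [
        (USER_NAME, identity),
        (NAS_IP_ADDRESS, bytes([145, 99, 133, 194])),
        (CALLED_STATION_ID, b"001217d45bc7"),
        (CALLING_STATION_ID, b"0012f0906ccb"),
        (NAS_IDENTIFIER, b"001217d45bc7"),
        (NAS_PORT, struct.pack("!I", 55)),
        (NAS_PORT_TYPE, struct.pack("!I", 19)),  # 19 = Wireless-IEEE-802-11
        (EAP_MESSAGE, eap),
    ]
    # A real NAS sends 16 random bytes here; fixed bytes keep the example deterministic.
    return build_access_request(identifier, bytes(range(16)), attrs, secret)


SECRET = b"testing123"                                # constructed demo secret
HOME_REALMS = {"surfnet.nl": "radius.surfnet.nl"}     # hypothetical realm table
NATIONAL_PROXY = "proxy.eduroam.nl"                   # hypothetical national proxy

if __name__ == "__main__":
    pkt = make_request(b"Klaas.Wierenga@guest.showcase.surfnet.nl", SECRET)
    print(proxy_decision(pkt, SECRET, HOME_REALMS, NATIONAL_PROXY))
    tampered = pkt[:40] + bytes([pkt[40] ^ 0x01]) + pkt[41:]  # flip a bit in User-Name
    print(proxy_decision(tampered, SECRET, HOME_REALMS, NATIONAL_PROXY))
```

The order in `proxy_decision` is the point: a proxy that routes before it verifies lets anyone on the path rewrite the realm and steer the request to a server of their choosing, and a request without a realm is rejected at the edge rather than handed to the national proxy.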

8 European eduroam confederation
- Single technology
  - RADIUS
  - 802.1X
  - EAP
- Authentication = authorisation (the visited site admits any user whose home institution returns Access-Accept; there is no separate authorisation decision at the visited site)

9 eduGAIN

10 The eduGAIN model
[Diagram: Id Repository(ies) behind a home bridging element (H-BE), Resource(s) behind a remote bridging element (R-BE). Both sides publish metadata to the MDS through their federation peering points (H-FPP and R-FPP metadata publish); the R-BE performs a metadata query against the MDS; AA interactions run between Resource, R-BE, H-BE and Id Repository.]
Lingua franca: SAML

11 eduGAIN interactions
[Diagram: Requester (Resource) and Responder (Id Repository) exchange SAML over TLS channel(s); the Requester first queries the MDS over a TLS channel.]
Metadata query:
  https://mds.geant.net/?cid=someURN
  <EntityDescriptor ... entityID="urn:geant2:..:responder"> ...
    <SingleSignOnService ... Location="https://responder.dom/" /> ...
Request and response:
  <samlp:Request ... RequestID="e70c3e9e6…" IssueInstant="2006-06…"> ...
  <samlp:Response ... ResponseID="092e50a08…" InResponseTo="e70c3e9e…"> ...
Entity identifiers: urn:geant2:...:responder, urn:geant2:...:requester

12 DAMe

13 DAMe
- Deploying Authorization Mechanisms for Federated Services in eduroam
- DAMe is a project that builds upon:
  - eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard
  - Shibboleth and eduGAIN
  - NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) standards
- Universities of Murcia and Stuttgart within Géant2 JRA5

14 1st: Extension of eduroam with authZ
[Diagram: the eduroam picture from slide 6 (guest supplicant piet@university_b.nl, authenticator (AP or switch), RADIUS servers of University A and University B, eduroam central RADIUS proxy server, user DB), extended with an XACML Policy Decision Point and a SAML Source Attribute Authority. Data and signaling paths are drawn separately.]
User mobility controlled by assertions and policies expressed in SAML and XACML.
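Slide 14 replaces the "authentication = authorisation" shortcut of slide 8 with an explicit decision: attributes asserted by the home institution's SAML attribute authority are evaluated by an XACML policy decision point at the visited site. The following is an added example, not DAMe or NAS-SAML code: a small PDP that parses a constructed XACML 3.0-style policy (Target/AnyOf/AllOf/Match with string-equal, first-applicable rule combining, rule-level obligations) and evaluates it against the attributes of a roaming user. The eduPersonAffiliation attribute id is the real one; the home-realm attribute id, the obligation id, the realm names and the VLAN names are assumptions made for the example.

```python
"""Tiny XACML policy decision point for 802.1X network access (added example)."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"  # real eduPerson attribute id
HOME_REALM = "urn:example:dame:home-realm"                       # hypothetical attribute id
ASSIGN_VLAN = "urn:example:dame:assign-vlan"                     # hypothetical obligation id


def match(attr_id, value):
    """One <Match>: string-equal between a literal and a subject attribute."""
    return (f'<Match MatchId="{STRING_EQUAL}"><AttributeValue DataType="{XS_STRING}">{value}'
            f'</AttributeValue><AttributeDesignator Category="{SUBJECT}" AttributeId="{attr_id}"'
            f' DataType="{XS_STRING}" MustBePresent="false"/></Match>')


def rule(rule_id, effect, allofs, vlan=None):
    """One <Rule>; allofs is a list of lists of <Match> strings (an AnyOf of AllOfs)."""
    target = "".join(f"<AllOf>{''.join(ms)}</AllOf>" for ms in allofs)
    target = f"<AnyOf>{target}</AnyOf>" if allofs else ""
    obligation = (f'<ObligationExpressions><ObligationExpression ObligationId="{ASSIGN_VLAN}" '
                  f'FulfillOn="Permit"><AttributeAssignmentExpression AttributeId="vlan">'
                  f'<AttributeValue DataType="{XS_STRING}">{vlan}</AttributeValue>'
                  f'</AttributeAssignmentExpression></ObligationExpression></ObligationExpressions>'
                  if vlan else "")
    return f'<Rule RuleId="{rule_id}" Effect="{effect}"><Target>{target}</Target>{obligation}</Rule>'


# Constructed policy of the visited institution "university_a.nl": its own employees and
# students get their VLANs, any eduroam user with a recognised affiliation gets the guest
# VLAN, everybody else (for example an affiliation of only "alum") is denied.
POLICY_XML = (
    f'<Policy xmlns="{XACML}" PolicyId="urn:example:dame:network-access" Version="1.0" '
    f'RuleCombiningAlgId="{FIRST_APPLICABLE}"><Target/>'
    + rule("local-employee", "Permit",
           [[match(HOME_REALM, "university_a.nl"), match(AFFILIATION, "employee")]], "employee")
    + rule("local-student", "Permit",
           [[match(HOME_REALM, "university_a.nl"), match(AFFILIATION, "student")]], "student")
    + rule("eduroam-guest", "Permit",
           [[match(AFFILIATION, a)] for a in ("student", "employee", "staff", "faculty")], "guest")
    + rule("default-deny", "Deny", [])
    + "</Policy>"
)


def _match_ok(m, request):
    if m.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(m.get("MatchId"))
    literal = m.find("x:AttributeValue", NS).text
    attr_id = m.find("x:AttributeDesignator", NS).get("AttributeId")
    # XACML bag semantics: the Match holds if any value of the attribute equals the literal
    return literal in request.get(attr_id, ())


def _target_ok(target, request):
    """Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match."""
    if target is None:
        return True
    return all(any(all(_match_ok(m, request) for m in allof.findall("x:Match", NS))
                   for allof in anyof.findall("x:AllOf", NS))
               for anyof in target.findall("x:AnyOf", NS))


def evaluate(policy_xml, request):
    """Return (decision, obligations) for a request of the form {attribute_id: [values]}."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != FIRST_APPLICABLE:
        raise NotImplementedError("only first-applicable is implemented")
    if not _target_ok(policy.find("x:Target", NS), request):
        return "NotApplicable", {}
    for r in policy.findall("x:Rule", NS):
        if not _target_ok(r.find("x:Target", NS), request):
            continue
        effect, obligations = r.get("Effect"), {}
        for ob in r.findall("x:ObligationExpressions/x:ObligationExpression", NS):
            if ob.get("FulfillOn") == effect:
                for a in ob.findall("x:AttributeAssignmentExpression", NS):
                    obligations[a.get("AttributeId")] = a.find("x:AttributeValue", NS).text
        return effect, obligations
    return "NotApplicable", {}


def request_from_saml(outer_identity, saml_attributes):
    """PDP request: the realm from the 802.1X outer identity plus the attributes the home
    institution's SAML attribute authority asserted (constructed input, no signature check)."""
    realm = outer_identity.rsplit("@", 1)[1].lower() if "@" in outer_identity else ""
    request = {HOME_REALM: [realm]}
    request.update({k: list(v) for k, v in saml_attributes.items()})
    return request


def decide(outer_identity, saml_attributes):
    return evaluate(POLICY_XML, request_from_saml(outer_identity, saml_attributes))


if __name__ == "__main__":
    print(decide("piet@university_b.nl", {AFFILIATION: ["student"]}))   # Permit, guest VLAN
    print(decide("old@university_b.nl", {AFFILIATION: ["alum"]}))       # Deny
```

The obligation is what turns a Permit into the VLAN assignment of slide 6: the PEP (here the RADIUS server in front of the authenticator) fulfils it by adding the tunnel attributes to the Access-Accept, and an Access-Accept that the PDP has not seen carries no VLAN at all. Before any of this is useful the SAML assertion's signature and the attribute authority's identity must be verified; that step is left out here.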

15 2nd: eduGAIN AuthN+AuthZ backend
- Link between the AAA servers (now acting as Service Providers) and eduGAIN

16 3rd: Universal Single Sign-On
- Users will be authenticated once, during the network access control phase
- The eduGAIN authentication would be bootstrapped from NAS-SAML
- New method for delivering authentication credentials and new security middleware
- 4th goal: integrating applications, focusing on grids

17 eduroam+NAS-SAML in context
- The proposal is functionally equivalent to the one discussed in Internet2 (I2) SALSA-FWNA for RADIUS-SAML integration
- Compatibility and convergence are the natural way forward
- NAS-SAML is
  - from the inter-realm view, a Diameter binding for SAML
  - already available, thus allowing for fast evaluation of ideas
- Agree on the basics
  - Data exchanged in RADIUS space
  - Relevant attributes

18 Independent AuthZ

19 Summary

20
- Convergence to (a small number of) standards
  - 802.1X + RADIUS
  - The SAML orbit
- International confederations are emerging
  - eduroam
  - Géant2 AAI (eduGAIN)
- The twain will ever meet
  - Using the same principles and standards

21 Thank you!
More info: http://dame.inf.um.es/
Klaas.Wierenga@surfnet.nl

