Joining eduroam

Joining eduroam
Wireless Roaming for Higher
Education and Research
chris.myers@grangenet.net
EuroCAMP ver 2.7
Global Working Group
A Global Working Group has been set up.
There is an open email list to share.
The first meeting was at EuroCAMP 2005.
The second meeting was held after the I2 members meeting.
The third meeting was yesterday.
We hold a conference call when required.
Global Working Group
What are we doing?
Working on standards and systems for safe roaming internationally.
eduroam NG (next generation).
Peering policies and frameworks.
There are representatives from Europe, the USA and Asia Pacific.
Global Working Group
• Current eduroam environment
  • Hierarchy of RADIUS proxies
  • Shared-key security
  • Manual configuration of all links
Global Working Group
• Future eduroam environment
  • RADIUS discovery
  • PKI-secured links
  • Via Radiator, Diameter or FreeRADIUS versions
  • Possible Shib attribute passing.
The APAN Region
Future direction and update
What is eduroam's core requirement?
eduroam allows roving researchers to log in, with their usual "user name/password", to wireless networks at participating campuses around the world and transparently get access to resources.
This is the mission statement.
This is what needs to be delivered.
Eduroam in APAN Region
• Federated
  – Australia
    • 17 sites
  – Taiwan
    • 51 sites
• Interest in
  – Japan
  – China
  – Korea
  – New Zealand
  – AU University in Vietnam
National Science and Technology
Program for Telecommunications
Global Cross-Campus WLAN Roaming
based on Distributed Authentication
Mechanism
Project Members:
Yung-Chi Yang
c00ycy00@nchc.org.tw
Ko-Chung Tang
kevin@nchc.org.tw
Wei-Hung Huang
a00whl00@nchc.org
Wei-Wen Chen
c00cyw00@nchc.org.tw
Roaming Platform Participants
(Updated at 2005-10-30)
1) National Taiwan University
2) National Cheng-chi University
3) National Chiao-Tung University
4) National Tsing-Hua University
5) National Central University
6) National Cheng-Kung University
7) National Chi-Nan University
8) National Chung-Hsing University
9) National Dong Hwa University
10) National Taipei University
11) National Yang-Ming University
12) National Taiwan Normal University
13) National Chung-Cheng University
14) National Taiwan Ocean University
15) National United University
16) National Hsinchu University of Education
17) National University of Tainan
18) National University of Kaohsiung
19) National Ilan University
20) National Taitung University
21) National Taiwan University of Science and Technology
22) National Yunlin University of Science and Technology
23) National Kaohsiung First University of Science and Technology
24) Northern Taiwan Institute of Science and Technology
25) Taipei Medical University
26) Tamkang University
27) Feng Chia University
28) I-Shou University
29) Soochou University
30) Wufeng Institute of Technology
31) Vanung University
32) Huafan University
33) Kaohsiung Medical University
34) Ming Chuan University
35) Providence University
36) Da-Yeh University
37) Shih Hsin University
38) Yuan Ze University
39) Chung Hua University
40) Chinese Culture University
41) Hsiuping Institute of Technology
42) Ling Tung University
43) Lunghwa University of Science and Technology
44) Takming College
45) Jin Wen Institute of Technology
46) Fooyin University
47) Tatung University
48) Mingdao University
49) St. John's University
50) Yuanpei Institute of Science and Technology
51) Tunghai University
Roaming is possible between 51 universities in Taiwan, and over 500,000 user accounts are being served.
WLAN Roaming Architecture
Roaming Server – Software Architecture
Components:
• RADIUS Server (in campus)
• VPN tunnel
• Roaming Center (NCHC)
Roaming Server (Linux Red Hat/Fedora) runs:
• Firewall
• OpenVPND
• RADIUS Server with Proxy (FreeRADIUS, SNMP enabled)
• FreeRADIUS implements the RADIUS protocol and uses its proxy function to communicate with the Roaming Center.
• The firewall controls access rights to the Roaming Server.
• OpenVPND builds the secure tunnel between the Roaming Server and the Roaming Center.
• The Roaming Center uses SNMP to monitor the status of the Roaming Server.
Eduroam in APAN Region
• Top Level servers
– Server 1
• Australia
• coming on-line soon
– Server 2
• Looking for a home.
Eduroam in APAN Region
• This will be run as a service.
  – (in this region)
• Which means
  – Security
  – Education
  – Monitoring
  – Granular Control
  – Policies
  – Service Levels
  – IPv6
What does Security mean?
• Minimum standards
  – 802.1X
  – WPA TKIP on APs
  – EAP-TTLS authentication
• Why
  – The security level of this service is only as strong as the weakest site.
• Waivers will be available for fixed times.
What does Security mean?
• Future standards
  – 802.11i
  – WPA2 AES on APs
  – EAP SAML?
The next wave of magic
• Integration with
– Shib
– A-Select
– Or Other
What does Security mean?
• Why not web redirect?
  – We don't share our password with others.
    • (Not secure)
• Why not VPN?
  – Which VPN?
  – ACL / XML lists: how long would they be?
    • (1006 sites x 2 VPNs x 16 firewall rules = 32192 lines)
    • (Not scalable)
What does Security mean?
• Why WPA TKIP?
  – Open: all traffic is in the clear.
  – WEP: is broken (all traffic is effectively in the clear).
  – WPA with TKIP: is in most APs now and was a good level of security when this deck was written. (TKIP has since been deprecated; the WPA2/AES listed under future standards is now the minimum to deploy.)
• Why EAP-TTLS?
  – Secure PAP password exchange: the password travels only inside the TLS tunnel to the home institution's server, so the visited site and the RADIUS proxies in between never see it. This holds only if the supplicant validates the home server's certificate (trusted CA and expected server name); without that check a rogue AP can terminate the tunnel itself and read the PAP password.
  – Many supplicants are available.
• 802.1X is worth the pain.
What does Education mean?
• Skills can be imported
• Training
• Support
• Debugging
• Site visits
What does Monitoring mean?
• Servers
– What’s up?
– What’s down?
– What’s the impact?
– Who to contact?
(this is only half the story)
What does Monitoring mean?
• Service
– Is Auth up?
– Is Auth down? (where)
– What’s the impact?
– Who to contact?
– Must be end to end.
• I'd like to know this before the clients do.
What does Granular Control mean?
• How do we identify?
• How do we suspend access?
• How can a client obtain their roaming data?
• This will empower users and providers.
What does Policies mean?
• Policies support and protect:
  – The service
  – The provider
  – The client
• The Australian Policy is complete.
  – (Ratification is in its final stages)
  – This work has been completed by James Sankar of AARNet.
What does Service Levels mean?
• As a service
  – We need to define the service.
  – We need to set response times.
  – We need to supply a level of service to our clients.
What does IPv6 mean?
• IPv6 is fundamental in this region.
– All eduroam type services need to work on v6.
• (not all sites but the service)
– We will be looking closely at v6 mobility.
– And also IPsec for secure roaming.
What You Need to play
International eduroam portals
Local NREN eduroam Portal.
Elements of a portal
•Local information
•Services
•Participants
•Policies
•Technology
•International links
•Information for roaming
•Mail lists
•How to contact Groups
Local NREN eduroam Portal.
Data Mining
•Who's interested?
•Where are they from?
•Are you hitting your targets?
Local NREN eduroam Portal.
•Did anyone read the news release?
•Put links in your news release (this helps).
•How can I make use of this information?
Local NREN eduroam Portal.
Feedback and help.
•Feedback is important:
•for the program.
•for the NREN.
•for the institute.
•for the user.
WIKI forum page
•Put detailed user guides on the portal.
•Put in links to the WIKI forum.
•Users who can help themselves don't call.
Team Requirements
What people are required for eduroam
– The wireless people
  • Basic wireless administration skills.
– The directory people
  • Average RADIUS administrative skills.
– The security people
  • Average firewall/ACL skills.
– The desktop support
  • Basic to average skills.
• It's not about the technology; that's the easy part.
Team Requirements
What the people require from eduroam
– Trust.
  • Policy.
  • Reactive, collaborative community.
  • Policy.
– For the NREN.
  • See "people".
  • It's all about the people.
Local Wireless Implementation
802.1x Tools
• SecureW2 (Alfa & Ariss)
  – SecureW2 for Windows platforms is a cost-effective and robust client solution for deploying 802.1X networks. The SecureW2 client enables EAP-TTLS using the standard Microsoft IEEE 802.1X client currently available for Windows 2000, Windows XP and Pocket PC 2003.
• Now open source
Local Wireless Implementation
Cisco 1200 Series Access Point setup for EduRoam
• Under Security, Encryption Manager.
• Select VLAN in the drop-down box under Set Encryption Mode and Key for VLAN.
• Select Cipher in Encryption Modes.
• Select TKIP in the Cipher drop-down box.
• Clear Encryption keys.
• Select Encryption key 2.
Local Wireless Implementation
• Under Security, SSID Manager.
• Select the eduroam SSID.
• Under Authentication Settings, Methods Accepted.
• Select Open Authentication with EAP in the drop-down box.
• Select Network EAP.
• Under Authentication Settings, Server Properties.
• Select Customize.
• Under Priority 1 select your RADIUS server's address.
Radius Implementation
• Create a national RADIUS server.
• Federate to the international server.
  – Good service selling point.
• Create institutional RADIUS services.
• Create test accounts.
  – On all sites
• RADIUS Tools
  – FreeRADIUS: a most excellent free RADIUS server.
Radius Implementation
• Deliver cookie cuts. (AUS example)
  – Config for an end-user site to connect to the national server. In FreeRADIUS 1.x the realm block goes in proxy.conf and the client block in clients.conf; the secrets are masked here.

    # proxy.conf: every realm not defined locally is forwarded to the national server
    realm DEFAULT {
        type     = radius
        authhost = 203.22.212.134:1812
        accthost = 203.22.212.134:1813
        secret   = XXXXXXXXXXXX
        nostrip
    }

    # clients.conf: accept replies and proxied requests from the national server
    client 203.22.212.134 {
        shortname = national-au-eduroam1
        secret    = XXXXXXXXXX
    }
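The following Python is an added example, not code from the deck or from FreeRADIUS. It models what the cookie cut above makes a campus proxy do: route on the realm of the outer identity (own realm served locally, everything else up the DEFAULT route to the national server), and protect each hop with the link's shared secret, which is what the "shared key security" bullet earlier refers to. The integrity checks are the ones RADIUS actually specifies: the RFC 2869 Message-Authenticator (HMAC-MD5) that is mandatory on an Access-Request carrying EAP, and the RFC 2865 Response Authenticator on the reply. The realm names, server name, secret and identities are constructed for illustration.

```python
"""Toy eduroam proxy hop: realm routing plus per-link shared-secret checks.

Added example; realm names, server names and the secret are hypothetical.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80

# Hypothetical routing table for one campus proxy.  The home realm is served
# locally; DEFAULT plays the role of "realm DEFAULT" in a FreeRADIUS proxy.conf
# and sends every other realm up to the national server.
ROUTES = {
    "uni.edu.au": ("local", None),
    "DEFAULT": ("proxy", "national-au-eduroam1"),
}


def parse_nai(user_name):
    """Split a Network Access Identifier into (user, realm).

    Supplicants usually send an outer identity such as anonymous@home.edu;
    only the realm matters for routing.  A name without '@' has no realm.
    """
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm.lower()


def route(user_name, routes=ROUTES):
    """Return ('local'|'proxy'|'reject', next_hop) for an Access-Request.

    Unqualified names are rejected rather than sent on the DEFAULT route:
    forwarding them would leak local account names into the hierarchy and
    invite proxy loops that the national server cannot resolve.
    """
    _, realm = parse_nai(user_name)
    if realm is None:
        return ("reject", None)
    return routes.get(realm) or routes.get("DEFAULT") or ("reject", None)


def _attr(attr_type, value):
    """RADIUS TLV: type(1) length(1, includes the 2-byte header) value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_identity(eap_id, identity):
    """EAP Response/Identity: code=2, id, length, type=1, identity."""
    data = identity.encode()
    return struct.pack("!BBHB", 2, eap_id, 5 + len(data), 1) + data


def access_request(ident, user_name, eap, secret, request_auth=None):
    """Access-Request carrying an EAP-Message.  Message-Authenticator is
    mandatory on such packets: HMAC-MD5 over the whole packet with its own
    value zeroed (RFC 2869 s.5.14).  It is placed as the last attribute."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, user_name.encode())
             + _attr(ATTR_EAP_MESSAGE, eap)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt, secret):
    """Upstream proxy's check before it touches the EAP payload (assumes the
    Message-Authenticator is the final attribute, as built above)."""
    expected = hmac.new(secret, pkt[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[-16:])


def access_reply(code, request, attrs, secret):
    """Reply whose Response Authenticator binds it to the request and the
    link secret: MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_reply(request, reply, secret):
    """Downstream check before trusting an Access-Accept from the next hop.
    A reply forged without the secret, or altered in transit, fails."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"XXXXXXXXXXXX"  # per-link shared secret, masked in the cookie cut
    outer = "anonymous@other.edu.tw"
    print(route(outer))  # ('proxy', 'national-au-eduroam1')
    req = access_request(7, outer, eap_identity(1, outer), secret)
    print(verify_message_authenticator(req, secret))  # True
    rep = access_reply(ACCESS_ACCEPT, req, b"", secret)
    print(verify_reply(req, rep, secret), verify_reply(req, rep, b"wrong"))  # True False
```

Two things the model makes visible that the cookie cut does not: a site that ships only the DEFAULT realm and forgets its own realm will proxy its own users to the national server, and every check above depends on nothing more than the MD5-based secret on that one link, which is why the deck lists "shared key security" under the current environment and "PKI secured links" under the future one.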
Layer 8
Layer 8
– Can be your friend.
  • They want the service.
  • They can see the business drivers.
  • They will divert resources to the project.
– Can be your enemy.
  • They can have unrealistic expectations.
  • The policy work triggers lawyers.
  • Lawyers mean money and long documents.
Layer 8
Know your Landscape
– What is out there?
– What does the community want?
– Can you meet their requirements?
– Can you control expectations?
– Can you deliver the service?
– Where can you go for help?
eduroam Links
eduroam AU Site
http://www.eduroam.edu.au
APAN eduroam Site
http://www.apaneduroam.edu.au
Eduroam Global Working Group
http://www.eduroam.edu.au/gwg-eduroam
Global working group email list
gwg-eduroam@eduroam.edu.au
Email Enquiries
enquiries@eduroam.edu.au
join@eduroam.au
Joining eduroam
Thank you
Please Join eduroam
http://www.eduroam.org
http://www.eduroam.edu.au
Acknowledgments
Surfnet, TF Mobility TERENA,UNI-C & AARNet
TECH chris.myers@grangenet.net
Policy james.sankar@aarnet.edu.au