Eduroam debugging - UNINETT Openwiki

Eduroam debugging
Gurvinder Singh and Gunnar Bøe,
Campus Networks and Systems, UNINETT
AMRES Wireless workshop
Belgrade, 12 September 2011
connect • communicate • collaborate
Eduroam in Norway
Eduroam Architecture (hierarchy of RADIUS servers, drawn as a tree on the slide)
  Top level RADIUS
    Nation A: radsec proxy
      Inst. A1
      Inst. A2
    Nation B: radsec proxy
      Inst. B1
      Inst. B2
Issues
• A user is unable to connect while roaming.
• How do we locate the problem? Is it at the client device, the station ID (the client's MAC address as sent in the request), the visited institution's RADIUS server, the national proxy or the home RADIUS server?
Challenges
• Distributed architecture
• Inter-institution/international roaming
• Heterogeneous environment (FreeRADIUS, Microsoft RADIUS server, etc.)
• Encrypted traffic
• Privacy issues
History
• RADIUS log files are nice, BUT…
• Debugging eduroam is complicated
• Lack of access to RADIUS logs at the other levels
• The people who did something about it: Gurvinder Singh, Jardar Leira, Tore Kristiansen, Kolbjorn Barmen, Gunnar Bøe
Edudbg Design
Because of the challenges above, edudbg monitors the request logs at the national radsec proxy level, which every roaming request passes through.
It parses the log and stores the information in an easily accessible and searchable form, to help locate the problem at hand.
Edudbg's Components
• Edudbg-logger: parses the radsec proxy log file and stores it in the database.
• Edudbg-webservice: reads the database for searching and makes it easily accessible to users/administrators.
• Authentication plug-in
• Authorisation plug-in
Privacy issues
Access to RADIUS logs at a higher level can expose information (who, where, when) about people from other organisations.
Solution:
• Support federated login systems, e.g. Feide.
• Grant access only to information related to your own organisation.
• No more information is exposed than you already have access to in your own RADIUS logs.
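A worked example of the logger's parse-and-store step together with the organisation-scoped search that the privacy slide calls for. This is an added illustration written for this page, not edudbg's own code: the log lines are constructed (modelled on radsecproxy's "Access-Request for user ... stationid ... from ... to ..." messages, but the exact field layout is an assumption), the SQLite schema and the parse_line/build_db/search functions are invented here, and the viewer's realm and list of own servers are assumed to come from the federated login.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample, modelled on radsecproxy's request log lines; the exact
# layout (timestamp, "from X (addr) to Y (addr)") is an assumption for this example.
SAMPLE_LOG = """\
Sep 12 10:01:02 2011: Access-Request for user anonymous@uio.no stationid 00-1A-2B-3C-4D-5E from radius.ntnu.no (10.0.1.10) to radius.uio.no (10.0.2.20)
Sep 12 10:01:03 2011: Access-Accept for user anonymous@uio.no stationid 00-1A-2B-3C-4D-5E from radius.uio.no (10.0.2.20) to radius.ntnu.no (10.0.1.10)
Sep 12 10:02:15 2011: Access-Request for user bob stationid 00-AA-BB-CC-DD-EE from radius.ntnu.no (10.0.1.10) to radius.ntnu.no (10.0.1.10)
Sep 12 10:02:15 2011: Access-Reject for user bob stationid 00-AA-BB-CC-DD-EE from radius.ntnu.no (10.0.1.10) to radius.ntnu.no (10.0.1.10)
this line is not a request record and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}): "
    r"(?P<type>Access-(?:Request|Accept|Reject|Challenge)) for user (?P<user>\S+) "
    r"stationid (?P<stationid>\S+) "
    r"from (?P<src>\S+)(?: \([^)]*\))? to (?P<dst>\S+)(?: \([^)]*\))?$"
)

SCHEMA = """
CREATE TABLE IF NOT EXISTS requests (
    ts TEXT, type TEXT, user TEXT, realm TEXT, stationid TEXT, src TEXT, dst TEXT
)"""


def parse_line(line):
    """Return a record dict for one log line, or None if it is not a request record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Normalise the timestamp so records sort and compare correctly in SQL.
    ts = datetime.strptime(re.sub(r" +", " ", rec["ts"]), "%b %d %H:%M:%S %Y")
    rec["ts"] = ts.isoformat()
    # The realm is whatever follows the last '@'; an empty realm means none was sent.
    _, sep, realm = rec["user"].rpartition("@")
    rec["realm"] = realm.lower() if sep else ""
    return rec


def load(conn, text):
    """Parse every line of `text` into the requests table; return the number stored."""
    conn.execute(SCHEMA)
    rows = [r for r in map(parse_line, text.splitlines()) if r]
    conn.executemany(
        "INSERT INTO requests VALUES (:ts, :type, :user, :realm, :stationid, :src, :dst)", rows
    )
    conn.commit()
    return len(rows)


def build_db(text, path=":memory:"):
    """Create (or open) the database at `path` and load `text` into it."""
    conn = sqlite3.connect(path)
    load(conn, text)
    return conn


def search(conn, viewer_realm, viewer_servers, user=None, stationid=None):
    """Records the viewer's organisation is entitled to see: its own users (realm
    match) or requests its own servers sent or received (visitors on its network).
    viewer_realm/viewer_servers are assumed to come from the federated login."""
    servers = list(viewer_servers) or ["-"]
    marks = ",".join("?" * len(servers))
    sql = ("SELECT ts, type, user, realm, stationid, src, dst FROM requests "
           "WHERE (realm = ? OR src IN (%s) OR dst IN (%s))" % (marks, marks))
    params = [viewer_realm.lower(), *servers, *servers]
    if user is not None:
        sql += " AND user = ?"
        params.append(user)
    if stationid is not None:
        sql += " AND stationid = ?"
        params.append(stationid)
    sql += " ORDER BY ts"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = build_db(SAMPLE_LOG)
    for row in search(db, "uio.no", ["radius.uio.no"]):
        print(row)
```

The scope filter in search() is the point: an administrator from uio.no gets only records whose realm is uio.no or that one of uio.no's own servers sent or received, which is exactly the information that organisation already has in its own RADIUS logs. Everything else stored at the national proxy stays invisible to that login.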
Edudbg Architecture (diagram on the slide; the only recoverable label is "Federated login")
Edudbg-webservice
• Reads the database and lets the user access the debug information in a user-friendly way.
• Hides the complexity caused by the eduroam architecture and makes debugging easy.
Edudbg Usage scenario
• Edudbg can be used to find the cause of a connection failure.
• Administrators can also use it for proactive maintenance, e.g. detecting RADIUS server loops.
Demo interface
• file:///F:/all/GigaCampus/Mobilitet/edudbg/documentation%20examle.htm (local file on the presenter's machine)
• http://eduroam.no
Use cases (missing realm)
• A missing realm name causes the national proxy to forward the request to the local RADIUS server.
• Since the user does not belong to that organisation, the request is rejected there.
Use cases (incorrect realm)
• A misspelled realm name is unknown to the national proxy, which forwards the request to the top-level servers; they know no such realm either, and the request is rejected.
Use cases (incorrect password)
• The contents of the request look fine, and it has been routed to the correct home server.
• The Access-Reject therefore originates at the home institution, and the most likely cause is an incorrect password.
Use cases (RADIUS server loop)
• The contents of the request look fine, and it has been routed to the correct home server.
• But the request came from that same institution, and is routed straight back to it.
• This should not happen: an institution should forward a request to the national proxy only when the user belongs to another institution.
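The four use cases above can be turned into one classifier over request records of the kind the logger stores. This is an added example written for this page, not part of edudbg: the realm-to-home-server table, the placeholder top-level server name and the sample records are constructed, and the classification rules are a transcription of the slides (no realm, unknown realm, reject from the home server, loop). It goes slightly beyond the slides by suggesting the closest known realm when a realm is unknown, which is what a helpdesk wants to see for a misspelling.

```python
import difflib
from collections import Counter

# Constructed routing table of a national proxy (realm -> home server).
# Hostnames are placeholders for this example, not real eduroam.no servers.
REALM_SERVERS = {
    "uio.no": "radius.uio.no",
    "ntnu.no": "radius.ntnu.no",
    "uninett.no": "radius.uninett.no",
}
TOP_LEVEL = "toplevel.example"  # placeholder for the top-level RADIUS servers


def classify(rec, realm_servers=REALM_SERVERS):
    """Classify one request/result pair as seen at the national proxy.

    rec has keys user, realm, src (server that sent the request to the proxy),
    dst (server the proxy routed it to) and result ('Access-Accept'/'Access-Reject').
    Returns (case, explanation)."""
    user, realm, src, dst, result = (rec[k] for k in ("user", "realm", "src", "dst", "result"))
    if result == "Access-Accept":
        return "ok", "accepted by %s" % dst
    if not realm:
        # Missing realm: nothing to route on, so the request ends at the local
        # server, which does not know the user and rejects it.
        return ("missing_realm",
                "'%s' carries no realm; routed to %s, which rejected it" % (user, dst))
    home = realm_servers.get(realm)
    if home is None:
        # Unknown realm: the proxy forwarded it upwards and it came back rejected.
        expl = "realm '%s' is unknown nationally; forwarded to %s and rejected" % (realm, dst)
        hint = difflib.get_close_matches(realm, realm_servers, n=1, cutoff=0.75)
        if hint:
            expl += "; closest known realm is '%s' (misspelling?)" % hint[0]
        return "incorrect_realm", expl
    if src == home:
        # The home institution forwarded its own user to the proxy, which sent the
        # request straight back: a RADIUS server loop, i.e. a misconfiguration at home.
        return ("radius_loop",
                "%s forwarded its own user '%s' to the national proxy" % (home, user))
    if dst == home:
        return ("rejected_by_home",
                "routed correctly to %s; the reject originates there, "
                "most likely an incorrect password" % home)
    return "unexpected", "routed to %s instead of home server %s" % (dst, home)


def summarize(records, realm_servers=REALM_SERVERS):
    """Count cases over many records: the proactive-maintenance view."""
    return dict(Counter(classify(r, realm_servers)[0] for r in records))


# Constructed sample records, one per use case on the slides plus one success.
SAMPLE_RECORDS = [
    {"user": "alice@uio.no", "realm": "uio.no", "src": "radius.ntnu.no",
     "dst": "radius.uio.no", "result": "Access-Accept"},
    {"user": "bob", "realm": "", "src": "radius.ntnu.no",
     "dst": "radius.ntnu.no", "result": "Access-Reject"},
    {"user": "carol@uoi.no", "realm": "uoi.no", "src": "radius.ntnu.no",
     "dst": TOP_LEVEL, "result": "Access-Reject"},
    {"user": "dave@uio.no", "realm": "uio.no", "src": "radius.uio.no",
     "dst": "radius.uio.no", "result": "Access-Reject"},
    {"user": "erin@uio.no", "realm": "uio.no", "src": "radius.ntnu.no",
     "dst": "radius.uio.no", "result": "Access-Reject"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        case, why = classify(rec)
        print("%-16s %s" % (case, why))
    print(summarize(SAMPLE_RECORDS))
```

The order of the tests matters: a loop is checked before "rejected by home" because in a loop the request is also routed to the correct home server, and only the source tells the two apart. summarize() over a day's records is the proactive check the usage-scenario slide mentions: a non-zero radius_loop count points at an institution whose server forwards its own users upstream.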
Edudbg Experience
• Our experience from running the edudbg service so far shows that almost 70-80% of issues are caused by incorrect information in the request, e.g. a misspelled username, a wrong password or an incorrect realm.
• Edudbg helps in debugging these cases.
• Getting deeper into a problem requires log information from the local institution, which needs further discussion.
Discussion
• Should we deploy at the national proxy level or at the institutional level?
• Should the log information be in a fixed format or in the default format?
• For how long should such records be kept in the database?
Useful links
• Wireless best practice: http://www.terena.org/activities/campus-bp/bpd.html
• Slides from this workshop: https://ow.feide.no/geantcampus:wireless_sept_2011
More information / Contact
GEANT3 NA3 Task 4: Campus Best Practice
http://www.geant.net/About_GEANT/Campus_Best_Practice/Pages/home.aspx
http://www.terena.org/activities/campus-bp/
gn3campus@uninett.no
Look out for more BPDs coming along…
Subscribe to announcements: campus-bp-announcements@terena.org
Thank you!
Contact: campus@uninett.no