Add to collection(s) Add to saved
  1. Arts & Humanities
  2. Communications

PPTX - Terena

advertisement 
Deploying eduroam
Deyan Stoykov, BREN
E-infrastructure Autumn Workshops
8 September, 2014
Introduction to eduroam
eduroam is a secure international roaming service for members of the
European eduroam Confederation (eduroam Service Definition, July
2012)
provides consistent and secure wireless access across research and
education institutions
based on a hierarchy of RADIUS servers
username is in user@realm format
Connect | Communicate | Collaborate
2
eduroam infrastructure elements
European Top-level RADIUS servers (ETLRS)
operated by the eduroam Operations Team (OT)
located in Denmark and Netherlands
hub for the European Confederation
provide inter-federation roaming
Federation-level RADIUS servers (FLRS)
operated by the National Roaming Operators (NROs)
provide intra-federation roaming
in case of inter-federation roaming, forward the request to an ETLR
Connect | Communicate | Collaborate
3
eduroam infrastructure elements #2
Service providers (SPs)
provide network access to local or visiting users
receive RADIUS requests from NAS devices (wireless APs,
switches)
forward the request to user’s IdP
grant or reject access
Identity providers (IdPs)
responsible for authenticating the users in a specific domain(realm)
receive RADIUS access request from SPs
consult a user database
grant or reject access
Access points / switches
Supplicants
Connect | Communicate | Collaborate
4
eduroam infrastructure – static routing
Connect | Communicate | Collaborate
5
eduroam infrastructure – dynamic routing
Connect | Communicate | Collaborate
6
eduroam infrastructure – dynamic routing
Connect | Communicate | Collaborate
7
Protocols
RADIUS
provides AAA (authentication, authorization and accounting)
– accounting is generally not used in eduroam
relies on shared secrets for mutual authentication
gradually superseded by RADSEC (RADIUS over TCP/TLS)
802.1x
EAP
EAP-TLS (authentication with TLS certificate)
PEAP (EAP-MSCHAPv2)
EAP-TTLS (PAP, CHAP, MS-CHAP)
Outer and inner tunnel
– Allows usage of anonymous identity
– Outer tunnel: anonymous@realm
– Inner tunnel: username@realm
Connect | Communicate | Collaborate
8
RADIUS server software
FreeRADIUS
open source license
most popular RADIUS server
version 3 includes RADSEC support and other improvements
Radiator
commercial license
targeting telco and other high-end market segments
Radsecproxy
open source license
only supports proxying, not usable for an IdP
Microsoft IAS/NPS
Connect | Communicate | Collaborate
9
NRO requirements/recommendations
Sign the eduroam policy
Maintain a web-site at www.eduroam.[cc]
Provide user support form
Allow requests from the eduroam monitoring service
Configure logging with F-Ticks
Maintain the eduroam database
Keep logs for at least 6 month
Connect | Communicate | Collaborate
10
eduroam database
Aggregated automatically from predefined locations
www.eduroam.[cc]/general/realm.xml
www.eduroam.[cc]/general/institution.xml
institution.xml is populated in a federation-specific method, usually
manually
Used for contact data and coverage map
Connect | Communicate | Collaborate
11
F-ticks
Collects statistics for roaming authentication requests within the
confederation to a central location
FreeRADIUS configuration
linelog f_ticks {
filename = syslog
format = ""
reference = "f_ticks.%{%{reply:Packet-Type}:-format}"
f_ticks {
Access-Accept = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=BG#CSI=%{CallingStation-Id}#RESULT=OK#"
Access-Reject = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=BG#CSI=%{CallingStation-Id}#RESULT=FAIL#"
}
}
rsyslog configutation
msg, contains, "F-TICKS" @1.2.3.4
Connect | Communicate | Collaborate
12
Setting up an IdP
Choosing EAP method
PEAP (EAP-MSCHAPv2)
EAP-TTLS (PAP, CHAP, MS-CHAP)
Authentication backend support
– PEAP: plaintext password or NT hash available
– TTLS: any (with PAP)
OS support
– PEAP: Windows Vista/7/8, iOS, Android
– TTLS: Windows 8, iOS, Android
Connect | Communicate | Collaborate
13
Setting up an IdP
Generate EAP certificates
Current recommendation is to
set up a private CA specifically
for eduroam
Use a long enough validity
period (20 years?)
Commercial CA doesn’t provide
additional security for EAP
Connect | Communicate | Collaborate
14
Setting up an IdP
Provide assistance to users
eduroam CAT
– http://cat.eduroam.org
web-site with instructions
Promo materials at
www.eduroam.org
Connect | Communicate | Collaborate
15
greatidp.aq.
43200 IN
NAPTR 100 10 "s" "x-eduroam:radius.tls" "" _radsec._tcp.eduroam.aq.
Setting up an IdP
Enabling dynamic discovery
DNS records for dynamic discovery
example.com.
43200
IN
"" _radsec._tcp.example.com.
NAPTR
_radsec._tcp.example.com. 43200
_radsec._tcp.example.com. 43200
IN
IN
00 10 "s" "x-eduroam:radius.tls"
SRV
SRV
10 0 2083 radius.example.com.
5 0 2083 radius.example.com.
Additionally, a PKI layer will verify the realm/domain is owned by a
research/education institution.
Currently in pilot state in 10 NRENs
Connect | Communicate | Collaborate
16
Setting up a SP
Wireless equipment choice and setup
Controller-based or standalone APs
Controller-based solutions provide centralized management and
other benefits such as better roaming experience
Standalone APs require smaller initial investment
Client isolation
General wireless networking best practices (coverage, channel
selection, etc.)
Extra SSID for initial setup (eduroam-help)
Connect | Communicate | Collaborate
17
Setting up a SP
Dynamic VLAN assignment
# VLAN for staff
if ( Realm == "uni-ruse.bg" ) {
update reply {
Tunnel-type := VLAN
Tunnel-Medium-Type := 802
Tunnel-Private-Group-ID := 29
}
}
# VLAN for students
if ( Realm == "stud.uni-ruse.bg" ) {
update reply {
Tunnel-type := VLAN
Tunnel-Medium-Type := 802
Tunnel-Private-Group-ID := 31
}
}
Connect | Communicate | Collaborate
18
Setting up a SP
Establish and publish policy
Keep authentication logs for at least 6 months
Set the Operator-Name attribute
authorize {
update request {
Operator-Name := "1yourdomain.tld"
}
What NOT to do:
don’t use web logins
not recommended to do port restrictions
– port 25 can still be blocked (465 and 587 are on the minimum
list)
not recommended to use transparent proxies or force users to
configure their systems to use a proxy
not recommended to use NAT
Connect | Communicate | Collaborate
19
Further references
http://www.eduroam.org/
http://monitor.eduroam.org/
https://wiki.terena.org/display/H2eduroam
https://tools.ietf.org/html/draft-wierenga-ietf-eduroam-04
Connect | Communicate | Collaborate
20
Question time
Questions?
Connect | Communicate | Collaborate
21
Thank you!
Connect | Communicate | Collaborate
www.geant.net
www.twitter.com/GEANTnews | www.facebook.com/GEANTnetwork | www.youtube.com/GEANTtv
Connect | Communicate | Collaborate
22
Related documents
GN3 Mobile Feasibility Study
GN3 Mobile Feasibility Study
Eduroam debugging - UNINETT Openwiki
Eduroam debugging - UNINETT Openwiki
Slide 0 - Terena
Slide 0 - Terena
90-eduroam-and-Atlas
90-eduroam-and-Atlas
Joining eduroam
Joining eduroam
eduroam Forum NWS41 - NAPTR - Log in to request membership
eduroam Forum NWS41 - NAPTR - Log in to request membership
Proposal for eduroam enabling Grid community
Proposal for eduroam enabling Grid community
EduRoam federation policy
EduRoam federation policy
3-uncompahgre-com-ron-bell
3-uncompahgre-com-ron-bell
on campus students - University of Leicester
on campus students - University of Leicester
yolanda_rugg - Hertfordshire Grid for Learning
yolanda_rugg - Hertfordshire Grid for Learning
Norwegian eduroam policy
Norwegian eduroam policy
Géant-TrustBroker
Géant-TrustBroker
2.6 Related Rates notes
2.6 Related Rates notes
Download
advertisement