eduroam(radius based Federation)

Similar documents
Standardisation of eduroam Testing, Monitoring, Metrics and Support Tools

eduroam in Asian countries - - benefits, and 4ps for opera4on - -

Belnet Networking Conference 2013

IdentiFi and Eduroam Roaming Wireless Service Integration CONFIGURATION GUIDE

2.1.1 This policy and any future changes requires ratification by CAUDIT.

Secure WiFi Access in Schools and Educational Institutions. WPA2 / 802.1X and Captive Portal based Access Security

Using Windows NPS as RADIUS in eduroam

Licia Florio Project Development Officer Identity Federations in Europe

A Federated Authorization and Authentication Infrastructure for Unified Single Sign On

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches

Developing Network Security Strategies

EAP-SIM Authentication using Interlink Networks RAD-Series RADIUS Server

Eduroam wireless network - Windows 7

Joint Research Activity 5 Task Force Mobility

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks.

OpenFlow-based authorization mechanism for Wi-Fi roaming systems

How To Set Up An Ipa 1X For Aaa On A Ipa 2.1X On A Network With Aaa (Ipa) On A Computer Or Ipa (Ipo) On An Ipo 2.0.1

Network Access Security It's Broke, Now What? June 15, 2010

ADDENDUM 12 TO APPENDIX 8 TO SCHEDULE 3.3

Eduroam wireless network Windows Vista

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

IDENTITY MANAGEMENT OF USERS IN eduroam

The Ultimate WLAN Management and Security Solution for Large and Distributed Deployments

An Infocard-based proposal for unified SSO to eduroam

A practical guide to Eduroam

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

Eduroam wireless network Apple Mac OSX 10.5

RadSec RADIUS improved. Stig Venaas

Mobility, Network Access Control and Convergence for Voice, Video and Data Applications on Corporate Wireless & Wired Networks. UCOPIA White Paper

MSC-131. Design and Deploy AirDefense Solutions Exam.

WLAN Information Security Best Practice Document

UNIVERZITA KOMENSKÉHO V BRATISLAVE FAKULTA MATEMATIKY, FYZIKY A INFORMATIKY PRÍPRAVA ŠTÚDIA MATEMATIKY A INFORMATIKY NA FMFI UK V ANGLICKOM JAZYKU

Penn State Wireless 2.0 and Related Services for Network Administrators

Cisco IT Validates Rigorous Identity and Policy Enforcement in Its Own Wired and Wireless Networks

Particularities of security design for wireless networks in small and medium business (SMB)

Application Note Secure Enterprise Guest Access August 2004

The All-in-One, Intelligent WLAN Controller

Eduroam wireless network Apple Mac OSX 10.4

Canterbury College Eduroam Wi-Fi Guide

A Dynamic Extensible Authentication Protocol for Device Authentication in Transport Layer Raghavendra.K 1, G. Raghu 2, Sumith N 2

Aerohive Private PSK. solution brief

vwlan External RADIUS 802.1x Authentication

The All-in-One, Intelligent WLAN Controller

Network Access Control ProCurve and Microsoft NAP Integration

Cisco WAP321 Wireless-N Selectable-Band Access Point with Single Point Setup

Design and Implementation Guide. Apple iphone Compatibility

Cisco WAP4410N Wireless-N Access Point: PoE/Advanced Security. Cisco Small Business Access Points

NXC5200/ NWA5000-N Series Wireless LAN Controller/ a/b/g/n Managed Access Point

Wireless Robust Security Networks: Keeping the Bad Guys Out with i (WPA2)

Edith Cowan University Information Technology Services Centre

WIRELESS SECURITY IN (WI-FI ) NETWORKS

Palo Alto Networks User-ID Services. Unified Visitor Management

VLANs. Application Note

Solving the Sticky Client Problem in Wireless LANs SOLVING THE STICKY CLIENT PROBLEM IN WIRELESS LANS. Aruba Networks AP-135 and Cisco AP3602i

Ruckus-Bradford Interop Setup

Wi-Fi Security. More Control, Less Complexity. Private Pre-Shared Key

Deploy WiFi Quickly and Easily

CISCO WIRELESS SECURITY SUITE

Wireless Network Configuration Guide

APPENDIX 3 LOT 3: WIRELESS NETWORK

Authentication Integration

ClickShare Network Integration

The All-in-One, Intelligent NXC Controller

Cisco WAP4410N Wireless-N Access Point: PoE/Advanced Security Cisco Small Business Access Points

ARCHITECT S GUIDE: Mobile Security Using TNC Technology

NXC5500/2500. Application Note. Captive Portal with QR Code. Version 4.20 Edition 2, 02/2015. Copyright 2015 ZyXEL Communications Corporation

Разработка программного обеспечения промежуточного слоя. TERENA BASNET Workshop, November 2009 Joost van Dijk - SURFnet

Network Services One Washington Square, San Jose, CA

Server Certificate Practices in eduroam

WatchGuard SSL 2.0 New Features

Deploy and Manage a Highly Scalable, Worry-Free WLAN

Cellular Data Offload. And Extending Wi-Fi Coverage. With Devicescape Easy WiFi

Intelligent WLAN Controller with Advanced Functions

Wireless Security. New Standards for Encryption and Authentication. Ann Geyer

Single Sign On. SSO & ID Management for Web and Mobile Applications

A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model

WIRELESS SETUP FOR WINDOWS 7

Cisco 526 Wireless Express Mobility Controller

Mobility Task Force. Deliverable D. Inventory of 802.1X-based solutions for inter-nrens roaming

Wireless Technology Seminar

Aruba-Certified Design Expert (ACDX) Study Guide

Software-Defined Networking for Wi-Fi White Paper

Ebonyi State University Abakaliki 2 Department of Computer Science. Our Saviour Institute of Science and Technology 3 Department of Computer Science

Authentication and Security in IP based Multi Hop Networks

How To Unify Your Wireless Architecture Without Limiting Performance or Flexibility

Best Practices for Outdoor Wireless Security

EC-Council Network Security Administrator (ENSA) Duration: 5 Days Method: Instructor-Led

Virtuelle WLAN Controller Alcatel Lucent Wireless LAN Instant AP

Transcription:

eduroam(radius based Federation) Deokjai Choi (Chonnam National University, Korea) 2015. 8. 18

WHAT IS eduroam? eduroam: EDUcation ROAMing Provides secure internet access for academic roamers. User experience - Open your laptop and be online.

WHY eduroam? Researchers: Travel with WLAN-enabled notebooks. Want transparent, secure network access. Want similar experience at visited institution as home. Experience facilitated by seamless sharing of network resources. Better for roamers, easier for administrators.

History of eduroam Europe - 2003: Started as pilot under TERENA TF-Mobility - Since Sept 2004: ops&dev of European eduroam funded by GEANT. - 2007: European eduroam confederation policy agreed, & Operation Team (OT) formed OT deployed eduroam global database, support services - 2008: Production service commenced 17th September AARNet eduroam 4 of 10

History of eduroam APAN 2006: eduroam Project Group commenced 2008: eduroam AU (incl. NZ) Pilot Service commenced eduroam NROs in Hong Kong, Japan, Macao, Taiwan 2011: eduroam production service commenced 2014: REANNZ became eduroam NZ NRO 17th September AARNet eduroam 5 of 10

History of eduroam Canada US - 2010 (BCNet), transferred responsibility to CANARIE 2011-2012 Internet2 announced offering eduroam service to US institutions > 2012: Africa, South America 17th September AARNet eduroam 6 of 10

Global eduroam 현황 Number of independent sovereign states in the world 195 Number of countries listed by GeGC * GeGC : Global eduroam Governance Committee 85 Number of signatory NROs Globally 67 -> 69 Number of NROs in global database Number of service locations registered in eduroam db Number of NROs being monitored by monitor.eduroam.org Number of Institutions using F-Ticks 66 11492 46 (all under EU TLRS except CA) 36 (all under EU TLRS except CA) Number of Institutions using CAT 587 - From NWitheridge s presentation at TNC 2014 -

Asia-Pacific eduroam 현황 NRS KOREA KISTI Asia-Pacific Confederation is being prepared.

AUTHENTICATION AND 802.1x User EAPOL EAP over RADIUS f.i. LDAP Authenticator (AP or switch) RADIUS server Institution A User DB jan@hangook.ac.kr Internet 교직원 VLAN 학생 VLAN Guest VLAN signalling data

HOW DO THE PIECES FIT TOGETHER? AN EXAMPLE User Authenticator (AP or switch) RADIUS server University A User DB RADIUS server University B User DB user joe@hangook.ac.kr XYZnet 교직원 VLAN 학생 VLAN Guest VLAN Central RADIUS Proxy server Trust: RADIUS & policy documents signalling data 802.1X + EAP (VLAN assignment)

802.1x Authentication(EAP-PEAP/EAP-TTLS)

MAIN COMPONENTS OF eduroam Network Access Server (NAS): Wireless Access Point or 802.1x compatible wired switch. Client with configured supplicant. Hierarchy of RADIUS Authentication Servers (AS). IEEE 802.1x. IEEE 802.1q. Standard for VLAN assignment.

eduroam service KEY Points Eduroam value proposition realized - becoming increasingly global Global expansion brings challenges - Trust (importance of Policy & Proof of Compliance) - Scalability of infrastructure Resourcing - Shoe-string budgets Ease of deployment & participation Global collaboration - Shared effort in development of ancillary services

Understanding Roles 1. NRO(National Roaming Operator) KISTI = Korea NRO 2. RO(Roaming Operator) For colleges and universities in Korea Chonnam National University 3. IdP(Identity Provider) Each university will provide Idp service for its users. Normally, each university will play roles of Idp and SP. 4. SP(Service Provider) Visiting university will play a role of SP for the visitor. * Telecommunication provider which provides Aps for the campus will play a role of SP only.

NRO : Things to do Entity which is approved by RC(Roaming Confederation). If there is no RC, it should be approved by GeGC. NRO has a responsibility to take care of eduroam service for the country. RC(Roaming Confederation) : a set of NROs which locate nearby, and approved by GeGC such as Europe RC. GeGC(Global eduroam Governance Committee) : consists of NROs and RCs, and operated by TERENA - Responsibility for eduroam service for the country. - Determines each IDP is legally registered education/research organization for the country. - Determines each SP is adequate or not. - Should have communication channel with other NRO - Should publicize the available SP accoridng to the GeGc guideline. - Should have communication channel with all SPs to solve the problems or needs. - Should put technical people, available eduroam sites, Idp lists, RC policy etc through web - Should maintain enough log information to track users. - Should register eduroam name and logo to its own country.

RO 역할(eduroam 서비스 구성도) *.kr에 대해 KISTI로 전달 eduroam Korea RO KISTI 기 연동된 KAIST, GIST 등 을 제외한 *.ac.kr에 대해 교육기관RO로 전달 Federation level 교육기관 RO에 속하지 않은 요청에 대해 KISTI로 전달 통신사 USIM 정보를 이용한 접속 필터링.com / co,kr 등 렐름 필터링 루핑 방지를 위한 룰 설정 전국대학 RO 전남대 1 2 Institutional level 전남대 Keduroam으로 서비스 중인 35개 대학 eduroam 으로 SSID 변경 KAIST GIST

IdP Roles Entity which manages user ID and provides authentication for its users. Idp should be also SP, and it is called home organization. - Should agree to global policy as well as domestic policy - Should understand its own authentication servers (product name, version, functions) - Should open firewall to other RO s authentication server - Should set aside staffs for eduroam, helpdesk, security - Should configure or modify radius server according to the RO s guide. - Should prepare test account for automatic monitoring by RO. - Should guide how to use to its own member, and provide web link to NRO. - Should notify the logging items and usage of those loging information

SP Roles Entity which provides WLAN service to the valid user, and called visiting organization. Normally, each member university will be a SP as well as Idp. Sometimes, telecommunication provider can play a role of SP only. - Should agree to global as well as domestic policy. - It is recommended to use VLAN to separate visitors traffic (very important) - Should broadcast eduroam SSID - Should keep the log file to defend itself from security issues. - Should notify the logging information and the reason of the logging

Trends Next generation roaming service - Next generation i.e RADIUS over TCP using TLS - Dynamic Discovery - Seek advice from GeGC Moonshot : ID Federation based on Radius - authentication : Radius / for rich authorisation semantics - From only wi-fi to various services

Moonshot technologies Moonshot builds on the eduroam technologies EAP (RFC 3748): strong mutual authentication RADIUS (RFC 2865): federation between domains To this, Moonshot adds SAML, for rich authorisation semantics Integration using operating system security APIs SSPI: Windows GSS-API (RFC 2078): Other operating systems SASL (RFC 4422): Windows and other operating systems 20

Deployment requirements Most Higher Education organisations are nearly Moonshot-ready today A connection to eduroam A RADIUS server (any modern RADIUS product should support pre-production testing today). There is also an experimental capability to integrate FreeRADIUS with the Shibboleth IdP Moonshot client and server plug-in Linux: packaging available for Debian & RHEL; Scientific Linux soon Windows: native support using prototype plugin Mac: Packaging almost complete for Snow Leopard and Lion Moonshot Identity Selector to facilitate the selection of an identity to use, for GUI environments (Windows, Mac & Linux)

Architecture (1) Credentialing (6) SSH session (5) Attributes (3) Authentication (2) SSH negotiation (4) RADIUS SSH client SSH server RADIUS server OpenSSH used as example of application; many others also apply 22

Application support Most modern applications use at least one of the security APIs supported by Moonshot Correctly written applications will just work without modification or recompilation Less correctly written applications may require minor modifications Project Moonshot is testing applications and sending patches upstream 23

24 PuTTY OpenSSH

25 IE Apache

26 Outlook 2010 Exchange 2010

Q & A Ερωτήσεις και απαντήσεις 質 問 と 回 答 Fragen und Antworten 질문과 답변 問 題 與 解 答 Questions et réponses Questions and Answers Domande e risposte أسئلة وأجوبة Quaestiones et Answers Frågor och svar Вопросы и ответы 감사합니다!

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information