36th APAN Meeting, Aug. 22, 2013, Daejeon, Korea

eduroam in Asian countries -- benefits, and tips for operation --

Hideaki Goto, Tohoku University, Japan
Motonori Nakamura, NII, Japan
Hideaki Sone, Tohoku University, Japan
Welcome to eduroam!

New members in Asia-Pacific: Korea, Singapore, India
Campus wireless network (WLAN)

What do we need from the universities' point of view?
- Secure and easy-to-use Wi-Fi
  - Secure data encryption -- Web-auth is terrible!
  - User authentication -- Shared-key is insecure!
- Collaboration with the university's ID management system
- Easy-to-deploy/operate system
  - Standard and popular system
  - Out-sourcing of operation (optional)
- International roaming
Campus wireless network (WLAN) (contd.)

- Free campus WLAN at conference sites, cafes, etc.
  - Collaboration with ISPs
  - Virtual campus expansion
- Large capacity
  - Fast and high-capacity access points
  - Support for lectures, trainings, conferences, etc.
- Sophisticated access controls
  - Separation of home/guest user networks
  - Easy and efficient access to services at home
- Wi-Fi service for citizens (optional)
  - Public Wi-Fi service by an ISP on campus
What is eduroam?

eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community. eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.
http://www.eduroam.org/

[Figure: students/staff of Inst. A connect at Inst. B; the authentication is relayed over the Internet to their home institution.]

eduroam promotion video by AARNet
eduroam global operation

- The eduroam service started as a pilot under the auspices of TERENA.
- About 60 countries worldwide; 11 members in Asia-Pacific
- GeGC (Global eduroam Governance Committee) since 2010. 11 members: EU (4), US, CA, AP (2), Latin America (2), Africa
- Compliance Statement compiled and made available in 2011: service definitions, technical standards
Benefits of eduroam

- One account (issued at the home institution), free Wi-Fi at member institutions worldwide
- De-facto standard of campus Wi-Fi
  - Plenty of information on the Net
  - Easy to use, and also easy to ask people for help
- Secure authentication, secure data encryption
  - Based on the IEEE 802.1X standard
- Low operational cost
  - Much less work for issuing guest accounts (as many people already have their own accounts)
eduroam deployments in Asia-Pacific

country (territory) | joined inst. | #total univ.+col. | deployment rate | note
Australia           | 39+10        | 39+61?            | 100%            | AP regional server 1
Hong Kong           | 9            | 9                 | 100%            | AP regional server 2
China               | ?            | 1,700+?           |                 |
Taiwan              | 217          | 170+?             |                 |
Japan               | 51           | 1,200+            | 4.3%            |
New Zealand         | 7+2          | 8                 | 87.5%           | hosted by AARNet
PNG                 | 1            | 6?                |                 | hosted by AARNet
Macau               | 1?           |                   |                 |
India               | 2?           |                   |                 |
Korea               | 2?           |                   |                 |
Singapore           | 3            | 8                 | 37.5%           |

Some others (incl. Thailand) are coming soon??

Hosting by a nearby country works well as an incubator. Hosting is quite beneficial for countries having a small number of institutions.
The world becomes a virtual campus!

- 130+ eduroam hotspots at rental meeting rooms, cafes, etc. in the central area of Tokyo
- eduroam at airports, train stations, etc. in Sweden
- eduroam on HotCity (municipal Wi-Fi) in Luxembourg
- eduroam at 19 airports in Norway (pilot project)
- and more?
Roaming mechanism in eduroam

[Figure: user@institution-d.jp associates with a WLAN access point at visited institution A (AU). The RADIUS Access-Request goes from A's institutional RADIUS server to the AU national RADIUS proxy, up to the top-level RADIUS proxy (Europe, Asia-Pacific), down to the JP national RADIUS proxy and to the institutional RADIUS server of home institution D. The RADIUS Access-Accept returns along the same path.]
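The forwarding decision behind that figure, as an added example that is not from the slides and not code from any eduroam RADIUS implementation: every proxy forwards an Access-Request by the realm after the "@" in the user name, a national proxy holds one route per member institution, and the top-level proxy holds one route per country. The host names (radius.institution-a.au, nro.au, top-level.ap, nro.jp, radius.institution-d.jp) and the routing tables are constructed for the illustration.

```python
"""Realm-based forwarding in an eduroam RADIUS proxy hierarchy.

Added example, not code from the slides or from any eduroam software.  The hop
names and routing tables below are constructed to mirror the figure: visited
institution A (AU) -> AU national proxy -> top-level proxy -> JP national
proxy -> home institution D."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

TOP_LEVEL = "top-level.ap"  # constructed name for the Asia-Pacific top-level proxy


@dataclass(frozen=True)
class Proxy:
    name: str
    serves: FrozenSet[str]       # realms this server authenticates itself (the IdP)
    routes: Dict[str, str]       # realm suffix -> next hop towards that realm
    upstream: Optional[str]      # default route for unknown realms; None at the top


# Constructed hierarchy.  Realms match by longest suffix, so a national proxy
# needs one entry per institution and the top level one entry per country.
PROXIES = {
    "radius.institution-a.au": Proxy("radius.institution-a.au",
                                     frozenset({"institution-a.au"}), {}, "nro.au"),
    "nro.au": Proxy("nro.au", frozenset(),
                    {"institution-a.au": "radius.institution-a.au"}, TOP_LEVEL),
    TOP_LEVEL: Proxy(TOP_LEVEL, frozenset(), {"au": "nro.au", "jp": "nro.jp"}, None),
    "nro.jp": Proxy("nro.jp", frozenset(),
                    {"institution-d.jp": "radius.institution-d.jp"}, TOP_LEVEL),
    "radius.institution-d.jp": Proxy("radius.institution-d.jp",
                                     frozenset({"institution-d.jp"}), {}, "nro.jp"),
}


def realm_of(user_name: str) -> Optional[str]:
    """Return the realm (text after the last '@'), lower-cased, or None if absent."""
    if "@" not in user_name:
        return None
    realm = user_name.rsplit("@", 1)[1].strip().lower()
    return realm or None


def next_hop(proxy: Proxy, realm: str) -> Optional[str]:
    """Longest-suffix match over the proxy's routes, else its default upstream."""
    best = None
    for suffix, hop in proxy.routes.items():
        if realm == suffix or realm.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, hop)
    return best[1] if best else proxy.upstream


def route(user_name: str, first_hop: str) -> Tuple[str, List[str]]:
    """Walk the Access-Request from the visited institution's RADIUS server.

    Returns (outcome, path): 'answer' when a server that serves the realm is
    reached, 'reject' when the request cannot be forwarded any further, and
    'loop' when a proxy is visited twice (the check a real proxy performs with
    hop limits or Proxy-State for a bogus realm such as plain 'au')."""
    realm = realm_of(user_name)
    path = [first_hop]
    if realm is None:
        return "reject", path          # no realm: nowhere to forward, reject locally
    seen = set()
    current = first_hop
    while True:
        proxy = PROXIES[current]
        if realm in proxy.serves:
            return "answer", path      # home IdP reached; it issues Accept/Reject
        if current in seen:
            return "loop", path
        seen.add(current)
        hop = next_hop(proxy, realm)
        if hop is None:
            return "reject", path      # realm unknown even at the top level
        path.append(hop)
        current = hop


if __name__ == "__main__":
    for name in ("user@institution-d.jp", "user", "user@unknown.example", "user@au"):
        print(name, route(name, "radius.institution-a.au"))
```

The two rejection cases matter operationally: a user name without a realm must be rejected at the visited site rather than forwarded, and a realm that matches a country route but no institution (the "user@au" case) would bounce between the national and top-level proxies forever without loop detection.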
How to join eduroam?

Countries / territories:
- Consult TERENA (or us).
- Organize an NRO (National Roaming Operator) in charge of the eduroam operation in the territory. (Typically the NREN operator acts as the NRO.)
- Sign the Compliance Statement.
- Set up national RADIUS proxy server(s).

Institutions / ISPs:
- Consult the local NRO.
- Organize an RO (Roaming Operator) body in charge of eduroam operation.
- Set up a RADIUS IdP/proxy and connect it to the national proxy.
- Build the WLAN system.
TIPS in eduroam operation

- Home / guest user network separation (recommended)
- Conventional architecture (IdP at every inst.) or centralized/cloud eduroam IdP (optional)?
  - Reduces the deployment and operational burdens at both NRO and RO.
  - e.g. Delegate Authentication System (DEAS)
  - e.g. Shibboleth-based eduroam account issuer
  - Quite useful for countries having a large number of institutions
- World eduroam access point map (optional)
Network design

Without guest network separation?
- Visitors could gain access to local servers (security threat)
- Visitors could use external services such as Electronic Journals (EJs)

[Figure: a visitor from Inst. B on Inst. A's campus LAN reaches Inst. A's local servers and, through the gateway registered for external services, the publishers on the Internet.]
Network design (contd.)

Guest network only
- Visitors cannot gain access to local servers or EJs
- Home users cannot gain access to local servers or EJs either (low usability)

[Figure: Inst. A home users and Inst. B visitors are both placed on the guest network, separated from the campus LAN, the local servers and the gateway registered for external services.]
Network design (contd.)

Network separation by Dynamic VLAN (switch by realm)
- Visitors cannot gain access to local servers or EJs
- High usability for home users
- In Japan, SINET provides a small /30 guest network for each institution. (NAPT is required)

[Figure: the access point assigns a VLAN by realm. Inst. A home users land on the campus LAN with access to the local servers and to the gateway registered for external services (publishers); Inst. B visitors land on the guest VLAN.]
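How a visited institution's RADIUS server can make the "switch by realm" decision above, as an added example that is neither the slides' code nor tied to a particular RADIUS product. It assumes the VLAN is pushed to the access point in the Access-Accept with the RFC 3580 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes; the home realm institution-a.example, the VLAN ids 100 and 200, and the sample upstream replies are constructed.

```python
"""Dynamic VLAN by realm at a visited institution's RADIUS server.

Added example; not the slides' code and not tied to a particular RADIUS product.
The home realm, the VLAN ids and the sample upstream replies are constructed."""
from typing import Dict, Optional

HOME_REALMS = {"institution-a.example"}  # constructed: this campus's own realm(s)
HOME_VLAN = "100"    # constructed: campus LAN (local servers, gateway for external services)
GUEST_VLAN = "200"   # constructed: guest network, e.g. the /30 behind NAPT

# RFC 2868 / RFC 3580 attribute numbers and values used for 802.1X VLAN assignment.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
SESSION_TIMEOUT = 27  # RFC 2865, only used in the constructed sample replies


def realm_of(user_name: str) -> Optional[str]:
    """Realm after the last '@', lower-cased; None when there is no realm."""
    if "@" not in user_name:
        return None
    realm = user_name.rsplit("@", 1)[1].strip().lower()
    return realm or None


def is_home_user(user_name: str) -> bool:
    """True when the (outer) realm is this campus's realm or a sub-realm of it."""
    realm = realm_of(user_name)
    if realm is None:
        return False
    return any(realm == r or realm.endswith("." + r) for r in HOME_REALMS)


def vlan_for(user_name: str) -> str:
    """Home realm -> campus LAN VLAN; any other realm (or none) -> guest VLAN."""
    return HOME_VLAN if is_home_user(user_name) else GUEST_VLAN


def finalize_reply(user_name: str, upstream_attrs: Dict[int, object]) -> Dict[int, object]:
    """Build the Access-Accept the access point will see.

    The VLAN is decided locally from the realm that routed the request, never
    taken from the home institution's reply: any Tunnel-* attributes a remote
    IdP sent are dropped first, otherwise a visitor's home server could place
    its users on this campus's LAN."""
    reply = {k: v for k, v in upstream_attrs.items()
             if k not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)}
    reply[TUNNEL_TYPE] = TUNNEL_TYPE_VLAN
    reply[TUNNEL_MEDIUM_TYPE] = TUNNEL_MEDIUM_IEEE_802
    reply[TUNNEL_PRIVATE_GROUP_ID] = vlan_for(user_name)
    return reply


if __name__ == "__main__":
    # Constructed upstream replies as they might arrive from the proxy tree.
    print(finalize_reply("alice@institution-a.example", {SESSION_TIMEOUT: 3600}))
    print(finalize_reply("bob@institution-d.jp",
                         {SESSION_TIMEOUT: 3600, TUNNEL_PRIVATE_GROUP_ID: "100"}))
```

Stripping the incoming Tunnel-* attributes is the part worth checking in a real deployment: the decision should depend only on the realm that the local server itself routed, and the VLAN numbers in the reply should always be ones the visited site chose.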
Easy-to-join eduroam system

[Figure: a Delegate Authentication System (DEAS) or Shibboleth-based eduroam account issuer acts as the RADIUS IdP next to the national RADIUS proxy and the national IdP service. Auth requests reach the national RADIUS either from an institution's RADIUS server or from an AP system operated by an ISP/carrier via a RADIUS proxy; each link to the national RADIUS is protected by its own shared secret (secret key 1, secret key 2).]
Benefits of DEAS / eduroam-Shib

- A large RADIUS network can be replaced with a single RADIUS server which works as an SP for member institutions
- Higher stability and reliability
- Low deployment and operational costs

[Figure: left, the eduroam RADIUS tree: AP at A -> national proxy au -> top level -> national proxy jp -> IdP at D for User@D.jp. Right, centralized RADIUS: AP at A -> DEAS acting as SP, which authenticates the user against D's IdP, or on its own for institutions with no federation or Shibboleth IdP.]
Cloud-based, disaster-tolerant DEAS
http://eduroam.jp/

[Figure: national DEAS (master) with National RADIUS 1 and national DEAS (replica) with National RADIUS 2 run at two sites (Sendai city and Tokyo); both national RADIUS servers connect to the eduroam top-level servers (Asia-Pacific) and eduroam Global.]

Data replication for higher availability.
eduroam access point map

- Helps people find nearby eduroam sites
- Every NRO is recommended to provide map data in XML.
  - National realm information (realm.xml)
  - Institutions information including AP locations (institution.xml)
- https://www.eduroam.org/index.php?p=where
  - Map on the website
- eduroam Companion by Janet, UK (Android and iOS)
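A small "find the nearest eduroam site" lookup over an institution.xml-style file, as an added example that is not from the slides and not a reader for the published eduroam database schema: the element names it expects (institutions, institution, inst_realm, org_name, location, loc_name, latitude, longitude) are assumed for the illustration, and the sample file is constructed. Entries with missing or invalid coordinates are skipped rather than mapped.

```python
"""Nearest eduroam sites from an institution.xml-style map file.

Added example; not the slides' code and not a reader for the published eduroam
database schema.  The element names below are assumed for the illustration and
the sample file is constructed."""
import math
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

SAMPLE_INSTITUTION_XML = """
<institutions>
  <institution>
    <inst_realm>institution-a.example</inst_realm>
    <org_name>Institution A</org_name>
    <location>
      <loc_name>Main Library</loc_name>
      <latitude>38.2600</latitude>
      <longitude>140.8400</longitude>
    </location>
    <location>
      <loc_name>Engineering Building</loc_name>
      <latitude>38.2700</latitude>
      <longitude>140.8400</longitude>
    </location>
    <location>
      <loc_name>Broken entry</loc_name>
      <latitude>not-a-number</latitude>
      <longitude>140.8400</longitude>
    </location>
  </institution>
  <institution>
    <inst_realm>institution-b.example</inst_realm>
    <org_name>Institution B</org_name>
    <location>
      <loc_name>Downtown Cafe</loc_name>
      <latitude>35.6800</latitude>
      <longitude>139.7600</longitude>
    </location>
  </institution>
</institutions>
"""

EARTH_RADIUS_KM = 6371.0

Site = Tuple[str, str, str, float, float]  # org_name, realm, loc_name, lat, lon


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_sites(xml_text: str) -> List[Site]:
    """Collect every location with valid coordinates; skip malformed entries."""
    root = ET.fromstring(xml_text)
    sites: List[Site] = []
    for inst in root.iter("institution"):
        org = (inst.findtext("org_name") or "").strip()
        realm = (inst.findtext("inst_realm") or "").strip()
        for loc in inst.iter("location"):
            try:
                lat = float(loc.findtext("latitude", ""))
                lon = float(loc.findtext("longitude", ""))
            except ValueError:
                continue                      # missing or non-numeric coordinate
            if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
                continue                      # out-of-range coordinate
            sites.append((org, realm, (loc.findtext("loc_name") or "").strip(), lat, lon))
    return sites


def nearest_sites(xml_text: str, lat: float, lon: float, limit: int = 3,
                  max_km: Optional[float] = None) -> List[Tuple[float, str, str, str]]:
    """Up to `limit` sites within `max_km` (if given), nearest first:
    (distance_km, org_name, loc_name, realm)."""
    ranked = []
    for org, realm, name, slat, slon in parse_sites(xml_text):
        d = haversine_km(lat, lon, slat, slon)
        if max_km is None or d <= max_km:
            ranked.append((round(d, 3), org, name, realm))
    ranked.sort()
    return ranked[:limit]


if __name__ == "__main__":
    for hit in nearest_sites(SAMPLE_INSTITUTION_XML, 38.26, 140.84):
        print(hit)
```

Map files published by other NROs are untrusted input; when a consumer fetches them over the network, parsing with defusedxml instead of the plain ElementTree parser avoids entity-expansion problems in the XML.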
End of presentation
Supplementary slides
eduroam JP

- National eduroam operation and promotion
  - 51 institutions (4.3% of 1,200) joined (Aug. 2013); 38 (2012), 27 (2011), 17 (2010), 9 (2009)
  - Tutorial & technical documents
- R&D
  - Easy deployment and operation
  - Location privacy, etc.
- Collaboration with commercial W-ISPs
  - eduroam on commercial hotspots
  - Shared hotspots on campus
  - New architecture and business models for next-generation commercial / academic WLAN services
Federated Delegate Authentication System

- Account Issuer as a Shibboleth SP of Japan's GakuNin federation (f.k.a. UPKI federation)
- Centralized / clustered eduroam IdP to simplify the RADIUS proxy tree
- 3 types depending on the needs and federation level
- Authenticated access with pseudo-anonymized, fixed-term, and traceable roaming IDs
eduroam in disaster-affected campuses

- Borderless eduroam helped suffering staff
- Nomadic network in a temporary evacuation campus
  - Tohoku University faced the big earthquake in March. Many buildings were severely damaged.
  - Staff moved to other buildings where networks are operated by different departments.
  - eduroam is an effective rescue for them to use the network -- inter-department roaming network

[Figure: eduroam APs and additional APs in the damaged departments; staff roam between them with their Center Network ID.]