Presentation: eduroam – Roam In a Day (Louis Twomey)

  • Number of slides: 15

eduroam – Roam In a Day. Louis Twomey, HEAnet Limited. HEAnet Conference 2006, 9th November 2006.

The issue: Roaming users need Internet access
• Grief for roaming users:
  – Need to arrange/agree network access in advance.
  – Need to remember temporary account details.
• Grief for visited sites:
  – Create temporary/guest accounts (management overhead, security concerns, etc.).
  – Users accessing resources may be effectively anonymous.

A solution: eduroam
• Formalised approach to educational roaming.
• Uses existing user accounts and authentication mechanisms:
  – Users don't have to remember details of another account.
  – No need for temporary/guest accounts at visited sites.
  – Users not anonymous (= more accountable).
• The eduroam infrastructure is based on mutual trust between sites.
• eduroam is a GN2 (Joint Research Activity 5) project.

eduroam maps

The national eduroam gateway
• Dell 2850 server with gigabit network interface, located on the network backbone (hosting facility at Servecentric).
• FreeRADIUS running on Debian Linux.
• Configured to communicate with the European gateways (operated by SURFnet).
• Configured to communicate with each Irish eduroam member institution.
• Installed and maintained by HEAnet.

Authentication elements
• 802.1X elements:
  – Supplicant: software on the client device.
  – Authenticator: the wireless AP.
  – Authentication Server: the home RADIUS server.
• Realm: the domain portion of the username (the part after the "@"); it is what every proxy on the path routes on.
• Resource Provider: the visited site.
• Identity Provider: the home institution.

Authentication architecture

How do I join?
• Integrate your local authentication server into the Irish eduroam infrastructure
  – Facilitates your roaming users at other eduroam sites.
• Implement wireless LAN access at your site for roaming users
  – Facilitates visiting eduroam users at your site.

Integrate authentication server into eduroam
• Register your RADIUS server with the national gateway.
• The RADIUS server may be an existing authentication server or a new server which proxies to it.
• Consider where the server sits within the local network topology.
• Should install a public SSL certificate on the RADIUS server.
• Maintain accounting logs of your own users' sessions.
• RADIUS server options: FreeRADIUS, Radiator, Cisco ACS Server, etc.
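As an added example (not from the slides and not HEAnet's own configuration), the two FreeRADIUS fragments that implement the registration step above for a member site. FreeRADIUS 3 syntax is used rather than the 2006 release; the site realm example.ie, the gateway address 192.0.2.10 and the secret are placeholders. The key points a site engineer gets wrong are shown: the gateway is both a home server (our users' traffic going out) and a client (visitors' traffic coming in), the same shared secret applies to both directions, and nostrip keeps user@realm intact so the home institution sees the full identity.

```conf
# /etc/freeradius/3.0/proxy.conf  (member site; example.ie is an assumed realm)

# The national gateway is a "home server": anything that is not ours goes there.
home_server eduroam_ie_gateway {
    type   = auth
    ipaddr = 192.0.2.10            # placeholder for the HEAnet gateway address
    port   = 1812
    secret = "replace-with-the-secret-agreed-with-HEAnet"
    # Require Message-Authenticator so a forged reply cannot spoof an Access-Accept
    require_message_authenticator = yes
    status_check = status-server
}

home_server_pool eduroam_ie_pool {
    type        = fail-over
    home_server = eduroam_ie_gateway
}

# Our own users: authenticate locally, never proxy.
realm example.ie {
}

# Users with no realm at all cannot be routed anywhere, so they are treated as
# local and the local policy rejects them if they are not known here.
realm NULL {
}

# Everybody else is a visitor: forward to the national gateway, which routes
# by realm to the right Irish IdP or onward to the European gateways.
realm DEFAULT {
    auth_pool = eduroam_ie_pool
    nostrip
}

# /etc/freeradius/3.0/clients.conf
# The same gateway also sends us our own roaming users' requests from other
# sites, so it must be listed as a client as well, with the same secret.
client eduroam_ie_gateway {
    ipaddr   = 192.0.2.10
    secret   = "replace-with-the-secret-agreed-with-HEAnet"
    require_message_authenticator = yes
    nas_type = other
}
```

Restrict the listening ports with a host firewall so that only the gateway and your own APs can reach UDP 1812/1813; with the DEFAULT realm proxying everything unknown, a mistyped realm from one of your own users simply goes to the gateway and is rejected there, which is the intended behaviour.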

Implement wireless LAN
• Wireless APs must support 802.1X.
• Web redirect and VPN access are deprecated.
• SSID should be 'eduroam'.
• Can provide the eduroam service via an existing wireless access network (multiple SSIDs and a VLAN per SSID).
• Define a policy for user access.
• Maintain accounting logs of visiting users' sessions.
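The authenticator side of the list above, as an added example that is not part of the slides: a hostapd configuration for one AP broadcasting the eduroam SSID with 802.1X only (no web redirect), pointing authentication and accounting at the site's local RADIUS server. The RADIUS address 192.0.2.20, the secret and the NAS identifier are assumed values.

```conf
# /etc/hostapd/hostapd.conf  (added example; addresses and secret are placeholders)
interface=wlan0
driver=nl80211
ssid=eduroam                 # the SSID every eduroam site must use
hw_mode=g
channel=6

# 802.1X/EAP only: no PSK, no open network with web redirect
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP

# The AP is only a pass-through; the site's local RADIUS server authenticates
# local users and proxies visitors to the national gateway.
auth_server_addr=192.0.2.20
auth_server_port=1812
auth_server_shared_secret=replace-with-ap-radius-secret

# Accounting to the same server, so visiting users' sessions are logged
acct_server_addr=192.0.2.20
acct_server_port=1813
acct_server_shared_secret=replace-with-ap-radius-secret

# Identifies this AP in RADIUS requests and accounting records
nas_identifier=ap1.example.ie
```

The AP never sees the user's password: with EAP-TTLS or PEAP the credentials travel inside a TLS tunnel that terminates at the home institution's RADIUS server, so compromise of an AP or of the visited site's RADIUS proxy does not expose them.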

Sample site architectures

Security
• RADIUS server
  – Secret key shared with the national gateway.
  – Restrict access to the local RADIUS server (harden OS, ACLs, firewall, monitoring, etc.).
• Wireless LAN
  – 802.1X (restricts layer 2 access to the wireless APs).
  – EAP ("hides" user authentication details from all but the supplicant and the authenticating server; only the outer identity, typically anonymous@realm, is visible to the visited site and the proxies, because that is what they route on).
  – TLS/TTLS (SSL certificate on the server, and potentially on clients too).
  – Authentication can be via password, token, client certificate, etc.
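The EAP/TLS part of the slide above in configuration form, as an added example (not from the slides, not HEAnet's configuration): the FreeRADIUS 3 eap module for a home institution's RADIUS server, offering EAP-TLS for client certificates and EAP-TTLS/PEAP for passwords inside a TLS tunnel. Certificate paths and the server name radius.example.ie are assumptions.

```conf
# /etc/freeradius/3.0/mods-available/eap  (added example, FreeRADIUS 3 syntax)
eap {
    # Offered to a client that does not say which EAP method it wants
    default_eap_type = ttls
    ignore_unknown_eap_types = no

    tls-config tls-common {
        # The public (CA-signed) certificate the slides recommend. The
        # supplicant must validate it and check the server name: that check
        # is what stops a rogue "eduroam" AP harvesting passwords.
        private_key_file = ${certdir}/radius.example.ie.key    # assumed path
        certificate_file = ${certdir}/radius.example.ie.pem    # assumed path
        ca_file          = ${cadir}/public-ca-chain.pem         # assumed path
        tls_min_version  = "1.2"
        cipher_list      = "HIGH:!aNULL:!MD5"
        fragment_size    = 1024
    }

    # EAP-TLS: the client presents a certificate instead of a password
    tls {
        tls = tls-common
    }

    # EAP-TTLS: password or token exchanged inside the TLS tunnel, so only the
    # supplicant and this home server ever see it. The inner identity is
    # authenticated by the inner-tunnel virtual server against the local store.
    ttls {
        tls              = tls-common
        default_eap_type = mschapv2
        virtual_server   = "inner-tunnel"
    }

    # PEAP for clients that only speak PEAP/MSCHAPv2 (Windows XP built-in client)
    peap {
        tls              = tls-common
        default_eap_type = mschapv2
        virtual_server   = "inner-tunnel"
    }
}
```

Supplicants must be configured with the CA and the expected server name; a client that skips certificate validation will hand its credentials to any AP announcing the eduroam SSID, regardless of how well the server is configured.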

Requirements on client device
• Device may be a laptop, mobile phone, PDA, etc.
• Client software must support 802.1X.
• Client software must support the cipher in use at the visited site.
• Examples of clients:
  – Windows XP wireless client
  – Mac OS wireless client
  – wpa_supplicant (Linux, BSD, Windows)
  – SecureW2 (EAP-TTLS client)

Future directions for eduroam
• The current model is inflexible and doesn't scale well.
• Desirable features:
  – Peer discovery (DNS, DNSSEC).
  – Trust establishment (PKI, DNSSEC).
• Various technologies: DIAMETER, RadSec, etc.
• eduroam-NG (eduroam Next Generation).
• Possible integration with eduGAIN (European AAI).

Other resources
• www.eduroam.ie – Info for Irish sites.
• www.eduroam.org – Info on the eduroam project as a whole.
• www.eduroam.edu.au – Info on the Australian implementation, with some useful documentation relevant to any eduroam site.
• heanet-clients-tech@listserv.heanet.ie – Mailing list of HEAnet clients' technical staff.