
Page 1: Eduroam: past, present, and future

Connect. Communicate. Collaborate

TERENA Networking Conference, 7 June 2005

Klaas.Wierenga@surfnet.nl

Page 2: Contents

• What is Eduroam?
• Current status of Eduroam
• Is anything wrong with Eduroam?
• Eduroam-ng and Géant 2
• Conclusion

Page 3: Users are mobile

[Diagram: University A and University B, each with a WLAN, linked via the SURFnet backbone and international connectivity; access providers offering cable, ADSL, WLAN and GPRS/UMTS.]

Eduroam enables them to roam seamlessly.

Page 4: EduRoam architecture

• Security based on 802.1X (or web-based redirect)
– Identity-based networking
– Different authentication mechanisms possible
– Prevents session hijacking
– Mutual authentication possible
– Protection of credentials
– Integration with VLAN assignment
– Provides the basis for the new wireless security standards WPA and 802.11i

• Roaming based on RADIUS proxying
– Remote Authentication Dial In User Service
– Transport protocol for authentication information

• Trust fabric based on:
– Technical: RADIUS hierarchy
– Policy: documents/contracts that define the responsibilities of user, institution, NREN and the EduRoam federation

Page 5: EduRoam

[Diagram: a guest supplicant (piet@university_b.nl) at University A connects to an authenticator (AP or switch); the University A RADIUS server forwards the request via the SURFnet central RADIUS proxy server to the University B RADIUS server, which checks its user DB. University A places the session in a Student, Commercial or Employee VLAN. Data and signaling paths are drawn separately.]

• Trust based on RADIUS plus policy documents
• 802.1X
• (VLAN assignment)

Page 6: Tunneled authentication (PEAP/TTLS)

• Uses a TLS/SSL tunnel to protect data
– The TLS tunnel is set up using the server certificate, thus authenticating the server and preventing man-in-the-middle attacks
– The user sends his credentials through the secure tunnel to the server, thus authenticating the user

• Can use dynamic session keys for ‘in the air’ encryption

[Diagram (© Alfa&Ariss): 802.1X client, EAP, RADIUS server; server authentication sets up the TLS tunnel, and user authentication is protected by the tunnel.]

Page 7: Status of EduRoam

• Over 350 institutions in Europe and Australia
• USA will follow shortly

Page 8: Limitations

• Technology
– Static trust
– Single points of failure
– All authN and authZ traffic flows through the hierarchy

• Policy
– Not suitable for full service yet

• Usability
– Eduroam comes in many flavours
– Where are the access points?

• Management & Monitoring
– Are all servers up and running?
– Who is abusing the service?

• AAI
– How to integrate with the European AAI?

Page 9: Eduroam-ng

Page 10: Technology: bypassing the hierarchy overhead?

[Diagram: European Server at the top, national proxies (.nl, .ac.uk, .pl, …) below it, institutional servers uva.nl and Uni.torun.pl with their access points and user database; a roaming user (address obfuscated in the transcript) authenticating away from home.]

• AA traffic goes through all intermediate entries
• All links are peer-to-peer agreements / static routes / p2p secure
• DIAMETER? DNSsec? (See: Henk Eertink, Future directions in mobility)
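The realm-based RADIUS proxying of slides 4, 5 and 10 can be modelled as a walk up and down the hierarchy. The following Python is an added example, not code from the slides or from any eduroam software; the hierarchy, the server names and the `realm_of`, `home_server` and `route` functions are constructed for illustration, and "eu" stands in for the European top-level server.

```python
# Constructed RADIUS proxy hierarchy (node -> parent): "eu" stands in for the
# European top-level server, national proxies hang off it, institutional home
# servers hang off their national proxy. Names are illustrative only.
PARENT = {
    "eu": None,
    "nl": "eu", "pl": "eu", "ac.uk": "eu", "es": "eu",
    "uva.nl": "nl", "university_b.nl": "nl",
    "uni.torun.pl": "pl", "uclm.es": "es",
}

def realm_of(nai):
    """Realm of a Network Access Identifier (user@realm). A malformed NAI is
    rejected at the visited site rather than forwarded up the hierarchy."""
    if nai.count("@") != 1:
        raise ValueError(f"malformed NAI: {nai!r}")
    user, realm = nai.split("@")
    if not user or not realm:
        raise ValueError(f"malformed NAI: {nai!r}")
    return realm.lower()

def home_server(realm):
    """Institutional server owning a realm (longest matching suffix). Only
    nodes below a national proxy own users; 'nl' or an unknown realm fails."""
    labels = realm.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if PARENT.get(candidate) not in (None, "eu"):
            return candidate
    raise LookupError(f"no home server for realm {realm!r}")

def ancestors(node):
    """Chain from a server up to the European top-level server."""
    chain = []
    while node is not None:
        chain.append(node)
        node = PARENT[node]
    return chain

def route(visited, nai):
    """Servers an Access-Request traverses from the visited institution to the
    user's home server. Each hop is a separate peer-to-peer trust relationship
    (shared secret), which is the overhead the slide questions."""
    up = ancestors(visited)
    down = ancestors(home_server(realm_of(nai)))
    # Climb until reaching a server that is also an ancestor of the home
    # server (the lowest common proxy), then descend towards home.
    for i, node in enumerate(up):
        if node in down:
            return up[: i + 1] + list(reversed(down[: down.index(node)]))
    raise LookupError("hierarchy is disconnected")
```

A local user yields a single-element route (no proxying), while a user from another country crosses two national proxies and the top-level server, which is exactly the chain of single points of failure listed on slide 8.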

Page 11: Roaming policy

• Minimal security level
• Levels of assertion
• SLAs
• Incident response
• Policy board

Page 12: Usability: standardisation, localisation, expansion

• Standardisation
– Limited set of encryption and SSID choices
• Encryption: 802.1X+WEP, WPA+TKIP, WPA2
• SSID: eduroam

• Localisation
– Eduroam-around-the-corner (See: Martijn Arts)

• Expansion
– Integration with commercial roaming services (See: Martin Bech)

Page 13: Managing & Monitoring: user tracking & weathermap

(See also: Kostas Kalevras, Large scale WLAN deployments)

Page 14: AAI Integration: offload AuthZ?

[Diagram: European Server above national proxies (.nl, .ac.uk, .es, …), institutional servers uva.nl and uclm.es; an access point, A-Select and PAPI, a roaming user (address obfuscated in the transcript) and the UCLM user database.]

• How do all these applications communicate? (SAML?)
• Or should we do it inline?

(See: Diego Lopez, AAI Infrastructures)

Page 15: Conclusions

• 802.1X plus RADIUS provide a secure and future-proof solution for access to the institutional network

• Infrastructure not perfect yet but…
– It works ™
– It is ready for the future
– Géant2 JRA5 will make it even better

• Joining EduRoam is a small step for administrator-kind but a giant leap for the users, so…

Page 16: Time to join…

Page 17: More information

• EduRoam in SURFnet – http://www.eduroam.nl
• EduRoam in Europe – http://www.eduroam.org
• TERENA TF-Mobility – http://www.terena.nl/mobility
• Géant2 Joint Research Activity 5 (authorisation and roaming) – http://www.geant2.net/ (click on research)
• The unofficial IEEE802.11 security page – http://www.drizzle.com/~aboba/IEEE