Post on 15-Jan-2016
Joining eduroam
Wireless Roaming for Higher Education and Research
chris.myers@grangenet.net
EuroCAMP ver 2.7
Global Working Group
• A Global Working Group has been set up.
• There is an open email list to share
• The first meeting was at EuroCAMP 2005.
• The second meeting was held after the I2 members meeting.
• The third meeting was yesterday.
• We have a conference call when required.
Global Working Group
What are we doing?
• Working on standards and systems for safe roaming internationally.
• eduroam NG (next generation).
• Peering policies and frameworks.
• There are representatives from Europe, the USA and Asia Pacific.
Global Working Group
• Current eduroam environment
  – Hierarchy of RADIUS proxies
  – Shared key security
  – Manual configuration of all links
Global Working Group
• Future eduroam environment
  – RADIUS discovery
  – PKI secured links
  – Via Radiator, Diameter or FreeRADIUS versions
  – Possible Shib attribute passing
The APAN Region: future direction and update
What is eduroam’s core requirement?
eduroam allows roving researchers to log in, with their usual “user name/password”, to wireless networks at participating campuses around the world and transparently get access to resources.
This is the mission statement.
This is what needs to be delivered.
• Federated
  – Australia: 17 sites
  – Taiwan: 51 sites
• Interest in
  – Japan
  – China
  – Korea
  – New Zealand
  – AU University in Vietnam
Eduroam in APAN Region
Project Members:
National Science and Technology Program for Telecommunications
Global Cross-Campus WLAN Roaming based on Distributed Authentication Mechanism
Yung-Chi Yang c00ycy00@nchc.org.tw
Ko-Chung Tang kevin@nchc.org.tw
Wei-Hung Huang a00whl00@nchc.org
Wei-Wen Chen c00cyw00@nchc.org.tw
Roaming Platform Participants
1) National Taiwan University
2) National Cheng-chi University
3) National Chiao-Tung University
4) National Tsing-Hua University
5) National Central University
6) National Cheng-Kung University
7) National Chi-Nan University
8) National Chung-Hsing University
9) National Dong Hwa University
10) National Taipei University
11) National Yang-Ming University
12) National Taiwan Normal University
13) National Chung-Cheng University
14) National Taiwan Ocean University
15) National United University
16) National Hsinchu University of Education
17) National University of Tainan
18) National University of Kaohsiung
19) National Ilan University
20) National Taitung University
21) National Taiwan University of Science and Technology
22) National Yunlin University of Science and Technology
23) National Kaohsiung First University of Science and Technology
24) Northern Taiwan Institute of Science and Technology
25) Taipei Medical University
26) Tamkang University
27) Feng Chia University
28) I-Shou University
29) Soochou University
30) Wufeng Institute of Technology
31) Vanung University
32) Huafan University
33) Kaohsiung Medical University
34) Ming Chuan University
35) Providence University
36) Da-Yeh University
37) Shih Hsin University
38) Yuan Ze University
39) Chung Hua University
40) Chinese Culture University
41) Hsiuping Institute of Technology
42) Ling Tung University
43) Lunghwa University of Science and Technology
44) Takming College
45) Jin Wen Institute of Technology
46) Fooyin University
47) Tatung University
48) Mingdao University
49) St. John’s University
50) Yuanpei Institute of Science and Technology
51) Tunghai University
Roaming is possible between 51 universities in Taiwan, and over 500,000 user accounts are being served.
(Updated 2005-10-30)
WLAN Roaming Architecture
Roaming Server – Software Architecture
• FreeRADIUS implements the RADIUS protocol and uses the RADIUS proxy to communicate with the Roaming Center.
• The firewall controls access rights to the Roaming Server.
• OpenVPND builds the secure tunnel between the Roaming Server and the Roaming Center.
• The Roaming Center uses SNMP to monitor the status of the Roaming Server.
[Diagram: the campus RADIUS Server talks over a VPN tunnel to the Roaming Center (NCHC); the Roaming Server (Linux Red Hat/Fedora) runs the Firewall, OpenVPND and a RADIUS Server with Proxy (FreeRADIUS, SNMP enabled).]
• Top level servers
  – Server 1: Australia, coming on-line soon.
  – Server 2: looking for a home.
Eduroam in APAN Region
• This will be run as a service (in this region).
• Which means:
  – Security
  – Education
  – Monitoring
  – Granular Control
  – Policies
  – Service Levels
  – IPv6
Eduroam in APAN Region
What does Security mean?
• Minimum standards
  – 802.1X
  – WPA TKIP on APs
  – EAP-TTLS authentication
• Why: the security level of this service is only as strong as the weakest site.
• Waivers will be available for fixed times.
What does Security mean?
• Future standards
  – 802.11i: WPA2 AES on APs
  – EAP SAML?
  – The next wave of magic
• Integration with
  – Shib
  – A-Select
  – or other
What does Security mean?
• Why not web redirect?
  – We don’t share our password with others (not secure).
• Why not VPN?
  – Which VPN?
  – ACL/XML lists: how long? (1006 sites x 2 VPN x 16 firewall rules = 32192 lines; not scalable.)
What does Security mean?
• Why WPA TKIP?
  – Open: all traffic is in the clear.
  – WEP is cracked (all traffic is effectively in the clear).
  – WPA with TKIP is in most APs now and gives a good level of security.
• Why EAP-TTLS?
  – Secure PAP password exchange.
  – Many supplicants are available.
• 802.1X is worth the pain.
What does Education mean?
• Training
• Support
• Debugging
• Site visits
• Skills can be imported.
What does Monitoring mean?
• Servers
  – What’s up? What’s down?
  – What’s the impact?
  – Who to contact?
  (This is only half the story.)
What does Monitoring mean?
• Service
  – Is Auth up? Is Auth down? (Where?)
  – What’s the impact?
  – Who to contact?
  – Must be end to end.
• I like to know this before the clients do.
What does Granular Control mean?
• How do we identify?
• How do we suspend access?
• How can a client obtain their roaming data?
• This will empower users and providers.
What do Policies mean?
• Policies support and protect:
  – The service
  – The provider
  – The client
• The Australian policy is complete (ratification is in its final stages).
• This work has been completed by James Sankar of AARNet.
What do Service Levels mean?
• As a service:
  – We need to define the service.
  – We need to set response times.
  – We need to supply a level of service to our clients.
What does IPv6 mean?
• IPv6 is fundamental in this region.
  – All eduroam-type services need to work on v6 (not all sites, but the service).
  – We will be looking closely at v6 mobility, and also at IPsec for secure roaming.
What You Need to Play
International eduroam portals
Local NREN eduroam Portal
Elements of a portal
• Local information
• Services
• Participants
• Policies
• Technology
• International links
• Information for roaming
• Mail lists
• How to contact groups
Local NREN eduroam Portal
Data mining
• Who’s interested?
• Where are they from?
• Are you hitting your targets?
Local NREN eduroam Portal
• Did anyone read the news release?
• Put links in your news release (this helps).
• How can I make use of this information?
Local NREN eduroam Portal
Feedback and help
• Feedback is important:
  – for the program
  – for the NREN
  – for the institute
  – for the user
• Use detailed user guides on the portal.
• Put in links to the wiki forum.
• Users who can help themselves don’t call.
Wiki forum page
Team Requirements
What people are required for eduroam?
– The wireless people: basic wireless administration skills.
– The directory people: average RADIUS administrative skills.
– The security people: average firewall/ACL skills.
– The desktop support: basic to average skills.
• It’s not about the technology; that’s easy.
Team Requirements
What do the people require from eduroam?
– Trust.
  • Policy.
  • A reactive, collaborative community.
  • Policy.
– For the NREN: see people.
• It’s all about the people.
Local Wireless Implementation
802.1X Tools
• SecureW2 (Alfa & Ariss)
  – SecureW2 for Windows platforms is the cost-effective and most robust client solution for deploying 802.1X networks. The SecureW2 client enables EAP-TTLS using the standard Microsoft IEEE 802.1X client currently available for Windows 2000, Windows XP and Pocket PC 2003.
• Now open source.
Local Wireless Implementation
Cisco 1200 Series Access Point setup for eduroam
• Under Security, Encryption Manager.
• Select the VLAN in the drop-down box under Set Encryption Mode and Key for VLAN.
• Select Cipher in Encryption Modes.
• Select TKIP in the Cipher drop-down box.
• Clear Encryption keys.
• Select Encryption key 2.
Local Wireless Implementation
• Under Security, SSID Manager.
• Select the eduroam SSID.
• Under Authentication Settings, Methods Accepted: select Open Authentication with EAP in the drop-down box.
• Select Network EAP.
• Under Authentication Settings, Server Properties: select Customize.
• Under Priority 1 select your RADIUS server’s address.
RADIUS Implementation
• Create a national RADIUS server.
• Federate to the international server.
  – Good service selling point.
• Create institutional RADIUS services.
• Create test accounts.
  – On all sites.
• RADIUS tools
  – FreeRADIUS: a most excellent free RADIUS server.
RADIUS Implementation
• Deliver cookie cuts (AUS example).
  – Config for an end-user site to connect to the national server:

    realm DEFAULT {
        type = radius
        authhost = 203.22.212.134:1812
        accthost = 203.22.212.134:1813
        secret = XXXXXXXXXXXX
        nostrip
    }

    client 203.22.212.134 {
        shortname = national-au-eduroam1
        secret = XXXXXXXXXX
    }
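As an added illustration (not from the slides, and not FreeRADIUS or any eduroam project code), the following Python model shows what the cookie-cut config above buys a site: the site forwards every non-local realm to the national server via realm DEFAULT with nostrip, the national server routes known realms back to their home site and everything else to the top-level server, and every link is a manually configured shared secret that the receiving side checks. It also covers the "test accounts on all sites" and "Auth must be end to end" slides, since the returned path lists every proxy a test login crossed. All realms, hostnames, passwords and secrets are constructed sample values.

```python
# Added example, not from the slides or the eduroam project: a toy model of the
# RADIUS proxy hierarchy (site -> national -> international) with manually configured
# shared-secret links and a "realm DEFAULT" upstream. All values are constructed samples.
MAX_HOPS = 6  # a proxy must bound forwarding, or a realm routing loop never ends


class Proxy:
    def __init__(self, name, local_realms=(), users=None):
        self.name = name
        self.local_realms = set(local_realms)
        self.users = users or {}  # home-site user database: {"user@realm": "password"}
        self.routes = {}          # realm, country TLD or "DEFAULT" -> (next hop, secret)
        self.clients = {}         # peer name -> shared secret it must present

    def link(self, key_up, upstream, key_down, secret):
        # One manually configured link: a route and a client entry on each side.
        self.routes[key_up] = (upstream, secret)
        upstream.routes[key_down] = (self, secret)
        self.clients[upstream.name] = upstream.clients[self.name] = secret

    def handle(self, user_name, password, sender=None, secret=None, hops=0):
        path = [self.name]
        if sender is not None and self.clients.get(sender) != secret:
            return "Reject", "unknown client or bad shared secret: " + sender, path
        if hops > MAX_HOPS:
            return "Reject", "hop limit exceeded (realm routing loop?)", path
        if "@" not in user_name:
            return "Reject", "no realm in User-Name", path  # nothing to route on
        realm = user_name.rsplit("@", 1)[1].lower()
        if realm in self.local_realms:  # home site: check the user's usual password
            ok = self.users.get(user_name) == password
            return ("Accept" if ok else "Reject"), "home authentication", path
        tld = realm.rsplit(".", 1)[-1]
        route = self.routes.get(realm) or self.routes.get(tld) or self.routes.get("DEFAULT")
        if route is None:
            return "Reject", "no route for realm " + realm, path
        upstream, link_secret = route
        # nostrip: the full user@realm is forwarded so the home site receives it
        result, why, rest = upstream.handle(user_name, password, self.name, link_secret, hops + 1)
        return result, why, path + rest


def build_hierarchy():
    intl, au, tw = Proxy("intl-top"), Proxy("national-au"), Proxy("national-tw")
    uni_a = Proxy("uni-a.edu.au", ["uni-a.edu.au"], {"alice@uni-a.edu.au": "pw-a"})
    ntu = Proxy("ntu.edu.tw", ["ntu.edu.tw"], {"bob@ntu.edu.tw": "pw-b"})
    uni_a.link("DEFAULT", au, "uni-a.edu.au", "s1")  # site -> national via realm DEFAULT
    ntu.link("DEFAULT", tw, "ntu.edu.tw", "s2")
    au.link("DEFAULT", intl, "au", "s3")              # top level routes by country code
    tw.link("DEFAULT", intl, "tw", "s4")
    return uni_a, au, intl
```

A login for an unfederated realm under a country code (for example one ending in .au that no Australian site serves) bounces between the national and top-level servers until the hop limit rejects it, which is why a real national server also needs an explicit rule for unknown local realms.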
Layer 8
– Can be your friend.
  • They want the service.
  • They can see the business drivers.
  • They will divert resources to the project.
– Can be your enemy.
  • They can have unrealistic expectations.
  • The work on policy triggers lawyers.
  • Lawyers mean money and long documents.
Layer 8
Know your landscape
– What is out there?
– What does the community want?
– Can you meet their requirements?
– Can you control expectations?
– Can you deliver the service?
– Where can you go for help?
eduroam Links
eduroam AU site: http://www.eduroam.edu.au
APAN eduroam site: http://www.apaneduroam.edu.au
eduroam Global Working Group: http://www.eduroam.edu.au/gwg-eduroam
Global working group email list: gwg-eduroam@eduroam.edu.au
Email enquiries: enquiries@eduroam.edu.au, join@eduroam.au
Joining eduroam
Thank you
Please join eduroam: http://www.eduroam.org
http://www.eduroam.edu.au
Acknowledgments: Surfnet, TF Mobility TERENA, UNI-C & AARNet
Tech: chris.myers@grangenet.net
Policy: james.sankar@aarnet.edu.au