eduroam AU: Status and Directions
Neil Witheridge Authentication & Authorisation Services
Technical Manager AARNet
Theta 2015
This work is licensed under a Creative Commons Attribution 4.0 International License.
Quick Recap: “What is eduroam”
1st May 2015 eduroam AU Status and Directions - THETA2015 2 of 16
[Diagram: national roaming. The end-user device (username + password) connects to the wireless access point of the visited institution (Service Provider, SP, realm griffith.edu.au); the SP’s institutional RADIUS server forwards the request to the National Roaming Operator’s National RADIUS Server, which forwards it to the home institution’s institutional RADIUS server (Identity Provider, IdP, realm uq.edu.au). Step 1: Authentication; step 2: Access.]
eduroam = common SSID “eduroam”, 802.1x, RADIUS using Realms for Remote Authentication
eduroam User-Name is institutional username + user’s ‘realm’ (e.g. @uq.edu.au)
Quick Recap: “What is eduroam”
[Diagram: international roaming. The end-user device (password) connects to the wireless access point of the visited institution (SP, realm griffith.edu.au); the institutional RADIUS server forwards to the AU National RADIUS Server (National Roaming Operator), then to the APAN Top-Level RADIUS Server (Regional Roaming Operator), the EU Top-Level RADIUS Server, the UK National RADIUS Server, and finally the home institution’s institutional RADIUS server (IdP, realm oxford.ac.uk). Step 1: Authentication; step 2: Access.]
eduroam User-Name is institutional username + user’s ‘realm’
eduroam = common SSID “eduroam”, 802.1x, RADIUS using Realms for Remote Authentication
Quick Recap: “What is eduroam”
• Identity Federation
  – Institutional identity management and authentication trusted based on policy compliance
• Eduroam – Education Roaming
  – WPA2-Enterprise, 802.1x
  – RADIUS, Tunneled EAP Protocol
• NRO – National Roaming Operator (AARNet)
  – NRS – National RADIUS Server
  – TLRS – Top Level (i.e. Regional) RADIUS Server
• Institutional Participants (IdP+SP, SP-only)
  – Identity Provider (IdP), user authentication
  – Service Provider (SP), provide network access
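How the realm in the eduroam User-Name drives a request along the institutional, national and top-level RADIUS hierarchy shown on the preceding slides, as an added example (not code from the slides or from AARNet); the hop names, server names and routing tables are constructed for illustration. It also shows the two checks a proxy needs: a User-Name with no usable realm, and an unknown realm under the server’s own top-level domain, are rejected rather than forwarded.

```python
import re

# Realm must look like a DNS name (labels of letters/digits/hyphens, at least one dot).
REALM_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
LOCAL = "authenticate-locally"  # sentinel: this hop is the realm's own IdP

# Constructed hop configurations (server names are assumptions, not real hosts).
# Route keys are exact realms or ".suffix" patterns; values are the next server,
# LOCAL, or None (reject). Realms matching nothing go to "default".
HOPS = {
    # Visited institution (SP): own realm is local, everything else goes to the NRS.
    "griffith-idp": {"routes": {"griffith.edu.au": LOCAL},
                     "default": "nrs.aarnet.example"},
    # NRS: known AU participants get their own server; an unknown .au realm is
    # rejected here (sending it up would only loop back); foreign realms go to TLRS.
    "aarnet-nrs": {"routes": {"uq.edu.au": "radius.uq.example",
                              "griffith.edu.au": "radius.griffith.example",
                              ".au": None},
                   "default": "tlrs.apan.example"},
    # TLRS: its region's national servers, other regions' TLRS, else reject.
    "apan-tlrs": {"routes": {".au": "nrs.aarnet.example", ".nz": "nrs.nz.example",
                             ".uk": "tlrs.eu.example"},
                  "default": None},
}

def parse_realm(user_name):
    """Return the lower-cased realm of 'username@realm', or None if unroutable."""
    if user_name.count("@") != 1:
        return None
    username, realm = user_name.split("@")
    realm = realm.lower()  # realms compare case-insensitively, like DNS names
    return realm if username and REALM_RE.match(realm) else None

def route(hop, user_name):
    """What the RADIUS server at `hop` does: ("authenticate"|"forward"|"reject", next_server)."""
    realm = parse_realm(user_name)
    routes, default = HOPS[hop]["routes"], HOPS[hop]["default"]
    if realm is None:
        target = None  # no realm: cannot be proxied anywhere, so reject
    elif realm in routes:
        target = routes[realm]
    else:  # longest matching ".suffix" pattern, else the hop's default
        suffixes = [s for s in routes if s.startswith(".") and realm.endswith(s)]
        target = routes[max(suffixes, key=len)] if suffixes else default
    if target is None:
        return "reject", None
    return ("authenticate", None) if target == LOCAL else ("forward", target)
```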
Quick Recap: eduroam Protocols
• Use of tunneled EAP for secure authentication
[Diagram: the user’s mobile device, configured to connect automatically to the “eduroam” SSID, visits an institution and connects to the visited institution’s network via eduroam. Path: user’s mobile device → wireless access point → SP institution RADIUS server (visited institution eduroam Service Provider) → regional/national RADIUS servers → IdP institution RADIUS server (home institution eduroam Identity Provider), where the authentication (Auth’n) is performed.]
Protocol stack shown in the diagram:
– WPA2/AES (wireless encryption)
– IEEE 802.1x (on 802.11)
– RADIUS
– PEAP, TTLS (encrypted tunnel): outer-authentication
– MSCHAPv2, PAP (user authentication): inner-authentication
In the outer-authentication the username@realm is visible to the access point and to the RADIUS servers along the path; the inner username@realm and password travel inside the encrypted tunnel, not visible (encrypted) to the intermediate servers, and are seen only by the IdP institution RADIUS server.
eduroam AU Current Status
• eduroam AU uptake
  – Currently 58 IdP+SP + 8 SP-only participants
  – Universities (100% AU Universities)
  – Research institutions (e.g. CSIRO, ANSTO)
  – Research service providers (e.g. INTERSECT)
  – Hospitals & Medical Research (e.g. NSW Health, SAHMRI)
  – Also several Colleges, TAFEs, K-12 Schools
• Eduroam Advisory Group
  – Extending eduroam AU footprint to High Schools
• Eduroam usage statistics (graphs on next slides)
Life-time Trend (start->1Q2015)
[Chart: life-time trend of eduroam AU usage from the start to 1Q2015; vertical axis ticks at 15000 and 17000. Legend: IdP – remote authentications by ‘home’ institutions; SP – network accesses by visited institutions; users travelling to AU institutions; users travelling to OS institutions; users from AU institutions; users from OS institutions.]
OS Visitors during 2014
[Chart: overseas visitors to eduroam AU during 2014, total 27312; labelled source countries include HK, NZ, JP, SG and MY.]
eduroam Governance & Policy
• eduroam is a Trust Federation
  – Trust is based on policy compliance
• eduroam Global Policy (“eduroam Compliance Statement”)
  – Created by the Global eduroam Governance Committee
    • NROs must be a signatory and comply
    • Appendices describe technical req’s for IdPs and SPs
• eduroam AU Policy (current 4.2, not aligned with eCS)
  – Requirements for AU IdPs and SPs
• Institution’s network Acceptable Use Policy (AUP)
  – Users must comply with their home institution AUP
  – AUP embodies AARNet Access Agreement
Global eduroam Governance Committee
• Secretary of GeGC: Brook Schofield (GEANT Association)
• Africa: Samia El Haddout, CNRST/MARWAN; Simeon Miteff, SANReN/TENET
• Europe: Paul Dekkers, SURFnet; Miroslav Milinovic, SRCE; Scott Armitage, Loughborough Uni
• Latin America: Leandro Marcos de Oliveira Guimares, RNP; Alejandro Lara, REUNA
• North America: Chris Phillips, CANARIE; Philippe Hanset, Internet2 (ANYROAM LLC operates on behalf of Internet2)
• Asia Pacific: Hideaki Goto, Tohoku University; Neil Witheridge, AARNet
• Non-voting technical experts: Klaas Wierenga, Chair of TF-MNM (Mobility and Network Middleware); Stefan Winter, RESTENA
• Secretary of TF-MNM: Nicole Harris (GEANT Association)
eduroam AU Future Directions
• Improvements targeted
Public vs Protected Info & Services
• Restricted access is required for:
  – Administration – deployment data entry
    • DjNRO Admin tool
  – End-User Support
    • Institutional Device Configuration set-up – Configuration Assistant Tool (CAT)
    • Test authentications for Troubleshooting
  – Detailed Institutional Usage Metrics
    • Who visited who, nationally & internationally
• Access via institution’s SAML IdP & AAF registration
  – Access via “AARNet Conext” (SURFnet’s OpenConext)
  – Use of VHO for admins without an IdP
eduroam Technical Trends
• Improvements in both WiFi and eduroam protocols to avoid problems
• Leveraging evolution of WiFi Protocols
  – Hotspot 2.0 (in particular, IEEE 802.11u)
• eduroam Protocols – evolving to deliver scalability and lower admin burden
  – RADIUS/TCP + TLS
    • TCP: avoid issues related to unreliable transport with UDP
    • TLS: secure the communication at the transport layer
  – Dynamic Discovery
    • Don’t rely on hierarchy defined in configuration
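Dynamic discovery replaces the configured hierarchy with a DNS lookup: the realm’s NAPTR records name the SRV record of its RADIUS/TLS server (the RFC 7585 procedure). Added example, not code from the slides or from eduroam’s own tooling; the NAPTR and SRV records below are constructed inline so it runs offline, where a real client would query a resolver for them.

```python
from dataclasses import dataclass

# Service tags a RADIUS/TLS client accepts: the RFC 7585 tag and the older
# eduroam-specific tag that existing deployments may still publish.
ACCEPTED_SERVICES = ("aaa+auth:radius.tls.tcp", "x-eduroam:radius.tls")

@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str        # "S": the replacement field names an SRV record
    service: str
    replacement: str

@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str

# Constructed DNS answers (assumed records, not the real uq.edu.au zone);
# a deployment would fetch these with a resolver instead.
NAPTR_ZONE = {"uq.edu.au": [
    Naptr(100, 10, "S", "aaa+auth:radius.tls.tcp", "_radiustls._tcp.uq.edu.au"),
    Naptr(50, 10, "S", "x-eduroam:radius.tls", "_radiustls._tcp.uq.edu.au"),
    Naptr(10, 10, "S", "aaa+auth:radius.dtls.udp", "_radiusdtls._udp.uq.edu.au"),
]}
SRV_ZONE = {"_radiustls._tcp.uq.edu.au": [
    Srv(10, 0, 2083, "radius2.uq.edu.au"),
    Srv(0, 0, 2083, "radius1.uq.edu.au"),
]}

def discover(realm):
    """(host, port) of the realm's RADIUS/TLS server, or None to fall back to the static hierarchy."""
    candidates = [r for r in NAPTR_ZONE.get(realm.lower(), [])
                  if r.flags == "S" and r.service in ACCEPTED_SERVICES]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (r.order, r.preference))  # lowest order wins
    srvs = SRV_ZONE.get(best.replacement, [])
    if not srvs:
        return None
    srv = min(srvs, key=lambda s: (s.priority, -s.weight))  # lowest priority first
    # The discovered host is only trusted once its TLS certificate is verified
    # against the federation CA at connection time; discovery alone proves nothing.
    return srv.target, srv.port
```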
eduroam History in Asia Pacific (APAC)
• AU/NZ participation
  – Started with eduroam Project Group (2007-10)
• APAC countries currently participating: Australia (.au), Hong Kong (.hk), India (.in), Japan (.jp), Korea (.kr), Macao (.mo), New Zealand (.nz), Taiwan (.tw), Singapore (.sg), Thailand (.th)
• Pending eCS signing: Philippines (.ph), Malaysia (.my)
• Have shown interest: China (.cn), Papua New Guinea (.png)
• Planning to participate via AARNet: Fiji/Oceania (USP) (.fj)
TEIN funded project: XeAP (Extending eduroam in the Asia Pacific)
• AARNet submission in response to TEIN request to lead a project collaboratively with regional eduroam participants to increase eduroam footprint in the Asia Pacific
• Also creating an APAC eduroam Confederation
• 5 TEIN beneficiary countries to be chosen as targets: candidates include Bangladesh, Cambodia, Indonesia, Pakistan, Sri Lanka, Vietnam
• Will also improve eduroam generally, and promote improved participation by existing APAC NROs: e.g. Malaysia, The Philippines, Thailand
Summary of Work over 2015/16
• eduroam AU Website & Wiki, institutional engagement
• Ancillary Services
  – Administration (using DjNRO)
  – Monitoring (IdP + SP, use of test accounts)
  – Metrics (aggregate and institutional)
  – Support (policy for provision by institutions)
• End-user device configuration
  – Configuration Assistant Tool (CAT)
• Troubleshooting via test accounts & log access
• Templates & Checklists
  – Institutional eduroam Website template
  – Operability Testing and Auditing checklists
• Protocol upgrades and XeAP project