EDUROAM

Michael Helm

ESnet/LBL

26 Mar 2006

Eduroam TAGPMA 27 Mar 2006 2

What Is Eduroam?

• The Roaming Scholar vs the Restricted Wireless Network– I am in a strange place, and I need to log in to your

network; you want me to do this, but how can you permit it?

– Need locally-usable credentials to authorize network services

– Typical application is wireless networking• Evolution of approaches

802.11 -> 802.1x– Web-based authentication (eg Hotels)– Distributed VPNs

Eduroam TAGPMA 27 Mar 2006 3

What Is Eduroam? (2)

• EU – Terena Mobility WG

• http://www.eduroam.org

• Hierarcy of RADIUS servers– RADIUS = RFC 2865– Widely deployed in campuses & industry– Eduroam root at SURFnet in NL– EU NRENs have national roots &c– Non EU – AU, US*, maybe other Asia

Eduroam TAGPMA 27 Mar 2006 4

Eduroam - current

Eduroam TAGPMA 27 Mar 2006 5

Eduroam - Current

Eduroam TAGPMA 27 Mar 2006 6

eduroam.usFWNA – I2

• Determined basic specs– RADIUS hierarchy modeled after current European

eduroam network– Requires use of 802.1x

• Experimental service in place– Top level servers at UTK, Merit– Connecting servers to Europe, Asia

• Finalizing “registration” system– Web-based service that will allow institutions to

connect easily

Eduroam TAGPMA 27 Mar 2006 7

802.1x, RADIUS and EAP

Top-Level Server 1

RADIUS server at visited

institutionRADIUS server at

home institution

Userid store at home institution

EAP client

Access Point

Eduroam TAGPMA 27 Mar 2006 8

802.1x, RADIUS and EAP

• 802.1x and RADIUS serve as transport mechanisms for EAP authentication

• 1x and RADIUS facilitate a conversation between two items controlled by the user and his organization: EAP client and campus RADIUS server

Eduroam TAGPMA 27 Mar 2006 9

Top-level server interaction

Top-Level Server 2

RADIUS configuration and routing

data

• Top-level servers draw configs from a central store of data, based on registration

• Thus they remain in synch, but do not otherwise directly communicate

Top-Level Server 1

Eduroam TAGPMA 27 Mar 2006 10

Eduroam Development

• Many instances, but not yet ubiquitous• City-State of CERN?• EU eduroam success leads to eduroam-

NG– Need to exchange attributes– Service discovery– Weaknesses of RADIUS in these areas +

security concerns

• (Teaser for KW & PH slide decks)

Eduroam TAGPMA 27 Mar 2006 11

Outlook

• Grid application? (Other networks?)• PKI support

– EAP clients– RADIUS router & ID Provider support

• Useful for our collaboration• Acknowledgements:

Most of the material in this deck is from Klaas Wierenga (at one remove) and Kevin Miller & Philippe Hanset (FWNA-I2)