Expanding eduroam in Asian countries * What is eduroam * eduroam JP update * R&D on DEAS
Expanding eduroam in Asian countries
* What is eduroam
* eduroam JP update
* R&D on DEAS
33rd APAN meeting, Feb. 16, 2012, Chiang Mai
Hideaki Sone, NII / Tohoku University, Japan
[Slide graphic: "is Ready" / "Congratulations!"]
What is eduroam?
eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.
eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.
http://www.eduroam.org/
[Figure: roaming diagram with labels "Internet", "Inst. A", "Inst. B", "Home inst.", "student / staff"; eduroam promotion video by AARNet]
Who operates eduroam
• The eduroam service started as a pilot under the auspices of TERENA.
• 4 regional operators
• About 50 countries worldwide
  – 7 members in Asia Pacific
• GeGC (Global eduroam Governance Committee) has been organized (2010).
  – 7 voting members: EU(3), US, CA, AP(2)
  – "Compliance Statement" compilation is under way.
    • service definitions, technical standards
eduroam deployments in Asia Pacific
• Hosting by a nearby country works well as an incubator.
• Hosting is quite beneficial for countries having a small number of institutions.

realm   joined inst.   total #   deployment rate   note
.au     33             37        89.2%             (AP Server 1)
.hk     9              9         100%              (AP Server 2)
.cn     ?              1,700+    ?
.tw     137 ?          170+ ?    ?                 (data as of Apr. 2009)
.jp     27             1,200+    2%
.nz     5              8         62.5%             hosted by AARNet
.pg     1              6         ?                 hosted by AARNet

Steady growth: 8 joined in 2010, 10 more in 2011.
eduroam JP
• National eduroam operation and promotion
  – 27 institutions (2% of 1,200) joined (Dec. 2011)
    • 17 (2010), 9 (2009)
  – Tutorial & technical documents
• R&D
  – Easy deployment and operation
  – Location privacy, etc.
• Collaboration with commercial W-ISPs
  – eduroam on commercial hotspots
  – Shared hotspots on campus
  – New architecture and business models for next-generation commercial / academic WLAN services
eduroam / ISP collaboration
• Livedoor, an ISP in Japan, provides eduroam service on their commercial hotspots
  – 130+ in-door APs at cafes, conference sites and some large shops in and around Tokyo
  – 2,200+ out-door APs on power poles in central Tokyo
    • eduroam-livedoor is now available on the streets
  – provides Campus Network solution with eduroam
• Commercial WLAN service using univ. APs
  – shared AP, experimental
• Negotiations are under way with some other ISPs / carriers
eduroam in disaster-affected campuses
• Borderless eduroam helped suffering staff
  – Nomadic network in temporary evacuation campus
• Tohoku University faced the big earthquake in March.
  – Many buildings were severely damaged.
  – Staff moved to other buildings where networks are operated by different departments.
  – eduroam was an effective rescue that let them use the network: an inter-department roaming network
[Figure: campus diagram with labels "Additional APs", "eduroam APs", "Center", "Damaged depts", "Network ID"]
Difficulties in expanding eduroam in JP
• Problems
  – Difficulties in large-scale RADIUS deployment
    • 1200 institutions in Japan → 1200 branches in RADIUS tree
  – Laborious eduroam connection / management work
• Our solutions
  – Federated Delegate Authentication System (DEAS) with centralized/clustered RADIUS server
    • remove RADIUS IdP at each institution
    • Federation using Shibboleth SSO
    • simplify RADIUS tree (→ higher stability)
  – Web-based eduroam IdP / SP management system
    • simplify connection and administration at both the eduroam JP office and each institution
Easy-to-join eduroam system
[Figure: architecture diagram with labels "RADIUS IdP", "RADIUS proxy", "auth requests", "<secret key 1>", "<secret key 2>", "Institution's RADIUS server", "access points", "national top-level"; numbered components: 1. Delegate Authentication System (DEAS), 2. eduroam IdP/SP management web]
Federated Delegate Authentication System
• Account Issuer as a Shibboleth SP of Japan’s GakuNin federation (f.k.a. UPKI federation)
• Centralized / Clustered eduroam IdP to simplify the RADIUS proxy tree
• 3 types depending on the needs and federation level
• Authenticated access with pseudo-anonymized, fixed-term, and traceable roaming IDs
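As an added illustration of the last bullet (example code written for this transcript, not DEAS's or NII's implementation), the following Python issuer hands out roaming IDs that are pseudo-anonymized (a keyed hash tag instead of the real user name), fixed-term (the same user gets the same ID within one term and a fresh one in the next) and traceable (only the issuing institution, which holds the key and the ledger, can map an ID back to a person). The ID format, the 90-day term, the `RoamingIdIssuer` class and its methods are assumptions of this example.

```python
"""Pseudo-anonymized, fixed-term, traceable roaming IDs (added example).
Not DEAS's real scheme: the ID format, term length and ledger are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone


class RoamingIdIssuer:
    """Home-institution issuer of roaming IDs (hypothetical class for this example)."""

    def __init__(self, realm: str, key: bytes | None = None, term_days: int = 90):
        self.realm = realm
        self._key = key or secrets.token_bytes(32)   # never leaves the issuer
        self._term = timedelta(days=term_days)        # fixed validity term
        self._ledger: dict[str, tuple[str, datetime]] = {}  # roaming ID -> (user, expiry)

    def _term_index(self, now: datetime) -> int:
        # Terms are consecutive fixed-length windows counted from the Unix epoch.
        return int(now.timestamp() // self._term.total_seconds())

    def issue(self, real_user: str, now: datetime | None = None) -> str:
        """Return the roaming ID for `real_user` valid in the current term."""
        now = now or datetime.now(timezone.utc)
        term = self._term_index(now)
        expiry = datetime.fromtimestamp((term + 1) * self._term.total_seconds(), tz=timezone.utc)
        # Keyed hash of user and term: without the key nobody can link the tag to the
        # user, or link one user's tags across terms; with the key it is reproducible.
        tag = hmac.new(self._key, f"{real_user}|{term}".encode(), hashlib.sha256).hexdigest()[:16]
        roaming_id = f"r{tag}@{self.realm}"
        self._ledger[roaming_id] = (real_user, expiry)
        return roaming_id

    def validate(self, roaming_id: str, now: datetime | None = None) -> bool:
        """Accept only IDs this issuer created whose term has not ended."""
        now = now or datetime.now(timezone.utc)
        entry = self._ledger.get(roaming_id)
        return entry is not None and now < entry[1]

    def trace(self, roaming_id: str) -> str | None:
        """Map an ID back to the real user; only the issuer holds the ledger."""
        entry = self._ledger.get(roaming_id)
        return entry[0] if entry else None


if __name__ == "__main__":
    issuer = RoamingIdIssuer("univ-a.ac.jp")          # constructed realm
    rid = issuer.issue("alice")
    print(rid, issuer.validate(rid), issuer.trace(rid))
```

The visited network only ever sees `r<tag>@realm`, so a visited site's logs cannot be joined to a person or across terms without the home institution's key; the home institution can still answer an abuse inquiry from its ledger.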
Before & After DEAS
• Huge RADIUS tree can be replaced by single RADIUS which works as an SP for member institutions
[Figure: two panels. Left, "eduroam RADIUS tree": AP, RADIUS, th, jp, A, B, C, D, IdP. Right, "Centralized RADIUS": AP, th, jp, User, DEAS, IdP, SP, Shib. IdP]
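To make the "1200 branches in RADIUS tree" problem from "Difficulties in expanding eduroam in JP" and the before/after picture above concrete, here is an added toy model (example code for this transcript, not the eduroam or DEAS software) of realm-based RADIUS proxying. A request from a visitor climbs to the top-level proxy and descends along the branch whose realm suffix matches; in the "before" topology every Japanese institution is a branch under jp, in the "after" topology one centralized server answers for all member realms. Server names, realms, the five-institution list and the `deas-radius` node are constructed for the example.

```python
"""Toy model of realm-based RADIUS proxying in eduroam (added example, not from
the slides). Server names, realms and the institution list are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Server:
    """One RADIUS server in the proxy hierarchy."""
    name: str
    realm: str                  # realm suffix it is authoritative for; "" = top-level
    is_idp: bool = False        # answers Access-Requests itself instead of proxying
    members: frozenset[str] = frozenset()  # centralized IdP: member realms it serves
    parent: Server | None = None
    children: list[Server] = field(default_factory=list)

    def add(self, child: Server) -> Server:
        # Each parent/child link is one RADIUS peering with its own shared secret.
        child.parent = self
        self.children.append(child)
        return child


def covers(suffix: str, realm: str) -> bool:
    """True if `realm` falls under the domain suffix `suffix` ("" covers everything)."""
    return suffix == "" or realm == suffix or realm.endswith("." + suffix)


def route(visited: Server, user: str) -> list[str]:
    """Server names an Access-Request for `user` traverses, starting at the RADIUS
    server of the institution whose AP the user is on. Realms nobody serves raise."""
    realm = user.rsplit("@", 1)[-1].lower()
    node, path = visited, [visited.name]
    # Climb toward the top-level proxy until an ancestor covers the user's realm.
    while not covers(node.realm, realm):
        if node.parent is None:
            raise LookupError(f"no proxy covers realm {realm!r}")
        node = node.parent
        path.append(node.name)
    # Descend along the branch whose suffix matches until an IdP can answer.
    while not node.is_idp:
        branch = [c for c in node.children if covers(c.realm, realm)]
        if not branch:
            raise LookupError(f"{node.name} has no branch for realm {realm!r}")
        node = branch[0]
        path.append(node.name)
    if node.members and realm not in node.members:
        raise LookupError(f"{node.name} does not serve {realm!r}")
    return path


def _confederation() -> tuple[Server, Server, Server]:
    # Top-level proxy with a Thai and a Japanese national proxy under it.
    top = Server("top-level", "")
    th = top.add(Server("th", "th"))
    th_univ = th.add(Server("univ-th.ac.th", "univ-th.ac.th", is_idp=True))
    jp = top.add(Server("jp", "jp"))
    return top, jp, th_univ


def build_tree(jp_institutions: list[str]) -> tuple[Server, Server, Server]:
    """'Before': every Japanese institution is its own RADIUS IdP branch under jp."""
    top, jp, th_univ = _confederation()
    for realm in jp_institutions:
        jp.add(Server(realm, realm, is_idp=True))
    return top, jp, th_univ


def build_centralized(jp_institutions: list[str]) -> tuple[Server, Server, Server]:
    """'After': a single centralized RADIUS under jp answers for all members."""
    top, jp, th_univ = _confederation()
    jp.add(Server("deas-radius", "jp", is_idp=True, members=frozenset(jp_institutions)))
    return top, jp, th_univ


# Constructed sample: five institutions stand in for Japan's 1,200+.
JP_INSTITUTIONS = [f"univ-{c}.ac.jp" for c in "abcde"]

if __name__ == "__main__":
    for label, build in (("tree", build_tree), ("centralized", build_centralized)):
        top, jp, th_univ = build(JP_INSTITUTIONS)
        print(f"{label}: jp manages {len(jp.children)} peering(s); a univ-a visitor on a "
              f".th AP is routed via {route(th_univ, 'alice@univ-a.ac.jp')}")
```

The hop count seen by a roaming user is the same in both topologies; what changes is the number of peerings (and shared secrets) the national proxy has to manage and keep healthy, which is the stability point the slide makes. Unknown realms are rejected in both cases, in the centralized one by the member list.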
Current status (as of Feb. 2011)

Type                                  Deployment                                Users
Type I (no federation, web UI only)   National DEAS deployed                    5 universities
Type II (admin-only fed.)             Under development                         –
Type III (full fed.)                  National Shib. SP for GakuNin deployed    (22 federated institutions)

Univ. A, B: clients of Livedoor (ISP), using for main IdP
Univ. C: using for university's sub IdP
Univ. D, E: trial use of eduroam