High-quality Internet for higher education and research
AAI from the NREN perspective
Schiphol, October 17, [email protected]
Contents
• NRENs and AAI
• Federations for Network Access
– eduroam
• Federations for Application (Web) Access
– AuthN
– AuthZ
– eduGAIN
• Supporting Services
– SCHAC
– PKIs
– SCS
– TACAR
• Questions
The AAI domain
(diagram: Authentication Systems, Administrative Systems, Authorisation Systems and Applications, linked by the login step)
NRENs and AAI
• In the beginning there were:
– Network access solutions
– Web single sign-on solutions
– Identity management systems
– Authorisation engines
– PKIs
– Directories
• Then: need for collaboration beyond institutional borders: Federations
• Now: need for collaboration beyond national borders: Confederations
Federated network access: eduroam
• Security
– IEEE 802.1X
• Roaming
– RADIUS
• Trust
– Policies
eduroam architecture
(diagram: a guest user piet@university_b.nl with a supplicant at University A; the authenticator (AP or switch) talks to University A's RADIUS server and user DB; that server forwards to SURFnet's central RADIUS proxy server, which forwards to University B's RADIUS server and user DB; VLANs at the visited site: StudentVLAN, CommercialVLAN, EmployeeVLAN; data and signalling paths are drawn separately)
• Trust based on RADIUS plus policy documents
• 802.1X
• (VLAN assignment)
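A toy Python model of the realm-based RADIUS forwarding and VLAN assignment shown on this slide, added here as an example (it is not part of the original presentation nor of any eduroam software); the user names, passwords and the guest VLAN name are constructed, and the "central-proxy" hop stands for SURFnet's central RADIUS proxy.

```python
# Added example, not from the slides: toy model of the eduroam slide's realm-based
# RADIUS forwarding and VLAN assignment. Names, passwords, guest VLAN name are constructed.

# Each institution's RADIUS server knows only its own users (user -> (password, role)).
USER_DBS = {
    "university_a.nl": {"jan": ("jan-pw", "student"), "anna": ("anna-pw", "employee")},
    "university_b.nl": {"piet": ("piet-pw", "employee")},
}
# The national proxy (SURFnet on the slide) knows realms, never users or passwords.
PROXY_REALMS = {"university_a.nl", "university_b.nl"}
# VLANs from the slide for local users; visitors get a guest VLAN (name assumed here).
VLAN_FOR_ROLE = {"student": "StudentVLAN", "employee": "EmployeeVLAN"}
GUEST_VLAN = "GuestVLAN"


def split_identity(identity):
    """Return (user, realm) for 'user@realm'; None if there is no usable realm."""
    user, sep, realm = identity.rpartition("@")
    if not sep or not user or not realm:
        return None
    return user, realm.lower()


def authenticate_at_home(realm, user, password):
    """The home RADIUS server checks the credentials; returns the role or None."""
    # In real eduroam the credentials arrive inside the PEAP/TTLS tunnel (next slide).
    record = USER_DBS.get(realm, {}).get(user)
    if record is None or record[0] != password:
        return None
    return record[1]


def route(visited_realm, identity, password):
    """Decision of the visited site's RADIUS server (University A on the slide)."""
    parsed = split_identity(identity)
    if parsed is None:                       # no realm: nothing to forward to, reject
        return {"accept": False, "vlan": None, "path": [visited_realm]}
    user, realm = parsed
    path = [visited_realm]
    if realm == visited_realm:               # local user: authenticate here
        role = authenticate_at_home(realm, user, password)
        vlan = VLAN_FOR_ROLE.get(role)
    else:                                    # roaming user: forward via the central proxy
        path.append("central-proxy")
        role = None                          # unknown realm: proxy rejects, never guesses
        if realm in PROXY_REALMS:
            path.append(realm)
            role = authenticate_at_home(realm, user, password)
        # The home site only answers accept/reject; the VLAN is the visited site's choice.
        vlan = GUEST_VLAN if role else None
    return {"accept": role is not None, "vlan": vlan, "path": path}
```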
Tunneled authentication (PEAP/TTLS)
• Uses a TLS/SSL tunnel to protect data
– The TLS tunnel is set up using the server certificate, thus authenticating the server and preventing man-in-the-middle attacks
– The user sends his credentials through the secure tunnel to the server, thus authenticating the user
• Can use dynamic session keys for ‘in the air’ encryption
© Alfa&Ariss
(diagram: 802.1X client, EAP, RADIUS server; server authentication sets up the TLS tunnel, then user authentication runs protected by the tunnel)
Status of eduroam
• Over 400 institutions in Europe and Australia
• USA, Taiwan will follow shortly
Federated application (Web) access
• A number of web single sign-on solutions exist
– Shibboleth (Australia, Finland, Switzerland, UK etc.)
– PAPI (Spain, UK)
– A-Select (Netherlands, Australia)
– FEIDE/Moria (Norway)
• Authorisation Systems
– PERMIS
– SPOCP
• Single technology federations are or have been built
• Now through the Geant2 JRA5 project these will be integrated.
Web AuthN: A-Select
• “Black box” that:
– Accepts many authentication methods
– Interfaces with many applications
– Allows an institution to take authN out of the application
Web AuthZ: Shibboleth
• Allows institutions that belong to the same federation to share resources
• Lingua Franca: SAML
© SWITCH
eduGAIN
• Goal: to federate federations
• Web-services and SAML based
• As much as possible Shibboleth compatible
• 4 basic interactions:
– AuthnReq/Resp
– HLSReq/Resp
– AttrReq/Resp
– AuthZReq/Resp
• Defining parameters, protocols and profiles
Supporting services: SCHAC
• SChema HArmonisation Committee
• Find agreement on a set of minimal attributes to facilitate inter-institutional and international data-exchange
• An initial list of attributes has been agreed
• Let the schema evolve as time goes by and needs arise
• Work is ongoing to define a formal LDAP schema
• SCHAC would help the Bologna process
Supporting services: PKIs
• PKIs are complex
• “Pop-up problem”
• Path validation problems
• Cross certification tedious
• NRENs never managed to distribute client certificates on a large scale
• Server certificates cost money
• But the GRID community seems to have pulled this thing off!
Supporting services: Server Certificate Service (SCS)
• Flat-fee
• Pop-up free
• Server certificates only!
• Rooted in commercial CA provider
• National RAs
• Pilot funded by ACONET, CARNet, CESNET, CRU (RENATER), RedIRIS, SURFnet, SWITCH and UNI-C
• Currently in procurement procedure
Supporting services: TACAR
• Trusted repository of verified root-CA certificates for NRENs and not-for-profit research projects rooted in the academic community.
• Currently containing:
– AustrianGridCA, CERN CA, CESNET CA, DFN PCA, DOEGrids, DutchGrid, EGCA, EuroPKI, Grid Canada CA, Grid-Ireland CA, GridKa CA, GRNET, HellasGrid CA, IGC CRU, INFN CA, LIP CA, NIIF CA, RedIRIS, SURFnet, SWITCH, SwUPKI, UK e-Science CA, University of Thessaloniki
• Root of trust for International Grid Trust Federation (IGTF)
• Notice all the GRID certificates, it seems that we have found each other here already!
Questions
• Is there life beyond certificates in the GRID?
• How do you do authorisation?
• How do you overcome the Grid infrastructure scalability problems?
– Certificate deployment and life cycle management
– Sources of authority “VO” (many VOs and users belonging to many of them)
– Plug-and-play, Plug-and-be-played
• How may we help you?
• How can you help us?
More information
• eduroam
– http://www.eduroam.org
• TERENA TF-Mobility
– http://www.terena.nl/tech/task-forces/mobility/
• TERENA TF-EMC2
– http://www.terena.nl/tech/task-forces/tf-emc2/
– http://www.terena.nl/tech/task-forces/tf-emc2/schac.html
• TACAR
– http://www.tacar.org
• Géant2 Joint Research Activity 5 (authorisation and roaming)
– http://www.geant2.net/server/show/nav.758