Joining eduroam

Wireless Roaming for Higher Education and Research

chris.myers@grangenet.net
EuroCAMP ver 2.7
Global Working Group

A Global Working Group has been set up.
There is an open email list to share
The first meeting was at EuroCAMP 2005.
The second meeting was held after the I2 members meeting.
The third meeting was yesterday.
We have a conference call when required.
Global Working Group
What are we doing?

Working on standards and systems for safe roaming internationally.
eduroam NG (next generation).
Peering policies and frameworks.
There are representatives from Europe, USA and Asia Pacific.
Global Working Group
• Current eduroam environment
  – Hierarchy of RADIUS proxies
  – Shared key security
  – Manual configuration of all links
Global Working Group
• Future eduroam environment
  – RADIUS discovery
  – PKI secured links
  – Via Radiator, Diameter or FreeRADIUS versions
  – Possible SHIB attribute passing
The APAN Region
Future direction and update

What is eduroam's core requirement?

eduroam allows roving researchers to log in, with their usual "user name/password", to wireless networks at participating campuses around the world and transparently get access to resources.

This is the mission statement.
This is what needs to be delivered.
Eduroam in APAN Region
• Federated
  – Australia
    • 17 sites
  – Taiwan
    • 51 sites

• Interest in
  – Japan
  – China
  – Korea
  – New Zealand
  – AU University in Vietnam
National Science and Technology Program for Telecommunications
Global Cross-Campus WLAN Roaming based on Distributed Authentication Mechanism

Project Members:
  Yung-Chi Yang    c00ycy00@nchc.org.tw
  Ko-Chung Tang    kevin@nchc.org.tw
  Wei-Hung Huang   a00whl00@nchc.org
  Wei-Wen Chen     c00cyw00@nchc.org.tw
Roaming Platform Participants (updated at 2005-10-30)

Roaming is possible between 51 universities in Taiwan, and over 500,000 user accounts are being served.

1)  National Taiwan University
2)  National Cheng-chi University
3)  National Chiao-Tung University
4)  National Tsing-Hua University
5)  National Central University
6)  National Cheng-Kung University
7)  National Chi-Nan University
8)  National Chung-Hsing University
9)  National Dong Hwa University
10) National Taipei University
11) National Yang-Ming University
12) National Taiwan Normal University
13) National Chung-Cheng University
14) National Taiwan Ocean University
15) National United University
16) National Hsinchu University of Education
17) National University of Tainan
18) National University of Kaohsiung
19) National Ilan University
20) National Taitung University
21) National Taiwan University of Science and Technology
22) National Yunlin University of Science and Technology
23) National Kaohsiung First University of Science and Technology
24) Northern Taiwan Institute of Science and Technology
25) Taipei Medical University
26) Tamkang University
27) Feng Chia University
28) I-Shou University
29) Soochou University
30) Wufeng Institute of Technology
31) Vanung University
32) Huafan University
33) Kaohsiung Medical University
34) Ming Chuan University
35) Providence University
36) Da-Yeh University
37) Shih Hsin University
38) Yuan Ze University
39) Chung Hua University
40) Chinese Culture University
41) Hsiuping Institute of Technology
42) Ling Tung University
43) Lunghwa University of Science and Technology
44) Takming College
45) Jin Wen Institute of Technology
46) Fooyin University
47) Tatung University
48) Mingdao University
49) St. John's University
50) Yuanpei Institute of Science and Technology
51) Tunghai University
WLAN Roaming Architecture
Roaming Server – Software Architecture

[Diagram: Roaming Server (Linux Red Hat/Fedora) running a RADIUS server with proxy (FreeRADIUS, SNMP enabled), a firewall and OpenVPND, connected over a VPN tunnel to the Roaming Center (NCHC).]

• "FreeRADIUS" implements the RADIUS protocol and uses the RADIUS proxy to communicate with the Roaming Center.
• The "Firewall" controls access rights to the Roaming Server.
• "OpenVPND" builds the secure tunnel between the Roaming Server and the Roaming Center.
• The Roaming Center uses SNMP to monitor the status of the Roaming Server.
Eduroam in APAN Region
• Top Level servers
  – Server 1
    • Australia
    • Coming on-line soon
  – Server 2
    • Looking for a home.
Eduroam in APAN Region
• This will be run as a service (in this region).
• Which means
  – Security
  – Education
  – Monitoring
  – Granular Control
  – Policies
  – Service Levels
  – IPv6
What does Security mean?
• Minimum standards
  – 802.1X
  – WPA TKIP on APs
  – EAP-TTLS authentication
• Why
  – The security level of this service is only as strong as the weakest site.
• Waivers will be available for fixed times.
What does Security mean?
• Future standards
  – 802.11i
  – WPA2 AES on APs
  – EAP SAML?
  – The next wave of magic
• Integration with
  – Shib
  – A-Select
  – Or other
What does Security mean?
• Why not web redirect?
  – We don't share our password with others (not secure).
• Why not VPN?
  – Which VPN?
  – ACL / XML lists, and how long they get
    • (1006 sites x 2 VPN x 16 firewall rules = 32192 lines)
    • (not scalable)
What does Security mean?
• Why WPA TKIP?
  – Open: all traffic is clear.
  – WEP: is hacked (all traffic is clear).
  – WPA with TKIP: is in most APs now and gives a good level of security.
• Why EAP-TTLS?
  – Secure PAP password exchange (the password only ever travels inside the TLS tunnel).
  – Many supplicants are available.
• 802.1X is worth the pain.
What does Education mean?
• Training
• Support
• Debugging
• Site Visits

Skills can be imported.
What does Monitoring mean?
• Servers
  – What's up?
  – What's down?
  – What's the impact?
  – Who to contact?
  (this is only half the story)
What does Monitoring mean?
• Service
  – Is Auth up?
  – Is Auth down? (where)
  – What's the impact?
  – Who to contact?
  – Must be end to end.
• I like to know this before the clients do.
What does Granular Control mean?
• How do we identify?
• How do we suspend access?
• How can a client obtain their roaming data?
• This will empower users and providers.
What does Policies mean?
• Policies support and protect
  – The service
  – The provider
  – The client
• The Australian Policy is complete.
  – (Ratification is in its final stages)
  – This work has been completed by James Sankar of AARNet.
What does Service Levels mean?
• As a service
  – We need to define the service.
  – We need to set response times.
  – We need to supply a level of service to our clients.
What does IPv6 mean?
• IPv6 is fundamental in this region.
  – All eduroam type services need to work on v6.
    • (not all sites, but the service)
  – We will be looking closely at v6 mobility.
  – And also IPsec for secure roaming.
What You Need to Play
International eduroam portals

Local NREN eduroam Portal
Elements of a portal
• Local information
  • Services
  • Participants
  • Policies
  • Technology
• International links
  • Information for roaming
• Mail lists
  • How to contact groups
Local NREN eduroam Portal
Data Mining
• Who's interested?
• Where are they from?
• Are you hitting your targets?
Local NREN eduroam Portal
• Did anyone read the news release?
  • Put links in your news release (this helps).
• How can I make use of this information?
Local NREN eduroam Portal
Feedback and help
• Feedback is important
  • for the program.
  • for the NREN.
  • for the institute.
  • for the user.
• Use detailed user guides on the portal.
• Put in links to the WIKI forum page.
• Users who can help themselves don't call.
Team Requirements
What people are required for eduroam
  – The wireless people
    • Basic wireless administration skills.
  – The directory people
    • Average RADIUS administrative skills.
  – The security people
    • Average firewall/ACL skills.
  – The desktop support
    • Basic to average skills.
• It's not about the technology; that's easy.
Team Requirements
What the people require from eduroam
  – Trust.
    • Policy.
    • Reactive, collaborative, community.
    • Policy.
  – For the NREN.
    • See people.
• It's all about the people.
Local Wireless Implementation
802.1X Tools
• SecureW2 (Alfa & Ariss)
  – SecureW2 for Windows platforms is the cost-effective and most robust client solution for deploying 802.1X networks. The SecureW2 Client enables EAP-TTLS using the standard Microsoft IEEE 802.1X client currently available for Windows 2000, Windows XP and Pocket PC 2003.
• Now open source
Local Wireless Implementation
Cisco 1200 Series Access Point setup for eduroam
• Under Security, Encryption Manager.
• Select VLAN in the drop-down box under Set Encryption Mode and Key for VLAN.
• Select Cipher in Encryption Modes.
• Select TKIP in the Cipher drop-down box.
• Clear Encryption keys.
• Select Encryption key 2.
Local Wireless Implementation
• Under Security, SSID Manager.
• Select eduroam SSID.
• Under Authentication Settings, Methods Accepted.
• Select Open Authentication with EAP in the drop-down box.
• Select Network EAP.
• Under Authentication Settings, Server Properties.
• Select Customize.
• Under Priority 1 select your RADIUS server's address.
Radius Implementation
• Create national RADIUS server.
• Federate to international server.
  – Good service selling point.
• Create institutional RADIUS services.
• Create test accounts.
  – On all sites.
• RADIUS Tools
  – FreeRADIUS: a most excellent free RADIUS server.
Radius Implementation
• Deliver cookie cuts. (AUS example)
  – Config for the end user to connect to the national server:

    # Any realm this server does not handle itself is proxied to the
    # national AU eduroam server; the shared secret keys this one link.
    realm DEFAULT {
        type      = radius
        authhost  = 203.22.212.134:1812
        accthost  = 203.22.212.134:1813
        secret    = XXXXXXXXXXXX
        nostrip            # forward user@realm unchanged
    }

    # The national server is also a client of ours, so replies and
    # requests for our own realm are accepted from it.
    client 203.22.212.134 {
        shortname = national-au-eduroam1
        secret    = XXXXXXXXXX
    }
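The realm DEFAULT / client pair above is one manually keyed link in the hierarchy of RADIUS proxies described in the current eduroam environment slide. As an added illustration (not code from these slides, from FreeRADIUS or from any eduroam operator), the following Python models that hierarchy: a request for a foreign realm is forwarded upstream hop by hop, each hop only accepts it from a peer whose shared secret matches, and the national and top-level servers route known realm suffixes back down. Server names, realms, accounts and secrets are all constructed for the demo.

```python
class RadiusServer:
    """One proxy in the eduroam hierarchy: realms it owns are authenticated locally,
    known realm suffixes are routed down, everything else goes to the DEFAULT upstream."""

    def __init__(self, name, home_realms=None):
        self.name = name
        self.home_realms = home_realms or {}   # realm -> {user: password}
        self.routes = {}                        # realm suffix -> (peer, secret)
        self.default = None                     # (upstream peer, secret) or None
        self.peer_secrets = {}                  # peer name -> secret we expect from it

    def link(self, peer, secret, suffix=None):
        if suffix is None:                      # like "realm DEFAULT" in the cookie cut
            self.default = (peer, secret)
        else:
            self.routes[suffix] = (peer, secret)
        peer.peer_secrets[self.name] = secret   # like the "client" block at the other end

    def next_hop(self, realm):
        # Longest matching suffix wins, e.g. "uni.edu.au" before "edu.au".
        for suffix in sorted(self.routes, key=len, reverse=True):
            if realm == suffix or realm.endswith("." + suffix):
                return self.routes[suffix]
        return self.default

    def access_request(self, user_name, password, from_peer=None, secret=None, path=()):
        """Return (accepted, path); path lists every server the request crossed."""
        if from_peer is not None and self.peer_secrets.get(from_peer) != secret:
            return False, path + (self.name + ":bad-secret",)   # unknown or mis-keyed peer
        path = path + (self.name,)
        user, _, realm = user_name.rpartition("@")
        realm = realm.lower()
        if realm in self.home_realms:            # home institution: check the password
            return self.home_realms[realm].get(user) == password, path
        hop = self.next_hop(realm)
        if hop is None or len(path) > 6:         # unroutable realm, or a proxy loop
            return False, path
        peer, link_secret = hop                  # forward unchanged ("nostrip")
        return peer.access_request(user_name, password, self.name, link_secret, path)


def build_demo():
    """Constructed two-country hierarchy (institution -> national -> top level)."""
    top, nat_au, nat_tw = RadiusServer("top"), RadiusServer("nat-au"), RadiusServer("nat-tw")
    uni_au = RadiusServer("uni-au", {"uni.edu.au": {"alice": "pw-a"}})
    uni_tw = RadiusServer("uni-tw", {"uni.edu.tw": {"bob": "pw-b"}})
    uni_au.link(nat_au, "k1"); nat_au.link(uni_au, "k1", "uni.edu.au")
    uni_tw.link(nat_tw, "k2"); nat_tw.link(uni_tw, "k2", "uni.edu.tw")
    nat_au.link(top, "k3");    top.link(nat_au, "k3", "edu.au")
    nat_tw.link(top, "k4");    top.link(nat_tw, "k4", "edu.tw")
    return {s.name: s for s in (top, nat_au, nat_tw, uni_au, uni_tw)}
```

A visiting user from the TW institution is accepted at the AU campus only after the request has crossed every proxy on the way home, a realm nobody owns bounces between national and top level until the loop guard drops it, and a peer that was never keyed is refused at the first hop.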
Layer 8
• Layer 8
  – Can be your friend.
    • They want the service.
    • They can see the business drivers.
    • Will divert resources to the project.
  – Can be your enemy.
    • They can have unrealistic expectations.
    • The word "policy" triggers lawyers.
    • Lawyer means money and long documents.
Layer 8
Know your Landscape
  – What is out there?
  – What does the community want?
  – Can you meet their requirements?
  – Can you control expectations?
  – Can you deliver the service?
  – Where can you go for help?
eduroam Links
eduroam AU Site: http://www.eduroam.edu.au
APAN eduroam Site: http://www.apaneduroam.edu.au
Eduroam Global Working Group: http://www.eduroam.edu.au/gwg-eduroam
Global working group email list: gwg-eduroam@eduroam.edu.au
Email Enquiries: enquiries@eduroam.edu.au, join@eduroam.au
Joining eduroam
Thank you

Please join eduroam
http://www.eduroam.org
http://www.eduroam.edu.au

Acknowledgments
Surfnet, TF Mobility TERENA, UNI-C & AARNet
TECH chris.myers@grangenet.net
Policy james.sankar@aarnet.edu.au