Eduroam services presentation to ERNET August 2010-j sankar

Copyright AARNet Pty Ltd 2010

Network Operations

Eduroam Services for ERNet consideration

August 2010

James Sankar Director, Applications & Services


Background •  Involved at UKERNA (now JA.NET) •  Co-Chaired TF-Mobility group (2002-2005). •  Developed eduroam to initially 50 sites in UK •  Migrated to Australia

–  Service continued and developed via AARNet project group after handover from GrangeNet (3+ years),

•  Eduroam and its logo is a registered trademark of TERENA

2


Contents •  The problem statement •  The opportunity and value to NRENs •  The current eduroam landscape – services •  The current eduroam landscape – development •  Opportunities for ERNET to consider going

forward •  More Information


Problem statement •  Students come with own mobile devices expecting

to connect

•  Visiting scholars, researchers bound by complex policies at institutions

•  different wireless networks on campus = duplication, waste, security gaps

•  Overseas campuses access in another languages or require data roaming.

•  Regulations, complexity, cost harming collaboration and wasting resources


Opportunities •  Eduroam is tried and trusted - since 2003

•  802.1X/RADIUS/RADSSEC and WPA2/AES for eduroam – can build on opensource FREERADIUS 2

•  Full egress internet access on authz service should be ideal as minimum to join

•  Most Operating systems now support eduroam

•  Man-in-middle attacks stopped via certificates

•  Some vendors provide easy to click and install eduroam supplicants


How eduroam works


Eduroam Infrastructure in AUS - current

7

.au PNG

NZ

org1.edu.au org2.edu.au

AP1 AP2 AP3

RADIUS + LDAP

AP1 AP2 AP3

.au .hk

.au

RADIUS + LDAP


Eduroam Infrastructure in AUS - future

8

.au PNG

NZ

org1.edu.au org2.edu.au

AP1 AP2 AP3

RADIUS + LDAP

AP1 AP2 AP3

.au .hk

.au

RADIUS + LDAP


Current eduroam services landscape

•  1800+ sites in Europe (originated there) •  144 sites in Australia •  21 sites in Canada •  10 sites in USA (expected to grow to 100) •  Interest from Mauritius, Nepal, India,


Eduroam in Asia-Pac

•  AU - AARNet (Australia) - hosts APAN regional eduroam server

•  CN - UESTC (China) •  HK - Hong Kong Polytechnic (Hong

Kong) - hosts APAN regional eduroam server

•  JP - NII (Japan) •  NZ - New Zealand - NZ sites are

hosted by AARNet in Australia •  Papua New Guinea - PNG sites

(Divine Word University) are hosted by AARNet in Australia

•  TW - TWAREN (Taiwan)

10


Eduroam services at AARNet •  AARNet

–  Host national and regional “top level” servers –  Provide support + documentation to connect –

www.eduroam.edu.au –  Provide test accounts for bilaterial tests –  Technical workshops –  Eduroam access at key conferences

•  Customers –  Provide eduroam coverage on campus (wifi, org servers) –  Provide local support (contacts, docs, website) –  Provide eduroam accounts to their local users to use

elsewhere 11


Helpdesk •  Use

[email protected] email address

•  Auto creates JIRA job ticket •  Email/Phone support

provided •  QUESTNET eduroam

helpdesk pics

12


Helpdesk •  AARNet helpdesk

–  Use [email protected] email address

–  Auto creates JIRA job ticket

–  Email/Phone support provided

•  Web presence –  Eduroam coverage via

Google Maps –  Services weathermap (in

development)

•  Standard connection process

–  1. Build your Infrastructure •  802.1X WPA Authentication

–  2. Choose an Authentication Type

–  3. Certificates –  4. Determine your IP address

allocation –  5. Traffic Policy –  6. Apply to join eduroam –  7. Configure a RADIUS Proxy and get

QA'd –  8. Build your local eduroam Webpage –  9. eduroam @ Home –  10. Inform the community

13


New opportunities •  Eduroam beyond the campus

–  On boats – city cat –  On buses – Brisbane buses –  On Islands – Sharke Island, Sydney –  At Health sites – 7+ hospitals for medical

researcher access •  Leveraging mobile devices (iphone etc) •  Futures

–  Integrate with 3G/4G/5G providers? –  Integrate with Shib/SAML for SSO to online

services/content? –  Use of Shibboleth to create temp eduroam

accounts for non-participating inst. users to try eduroam at conferences

–  PANGEA eduroam development partnership?

14


New opportunities

15

•  Eduroam beyond the campus –  On boats – city cat –  On buses – Brisbane buses –  On Islands – Sharke Island, Sydney –  At Health sites – 7+ hospitals for medical

researcher access •  Leveraging mobile devices (iphone etc) •  Futures

–  Integrate with 3G/4G/5G providers? –  Integrate with Shib/SAML for SSO to online

services/content? –  Use of Shibboleth to create temp eduroam

accounts for non-participating inst. users to try eduroam at conferences

–  PANGEA eduroam development partnership?


Marketing to user to drive awareness, deployment and use

•  Eduroam group on Facebook •  Eduroam rocks - http://amplicate.com/rocks/eduroam •  Eduroam animation – www.eduroam.edu.au •  Eduroam merchandise -T-Shirts – Stubby holders - User competitions @ events 16


AU and NZ Eduroam Participants


18

Up to 500 unique devices visiting other universities per week in Australia

2008 2009 2010


Support •  Community support is vital •  Requires 2 FTE dedicated staff

–  Technical expert – RADIUS/RADSSEC – current/future –  Services expert – handle helpdesk, customer connect,

operate, monitor service, policy enforcement, reporting, marketing etc

•  Support to 33 > 50 universities in Aus/NZ •  Support to region (top level, national, org) •  Coordination on tech/policy internationally – TF-

Mobility; Top level operator list, workshops, remote hands on support, etc with your staleholders

19


Current eduroam development landscape •  Strict standards for authentication, authorisation, encryption is key to

universal positive service experience to the end user.

•  A sustainable business model to fund the central helpdesk is key.

•  A national policy is very important as to monitoring and enforcement.

•  There’s a move from RADIUS to RADSSEC for peer-to-peer not hierarchy model

•  Global Harmonizing of helpdesk, measurement, monitoring, coverage info is important.

•  Developing eduroam in SOE for laptops and mobiles is key to uptake.

•  End-to-end actual service process monitoring key requirement for visited, local and service provider support


National Server monitoring

21

.au .cn .hk .jp .edu … .ca .nl

aarnet.edu.au org2.edu.au RADIUS

.au


Member server monitoring

22

.au .cn .hk .jp .edu … .ca .nl

aarnet.edu.au org2.edu.au RADIUS

.au

check [email protected] check [email protected]


23

E2e “federated” service monitoring

We can check all of the external services that form the federation. How do we check the service from the end user perspective?

1.  Ask a local user? 2.  Send someone to check the service? 3.  Leave a probe....


Sheeva Plug (latest versions integrate wifi)

24

http://www.globalscaletechnologies.com/p-22-sheevaplug-dev-kit-us.aspx


Port Probe & Reporting my%vpn=(tcp_10000

=>{port=>10000,name=>"tcp_10000",protocol=>"tcp"},isakmp

=>{port=>500,name=>"isakmp",protocol=>"udp"},ipsec_nat_t=>{port=>4500,name=>"ipsec‐nat‐

t",protocol=>"udp"},pptp=>{port=>1723,name=>"pptp",protocol=>"tcp"},l2f=>{port=>1701,name=>"l2f",protocol=>"tcp"},);

my%web=(http=>{port=>80,name=>"http",protocol=>"tcp"},https=>

{port=>443,name=>"https",protocol=>"tcp"});my%mail=(imaps=>

{port=>993,name=>"imaps",protocol=>"tcp"},submission=>

{port=>587,name=>"submission",protocol=>"tcp"});

25


Eduroam Experience - MyEduroam

CGI on VM collects probe reports Writes data to a log -  Log is processed, and provides data for a weathermap Considering NRPE (Remote Nagios) or NSCA (Remote Nagios – passive results) –

due to rich plug ins. 26


e2e Eduroam Monitoring

27


ERNET Opportunities •  Great demo of the value of NREN to leverage university wireless

networks via ERNET backbone.

•  Gather best practice on technical/policy/service

•  Create an eduroam federation: test national + org server and federate with APAN servers (managed by AARNet, HK Poly Univ).

•  Devise central service helpdesk

•  Consider sustainable model for institutions to subscribe

•  Provide RADIUS/RADSSEC + eduroam training to deploy eduroam, or assist on-site

•  Contribute to eduroam community – mailing lists, eduroam-GWG, help create new federation (eduroam/RADIUS + Shibboleth/SAML for SSO federation.

•  Eduroam access being developed for university medical researcher access at hospitals (backhaul via AARNet NREN) to assist researchers to collaborate


More information •  www.eduroam.org – global eduroam site

•  www.eduroam.edu.au - Australian eduroam site

•  Eduroam group on Facebook

•  Eduroam rocks - http://amplicate.com/rocks/eduroam

•  Enquiries to [email protected] or

•  Direct to me – James Sankar, +613932118438, Skype: jamessankar, email: [email protected]


Date post:	20-May-2015
Category:	Technology
Upload:	james-sankar
View:	1,054 times
Download:	1 times

Eduroam services presentation to ERNET August 2010-j sankar

Technology