eduroam Supporting Services Miroslav Milinovic, CARNet/Srce <[email protected]> 2014 Technology Exchange, Indianapolis, USA October 26-30, 2014
Transcript
  • eduroam Supporting Services

    Miroslav Milinovic, CARNet/Srce

    2014 Technology Exchange, Indianapolis, USA

    October 26-30, 2014

  • 2 Connect | Communicate | Collaborate

    eduroam service in a nutshell

    objectives:

    – build and maintain (European) education roaming service

    – provide secure, consistent and uniform network access service (inside the boundaries of the confederation)

    motto: “open your laptop and be online”

    eduroam infrastructure:

    technology infrastructure:

    – (E)TLRSs, FLRSs, IdPs and SP RADIUS servers

    – network access elements (APs/switches)

    supporting infrastructure: supporting services suite

    – eduroam web site

    – eduroam database

    – monitoring and metering service

    – diagnostics, configuration assistance

    – ...

  • Slide 3

    It all started with ...

    TERENA TF-mobility (inter-NREN) roaming requirements (http://www.terena.org/activities/tf-mobility/deliverables/delC/DelC1-4.pdf)

    identify users uniquely at the edge of the network

    enable guest usage

    scalable

    – local user administration and authentication

    easy to install and use

    – at the most one-time installation by the user

    open


  • Slide 4

    The solution (eduroam™)

    [Diagram: Supplicant (user joe@university_b.hr) – Authenticator (AP or switch) – University A RADIUS server – Central RADIUS Proxy server (XYZnet) – University B RADIUS server; each university with its own User DB; Student, Commercial and Employee VLANs; data and signalling paths]

    • Trust: RADIUS & policy documents

    • 802.1X + EAP

    • (VLAN assignment)

  • Slide 5

    (Basic) eduroam technology

    security based on 802.1X

    – integration with VLAN assignment

    – protection of credentials

    authentication based on EAP (Extensible Authentication Protocol)

    – different authentication mechanisms possible by using EAP

    roaming based on RADIUS proxying (Remote Authentication Dial In User Service)

    – transport-protocol for authentication information

    trust fabric based on:

    – technical: RADIUS hierarchy

    – policy: documents/contracts that define the responsibilities of user, institution, (N)RO

  • Slide 6

    From a pilot to a service

    TF-Mobility started work on eduroam in 2002

    GN2: JRA5 (2004), SA5 (2007)

    European eduroam Policy v1.0 (January 2008)

    supporting services

    service officially started on September 1, 2008 (http://www.eduroam.org)

    GN3 (2009-2013) / GN3plus (2013-2015) / GN4 (2015 - …)

    European eduroam Policy v2.0 (July 2012) (https://www.eduroam.org/index.php?p=docs)

    further development of infrastructure and supporting services

    44 countries

    GeGC (Global eduroam Governance Committee) (2011 - )

    global governance

    eduroam Compliance Statement (October 2011) https://www.eduroam.org/downloads/docs/eduroam_Compliance_Statement_v1_0.pdf

    6 continents (70 countries)

  • Slide 7

    Global eduroam

  • Slide 8

    eduroam in numbers

    10+ years after:

    70 countries (44 in Europe)

    >12000 (>10000 in Europe) service locations registered in the eduroam database (http://monitor.eduroam.org/user_map/)

    GeGC members from 6 continents

    new countries interested to join ...

    F-ticks - cumulative stats from 30 European countries (September 2014)

    total of ≈140 million successful authN

    ETLRS server logs (September 2014):

    33.800.000+ successful international authN

    4.400.000+ CSI (device)

    eduroam SSID is widely known

    http://www.wigle.net/gps/gps/main/ssidstats


  • Slide 9

    European eduroam authN traffic

    ≈30 participating countries

    [Chart: monthly authN from 2013-04 to 2014-09; International authN in Millions (scale 0-40) and National authN in Millions (scale 0-140)]

    National authN* / International authN**

    * National authN = total number of authN in the same country counted via f-ticks

    ** International authN = number of international (cross-border) authN counted in the logs of ETLR servers

  • Slide 10

    (European) eduroam service model

    [Diagram: eduroam service (governed by eduroam SG); within it the eduroam confederation service (provided by OT) and the national eduroam services (each provided by an NREN/NRO), ...]

  • Slide 11

    (European) eduroam service “stack”

    end users

    institution-level personnel

    federation-level personnel

    operational team

  • Slide 12

    User support:

    problem escalation scenario (1)

    [Diagram: visited federation (user, local institution admin., fed.-level admin.), home federation (local institution admin., fed.-level admin.) and OT; escalation steps numbered 1,2 → 3 → 4]

  • Slide 13

    User support:

    problem escalation scenario (2)

    [Diagram: visited federation (user, local institution admin., fed.-level admin.), home federation (local institution admin., fed.-level admin.) and OT; escalation steps numbered 1,2, 3, 4 (4a, 4b), 5, 6]

  • Slide 14

    Supporting services suite (1)

    [Diagram: core services with the eduroam db at the centre, serving fed.op. support, SP support, IdP support, enduser support and the general public (?)]

  • Slide 15

    Supporting services suite (2)

    based on the concept known as OSS (operations support system)

    supporting apps. portfolio to meet the needs of all user groups

    end-users, IdP-admins, SP-admins, fed-admins, OT

    general public

    eduroam db as a core data source

    completeness (?)

    open data (?)

    currently available

    public sites:

    – http://monitor.eduroam.org: with maps, monitoring and metering information (f-ticks)

    – https://cat.eduroam.org: Configuration Assistant Tool (CAT)

    protected sites (eduGAIN + social networks based AuthN):

    – eduroam db web interface, testing on demand, CAT for admins, ...

    (new) supporting services portal: http://monitor.eduroam.org, to be launched in November 2014

  • Slide 16

    eduroam database

    authoritative data source for all supporting services (including contact pages on www.eduroam.org and the eduroam companion tool for smartphones)

    currently holds info from 55 countries

    more info at http://monitor.eduroam.org/database

    available maps:

    http://monitor.eduroam.org/user_map

    http://monitor.eduroam.org/eduroam_map.php?type=all

    a tool for service administration / for (N)ROs

    DJNRO (http://djnro.grnet.gr/)


  • Slide 17

    Maps: examples


  • Slide 18

    Monitoring: problem definition

    monitor functionality of the eduroam infrastructure:

    servers

    infrastructure

    user experience

    ultimate goal is to test real user experience

    (very) different workflows at RADIUS servers for Accept and Reject

    perform both accept and reject logic tests

    a challenge: to build a WLAN probe

  • Slide 19

    Monitoring: status

    http://monitor.eduroam.org

    monitoring (E)TLRs and NRO servers (FLRSs)

    3 monitoring scenarios:

    monitoring servers

    monitoring infrastructure

    testing on demand

    ongoing development:

    new scenarios:

    CUI / ON, RadSec, IPv6, ...

    global monitoring

    ...


  • Slide 20

    Metering: F-Ticks

    (new) way of collecting stats

    simple, based on syslog

    http://monitor.eduroam.org/f-ticks/

    message formats:

    basic: F-TICKS/eduroam/1.0#REALM=%R#VISCOUNTRY=HR#CSI=%{Calling-Station-Id}#RESULT=OK#

    extended: F-TICKS/eduroam/1.0#REALM=%R#VISCOUNTRY=HR#VISINST=SP-Name#CSI=%{Calling-Station-Id}#RESULT=OK#

    http://www.ietf.org/archive/id/draft-johansson-fticks-00.txt
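As an added example, not part of the slides or of the eduroam tools, a Python parser for the two F-TICKS message formats above that aggregates the kind of figures the deck reports from the ETLR logs (OK/FAIL authN, cross-border authN, distinct CSI). The sample syslog lines are constructed, and mapping a realm to its home country via the realm's last label is an assumption made only for this example.

```python
# Added example (not from the slides or the eduroam tools): parse F-TICKS syslog
# records and aggregate successful authN, international authN and distinct
# client devices (CSI = Calling-Station-Id, i.e. the client MAC address).
import re
from collections import Counter

# Constructed sample syslog lines in the "basic" and "extended" formats from the
# slide; realms and MAC addresses are made up.
SAMPLE_LOG = """\
Sep 14 10:01:02 flr1 radiusd: F-TICKS/eduroam/1.0#REALM=srce.hr#VISCOUNTRY=HR#CSI=00-11-22-33-44-55#RESULT=OK#
Sep 14 10:01:05 flr1 radiusd: F-TICKS/eduroam/1.0#REALM=uni-example.de#VISCOUNTRY=HR#VISINST=SP-Name#CSI=66-77-88-99-AA-BB#RESULT=OK#
Sep 14 10:01:09 flr1 radiusd: F-TICKS/eduroam/1.0#REALM=uni-example.de#VISCOUNTRY=HR#CSI=66-77-88-99-AA-BB#RESULT=FAIL#
Sep 14 10:02:00 flr1 radiusd: some unrelated message
"""
FTICKS_RE = re.compile(r"F-TICKS/eduroam/1\.0#(?P<body>(?:[A-Z]+=[^#]*#)+)$")

def parse_fticks(line):
    """Return the fields of one F-TICKS record as a dict, or None if the line is not one."""
    m = FTICKS_RE.search(line)
    if not m:
        return None
    fields = dict(kv.partition("=")[::2] for kv in m.group("body").rstrip("#").split("#"))
    return fields if {"REALM", "VISCOUNTRY", "RESULT"}.issubset(fields) else None

def realm_country(realm):
    """Assumption for this example: the realm's last label is the home country code."""
    return realm.rsplit(".", 1)[-1].upper()

def summarise(log_text):
    """Count OK/FAIL authN, cross-border OK authN and distinct CSIs (devices)."""
    stats = Counter(ok=0, fail=0, international_ok=0)
    devices = set()
    for line in log_text.splitlines():
        rec = parse_fticks(line)
        if rec is None:
            continue  # not an F-TICKS record: ignore
        ok = rec["RESULT"] == "OK"
        stats["ok" if ok else "fail"] += 1
        # international = home realm is in a different country than the visited SP
        if ok and realm_country(rec["REALM"]) != rec["VISCOUNTRY"]:
            stats["international_ok"] += 1
        if rec.get("CSI"):
            devices.add(rec["CSI"].upper())
    stats["distinct_csi"] = len(devices)
    return dict(stats)
```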


  • Slide 21

    CAT

    Configuration Assistant Tool

    http://cat.eduroam.org (in production since March 2013)

    built to help users and IdP admins

    generate “installers” to ease the client device configuration process

    provides diagnostics functions for IdPs

    software development homepage: http://forge.geant.net/CAT/

    https://cat-test.eduroam.org – test version


  • Slide 22

    Why eduroam CAT?

    eduroam is a very secure roaming service

    10.000+ hotspots

    millions of users (close to 1 million downloads from CAT)

    credentials will only be disclosed to the user’s “home” server (IdP)

    no hotspot (eduroam SP) or any unauthorised rogue AP/server can grab credentials …

    … IF the user cares enough to verify that he is actually connecting to his own eduroam IdP!

    software on typical end-user devices makes it too easy to neglect security – automation of the setup process is required.

  • Slide 23

    How does eduroam CAT help?

    collects required setup parameters from the eduroam IdP

    simple web interface

    expert system verifies that information is complete and correct

    transforms parameters into automated installation programs for the eduroam Identity Provider’s end users:

    “just click” and eduroam will be installed

    – with all complexity hidden from the user

    – with full security enabled

    – digitally signed

    for many operating systems:

    – Windows XP, Vista, 7, 8, 8.1

    – Mac OS X 10.6+, iOS

    – Linux

    setup instructions in many languages
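The "verify you are connecting to your own IdP" condition from the previous slide and the "full security enabled" that the installers deliver come down to two settings in the client profile: a CA to validate the RADIUS server certificate and a server name to match against it. As an added example that is not CAT's own code, a Python check over a wpa_supplicant network block (constructed weak and hardened samples; the realm, CA path and server name are placeholders) that flags a profile which would hand credentials to any server:

```python
# Added example (not CAT's own code): check a wpa_supplicant network block for the
# settings that decide whether credentials can reach a server other than the home IdP.
import re

# Constructed samples; option names are real wpa_supplicant.conf options, the
# realm, CA path and server name are placeholders.
WEAK_BLOCK = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="joe@university_b.hr"
    password="secret"
}
"""
HARDENED_BLOCK = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@university_b.hr"
    identity="joe@university_b.hr"
    password="secret"
    ca_cert="/etc/ssl/certs/university_b-radius-ca.pem"
    domain_suffix_match="radius.university_b.hr"
}
"""
OPTION_RE = re.compile(r'^\s*(\w+)=(?:"([^"]*)"|(\S+))\s*$')

def parse_network_block(text):
    """Return {option: value} for the option lines inside network={ ... }."""
    opts = {}
    for m in filter(None, map(OPTION_RE.match, text.splitlines())):
        opts[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts

def check_block(text):
    """Return findings (an empty list means the profile pins the home IdP's server)."""
    o = parse_network_block(text)
    findings = []
    if "ca_cert" not in o:
        findings.append("no ca_cert: any server certificate is accepted")
    if not any(k in o for k in ("domain_suffix_match", "altsubject_match", "subject_match")):
        findings.append("no server name match: any certificate from that CA is accepted")
    if "anonymous_identity" not in o:
        findings.append("no anonymous_identity: real username visible to the visited SP")
    return findings
```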

  • Slide 24

    How does eduroam CAT work?

    1. End-User Interface

    • selection of Identity Provider

    • download and execution of Installer

    2. Administrator Interface

    • overview of settings

    • deep-link to own download area

    • expert system: setup verification

    sign-up for IdPs – by invitation only:

    eduroam Identity Providers should contact their eduroam National Roaming Operator (NRO) and request access

    they will receive a one-time authorisation token with a login link

  • Slide 25

    Conclusion & future work

    supporting services are a must

    current tools

    work well

    [can be | are used] globally

    future work

    awareness, outreach & completeness

    extend the tools portfolio

    improve current tools

  • Slide 26

    http://www.eduroam.org

    http://monitor.eduroam.org

    https://cat.eduroam.org

    [email protected]

    [email protected]

    [email protected]


  • Slide 27

    www.geant.net

    www.twitter.com/GEANTnews | www.facebook.com/GEANTnetwork | www.youtube.com/GEANTtv


    Thank you!
