Introduction to eduroam

Similar documents
ilight/gigapop eduroam Discussion Campus Network Engineering

Introduction to eduroam

Guide to Configuring eduroam Using the Aruba Wireless Controller and ClearPass RADIUS

1.3 More information about eduroam is available at the relevant eduroam Service Provider (ESP) website detailed in Schedule 1 of this document.

802.1X: Deployment Experiences and Obstacles to Widespread Adoption

TopGlobal MB8000 Hotspots Solution

ACCP-V6.2Q&As. Aruba Certified Clearpass Professional v6.2. Pass Aruba ACCP-V6.2 Exam with 100% Guarantee

Wireless access for Oxford University Staff on Oxfordshire NHS sites

802.1x Port Based Authentication

New Windows build with WLAN access

ENHANCING PUBLIC WIFI SECURITY

NXC Series. Handbook. NXC Controllers NXC 2500/ Default Login Details. Firmware Version 5.00 Edition 19, 5/

Configuring FlexConnect Groups

Microsoft NPS Configuration Guide

Exam HP2-Z32 Implementing HP MSM Wireless Networks Version: 7.1 [ Total Questions: 115 ]

eduroam Managed IdP Product Presentation

Rhodes University Wireless Network

ISE Primer.

ForeScout CounterACT. Configuration Guide. Version 4.3

Dolby Conference Phone 3.1 configuration guide for West

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

Exam Questions CWSP-205

VOCOM II. WLAN Instructions. VOCOM II Tough

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

Forescout. Configuration Guide. Version 4.4

802.1X: Background, Theory & Implementation

Standard For IIUM Wireless Networking

Configuring 802.1X Settings on the WAP351

Policy Management and Inter-domain Mobility for eduroam through virtual Access Points (vaps)

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

P ART 3. Configuring the Infrastructure

Cisco Structured Wireless-Aware Network (SWAN) Implementation Guide

Managing External Identity Sources

CounterACT 802.1X Plugin

REMOTE AUTHENTICATION DIAL IN USER SERVICE

Authentication and Security: IEEE 802.1x and protocols EAP based

PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

Zebra Setup Utility, Zebra Mobile Printer, Microsoft NPS, Cisco Controller, PEAP and WPA-PEAP

AXIS M1065-LW Network Camera. User Manual

Configuring FlexConnect Groups

Scottish Wide Area Network (SWAN) update & Partnership Connectivity

Integrating Meraki Networks with

IEEE 802.1X workshop. Networkshop 34, 4 April Josh Howlett, JRS Technical Support, University of Bristol. Copyright JNT Association

Verify Radius Server Connectivity with Test AAA Radius Command

RADIUS Configuration Note WINS : Wireless Interoperability & Network Solutions

Your wireless network

Aruba Instant

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

Network Administrator s Guide

SAML-Based SSO Solution

Cisco Exam Questions & Answers

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1

MCSA Guide to Networking with Windows Server 2016, Exam

Table of Contents. Why doesn t the phone pass 802.1X authentication?... 16

Monitoring of RADIUS infrastructure

Implementing Security in Windows 2003 Network (70-299)

CompTIA Network+ Study Guide Table of Contents

Connectivity Made Easy MOBILE OFFLOAD HOSPITALITY. ANTlabs CARRIER WIFI BYOD

Understand iwag Solution for 3G Mobile Data

Agile Controller-Campus V100R002C10. Permission Control Technical White Paper. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD.

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

Configuring EAP-FAST CHAPTER

Eduroam wireless network - Mac OSX 10.5 Leopard

Wireless LAN Controller Web Authentication Configuration Example

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Secure Access Solutions. Version: Demo

Jisc Assent Service Technical Specification

System Requirements. Network Administrator Guide

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Cisco 4400 Series Wireless LAN Controllers PEAP Under Unified Wireless Networks with Microsoft Internet Authentication Service (IAS)

SAML-Based SSO Solution

ITDUMPS QUESTION & ANSWER. Accurate study guides, High passing rate! IT dumps provides update free of charge in one year!

!! Configuration of RFS4000 version R!! version 2.3!! ip access-list BROADCAST-MULTICAST-CONTROL permit tcp any any rule-precedence 10

Vendor: Cisco. Exam Code: Exam Name: Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0. Version: Demo

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

Self-Service Diagnostics and eduroam as-a-service

Monitor Mode Deployment with Cisco Identity Services Engine. Secure Access How -To Guides Series

Creating Wireless Networks

Aerohive Configuration Guide RADIUS Authentication

AAA Authentication: New Use Cases

Seamless Yet Secure -Hotspot Roaming

User Directories and Campus Network Authentication - A Wireless Case Study

SecureW2 and Wi-Fi Cloud. Integration Guide

MOC 6421B: Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure

Cisco WAP121 Wireless-N Access Point with Single Point Setup

Configure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3

Juniper Exam JN0-314 Junos Pulse Access Control, Specialist (JNCIS-AC) Version: 7.0 [ Total Questions: 222 ]

Configuring Authentication Types

Junos Pulse Access Control Service

Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1

Mobility Groups. Information About Mobility

Grandstream Networks, Inc. Captive Portal Authentication via RADIUS

Network Policy Controller UAM/RADIUS Guide

Zebra Mobile Printer, Zebra Setup Utility, Cisco ACS, Cisco Controller PEAP and WPA-PEAP

About 802.1X... 3 Yealink IP Phones Compatible with 802.1X... 3 Configuring 802.1X Settings... 5 Configuring 802.1X using configuration files...

Network Access Flows APPENDIXB

SAML-Based SSO Configuration

Configuring Hybrid REAP

Tunneling Configuration Guide for Enterprise

Tech Note. Configuring NPS WITH ACTIVE DIRECTORY

Cross-organisational roaming on wireless LANs based on the 802.1X framework Author:

Transcription:

SLIDE 1 - COPYRIGHT 2015 Introduction to eduroam LEARN eduroam Workshop 6 th May 2016

2 SLIDE 2 - COPYRIGHT 2015 Introduction Paul Hii Australia s National Research and Education Network (NREN) UC & Video Service Manager eduroam Service Manager Trans-Eurasia Information Network eduroam Project Project Coordinator

SLIDE 3 - COPYRIGHT 2015 About AARNet Origins Australia s National Research and Education Network (NREN) A registered carrier under the Australian Telecommunications Act. Operate our own dark fibre and optical transmission systems across the country High-end network designed specifically for Research and Education Over-engineered to avoid congestion and allow for large data peaks. Fault tolerant design. Uncontended, dedicated connections. Supports direct optical circuits, IPv6, IPv4 multicast, Jumbo frames Provide service to any R&E including to schools, TAFE, health and cultural. A Not-for-profit Company, owned by the Universities and CSIRO Most revenue comes from charges for services to members ~80 staff distributed across Australia ~120 connected organisations, ~ 1.5 million end-users

SLIDE 4 - COPYRIGHT 2015

SLIDE 5 - COPYRIGHT 2015 UC & Video 1600000 Minutes 8000 Meetings 1400000 7000 1200000 6000 1000000 5000 800000 4000 600000 3000 400000 2000 200000 1000 0 0

CloudStor SLIDE 6 - COPYRIGHT 2015

SLIDE 7 - COPYRIGHT 2015 XeAP Project extending eduroam into Asia Pacific Project lead by AARNet and sponsored by TEIN*CC Project Leader: John Batchelder Project Coordinator: Paul Hii Technical Leader: Neil Witheridge Funding for TEIN beneficiaries to implement eduroam in selected countries 7 countries: Bhutan, Indonesia, Malaysia, Nepal, Pakistan, Sri Lanka, Philippines Create resources to be shared with APAC countries. Achieve eduroam Compliance. More than just deploying RADIUS servers for eduroam.

Introduction SLIDE 8 - COPYRIGHT 2015 EDUcation ROAMing Easy network access when visiting other institutions. Started in 2002 in Europe Over 67 countries Global eduroam Governance Committee (GeGC) Hierarchy of RADIUS servers and 802.1x Defined in RFC7593 Similar service - GOVROAM

What is eduroam (value proposition) SLIDE 9 - COPYRIGHT 2015 Eduroam is a global service enabling education and research institution users zeroeffort access to the network of visited eduroam participating institutions, by virtue of their remote authentication at their home institution. Connect automatically to eduroam with username@myuni.edu and password Home Institution eduroam Identity Provider (IdP) WAP eduroam myuni.edu (user s realm ) 1 username password 2 3.2 Visited Institution eduroam Service Provider (SP) University, hospital, museum, library, art-gallery, café 3.1 WAP eduroam 4 4 1 Configure eduroam authentication 2 Travel to eduroam participating institution 3 Authenticate remotely via eduroam 4 Access visited institution network

APAC Top-Level RADIUS Servers Classical eduroam uses hierarchical infrastructure Institutional, National, Regional (Top-Level) RADIUS servers SLIDE 10 - COPYRIGHT 2015 TLRS NRS or FLR IRS or ORPS

SLIDE 11 - COPYRIGHT 2015 What is eduroam (technical perspective) Infrastructure Components: Supplicant, Network Access Server, RADIUS Servers (Proxy Servers, Authentication Server) Protocols: 802.1x (EAP over LAN), RADIUS with tunnelled EAP (TTLS, PEAP) Institutions have Identity Provider (IdP) (authenticate) and/or Service Provider (SP) (proxy for remote auth, grant access) roles Authentication: RADIUS response access accept Attributes: RADIUS attributes

RADIUS Transaction (wireshark) SLIDE 12 - COPYRIGHT 2015 See RFC2865 1 Access-Request 2 Access-Accept 3 Access-Reject 4 Accounting-Request 5 Accounting-Response 11 Access-Challenge 12 Status-Server (experimental) 13 Status-Client (experimental) 255 Reserved

SLIDE 13 - COPYRIGHT 2015 RADIUS Transaction Overview NRO admin needs to understand tunneled EAP/ RADIUS TTLS/PAP, PEAP/MSCHAPv2, also TLS E.g. PEAP/MSCHAPv2 authentication Involves ~8 RADIUS transactions (request,responses) Or Access-Reject if auth fails Source: https://www.dkit.ie/file/6374

eduroam AU SLIDE 14 - COPYRIGHT 2015

eduroam AU SLIDE 15 - COPYRIGHT 2015

SLIDE 16 - COPYRIGHT 2015 eduroam Service Pre-Requisites Trusted protocols, infrastructure and operators Trust model that meets the requirements of the service. Technical & administrative capability of NRO eduroam relies on NRO competencies Willingness and ability to devote required resources Technical & administrative capability of Institutions eduroam relies on institutional competencies Identity Management at institutions Wireless infrastructure operability Business-case for eduroam eduroam relies on institutional & end-user demand Establishment of a business-case justifying cost & effort

SLIDE 17 - COPYRIGHT 2015 Institutional eduroam participation (IdP+SP) Pre-requisites for Institution Effective Identity Management Operational wireless infrastructure Institutional network access and Acceptable Use Policy Availability of support for eduroam at the institution Global & National eduroam policy agreement Planning & Joining Process Planning: Wireless 802.1x, Traffic handling (VLAN, IP addressing, protocols), RADIUS Server deployment (realm, attributes, logging, test user, trust test&monitoring server, certificate), Support, Webpage Institutional deployment info into eduroam AdminTool Institutional deployment of RADIUS server, network access National RADIUS Server configuration Operability Testing & Auditing

Questions? SLIDE 18 - COPYRIGHT 2015 End of Introduction

INSTITUTIONAL EDUROAM DEPLOYMENT SLIDE 19 - COPYRIGHT 2015

Typical Institutional Deployment SLIDE 20 - COPYRIGHT 2015

SLIDE 21 - COPYRIGHT 2015 Institutional eduroam participation (IdP+SP) Application to participate in eduroam involving the exchange of institutional and basic eduroam deployment planning information allowing the National Roaming Operator (the NRO) to assess the institution s satisfaction of prerequisites and ability to operate sustainably as an eduroam participant Deployment of eduroam Satisfying technical and administrative requirements eduroam Operability Audit Commencement of participation NRO announcement of the institution s participation in eduroam to current eduroam national participants, and globally via upload of the institution s eduroam deployment data to the eduroam global database

SLIDE 22 - COPYRIGHT 2015 Institutional Technical Pre-Requisites (To be assessed during 1 st step of institutional joining process) Identity Management Directory Realms supported Provide institutional test accounts for testing/monitoring/troubleshooting Wireless Infrastructure Coverage IEEE 802.1x Network Access ISP, if not NREN Acceptable Use Policy IT Support RADIUS/IdP capability, Helpdesk, eduroam webpage

SLIDE 23 - COPYRIGHT 2015 Institutional Wireless Infrastructure 802.1x capable Broadcast of SSID eduroam Issue relating to overlapping hotspots Potential of IEEE 802.11u to alleviate issue Wireless coverage across campuses Availability of coverage maps Incidental hotspots Encryption support (WPA2-Enterprise required) Tunneled EAP Protocol Choice of inner-authentication (depends on identity store) Limitations of WiFi Supplicants on various platforms See presentation by GEANT comparing supplicants

SLIDE 24 - COPYRIGHT 2015 Network Access Service Successful authentication -> network access for user SP role eduroam objectives Provide open network access according to local policy (unconstrained compared with users home environment) See list of recommended network protocols Network Characteristics Segregation of eduroam user traffic via VLAN IP Address allocation (DHCP, NAT ing, range available) Application Proxy (http proxy) Traffic constraints Data rate limiting, data volume quota

SLIDE 25 - COPYRIGHT 2015 Institutional eduroam Implementation Institutional RADIUS server must comply with RFC2865 FreeRADIUS, Radiator, Cisco ISE, Microsoft NPS (+ RadSecProxy) Others in use: Cisco ACS, Microsoft IAS, Aruba Clearpass Deploy RADIUS servers Preferrably public ip address and firewall access provisioned Accurate clock synchronisation Enable trusted client access Determine authentication protocols for local realm Supported clients User credentials store Acquire server certificate Establish TLS session Same certificate for all RADIUS servers. FQDN but need not DNS name. Provide CA and intermediate certificates if not pre-trusted Authentication logging, includes attributes.

SLIDE 26 - COPYRIGHT 2015 Institutional RADIUS Server Requirements for proxied RADIUS requests RADIUS Attributes Filtering to release only required attributes Generate Chargeable-User-Identity (CUI) (for IdP role) Include Operator-Name (ON) (for SP role) Terminate (i.e. don t proxy) accounting requests Configure bogus realm black-listing E.g. *.3gppnetwork.org Reject request with badly formatted username (e.g. invalid char s) Use Status-Server to handle non-responsive servers Configure trust for NRO Test and Monitoring Server (TMS)

SLIDE 27 - COPYRIGHT 2015 Institutional RADIUS Server (cont d) Deployment considerations Time synchronisation (NTP) Server Redundancy (high-availability deployment) Load-balancing RADIUS Request Logging Trust model ability to trace a network access to a real user Traceability of Users achieved via logging Attributes to be logged DateTimeStamp, User-Name (outer) i.e. realm, Packet Type (Access-Accept, Access- Reject), Chargeable-User-Identifier, NAS-IP-Address (IP address of adjacent RADIUS client, i.e. NAS or proxy server), Operator-Name (identifier for institution providing network access), Calling-Station-ID (MAC address of user device)

RADIUS Attributes SLIDE 28 - COPYRIGHT 2015 Set of attributes required (at a minimum) to support eduroam ref. https://community.jisc.ac.uk/library/janet-services-documentation/faqs-eduroam-system-administrators-and-implementation-techs) Below attributes must NOT be filtered out of RADIUS messages of type Access-Request, Access-Challenge, Access-Accept, Access-Reject 1. User-Name 4. NAS-IP-Address 18. Reply-Message 24. State 25. Class 31. Calling-Station-ID 33. Proxy-State 79. EAP-Message 80. Message-Authenticator 89. Chargeable-User-Identity Unique, opaque identifier for user 126. Operator-Name Identifier for visited institution i.e. where authentication request originated and Microsoft vendor specific attributes: MS-MPPE-Send-Key, MS-MPPE-Recv-Key For RADIUS Accounting Messages (institutions should not proxy local accounting requests, but can t control what comes in) 1. User-Name 25. Class 33. Proxy-State 40. Acct-Status-Type 44. Acct-Session-ID username@realm (note username might be anonymous) IP address of adjacent NAS or RADIUS proxy from which request received Reason, for Access-Reject for example. User device MAC address Inner-authentication RADIUS attributes (encrypted) Info to be logged

SLIDE 29 - COPYRIGHT 2015 Tools of trade for eduroam Troubleshooting tools rad_eap_test RADIUS client (wrapper around WPA supplicant eapol_test) Logs/splunk/ELK Wireshark/tcpdump Splunk query & output rad_eap_test request & output

SLIDE 30 - COPYRIGHT 2015

Questions? SLIDE 31 - COPYRIGHT 2015 Next lets build an institutional RADIUS for eduroam Thank-You Please send feedback/questions to: Paul.Hii@aarnet.edu.au

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback