Self-Service Diagnostics and eduroam as-a-service
To boldly roam how we never roamed before
Stefan Winter <stefan.winter@restena.lu>
Tomasz Wolniewicz <twoln@umk.pl>
Outline
- Background of eduroam supporting services
- User self-service support
- Admin self-service support
- eduroam-as-a-service
eduroam Operations Support Services - Background
- eduroam is what you define it to be:
  - a RADIUS backbone; for almost a decade, this was the canonical definition: if that one worked, eduroam was okay
  - a consortium; true, but meaningless for the end user
  - a service; but then just quietly running a RADIUS server is not enough!
  - a franchise brand: whoa, this means you can permanently damage yourself by delivering sub-par performance
eduroam Operations Support Services
- eduroam Operations Support Services (OSS) augment the technical RADIUS core
  - extend throughout the infrastructure
  - reach out to all parties
- OSS currently provides:
  - Common authentication platform for web-based support services (eduroam SP proxy)
  - Monitoring infrastructure
  - Operations Database
  - Usage statistics
  - User Onboarding
eduroam Operations Support Services - Missing Elements
- Brand damage may be prevented if:
  - Good explanation for any dis-service
  - Quick remedy!
- Gaps still exist! OSS does not currently provide:
  - Troubleshooting capabilities
  - Efficient communication channels
- Example at this TNC (int'l routing problem): User → eduroam OT: 24h; User → SP: 26h (OBE)
User self-service support
- Goal: one-stop shop to go to if things don't work
  - Identify the source of the problem
  - Suggest remedies
  - Enable the user to get in touch with pertinent personnel (yes, out-of-band)
- The User Support procedure in the European service definition is a manual process
- Create an expert system: automate as much as possible, by using real-time operations data to assist in fault-finding
- As little, and as gentle, interaction with the user as possible
Just one question...
- What is your Identity Provider (realm / from list)?
  - enough to conduct infrastructure reachability tests for that realm and its NRO top-level servers
  - augmented with monitoring information available at all times
- GeoIP info from the user's request: enough to identify the country they are having problems in
- Remains only the last-mile gap: in case of SP problems, how to identify the SP?
The Diagnostic Philharmony
[Diagram: the forwarding chain User Device - SP - SP NRO - ETLR - IdP NRO - IdP, annotated with the available checks: (M) direct, (M) direct, (M) int'l check, (M) country-to-country check, (C) eduroam CAT realm check, (X) hotspot probes]
Diagnosis
- Deterministic answer for the problem location:
  - IdP
  - IdP-NRO
  - ETLR
  - SP-NRO or further downstream
- Need two additional elements to provide better answers:
  - Hotspot probes to isolate SP-NRO vs. SP (WIP)
  - User device info to isolate local Wi-Fi issues (e.g. no DHCP) (later...)
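An added example (not code from the eduroam OSS, eduroam CAT or the presenters) of the deterministic localisation the diagnosis slide describes: the per-hop probe results for one realm are combined by an assumed rule that blames the first failing hop walking outward from the IdP, and returns "further downstream" when every hop answers. The hop names follow the slides; the probe order, the rule and the handling of contradictory results are assumptions.

```python
"""Fault localisation along the eduroam RADIUS forwarding chain (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hops as named on the slides, ordered outward from the user's home IdP.
# The order and the "first failing hop" rule below are assumptions.
CHAIN: List[str] = ["IdP", "IdP-NRO", "ETLR", "SP-NRO"]
DOWNSTREAM = "further downstream (SP or last mile)"


@dataclass(frozen=True)
class ProbeResult:
    hop: str   # element of CHAIN the monitoring probe sent its test auth through
    ok: bool   # True if a test authentication for the realm succeeded via that hop


def locate_fault(results: List[ProbeResult]) -> str:
    """Return the diagnosed problem location for one realm.

    Walking outward from the IdP, the first hop whose probe fails is blamed.
    If every hop answers, the fault lies beyond SP-NRO, which is exactly the
    gap the slides say hotspot probes and device info still have to close.
    A success reported beyond a failing hop cannot have travelled the same
    forwarding path (e.g. only the monitor itself is blocked from reaching
    the IdP directly), so it is flagged instead of being mis-diagnosed.
    """
    status: Dict[str, bool] = {r.hop: r.ok for r in results}
    missing = [hop for hop in CHAIN if hop not in status]
    if missing:
        raise ValueError(f"no probe result for {missing}")
    first_bad: Optional[str] = None
    for hop in CHAIN:
        if not status[hop]:
            first_bad = first_bad or hop
        elif first_bad is not None:
            return f"inconsistent: {hop} answers although {first_bad} does not"
    return first_bad or DOWNSTREAM


# Constructed sample: the IdP answers directly, but nothing beyond its NRO does.
SAMPLE = [ProbeResult("IdP", True), ProbeResult("IdP-NRO", False),
          ProbeResult("ETLR", False), ProbeResult("SP-NRO", False)]

if __name__ == "__main__":
    print(locate_fault(SAMPLE))  # IdP-NRO
```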
Admin self-service
- In large part, a by-product of fault-finding
- Relevant admins will always be notified by the diagnostic expert system
- Additionally, create a communication platform to assist in resolving common issues:
  - e.g. breach of AUPs: the SP needs to contact the IdP with the outer ID, timestamp and MAC address of the user, to request sanctions
  - (we don't really know what else the common issues are)
  - a web form for admins is probably a good start (recipient details hidden where indicated)
eduroam as-a-service
- Q: What if a person cannot become an eduroam user in the first place, because the IdP is not capable of running a RADIUS server?
- A: We should be their RADIUS server!
eduroam as-a-service
- Multi-tenant platform which outsources IdP/SP RADIUS operation to the Operations Team/NRO
- Well-shepherded, implementing a role-model server with all the bells and whistles from the eduroam spec
- Responsibility for account management stays within the organisation
- For small organisations only!
  - Hard limit on the number of active user accounts (200?)
  - Limits subject to discussion
The Silver Bullet IdP
- Passwords, passwords, passwords must be funny in a TLS world. (ABBA would be turning in their graves if they were dead)
- Dedicated CA for user accounts
  - Issuing pseudonymous certificates
- RADIUS server for EAP-TLS
- Web UI for admin: add/delete/revoke
- Web UI for user: install eduroam settings (incl. cert)
  - Issuance via invitation link and one-time activation code
- By integration into eduroam CAT, the fact that there is a certificate being installed becomes entirely transparent: no extra effort
Conclusions
- Two new elements that hopefully make eduroam even greater than it already is
- Coming soon to a reality near you
  - Pilots scheduled for Jan 17 and Aug 17 respectively
- Open world-wide!
Thank You!