Joining eduroam Wireless Roaming for Higher Education and Research [email protected] EuroCAMP ver 2.7


Page 1: Joining eduroam

Joining eduroam

Wireless Roaming for Higher Education and Research

[email protected] ver 2.7

Page 2: Joining eduroam

Global Working Group

Page 3: Joining eduroam

Global Working Group

• A Global Working Group has been set up.
• There is an open email list to share.
• The first meeting was at EuroCAMP 2005.
• The second meeting was held after the I2 members meeting.
• The third meeting was yesterday.
• We have a conference call when required.

Page 4: Joining eduroam

Global Working Group

What are we doing?
• Working on standards and systems for safe roaming internationally.
• eduroam NG (next generation).
• Peering policies and frameworks.
• There are representatives from Europe, the USA and Asia Pacific.

Page 5: Joining eduroam

Global Working Group

• Current eduroam environment
  – Hierarchy of RADIUS proxies
  – Shared key security
  – Manual configuration of all links

Page 6: Joining eduroam

Global Working Group

• Future eduroam environment
  – RADIUS discovery
  – PKI secured links
  – Via Radiator, Diameter or FreeRADIUS versions
  – Possible SHIB attribute passing

Page 7: Joining eduroam

The APAN Region: future direction and update

Page 8: Joining eduroam

What is eduroam’s core requirement?

eduroam allows roving researchers to log in, with their usual “user name/password”, to wireless networks at participating campuses around the world and transparently get access to resources.

This is the mission statement.

This is what needs to be delivered.

Page 9: Joining eduroam

Eduroam in APAN Region

• Federated
  – Australia: 17 sites
  – Taiwan: 51 sites
• Interest in
  – Japan
  – China
  – Korea
  – New Zealand
  – AU University in Vietnam

Page 10: Joining eduroam

Project Members:

National Science and Technology Program for Telecommunications

Global Cross-Campus WLAN Roaming based on Distributed Authentication Mechanism

Yung-Chi Yang [email protected]

Ko-Chung Tang [email protected]

Wei-Hung Huang [email protected]

Wei-Wen Chen [email protected]

Page 11: Joining eduroam

Roaming Platform Participants

1) National Taiwan University

2) National Cheng-chi University

3) National Chiao-Tung University

4) National Tsing-Hua University

5) National Central University

6) National Cheng-Kung University

7) National Chi-Nan University

8) National Chung-Hsing University

9) National Dong Hwa University

10) National Taipei University

11) National Yang-Ming University

12) National Taiwan Normal University

13) National Chung-Cheng University

14) National Taiwan Ocean University

15) National United University

16) National Hsinchu University of Education

17) National University of Tainan

18) National University of Kaohsiung

19) National Ilan University

20) National Taitung University

21) National Taiwan University of Science and Technology

22) National Yunlin University of Science and Technology

23) National Kaohsiung First University of Science and Technology

24) Northern Taiwan Institute of Science and Technology

25) Taipei Medical University

26) Tamkang University

27) Feng Chia University

28) I-Shou University

29) Soochou University

30) Wufeng Institute of Technology

31) Vanung University

32) Huafan University

33) Kaohsiung Medical University

34) Ming Chuan University

35) Providence University

36) Da-Yeh University

37) Shih Hsin University

38) Yuan Ze University

39) Chung Hua University

40) Chinese Culture University

41) Hsiuping Institute of Technology

42) Ling Tung University

43) Lunghwa University of Science and Technology

44) Takming College

45) Jin Wen Institute of Technology

46) Fooyin University

47) Tatung University

48) Mingdao University

49) St. John’s University

50) Yuanpei Institute of Science and Technology

51) Tunghai University

Roaming is possible between 51 universities in Taiwan.

And over 500,000 user accounts are being served.

(Updated at 2005-10-30)

Page 12: Joining eduroam

WLAN Roaming Architecture

Page 13: Joining eduroam

Roaming Server – Software Architecture

• “FreeRADIUS” implements the RADIUS protocol and uses the RADIUS proxy to communicate with the Roaming Center.
• The “Firewall” controls access rights to the Roaming Server.
• “OpenVPND” builds the secure tunnel (VPN TUNNEL) between the Roaming Server and the Roaming Center.
• The Roaming Center uses “SNMP” to monitor the status of the Roaming Server.

Diagram labels: RADIUS Server (in campus) – Roaming Server (Linux Red Hat/Fedora: Firewall, OpenVPND, RADIUS Server with Proxy (FreeRadius, SNMP enabled)) – VPN TUNNEL – Roaming Center (NCHC)

Page 14: Joining eduroam

Eduroam in APAN Region

• Top Level servers
  – Server 1
    • Australia
    • Coming on-line soon
  – Server 2
    • Looking for a home.

Page 15: Joining eduroam

Eduroam in APAN Region

• This will be run as a service (in this region).
• Which means
  – Security
  – Education
  – Monitoring
  – Granular Control
  – Policies
  – Service Levels
  – IPv6

Page 16: Joining eduroam

What does Security mean?

• Minimum standards
  – 802.1X
  – WPA TKIP on APs
  – EAP-TTLS authentication
• Why
  – The security level of this service is only as strong as the weakest site.
• Waivers will be available for fixed times.

Page 17: Joining eduroam

What does Security mean?

• Future standards
  – 802.11i – WPA2 AES on APs
  – EAP SAML?
  – The next wave of magic
• Integration with
  – Shib
  – A-Select
  – Or other

Page 18: Joining eduroam

What does Security mean?

• Why not web redirect?
  – We don’t share our password with others.
  – (Not secure)
• Why not VPN?
  – Which VPN?
  – ACL / XML lists of how long?
  – (1006 sites x 2 VPN x 16 firewall rules = 32192 lines)
  – (Not scalable)

Page 19: Joining eduroam

What does Security mean?

• Why WPA TKIP?
  – Open: all traffic is in the clear.
  – WEP is hacked (all traffic is effectively in the clear).
  – WPA with TKIP is in most APs now: a good level of security.
• Why EAP-TTLS?
  – Secure PAP password exchange.
  – Many supplicants are available.
• 802.1X is worth the pain.
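Slides 5, 18 and 19 together make one security point: in the eduroam hierarchy each RADIUS hop is protected only by a per-link shared secret, and a PAP password carried as a plain RADIUS User-Password attribute is readable by every proxy on the path, which is why the password has to travel inside the EAP-TTLS TLS tunnel to the home server instead. The script below is an added example, not part of the presentation and not eduroam or FreeRADIUS code; it implements the RFC 2865 section 5.2 User-Password hiding that a plain PAP Access-Request uses, builds and parses such a request, and shows what a relaying proxy recovers with and without the hop's shared secret. The realm, user name, secret and Request Authenticator are constructed sample values.

```python
# Added example (not from the slides): RFC 2865 section 5.2 User-Password hiding,
# as used when a PAP password is carried in a plain RADIUS Access-Request.
import hashlib
import os
import struct
from typing import Dict, Optional, Tuple

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad the password to a multiple of 16 bytes and XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    16-byte Request Authenticator (RFC 2865 section 5.2)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for off in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[off:off + 16], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the hop's shared secret and the
    Request Authenticator (both available to every proxy) gets the plaintext."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain, prev = b"", authenticator
    for off in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(h ^ k for h, k in zip(hidden[off:off + 16], keystream))
        prev = hidden[off:off + 16]
    # Strip the zero padding; passwords are text and never contain NUL bytes.
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length byte counts its own 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(user_name: str, password: str, secret: bytes,
                         identifier: int = 0,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Minimal Access-Request carrying User-Name and a hidden PAP User-Password."""
    if authenticator is None:
        authenticator = os.urandom(16)  # a real client picks this randomly
    attrs = attribute(ATTR_USER_NAME, user_name.encode())
    attrs += attribute(ATTR_USER_PASSWORD,
                       hide_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes) -> Tuple[int, bytes, Dict[int, bytes]]:
    """Return (code, authenticator, {type: value}); reject malformed lengths."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("declared length inconsistent with packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, packet[4:20], attrs


def proxy_can_read_password(packet: bytes, proxy_secret: bytes) -> bytes:
    """What an intermediate proxy recovers from a PAP Access-Request it relays:
    the real password if proxy_secret is this hop's shared secret, noise otherwise."""
    _code, authenticator, attrs = parse_packet(packet)
    return reveal_password(attrs[ATTR_USER_PASSWORD], proxy_secret, authenticator)


if __name__ == "__main__":
    # Constructed sample values: no real realm, user, secret or authenticator.
    secret = b"hop-secret-constructed"
    pkt = build_access_request("alice@uni-a.example.edu.au", "correct horse", secret,
                               authenticator=bytes(range(16)))
    print("proxy holding the hop secret sees:", proxy_can_read_password(pkt, secret))
    print("proxy with another secret sees:   ", proxy_can_read_password(pkt, b"other"))
```

When a RADIUS server proxies a plain PAP request it must unhide User-Password with the incoming link's secret and re-hide it with the outgoing link's secret, so in a hierarchy with shared-key links every proxy briefly holds the plaintext password. With EAP-TTLS the proxies only relay EAP-Message attributes; the PAP exchange happens inside a TLS session that terminates at the home institution's server, which is the "secure PAP password exchange" the slide refers to, and it is the reason the service is "only as strong as the weakest site" when sites fall back to weaker methods.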

Page 20: Joining eduroam

What does Education mean?

• Training
• Support
• Debugging
• Site visits

Skills can be imported.

Page 21: Joining eduroam

What does Monitoring mean?

• Servers
  – What’s up?
  – What’s down?
  – What’s the impact?
  – Who to contact?

(this is only half the story)

Page 22: Joining eduroam

What does Monitoring mean?

• Service
  – Is Auth up?
  – Is Auth down? (where)
  – What’s the impact?
  – Who to contact?
  – Must be end to end.
• I’d like to know this before the clients do.

Page 23: Joining eduroam

What does Granular Control mean?

• How do we identify?
• How do we suspend access?
• How can a client obtain their roaming data?
• This will empower users and providers.

Page 24: Joining eduroam

What do Policies mean?

• Policies support and protect
  – The service
  – The provider
  – The client
• The Australian Policy is complete.
  – (Ratification is in its final stages)
• This work has been completed by James Sankar of AARNet.

Page 25: Joining eduroam

What do Service Levels mean?

• As a service
  – We need to define the service.
  – We need to set response times.
  – We need to supply a level of service to our clients.

Page 26: Joining eduroam

What does IPv6 mean?

• IPv6 is fundamental in this region.
  – All eduroam type services need to work on v6.
    • (not all sites, but the service)
  – We will be looking closely at v6 mobility.
  – And also IPsec for secure roaming.

Page 27: Joining eduroam

What You Need to play

Page 28: Joining eduroam

International eduroam portals

Page 29: Joining eduroam

Local NREN eduroam Portal.

Elements of a portal
• Local information
• Services
• Participants
• Policies
• Technology
• International links
• Information for roaming
• Mail lists
• How to contact groups

Page 30: Joining eduroam

Local NREN eduroam Portal.

Data mining
• Who’s interested?
• Where are they from?
• Are you hitting your targets?

Page 31: Joining eduroam

Local NREN eduroam Portal.

• Did anyone read the news release?
• Put links in your news release (this helps).
• How can I exploit this information?

Page 32: Joining eduroam

Local NREN eduroam Portal.

Feedback and help
• Feedback is important
  – for the program
  – for the NREN
  – for the Institute
  – for the user
• Use detailed user guides on the portal.
• Put in links to the WIKI forum.
• Users who can help themselves don’t call.

WIKI forum page

Page 33: Joining eduroam

Team Requirements

What people are required for eduroam
– The wireless people
  • Basic wireless administration skills
– The directory people
  • Average RADIUS administration skills
– The security people
  • Average firewall/ACL skills
– The desktop support
  • Basic to average skills

• It’s not about the technology; that’s easy.

Page 34: Joining eduroam

Team Requirements

What the people require from eduroam
– Trust
  • Policy
  • Reactive, collaborative community
  • Policy
– For the NREN
  • See people

• It’s all about the people.

Page 35: Joining eduroam

Local Wireless Implementation

802.1X Tools
• SecureW2 (Alfa & Ariss)
  – SecureW2 for Windows platforms is the cost-effective and most robust client solution for deploying 802.1X networks. The SecureW2 Client enables EAP-TTLS using the standard Microsoft IEEE 802.1X Client currently available for Windows 2000, Windows XP and Pocket PC 2003.
• Now open source

Page 36: Joining eduroam

Local Wireless Implementation

Cisco 1200 Series Access Point setup for eduroam
• Under Security, Encryption Manager.
• Select VLAN in the drop-down box under Set Encryption Mode and Key for VLAN.
• Select Cipher in Encryption Modes.
• Select TKIP in the Cipher drop-down box.
• Clear Encryption keys.
• Select Encryption key 2.

Page 37: Joining eduroam

Local Wireless Implementation

• Under Security, SSID Manager.
• Select eduroam SSID.
• Under Authentication Settings, Methods Accepted:
  – Select Open Authentication with EAP in the drop box.
  – Select Network EAP.
• Under Authentication Settings, Server Properties:
  – Select Customize.
  – Under Priority 1 select your RADIUS server’s address.

Page 38: Joining eduroam

Radius Implementation

• Create national RADIUS server.
• Federate to international server.
  – Good service selling point.
• Create institutional RADIUS services.
• Create test accounts.
  – On all sites
• RADIUS tools
  – FreeRADIUS - a most excellent free RADIUS server

Page 39: Joining eduroam

Radius Implementation

• Deliver cookie cuts (AUS example)
  – Config for end user to connect to national server:

        realm DEFAULT {
                type     = radius
                authhost = 203.22.212.134:1812
                accthost = 203.22.212.134:1813
                secret   = XXXXXXXXXXXX
                nostrip
        }

        client 203.22.212.134 {
                shortname = national-au-eduroam1
                secret    = XXXXXXXXXX
        }
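The realm DEFAULT block above is the institutional end of the "hierarchy of RADIUS proxies" from slide 5: requests for any realm the site does not host are handed to the national server, and nostrip keeps the full user@realm in User-Name so that each upstream hop can still route on it. The script below is an added example, not part of the presentation and not FreeRADIUS code; it models the routing decision at each tier of a small constructed hierarchy (institution, national, APAN top level) using a simple precedence of exact realm, then suffix rule, then DEFAULT, then reject, and it shows the nostrip effect on the forwarded User-Name. All server names and realms are constructed.

```python
# Added example (not from the slides): realm-based routing of an Access-Request
# up and down an eduroam-style RADIUS proxy hierarchy. Server names, realms and
# the routing tables are constructed for illustration.
import re
from typing import Dict, List, Optional, Tuple

LOCAL = "LOCAL"   # marker: authenticate against this server's own user store
MAX_HOPS = 8

# Each server maps realm -> next hop. Exact realms win, then suffix rules
# (keys starting with "."), then DEFAULT; no match at all means reject.
ROUTES: Dict[str, Dict[str, str]] = {
    "inst-a.au":     {"uni-a.example.edu.au": LOCAL, "DEFAULT": "national-au"},
    "inst-b.au":     {"uni-b.example.edu.au": LOCAL, "DEFAULT": "national-au"},
    "national-au":   {"uni-a.example.edu.au": "inst-a.au",
                      "uni-b.example.edu.au": "inst-b.au",
                      "DEFAULT": "toplevel-apan"},
    "inst-c.tw":     {"uni-c.example.edu.tw": LOCAL, "DEFAULT": "national-tw"},
    "national-tw":   {"uni-c.example.edu.tw": "inst-c.tw", "DEFAULT": "toplevel-apan"},
    "toplevel-apan": {".edu.au": "national-au", ".edu.tw": "national-tw"},
}

# A realm must look like a DNS name with at least two labels; this also stops
# odd User-Name values from ever matching the literal "DEFAULT" key.
REALM_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Split on the last '@' (suffix format); no '@' means no realm."""
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    return user, realm.lower()


def forwarded_user_name(user_name: str, nostrip: bool = True) -> str:
    """What the next hop sees: nostrip keeps user@realm, otherwise only the user part."""
    user, realm = split_realm(user_name)
    return user_name if nostrip or realm is None else user


def next_hop(server: str, realm: str) -> Optional[str]:
    table = ROUTES[server]
    if realm in table:
        return table[realm]
    for suffix, target in table.items():
        if suffix.startswith(".") and realm.endswith(suffix):
            return target
    return table.get("DEFAULT")


def route(user_name: str, start: str) -> Tuple[str, List[str]]:
    """Return (outcome, path of servers visited); outcome is 'local' or 'reject:<reason>'."""
    user, realm = split_realm(user_name)
    path = [start]
    if realm is None or not user:
        return "reject:no-realm", path      # eduroam requires user@realm
    if not REALM_RE.fullmatch(realm):
        return "reject:bad-realm", path
    server = start
    while True:
        hop = next_hop(server, realm)
        if hop is None:
            return "reject:unknown-realm", path
        if hop == LOCAL:
            return "local", path
        # Manually configured links can send an unhosted realm round in circles;
        # refuse to revisit a server or exceed the hop budget.
        if hop in path or len(path) >= MAX_HOPS:
            return "reject:loop", path
        path.append(hop)
        server = hop


if __name__ == "__main__":
    for name in ("bob@uni-a.example.edu.au", "alice@uni-c.example.edu.tw",
                 "ghost@ghost.example.edu.au", "nobody"):
        print(name, "->", route(name, "inst-a.au"))
    print(forwarded_user_name("bob@uni-a.example.edu.au", nostrip=False))
```

The loop case is the practical caveat: if a national server's DEFAULT points upward and the top-level server routes the national suffix back down, a realm nobody hosts bounces between them until something gives up. Real RADIUS servers use the Proxy-State attribute to detect their own earlier hop and log a proxy loop; the test accounts "on all sites" from the previous slide are how that routing is exercised end to end before users depend on it.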

Page 40: Joining eduroam

Layer 8

– Can be your friend.
  • They want the service.
  • They can see the business drivers.
  • Will divert resources to the project.
– Can be your enemy.
  • They can have unrealistic expectations.
  • The work policy triggers lawyers.
  • Lawyers mean money and long documents.

Page 41: Joining eduroam

Layer 8

Know your landscape
– What is out there?
– What does the community want?
– Can you meet their requirements?
– Can you control expectations?
– Can you deliver the service?
– Where can you go for help?

Page 42: Joining eduroam

eduroam Links

eduroam AU Site: http://www.eduroam.edu.au

APAN eduroam Site: http://www.apaneduroam.edu.au

Eduroam Global Working Group: http://www.eduroam.edu.au/gwg-eduroam

Global working group email: [email protected]

Email Enquiries

[email protected]@eduroam.au

Page 43: Joining eduroam

Joining eduroam

Thank you

Please join eduroam
http://www.eduroam.org
http://www.eduroam.edu.au

Acknowledgments
Surfnet, TF Mobility TERENA, UNI-C & AARNet

TECH [email protected] [email protected]