eduroam™
eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community. It started in Europe but has gained momentum through the community and is now available in 71 territories (as of 2015).
Slide 3
eduroam™
Slide 4
Operation of eduroam™
eduroam is a worldwide federation of RADIUS servers that facilitates network access for roaming academic affiliates, using IEEE 802.1X as the vehicle. Use of this standard along with RADIUS means the network is built around well-understood, established, and easy-to-manage standards which are often already deployed within the network infrastructure of participating institutions.
Slide 5
Operation of eduroam™
User credentials are not revealed to the institution at which an eduroamer joins, but instead are only revealed to their home institution, providing an extra measure of comfort for visiting users. The eduroam network thus also provides a simple and automatic guest provisioning system: instead of providing a separate visitor network, with the added administrative overhead of maintaining user lists (potentially with manual expiration dates), a participating institution may rely on a visitor's home institution to authenticate them for the duration of their stay.
Slide 6
Benefits
With hundreds of thousands of wireless access points sharing a common SSID, eduroam acts as one large, world-wide wireless hotspot. eduroam helps travelers from academic institutions by allowing them to gain network access with minimal configuration and no need for the visited institution to grant them access explicitly. This benefits visiting faculty, academics traveling for conferences and collaborative work, study-abroad students, regional academic exchanges, etc. By joining eduroam you extend the network to visitors at your institution without adding any additional maintenance responsibilities for your IT staff. Moreover, by extending the network, you help to guarantee access for your own students and faculty while they are abroad.
Slide 7
Authentication Mechanisms
Terms:
Supplicant - The client software on a computer associating to an 802.1X-secured network. Often the computer itself (or even the user) is referred to as the supplicant, but generally without ambiguity.
Authenticator - The authenticator is the piece of network equipment to which a supplicant is connected and through which it attempts to perform an 802.1X authentication. This may be a wireless access point, a switch, or another variety of hardware made for 802.1X. Until the user has been authenticated and granted access to the network, the authenticator passes only 802.1X traffic, relaying it to an authentication server.
Authentication Server - An authentication server is a server or network appliance which is able to accept 802.1X authentication requests and respond appropriately based on the credentials passed to it. It may be a server running a RADIUS server and a directory service, or it may simply know how to forward requests to another server which is itself connected to LDAP/RADIUS. This abstraction is the strength of the 802.1X architecture.
Slide 8
Authentication Mechanisms
eduroam relies on standard wireless authentication tools including 802.11, 802.1X, and RADIUS. When a user associates to the eduroam SSID (or any 802.1X-protected SSID or wired connection, for that matter) the client computer is not able to pass any traffic other than 802.1X until granted further access by the access point (or switch, in the wired case).
Slide 9
Authentication Mechanisms
Slide 10
Authentication Process
The 802.1X authentication process is more complicated than simply "exchanging credentials" as alluded to above. The actual exchange between the supplicant and authenticator involves an Extensible Authentication Protocol (EAP) conversation. The EAP request is forwarded to the authentication server, generally in the form of a RADIUS request. The actual security of EAP comes from the use of SSL with one of the many EAP sub-protocols, the most common of which are:
EAP-TLS - requires both client and server SSL/TLS certificates.
EAP-PEAP - requires only a server certificate, but also an Active Directory or Samba PDC authentication server. This is the default for Windows supplicants and requires no external software; it is also supported natively by Apple's OS X and some Linux supplicants.
EAP-TTLS - this sub-protocol also requires only a server certificate and is supported natively by Apple's OS X, iPhone OS, and most Linux supplicants. Using EAP-TTLS on Windows requires an external supplicant such as SecureW2.
Slide 11
Authentication Process
During authentication via any of these EAP protocols, an SSL tunnel is created between the supplicant and the authentication server, inside of which the actual credentials are exchanged. This protects the user's credentials from compromise by any third party during authentication. In the case of RADIUS, the SSL tunnel is constructed by the use of RADIUS attributes carrying the encrypted data.
Slide 12
Authentication Process
Slide 13
Use of Anonymous Outer-Identity
An additional option that users may configure their supplicant to use is the so-called "outer-identity", which is passed outside of the encrypted tunnel to the authenticator and authentication servers. By default this identity is simply their username or, more often in the case of eduroam, username@realm (such as joe@example.com, where "joe" is the username or "netid" and "example.com" is the so-called realm). Since only the realm is used for routing of the request, users may optionally set their outer-identity to be anything they like, as long as the realm is their actual realm and their inner-identity is configured correctly. For purposes of etiquette it is expected that if the outer-identity is not set to their inner-identity then it is set to anonymous@example.com. The ability to properly anonymize the authentication sequence means that intermediate authentication servers cannot observe and track the authentication attempts of eduroam users who use an anonymous outer-identity.
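How a supplicant derives the anonymous outer-identity and how the home server checks the inner-identity against it, as an added example in Python (not code from the presentation or from any eduroam software). The EAP/TLS exchange itself is not modelled, only the identity checks on either side of it.

```python
# Outer/inner identity handling for an eduroam-style 802.1X login.
# Added example, not code from the presentation or any eduroam software.
# The EAP/TLS machinery is left out; this models only the identity checks a
# privacy-conscious supplicant and a home RADIUS server would apply.
from typing import Optional, Tuple

ANONYMOUS_USER = "anonymous"  # eduroam etiquette: anonymous@realm in the clear


def split_nai(identity: str) -> Tuple[str, Optional[str]]:
    """Split user@realm into (username, realm); realm is None if absent.
    Splitting on the *last* '@' keeps usernames that contain '@' intact."""
    user, sep, realm = identity.rpartition("@")
    if not sep:
        return identity, None
    return user, realm.lower()


def outer_identity_for(inner_identity: str, anonymous: bool = True) -> str:
    """Supplicant side: the identity sent in the clear before the tunnel exists.
    Only the realm is needed for routing, so the username is replaced by
    'anonymous' unless the user explicitly chooses to reveal it."""
    _, realm = split_nai(inner_identity)
    if realm is None:
        raise ValueError("inner identity needs a realm, otherwise it cannot be routed")
    return f"{ANONYMOUS_USER}@{realm}" if anonymous else inner_identity


def check_inner_identity(outer_identity: str, inner_identity: str,
                         home_realm: str) -> Tuple[bool, str]:
    """Home-server side, after the tunnel is up: verify the inner identity
    belongs to this realm and agrees with the realm the request was routed on."""
    _, outer_realm = split_nai(outer_identity)
    inner_user, inner_realm = split_nai(inner_identity)
    if outer_realm != home_realm.lower():
        return False, "request routed to the wrong home realm"
    if inner_realm is not None and inner_realm != outer_realm:
        return False, "inner realm does not match outer realm"
    if not inner_user:
        return False, "empty username"
    return True, inner_user


def leaks_username(outer_identity: str) -> bool:
    """True if the cleartext outer identity exposes the real username to the
    visited site and to every intermediate proxy."""
    user, _ = split_nai(outer_identity)
    return user != ANONYMOUS_USER
```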
Slide 14
Use of Anonymous Outer-Identity
Slide 15
Routing in eduroam™
If the realm of the user is not the local realm then the request may be forwarded to a remote RADIUS server which is authoritative for that realm, or which simply knows where the request must go to be answered authoritatively. RADIUS supports this forwarding in its proxy mode. When a RADIUS request is forwarded, the SSL tunnel protecting the privacy of the requestor is propagated throughout the RADIUS infrastructure, thus preventing administrators not responsible for the handling of the request from intercepting and/or manipulating the contents of the EAP exchange. The only information an intermediate RADIUS server has is the outer-identity of the requestor, the state of the EAP request (Access-Request, Access-Challenge, Access-Accept, or Access-Reject) and any RADIUS attributes passed outside of the tunnel.
Slide 16
Routing in eduroam™
Slide 17
eduroam-US Routing
eduroam-US is authoritative for the .edu TLD, and handles routing to other TLDs including those handled by eduroam in Europe (for all European members of the federation), eduroam in the Asia-Pacific region (including Australia, China, Hong Kong, Japan, New Zealand, and Taiwan), and Canada. Within the US, the eduroam-US Top-Level RADIUS Server (TLRS) handles routing to .edu member institutions.
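The realm-based forwarding decision described in the two routing slides above, as an added example in Python rather than any eduroam-US or RADIUS server code. The local realm `example.edu`, the next-hop names and the TLD-to-federation table are constructed placeholders; the hop counter stands in for RADIUS loop protection.

```python
# Realm-based RADIUS proxy routing of the kind the eduroam-US slides describe.
# Added example, not eduroam-US code; next-hop names are constructed placeholders.
# A proxy only inspects the realm of the outer identity; the EAP payload inside
# the TLS tunnel is forwarded untouched.
from typing import Optional, Tuple

LOCAL_REALM = "example.edu"  # constructed: the institution operating this proxy

# Constructed routing table keyed by realm suffix; the longest matching suffix wins.
ROUTES = {
    "example.edu": "LOCAL",           # our own realm: authenticate against our directory
    "edu": "eduroam-US TLRS",         # any other .edu realm: US top-level RADIUS server
    "ca": "eduroam-CA",
    "au": "eduroam-APAC", "cn": "eduroam-APAC", "hk": "eduroam-APAC",
    "jp": "eduroam-APAC", "nz": "eduroam-APAC", "tw": "eduroam-APAC",
    "uk": "eduroam-EU", "de": "eduroam-EU", "nl": "eduroam-EU",
}
MAX_HOPS = 8  # guard against proxy loops between misconfigured servers


def realm_of(outer_identity: str) -> Optional[str]:
    """Realm is everything after the last '@'; None if there is none."""
    _, sep, realm = outer_identity.rpartition("@")
    return realm.lower() if sep and realm else None


def match_route(realm: str) -> Optional[str]:
    """Longest-suffix match: 'cs.example.edu' -> LOCAL, 'other.edu' -> TLRS."""
    best: Optional[Tuple[str, str]] = None
    for suffix, target in ROUTES.items():
        if realm == suffix or realm.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, target)
    return best[1] if best else None


def next_hop(outer_identity: str, proxy_hops: int = 0) -> Tuple[str, str]:
    """Decide what to do with an Access-Request: ('auth'|'proxy'|'reject', detail)."""
    if proxy_hops >= MAX_HOPS:
        return "reject", "too many proxy hops, possible routing loop"
    realm = realm_of(outer_identity)
    if realm is None:
        return "reject", "no realm in outer identity, request cannot be routed"
    target = match_route(realm)
    if target is None:
        return "reject", f"no route for realm {realm}"
    if target == "LOCAL":
        return "auth", "LOCAL"
    return "proxy", target
```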
Slide 18
eduroam-US routing
Slide 19
eduroam™ vs. mobile roaming
eduroam, although global, is a closed, members-only system. For this reason (among others), it will never replace the ad-hoc mobile roaming characteristics that are desirable and indeed essential in a truly mobile network.
Slide 20
References
Contents of this presentation adapted from:
eduroam (2014) Technical Overview of Eduroam [online]. URL: https://www.eduroam.us/node/10 (accessed April 2015).
eduroam (2014) What is Eduroam? [online]. URL: https://www.eduroam.us/introduction (accessed April 2015).