Jisc RSC Eastern Technical Managers forum Feb 2013 'Janet (eduroam), Edward Wincott'
Transcript of Jisc RSC Eastern Technical Managers forum Feb 2013 'Janet (eduroam), Edward Wincott'
eduroam (education roaming) is the secure, world-wide network access service for roaming users, developed by the international research and education community – where authenticated logon is a pre-requisite
eduroam is a federated service
• eduroam is a federated service, provided through co-operation of participating organisations, sharing their (in many cases already existing) infrastructures and inter-operating to provide authenticated network access for the whole community
• In fact it is an international federation of federations, organised into 3 main confederations – and all connected using RADIUS
• Participating organisations inter-operate through infrastructure provided by their national eduroam federations which are operated by the national research & education network
• All eduroam services must adhere to their NREN’s eduroam technical specification and organisations must comply with local eduroam Policy – thereby establishing a fabric of trust
Why federated?
• eduroam has to be a federated service because that is the only economically viable way to provide a pervasive service across the country and worldwide
• eduroam builds upon the network infrastructures that are in many cases already in place at organisations
• Allows organic growth of service and accommodates local variation
• Adherence to a common technical standard enables a consistent assured service to be provided
Benefits
What does eduroam do - for the user?
• Makes available a huge footprint of campus-wide and public area Wi-Fi networks interconnected by Janet and other NRENs - requiring authenticated network logon
• Only a single Wi-Fi profile and set of user credentials is needed to provide Internet access for the researcher, teacher, student or staff member, regardless of location. No additional configuration is needed for roaming
• Makes connecting to a network service easy:
  • automatic connection when in hot zone (depending on Wi-Fi profile)
  • just the same as when connecting at the home organisation
  • does not require guest network accounts to be set up
  • free of charge
eduroam on my journey to Letchworth
Travel further afield
The user experience
• Straightforward one-time setup of the wireless client software (the supplicant) to use 802.1X (WPA-Enterprise)
• At many organisations, supplicant software setup is automated by IT Services
• Enter correct user name and password in supplicant
• Can check details of eduroam service at Visited site before arriving: https://community.ja.net/system/files/257/eduroamUK-sites-and-service-specifications-web_0.xls
Smart Phone apps
http://itunes.apple.com/gb/app/eduroam-companion/id480611749?mt=8&ls=1
https://play.google.com/store/apps/details?id=net.ja.android.eduroamcompanion
What does eduroam do - for the user?
• eduroam network service is assured to support a wide set of applications (web, e-mail, vpn, ftp, citrix)
• eduroam can be enabled for hard-wired desktop machines as well as Wi-Fi capable devices: laptops, tablets, smart phones
• User logon is secured using EAP-based authentication (WPA Enterprise) which means that credentials are securely encrypted
• Not just the UK - service is available at a huge number of locations across the UK, Europe, SE Asia (including Japan, HK, China, Taiwan and Australia and parts of North America), coming to Africa and South America
Every institution wanting to participate in eduroam peers its institutional RADIUS server(s) to the national top-level RADIUS servers.
[Diagram: the institutional RADIUS server(s) at College and at Camford University, each peered to the national RADIUS servers (x3)]
What happens when the user roams?
When a user requests authentication, the user's realm determines where the request is routed to. The realm is the suffix of the user-name, delimited with '@', and is derived from the organisation's DNS domain name.
[Diagram: the RADIUS server(s) at Visited College and at Camford University, each peered to the national RADIUS servers (x3); the request is routed by realm from Visited College through the national servers to Camford University]
What happens when the user roams?
The user credentials are processed by the users home site and the reply returned via the national radius server.
[Diagram: the user's device shows the 'eduroam' wireless network as Connected at Visited College; the reply from Camford University's RADIUS server(s) returns via the national RADIUS servers (x3) to Visited College's RADIUS server(s)]
Where is eduroam available in the UK?
• In the UK service is available at 159 organisations with a further 57 working towards providing a service.
• There are 1000+ registered individual locations, with many more not individually listed.
• http://monitor.eduroam.org/gmap/country.php?country=uk
• https://community.ja.net/library/janet-services-documentation/where-can-i-use-eduroam-uk
eduroam in Europe
For interactive maps (eduroam.org):
• All Europe: http://monitor.eduroam.org/gmap/country.php?country=europe
• Individual countries: http://monitor.eduroam.org/gmap/country.php?country=uk (or country=de, =fr, =es etc.)
Benefit to the organisation providing eduroam
• Attract conference visitors from eduroam-enabled organisations and meet expectations of availability of eduroam
• Encourage inter-institution co-operative working, e.g. support foundation courses, visiting teaching staff from other institutions, visiting/embedded researchers
• Reduce guest account management workload for your IT dept., leading to improvement of productivity of IT Support staff:
  • just one eduroam visitor per day could result in a saving of 6 working days per annum
• Improve productivity of your network users by enabling connection to eduroam networks when your users travel to other organisations *
• (*) eduroam is increasingly available in public spaces, museums, libraries and hospitals
Is it worthwhile?
• UK eduroam hotspots
• 159 operational member organisations, 216 registered members
• http://monitor.eduroam.org/gmap/country.php?country=uk
• a visualisation of a week of UK roaming activity [mid 2010]
eduroam usage in the UK
• Chart shows the monthly counts of the number of unique devices whose authentication traffic was handled by the national proxy servers and which achieved successful authentications
• This represents a true picture of the growth in inter-institutional roaming within the UK
• In November there were over 160,000 unique devices seen by the NRPS – an average of 1,030 devices per operational organisation during the month
International Roaming
Communication matrix data for federation uk, top 10, from 2012-06-05 to 2012-06-12 (authentications handled by ETLRs):

Country               NREN              Diff. realms   OK
United Kingdom (uk)   JANET             677            605520
Netherlands (nl)      SURFnet           37             8046
Germany (de)          DFN               126            11382
Spain (es)            RedIRIS           61             5015
France (fr)           RENATER/CRU       61             5281
Poland (pl)           PIONIER/U.Tourn   13             5774
Australia (au)        AARNet            28             1572
Denmark (dk)          UNI-C             36             2019
Sweden (se)           SUNET             26             3257
Portugal (pt)         FCCN              53             3070
How does it work and what do you need?
eduroam in the UK
• eduroam in the UK is governed by Janet
• Membership is open to any organisation qualifying for Janet services
• Organisations wishing to participate must agree to the UK eduroam Policy and conditions of use and the eduroam services implemented must comply with the UK eduroam technical specification
• Application form at: https://www.ja.net/forms/eduroam-application-form/35
eduroam principles
• eduroam is based on the principle that authentication of the user is carried out by the user's home organisation; the home organisation bears the responsibility for the authentication of the user, affirming that the user is valid and entitled to network access
• The visited network makes the authorisation decision as to which network resources the user should be connected to – only after receipt of an access-accept will the user be connected to the eduroam resource or to an alternative local network; the user is only given eduroam IP access after authentication
User and organisation identification
• Participating organisations’ RADIUS systems need to route authentication requests to the correct home organisation for authentication
• Fundamental to the operation of eduroam is the concept of how the username is composed and how it is handled by the RADIUS servers during the processes of authentication, forwarding (proxying) and authorisation.
• The username consists of the userID and the realm separated by an @. Realms take the form of FQDNs
• userID@organisationrealm e.g. [email protected]
What must organisations do to participate?
• Each participating organisation implements either or both of:
  • a ‘Home’ or IdP service - an identity management/authentication service for members of the organisation
  • a ‘Visited’ or SP service - a network service with an SSID of ‘eduroam’ for visitors (which will also be usable by local users)
• This is achieved through the implementation of 802.1X on the network coupled to RADIUS linked to the participating organisation’s identity management system and peered with the national RADIUS infrastructure
Overview of operation
[Diagram: Visited organisation (802.1X network; Authenticator (AP or switch); RADIUS Proxy server (ORPS); User dB if also providing Home service) <-> JANET National RADIUS Proxy server (NRPS) <-> Home organisation, Camford (RADIUS Proxy server (ORPS); User dB). Message flows shown: visitor's credentials as EAP request; RADIUS request; RADIUS response; Query to the user dB; IP connection.]
The routing steps labelled on the diagram, for user ‘example’ at realm camford.ac.uk:
• Visited site RADIUS server (Visited Service): camford.ac.uk? not local => send to NRPS
• NRPS: camford.ac.uk? => forward to Camford ORPS
• Camford RADIUS server (Home Service): authenticate user ‘example’
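The realm-based routing decisions above, and the username composition described under "User and organisation identification", as an added example in Python (not code from the slides or from Janet): each hop inspects the realm after the last '@' and either authenticates locally, forwards to the next proxy, or rejects. The realm table, organisation names and server names are constructed for illustration.

```python
# Added example, not from the slides: simulation of eduroam's realm-based RADIUS routing.
# Constructed federation table: realm -> home organisation's RADIUS proxy (ORPS).
# In the UK federation this lookup is done by the Janet NRPS.
NRPS_REALMS = {
    "camford.ac.uk": "orps.camford.ac.uk",
    "visited.ac.uk": "orps.visited.ac.uk",
}

def split_username(username: str):
    """Split 'userID@realm' on the LAST '@'; return (userid, realm) or None.
    A request with no usable realm cannot be routed to any home organisation
    and is rejected rather than forwarded. Realms are FQDNs: compare case-insensitively."""
    if "@" not in username:
        return None
    userid, realm = username.rsplit("@", 1)
    realm = realm.strip().lower()
    if not userid or not realm or "." not in realm:
        return None
    return userid, realm

def visited_orps_route(username: str, local_realm: str) -> str:
    """Decision taken by the Visited site's ORPS for an incoming request."""
    parts = split_username(username)
    if parts is None:
        return "reject: no routable realm"
    if parts[1] == local_realm.lower():
        return "authenticate locally"
    return "forward to NRPS"

def nrps_route(username: str) -> str:
    """Decision taken by the national proxy: look up the realm's home ORPS."""
    parts = split_username(username)
    if parts is None:
        return "reject: no routable realm"
    home = NRPS_REALMS.get(parts[1])
    if home is None:
        return "reject: unknown realm"
    return f"forward to {home}"

def route(username: str, local_realm: str) -> list:
    """Path of one request through the hierarchy, as the diagram walks it."""
    hops = [visited_orps_route(username, local_realm)]
    if hops[-1] == "forward to NRPS":
        hops.append(nrps_route(username))
    return hops

if __name__ == "__main__":
    print(route("example@camford.ac.uk", "visited.ac.uk"))
```

A request whose realm is unknown to the NRPS, or that carries no realm at all, is rejected at the first proxy that cannot route it; nothing is forwarded speculatively.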
What will you need?
• RADIUS server (resilient, preferably dual or fail-over)
  • FreeRADIUS : open source : linux platform
  • Radiator : commercial : linux and Windows platform
  • MS IAS/NPS : commercial : Windows
  • Cisco ACS : commercial
• User access management dB (to participate as a Home org.)
  • AD
  • LDAP
  • NDS
What will you need to do?
• 802.1X configuration of network access servers (APs and switches where you wish to provide eduroam coverage)
  • set up of eduroam SSID and eduroam network (VLAN)
  • link authentication to your RADIUS server(s)
• Configure your firewall to permit RADIUS traffic between your RADIUS servers and the national proxy RADIUS servers
• Configure the firewall on your eduroam network to permit the ports and protocols detailed in the technical specification
What will your users need?
• 802.1X configuration of your users’ devices
  • decide which EAP methods to use and whether to use built-in supplicant software (or to deploy third party variants)
  • very often this decision will be determined by your choice of RADIUS server and password format in the database, e.g. Microsoft NPS only supports PEAP/MSCHAPv2 and the built-in Windows supplicant has similar EAP method limitations
  • in most cases the built-in supplicant is fine and will be most straightforward for users to configure themselves
• Option: automation of 802.1X configuration of user devices
  • Open source SU1X tool
  • Commercially provided XpressConnect
  • eduroam Configuration Assistant Tool (CAT)
Costs?
• 802.1X compliant network – modern network equipment should already be 802.1X-ready
• RADIUS Server hardware (£ 4,000 for a resilient server)
• Open source FreeRADIUS or low cost Radiator/MS NPS
• Server Certificate available via Janet Certificate Service
• 802.1X user configuration deployment tool – open source SU1X, Cloudpath XpressConnect, eduroam CAT
• Network engineer/system administrator time – depends on familiarity with technology and skill level (1 – 2 weeks)
• Training courses (£ 400 for 2 days); possible consultancy (£ 1,740 for 3 days)
Support & Training
Getting started – online resources
• https://community.ja.net/library/janet-services-documentation/eduroam
  • Putting together the business case
  • Technical guides, including step by step implementation guide
  • ‘Joining eduroam’ web page
• Janet technical guides
  • https://community.ja.net/library/janet-services-documentation/eduroam
  • eduroam(UK) Technical Specification
  • https://community.ja.net/library/janet-services-documentation/implementing-eduroam-roadmap
• Further documentation at: www.eduroam.org
Technical support for eduroam administrators
• Free of charge support available over the phone and by e-mail for enquiries on:
  – technical advice
  – troubleshooting
  – administration
  – information queries
• Enquiries placed via the Janet Service Desk (JSD) - [email protected]
• Not for end users
Training courses
Two one-day training courses are available:
• eduroam Fundamentals
• Implementing eduroam at your organisation
• Cost for each: £ 200
• Next courses: Manchester 2-3 May 2013
• Details: www.ja.net/training
Consultancy
A chargeable consultancy service is also available for more in-depth implementation support and investigation of technical issues
The service can be utilised for such purposes as:
• on-site problem solving
• FreeRADIUS and Radiator configuration tutorial
• post-deployment Q.A. auditing against Tech Spec and best practice
• on-site eduroam implementation training
• £ 580 + VAT per day + expenses
Benefits for your organisation and your users
Recap - benefits for your organisation
• Minimisation of the administrative workload of managing guest accounts
• Enable your staff and students easy access to web resources at other institutions throughout the UK and around the world
• Reduction of visits to service desk by visitors
• No need for temporary accounts
• Standard service offering
• Free Wi-Fi at every eduroam enabled organisation
• Clear/concise/full audit trail (no forms)
Recap - benefits for users
• No need to wait for guest accounts to be set up
• Users use their home organisation username and password, regardless of location – a single Wi-Fi profile ‘just works’
• Service is already widely available throughout the UK, and in many countries around the world
A final thought
Quote from a recent application to join eduroam:
Q. What was your primary reason for wishing to implement eduroam?
A. Simply….“eduroam is now expected by visitors and collaborators from other research institutes from around the world”
THANK YOU