
The European eduroam confederation Klaas Wierenga 10º Encontro de Centros de Informática Universidade do Porto, 8 de Março 2007.

Transcript of the presentation "The European eduroam confederation Klaas Wierenga 10º Encontro de Centros de Informática Universidade do Porto, 8 de Março 2007":

1 The European eduroam confederation Klaas Wierenga 10º Encontro de Centros de Informática Universidade do Porto, 8 de Março 2007

2 High-quality internet for higher education and research
Contents
Intro eduroam
The European eduroam confederation
– European level
– NREN level
– Institutional level
Integration with other federations
– DAMe
Summary

3 eduroam members
Portugal and The Netherlands sometimes do have successful collaboration... ;-)

4 eduroam

5 The goal of eduroam
“open your laptop and be online”
To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world, enabling seamless sharing of network resources

6 eduroam
[architecture diagram with labels: Supplicant; Authenticator (AP or switch); RADIUS server University A; RADIUS server University B; SURFnet Central RADIUS Proxy server; User DB; Guest VLAN, Student VLAN, Commercial VLAN, Employee VLAN; data and signalling paths drawn separately]
Trust based on RADIUS plus policy documents
802.1X (VLAN assignment)

7 eduroam interactions
[diagram labels: Id Repository; Resource (AP); RADIUS + TLS Channel(s); eduroam hierarchy]
Radiator debug log as shown on the slide (some values did not survive extraction):
Tue Oct 10 00:05: : DEBUG: Packet dump:
*** Received from port
Code: Access-Request
Identifier: 1
Authentic: k D
Attributes:
User-Name =
NAS-IP-Address =
Called-Station-Id = "001217d45bc7"
Calling-Station-Id = "0012f0906ccb"
NAS-Identifier = "001217d45bc7"
NAS-Port = 55
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE
EAP-Message = -
Message-Authenticator = `- y. I<218 > \
Tue Oct 10 00:17: : DEBUG: Handling request with Handler 'TunnelledByTTLS= 1, Realm=/guest.showcase.surfnet.nl/i'
Tue Oct 10 00:17: : DEBUG: Deleting session for case.surfnet.nl, ,
Tue Oct 10 00:17: : DEBUG: Handling with Radius::AuthFILE: SC-GUEST-ID
Tue Oct 10 00:17: : DEBUG: Reading users file /etc/radiator/db/showcase-guest-users
Tue Oct 10 00:17: : DEBUG: Radius::AuthFILE looks for match with Klaas.Wie
Tue Oct 10 00:17: : DEBUG: Radius::AuthFILE ACCEPT: :
Tue Oct 10 00:17: : DEBUG: AuthBy FILE result: ACCEPT,
Tue Oct 10 00:17: : DEBUG: Access accepted for se.surfnet.nl
Tue Oct 10 00:17: : DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code: Access-Accept

8 eduroam hierarchy
[tree diagram: a (virtual) eduroam root at the top; below it the APAN root, the European root and an (America’s root); under the APAN root: .au, .cn, ...; under the European root: .nl, .ac.uk, .dk, ..., .pt, .es, ...; under America’s root: .edu, .us, ...]
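The realm-based forwarding that slides 6 to 8 describe, as an added example that is not part of the presentation or of any eduroam or SURFnet code: a small Python model of the hierarchy with institutional RADIUS servers, national (NREN) proxies and a European root. The realms (uva.nl, up.pt), server names, users, passwords and VLAN numbers are all constructed. Proxies route only on the realm in the outer User-Name and never see the credential; the home server is the only place where it is checked; the visited institution decides the VLAN after the Access-Accept comes back, which is the 802.1X VLAN assignment of slide 6. Three checks a proxy operator would want are built in: a User-Name without a realm is rejected at the national proxy, a realm in the proxy's own country that is not a member is rejected there instead of being passed upward, and a hop limit stops a request from looping between proxies.

```python
"""Realm-based forwarding through the eduroam RADIUS proxy hierarchy.

Added illustration, not eduroam or SURFnet code. Realms, server names,
users, passwords and VLAN numbers are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_HOPS = 6  # stop a request that bounces between misconfigured proxies

@dataclass
class AccessRequest:
    user_name: str      # outer identity "<user>@<realm>"; proxies route on the realm
    eap_payload: dict   # inner identity and credential; opaque to every proxy
    hops: list = field(default_factory=list)  # servers traversed, for the trace

@dataclass
class AccessResponse:
    code: str                    # "Access-Accept" or "Access-Reject"
    vlan: Optional[int] = None   # set by the visited institution only
    reason: str = ""

def realm_of(user_name):
    """Realm after the last '@', lower-cased; None when there is none."""
    if "@" not in user_name:
        return None
    return user_name.rsplit("@", 1)[1].strip().lower() or None

class Server:
    def __init__(self, name, parent=None, key=None):
        self.name, self.parent, self.children = name, parent, {}
        if parent is not None:
            parent.children[key] = self   # register with the next level up

    def forward(self, req, target):
        req.hops.append(self.name)
        if len(req.hops) > MAX_HOPS:
            return AccessResponse("Access-Reject", reason="hop limit exceeded")
        return target.handle(req)

class InstitutionServer(Server):
    """Home server: the only place where the credential is ever checked."""
    def __init__(self, realm, users, proxy):
        super().__init__(f"radius.{realm}", proxy, realm)
        self.realm, self.users = realm, users   # users: {inner identity: password}

    def handle(self, req):
        req.hops.append(self.name)
        inner = req.eap_payload.get("identity", "")
        if realm_of(inner) != self.realm:
            return AccessResponse("Access-Reject", reason="inner realm mismatch")
        if self.users.get(inner) != req.eap_payload.get("password"):
            return AccessResponse("Access-Reject", reason="bad credentials")
        return AccessResponse("Access-Accept")

    def serve_authenticator(self, req):
        """Entry point for this institution's own AP or switch (802.1X)."""
        if realm_of(req.user_name) == self.realm:
            resp, vlan = self.handle(req), 20                # employee/student VLAN
        else:
            resp, vlan = self.forward(req, self.parent), 99  # guest VLAN for visitors
        if resp.code == "Access-Accept":
            resp.vlan = vlan   # home only says yes or no; VLAN policy is local
        return resp

class NationalProxy(Server):
    """NREN proxy: routes on the realm and never sees the credential."""
    def __init__(self, tld, root):
        super().__init__(f"proxy.{tld}", root, tld)
        self.tld = tld

    def handle(self, req):
        realm = realm_of(req.user_name)
        if realm is None:
            return AccessResponse("Access-Reject", reason="no realm in User-Name")
        if realm in self.children:
            return self.forward(req, self.children[realm])
        if realm.endswith("." + self.tld):
            # our own country but not a member: answer here, never send it upward
            return AccessResponse("Access-Reject", reason=f"{realm} is not a member")
        return self.forward(req, self.parent)

class EuropeanRoot(Server):
    """Confederation root: knows only which NREN proxy serves which country."""
    def handle(self, req):
        tld = (realm_of(req.user_name) or "").rsplit(".", 1)[-1]
        if tld not in self.children:
            return AccessResponse("Access-Reject", reason=f"no member NREN for .{tld}")
        return self.forward(req, self.children[tld])

def build_confederation():
    root = EuropeanRoot("root.eduroam.eu")   # constructed name
    nl, pt = NationalProxy("nl", root), NationalProxy("pt", root)
    uva = InstitutionServer("uva.nl", {"student@uva.nl": "correct-horse"}, nl)
    up = InstitutionServer("up.pt", {"docente@up.pt": "battery-staple"}, pt)
    return {"uva.nl": uva, "up.pt": up}

def roam(visited, user_name, identity, password):
    """Authenticate at `visited`; returns the response and the servers traversed."""
    req = AccessRequest(user_name, {"identity": identity, "password": password})
    return visited.serve_authenticator(req), req.hops
```

Calling `roam(servers["up.pt"], "student@uva.nl", "student@uva.nl", "correct-horse")` on the confederation returned by `build_confederation()` yields an Access-Accept on VLAN 99 and the trace radius.up.pt, proxy.pt, root.eduroam.eu, proxy.nl, radius.uva.nl: the request climbs to the European root and back down into the Dutch branch, exactly the path of slide 8, and at no hop other than the last is the password inspected. The same user at home gets VLAN 20 with a one-element trace, and a request with no realm, an unknown country or a non-member realm is answered by the first proxy that can decide, so it never circulates.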

9 The European eduroam confederation

10 Federations in European education
Enable the sharing of educational resources
– Network: eduroam
– Applications: Shibboleth, PAPI, A-Select, Liberty
Federated with eduGAIN
Require agreement on:
– Responsibilities
– Liability
– Technology
– Language
– Standards

11 As Federations Grow
The risk of dying of success
Different communities, different needs
– Not even talking about international collaboration
– Different (but mostly alike) solutions
Different =/= wrong, but...
Further standardisation is imperative!

12 Policy and Legal Matters
The PMA model has proven extremely useful
– Consensual set of guidelines
– Peer-reviewed accreditation
Legal matters: Hic sunt leones
– For techies like us
– Privacy
– Liability
– More or less manageable in the case of (national) federations

13 eduroam confederations
Regions have their own stage of development and pace
Regions have their own regional policies (with delegation to national federations)
Policies will be aligned as much as possible

14 The European eduroam policy
Mutual access
Home institutions are/remain responsible for their users abroad
Members are European NRENs
Members guarantee required security levels by their participants
Members promote eduroam in their countries
European eduroam may peer with other regions
Set of technical recommendations (SSID!)
Implemented by the eduroam service activity in Géant2

15 National Policies
Mutual access
Members are connected institutions
Home institution is/remains responsible for its users' behaviour
Home institution is responsible for proper user management
Home and visited institution must keep sufficient log data
Appropriate security levels
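Slide 15 requires home and visited institutions to keep sufficient log data. The following added example, which is not part of the presentation or of any eduroam or Radiator code, shows what "sufficient" means in practice from the visited site's side: it parses a constructed RADIUS debug dump (modelled loosely on the Radiator output on slide 7; every timestamp, address, MAC, NAS name and realm in it is invented), flags requests that lack the fields needed to trace a session, and answers the incident-response question the visited site faces when a client misbehaves: which home realm was behind a given MAC, at what time, on which access point. With that, the visited site can hand the case to the home institution, which under this policy is responsible for the user.

```python
"""Pulling the log data eduroam policy requires out of RADIUS debug output.

Added illustration, not eduroam or Radiator project code. SAMPLE_LOG is
constructed and only loosely modelled on the Radiator debug dump on slide 7;
every timestamp, address, identifier and realm in it is invented.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_LOG = """\
Tue Oct 10 00:17:01 2006: DEBUG: Packet dump:
*** Received from 192.0.2.10 port 1812 ....
Code:       Access-Request
Identifier: 1
Attributes:
        User-Name = "anonymous@uva.nl"
        Called-Station-Id = "00-00-5e-00-53-aa"
        Calling-Station-Id = "00-00-5e-00-53-01"
        NAS-Identifier = "ap-library-01"
        NAS-Port-Type = Wireless-IEEE-802-11
Tue Oct 10 00:17:02 2006: DEBUG: Access accepted for anonymous@uva.nl
Tue Oct 10 00:19:40 2006: DEBUG: Packet dump:
*** Received from 192.0.2.10 port 1812 ....
Code:       Access-Request
Identifier: 2
Attributes:
        User-Name = "visitor@up.pt"
        Calling-Station-Id = "00-00-5e-00-53-02"
        NAS-Identifier = "ap-library-01"
Tue Oct 10 00:19:41 2006: DEBUG: Access rejected for visitor@up.pt: bad credentials
Tue Oct 10 00:21:15 2006: DEBUG: Packet dump:
*** Received from 192.0.2.11 port 1812 ....
Code:       Access-Request
Identifier: 3
Attributes:
        User-Name = "nobody"
        Calling-Station-Id = "00-00-5e-00-53-03"
Tue Oct 10 00:21:15 2006: DEBUG: Access rejected for nobody: no realm
"""

# One timestamped DEBUG line; everything after "DEBUG: " is the message.
TS_RE = re.compile(r"^(\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4}): DEBUG: (.*)$")
# An indented "Attribute = value" line inside a packet dump (quotes optional).
ATTR_RE = re.compile(r'^\s+([\w-]+) = "?([^"]*)"?\s*$')
RESULT_RE = re.compile(r"^Access (accepted|rejected) for ([^\s:]+)")

# The minimum a visited site needs to tie a session to a home realm and an AP.
REQUIRED = ("User-Name", "Calling-Station-Id", "NAS-Identifier")

@dataclass
class AuthRecord:
    timestamp: str
    code: str = ""
    attributes: dict = field(default_factory=dict)
    result: Optional[str] = None     # "accepted" or "rejected"

    @property
    def realm(self) -> Optional[str]:
        name = self.attributes.get("User-Name", "")
        return name.rsplit("@", 1)[1].lower() if "@" in name else None

def parse_radiator_log(text: str) -> list:
    """Group a debug dump into one AuthRecord per received Access-Request."""
    records, current = [], None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            stamp, msg = m.groups()
            if msg.startswith("Packet dump"):
                current = AuthRecord(timestamp=stamp)
                records.append(current)
            elif current is not None and (r := RESULT_RE.match(msg)):
                current.result = r.group(1)
            continue
        if current is None:
            continue
        if line.startswith("Code:"):
            current.code = line.split(":", 1)[1].strip()
        elif (a := ATTR_RE.match(line)):
            current.attributes[a.group(1)] = a.group(2)
    return records

def missing_log_fields(record: AuthRecord) -> list:
    """Required fields this record lacks; an empty list means it is usable."""
    missing = [name for name in REQUIRED if name not in record.attributes]
    if record.realm is None:
        missing.append("realm")
    return missing

def sessions_for_mac(records: list, mac: str) -> list:
    """Incident-response lookup: when, for which home realm and on which AP
    was this client MAC accepted?"""
    return [(r.timestamp, r.realm, r.attributes.get("NAS-Identifier"))
            for r in records
            if r.result == "accepted"
            and r.attributes.get("Calling-Station-Id", "").lower() == mac.lower()]
```

`parse_radiator_log(SAMPLE_LOG)` gives three records; the first is an accepted uva.nl session that `sessions_for_mac` finds by its MAC, the second a rejected up.pt attempt, and the third is flagged by `missing_log_fields` for having neither a NAS-Identifier nor a realm, which is exactly the kind of entry that cannot be traced later. Real Radiator output also dumps reply packets and proxied copies of each request; those need the same grouping, which this example leaves out.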

16 Institutional policy
I have to implement SSID eduroam!

17 Integration with eduGAIN

18 The eduGAIN model
[diagram labels: Id Repository(ies); Resource(s); MDS; R-FPP and H-FPP (Metadata Publish); R-BE and H-BE (Metadata Query, AA Interaction)]
Lingua Franca: SAML

19 eduGAIN interactions
[diagram labels: Requester; Responder; Id Repository; Resource; MDS; TLS Channel(s); https://mds.geant.net/?cid=someURN; urn:geant2:...:responder; urn:geant2:...:requester]

20 Deploying Authorization Mechanisms for Federated Services in eduroam (DAMe)
DAMe is a project that builds upon:
– eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard
– Shibboleth and eduGAIN
– NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) standards

21 First Goal: extending eduroam using NAS-SAML
[architecture diagram with labels: Guest; RADIUS server University B; RADIUS server University A; SURFnet Central RADIUS Proxy server; Authenticator (AP or switch); User DB; Supplicant; XACML Policy Decision Point; SAML Source Attribute Authority; data and signalling paths]
User mobility controlled by assertions and policies expressed in SAML and XACML

22 Second: eduGAIN as AuthN and AuthZ backend
Link between the AAA servers (now acting as Service Providers) and eduGAIN

23 Finally: Universal Single Sign-On
Users will be authenticated once, during the network access control phase
The eduGAIN authentication would be bootstrapped from the NAS-SAML
New method for delivering authentication credentials and new security middleware
4th goal: integrating applications, focusing on grids

24 Summary

25 Summary
Educational federations are happening
– And suffering their first growing pains
Convergence to a (small number of) standards
– 802.1X + RADIUS
– The SAML orbit
International confederations are emerging
– eduroam
– Géant2 AAI (eduGAIN)
– The twain will ever meet
– Using the same principles and standards

26 Thank you!
More info:
