May 17, 2006 TNC 2006, Catania 1
eduroam.us: past, present, future
Philippe Hanset
University of Tennessee, Knoxville

Credits
Working group supported by Internet2
- Kevin Miller (Duke University)
- Chris Misra (U. Massachusetts)
- Andy Rosenzweig (Merit Network)
- John Vollbrecht (Merit Network)
- Jessica Bibbee (Internet2)
- Steve Olshansky (Internet2)
- Renee Frost (Internet2)
- and all the brave semimonthly participants

History of edu-roaming
- RADIUS proxy used by Merit Network for modem pools
- IEEE 802.1x ratified in June 2001
- RADIUS proxy for WLAN at University of Utah
- TERENA creates TF-Mobility in 2003
- First eduroam enabled Access-Point in Zagreb (Croatia), May 2003
- Internet2 creates FWNA in December 2004
- eduroam.us, first International test in April 06 at Internet2 member meeting

What is FWNA?
An Internet2 working group evaluating:
- how 802.1x can be used to roam between institutions (local/global)
- the implications of roaming (technology, policies, …)
An experiment that has Root RADIUS servers connected to US based schools as well as Europe and Asian-Pacific R&E networks.
Another name for eduroam.us

Why FWNA/eduroam.us?
- We had open wireless networks
- We have been asked to secure those networks
- We are now asked to open them again while maintaining adequate security (visitors)
- Somehow guest accounts are not good enough

Where is FWNA today
Architecture
- RADIUS hierarchy modeled after eduroam.eu
- 802.1x only
Experimental service in place
- Top-level servers at UTK and Merit
- Servers connected to Europe, Asia-Pacific
- A few US based institutions have joined
Top-level tools being developed
- Web-based registration for connectors
- RADIUS proxy blocking mechanisms (realm, MAC)
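The two mechanisms this slide relies on, realm-based forwarding through a RADIUS proxy hierarchy and blocking by realm or MAC at the proxy, are easy to reason about in a small model. The following is an added example, written for this page and not code from FWNA, eduroam or any RADIUS implementation: it models the decision a top-level proxy makes for one Access-Request, taking the realm from the User-Name NAI, picking the next hop by longest matching realm suffix, and refusing requests whose realm or Calling-Station-Id is on a block list. The routing table, the proxy host names, the block lists and the sample requests are all constructed for the illustration; a real deployment expresses the same logic in the proxy's configuration (FreeRADIUS, radsecproxy and similar).

```python
"""Toy model of realm-based RADIUS proxy routing with realm/MAC blocking.

Added example, not FWNA's or eduroam's own code.  It models a top-level
proxy that receives Access-Requests from visited institutions and must
either forward them towards the user's home realm or refuse them.
Everything below (routes, names, block lists, requests) is constructed.
"""
import re

# Constructed routing table: realm suffix -> next-hop proxy (hypothetical names).
# The longest matching suffix wins; "" is the catch-all, i.e. the
# international root for realms this national top-level knows nothing about.
ROUTES = {
    "utk.edu": "radius.utk.example",        # home server of one member school
    "umich.edu": "radius.umich.example",
    "edu": "us-toplevel.example",           # national (US) top-level proxy
    "ac.uk": "uk-nationalproxy.example",    # a peer national proxy
    "": "eduroam-root.example",             # catch-all: other federations
}

# Constructed block lists, the "blocking mechanisms (realm, MAC)" of the slide.
BLOCKED_REALMS = {"bad.edu"}
BLOCKED_MACS = {"00:11:22:33:44:55"}

NAI_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")   # user@realm, one '@' only
MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def parse_nai(user_name):
    """Split an NAI 'user@realm' into (user, realm); None if malformed."""
    m = NAI_RE.match(user_name or "")
    if not m:
        return None
    return m.group(1), m.group(2).lower()


def normalize_mac(mac):
    """Canonicalise a NAS-supplied Calling-Station-Id to aa:bb:cc:dd:ee:ff.

    NAS vendors send 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' and other forms;
    a block list only works if every form is reduced to one spelling.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac or "").lower()
    if not MAC_RE.match(hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def next_hop(realm, routes):
    """Longest-suffix match of the realm against the routing table."""
    best = None
    for suffix, hop in routes.items():
        if suffix == "" or realm == suffix or realm.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, hop)
    return best[1] if best else None


def route_request(req, routes=ROUTES, blocked_realms=BLOCKED_REALMS,
                  blocked_macs=BLOCKED_MACS, local_realm="utk.edu"):
    """Decide what the proxy does with one Access-Request.

    req is a dict of RADIUS attribute name -> value.  Returns (action, detail)
    where action is 'reject', 'local' or 'forward'.
    """
    nai = parse_nai(req.get("User-Name"))
    if nai is None:
        return ("reject", "malformed User-Name, no realm to route on")
    _user, realm = nai
    if realm in blocked_realms:
        return ("reject", "realm blocked: " + realm)
    mac = normalize_mac(req.get("Calling-Station-Id"))
    if mac is None:
        return ("reject", "missing or malformed Calling-Station-Id")
    if mac in blocked_macs:
        return ("reject", "MAC blocked: " + mac)
    if realm == local_realm:
        return ("local", realm)          # authenticate here, do not proxy
    hop = next_hop(realm, routes)
    if hop is None:
        return ("reject", "no route for realm " + realm)
    return ("forward", hop)


# Constructed sample requests as a visited campus would relay them.
SAMPLE_REQUESTS = [
    {"User-Name": "alice@umich.edu", "Calling-Station-Id": "AA-BB-CC-DD-EE-FF"},
    {"User-Name": "bob@cs.stanford.edu", "Calling-Station-Id": "aabb.ccdd.eeff"},
    {"User-Name": "carol@phys.ox.ac.uk", "Calling-Station-Id": "10:20:30:40:50:60"},
    {"User-Name": "dave@uni-bremen.de", "Calling-Station-Id": "10:20:30:40:50:61"},
    {"User-Name": "eve@bad.edu", "Calling-Station-Id": "10:20:30:40:50:62"},
    {"User-Name": "frank@umich.edu", "Calling-Station-Id": "0011.2233.4455"},
    {"User-Name": "grace", "Calling-Station-Id": "10:20:30:40:50:63"},
    {"User-Name": "heidi@utk.edu", "Calling-Station-Id": "10:20:30:40:50:64"},
]


def decide_all(requests=SAMPLE_REQUESTS):
    """Run the routing decision over a batch; returns a list of (User-Name, action, detail)."""
    return [(r.get("User-Name"),) + route_request(r) for r in requests]


if __name__ == "__main__":
    for name, action, detail in decide_all():
        print("%-24s %-8s %s" % (name, action, detail))
```

The order of the checks is deliberate: the realm block list is consulted before the MAC is even parsed, so a realm that is currently flooding the hierarchy is dropped cheaply, and a request with an unroutable realm is rejected rather than forwarded to a default that might bounce it back (the "decentralized troubleshooting" problem later in the talk starts with proxies that forward what they should refuse).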
The State of EDUROAM

Challenges of FWNA (…or challenges of 802.1x!)
- No easy method of communication with users (layer 2, no portal)
- Decentralized and complex troubleshooting, lack of control (no adequate blocking)
- AP roaming requires long distance re-auth (partially solved in 802.11i)
- Policies are limited (but network control knobs are limited too!)
- Low adoption rate of 802.1x in the USA

FWNA next steps
Operational:
- explore other architectures (RADSec, Diameter, DNSSec)
- Improve 802.1x controls from RADIUS (local/global) to NAS (Switch, Wireless AP, …)
Policies:
- Stature (Trusted Network Connect (TNC), NAC, NAP)
- User Privileges (when in Rome do as the Romans?)

Other uses of FWNA: Sensornets
- Sensors may be more "mobile" than people
- not an EDU-person, but EDU-gear!
- What EAP could be used? How can additional facts be provided?
- the other AAA (Availability, Ability, Authentication)

How to join FWNA?
- Must be willing to experiment; nothing is plug and play
- Important for experimenters to give feedback by way of pointers, local cookbooks, EAP trial info, etc.
- If you want to be an experiment site, send email to: [email protected]
- also visit http://fwna.ns.utk.edu to register

FWNA info
- Project website: http://security.internet2.edu/fwna
- Biweekly Conference Calls, Thursdays 11am-12pm; next on 2/23/06
- salsa-fwna @ internet2 list: send "subscribe salsa-fwna" to sympa @ internet2
Grazie mille and good luck to:
Cunego, Basso, Di luca et cetera ;-)