AARNet Confidential

Institutional eduroam Implementation Plan

About This Document

This document describes the institutional eduroam implementation plan, addressing the technical and administrative requirements for participating in the national eduroam federation. This plan is based on AARNet’s eduroam institution implementation plan.

Contents

Introduction
Terminology
Institutional eduroam Service Type
eduroam Prerequisites
Information previously provided to the NRO
Implementation Plan Overview
Deployment Tasks
RADIUS Servers
Wireless Infrastructure
Network Access
Institutional eduroam Support
Institutional eduroam Webpage
Information Transfer to the NRO
Institutional eduroam Deployment Scenarios
Typical Institution
Institution acting as eduroam SP for Partners
Other Scenarios
NRO eduroam Operational Objectives
National RADIUS Server Operation
Operability Monitoring
Information Resources
Support to Institutional Administrators
Institution RADIUS Server(s) Deployment
Implementation Items
Required
Recommended
Optional
Discussion
Required RADIUS Attributes
RADIUS Server Certificate
Filtering invalid usernames and realms
Non-responsive Server Handling
RADIUS Server Logging
Information to be provided to the NRO
Wireless Infrastructure
Implementation Items
Required
Recommended
Information to be provided to the NRO
Network Access
Implementation Items
Required
Recommended
Optional
Discussion
Recommended Ports and Protocols
Information to be provided to the NRO
Institutional Support
Implementation Items
Mandatory
Recommended
Discussion
Local eduroam Contacts
Local Support Workflow
Test accounts
eduroam Configuration Assistant Tool
End-User Education
Information to be provided to the NRO
eduroam Webpage
Implementation Items
Mandatory
Required Information
General Information
IdP-role-specific Information
SP-role-specific Information
Information to be provided to the NRO
Appendix A: Institutional eduroam Implementation Workflow


Introduction

The eduroam joining process for an institution consists of four steps:

1.  Application to the NRO to participate in eduroam, involving the exchange of institutional and basic eduroam deployment planning information that allows the National Roaming Operator (NRO) to assess whether the institution satisfies the prerequisites and is able to operate sustainably as an eduroam participant;

2.  Deployment of eduroam, satisfying technical and administrative requirements;

3.  eduroam Operability Auditing;

4.  Commencement of participation, involving the NRO announcing the institution’s participation in eduroam to current national eduroam participants and, globally, via upload of the institution’s eduroam deployment data to the eduroam global database.

This document describes the implementation plan for Step 2.

Terminology

National Roaming Operator (NRO): The entity that operates the eduroam service for a country or economy. For example, the NRO may be a National Research and Education Network (NREN) operator. NROs are sometimes referred to as “eduroam operators”.

The institution: The administrative organisation with overall responsibility for deployment of eduroam on behalf of one or more institutions is referred to simply as ‘the institution’ in the following implementation description.

eduroam username: institutional_username@institutional_realm

Following are components of eduroam infrastructure:

·  Supplicant, i.e. software on an end-user’s mobile device responsible for establishing a wireless connection. For eduroam, the supplicant implements the IEEE 802.1X protocol;

·  Network Access Server (NAS), i.e. a Wireless Access Point or Wireless LAN Controller. The NAS implements the IEEE 802.1X protocol for communicating with the supplicant, and initiates an authentication transaction with the supplicant. The NAS implements the RADIUS protocol for communication with the Authentication Server. In performing authentication, both the IEEE 802.1X leg and the RADIUS leg use the EAP framework (Extensible Authentication Protocol). EAP is a framework for conveying a variety of authentication methods.
For security and ease of implementation, eduroam uses tunnelled EAP methods. In the first phase the supplicant and the home RADIUS server perform a TLS handshake, which establishes an encrypted tunnel (and derives the keying material) and allows the supplicant to authenticate the home RADIUS server by validating its certificate. In the second phase the user’s credentials are transferred inside that tunnel, carried across the RADIUS hops in EAP-Message attributes, so that only the home server ever sees them; the NAS and the intermediate proxies see only the outer (routing) identity and opaque TLS records. This protection holds only if the supplicant is configured to validate the server certificate against the expected CA and server name; a supplicant that skips validation will hand its credentials to any rogue access point broadcasting the eduroam SSID. For eduroam, the predominant authentication methods (outer/inner) are PEAP/MSCHAPv2, TTLS/MSCHAPv2 and TTLS/PAP.

·  Authentication Server (AS) i.e. the institution’s RADIUS Server(s) configured in the NAS as the destination of RADIUS authentication requests.

·  RADIUS is an ‘Authentication, Authorisation and Accounting’ (AAA) protocol. RADIUS implementations use the ‘realm’ part of the eduroam username (conveyed in the RADIUS User-Name attribute) to determine whether to authenticate the user against a local identity store, or to forward (proxy) the authentication request to the national eduroam RADIUS server, which in turn proxies the request either to the Regional or Top-Level eduroam RADIUS server or directly to the participating ‘home institution’ RADIUS server responsible for authenticating users of that realm.

·  Infrastructure Servers are responsible for proxying the authentication request between institutional RADIUS servers, and include both the National RADIUS Servers (NRS) and Regional or Top-Level RADIUS servers (TLRS).
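As an added illustration of the realm-based routing decision described above (example code written for this plan, not AARNet’s code nor that of any RADIUS implementation), the following Python routine takes the RADIUS User-Name as the institution’s RADIUS server sees it, which for tunnelled EAP is the outer identity and is often anonymous@realm, and decides whether to authenticate locally (IdP role), proxy to the national RADIUS server (SP role), or reject without proxying. The local realms, national server names and non-routable suffixes are assumed values. The realm syntax check and the rejection of realm-less or non-routable usernames go beyond the paragraph above; they reflect the filtering of invalid usernames and realms that this plan covers later, and a home-IdP-side check that the inner identity’s realm matches the outer one is included for completeness.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed institutional configuration (hypothetical values for this example).
LOCAL_REALMS = {"example.edu.au", "students.example.edu.au"}
NATIONAL_RADIUS_SERVERS = ("nrs1.eduroam.example", "nrs2.eduroam.example")

# A routable realm looks like a registered DNS name: dot-separated labels of
# letters, digits and hyphens, ending in a top-level label of two or more letters.
REALM_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")

# Realm suffixes that can never be routed by the federation; proxying them only
# adds load and log noise on the national servers (illustrative list).
NON_ROUTABLE_SUFFIXES = (".local", ".localdomain", ".lan", ".invalid")


@dataclass(frozen=True)
class Decision:
    action: str           # "authenticate" (IdP role), "proxy" (SP role) or "reject"
    realm: Optional[str]
    reason: str


def parse_user_name(user_name: str) -> Tuple[str, Optional[str]]:
    """Split a RADIUS User-Name into (user part, realm).

    The realm is everything after the *last* '@'; the user part is opaque to
    the SP (for tunnelled EAP it is normally 'anonymous' or empty).
    """
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm.lower()


def route(user_name: str) -> Decision:
    """Routing decision the institutional RADIUS server makes on the outer identity."""
    _user, realm = parse_user_name(user_name.strip())
    if realm is None:
        return Decision("reject", None, "no realm: cannot be routed, reject locally")
    if realm == "":
        return Decision("reject", realm, "empty realm: reject locally")
    if realm in LOCAL_REALMS:
        return Decision("authenticate", realm,
                        "local realm: authenticate against the institutional identity store")
    if not REALM_RE.match(realm):
        return Decision("reject", realm, "malformed realm: reject locally")
    if realm.endswith(NON_ROUTABLE_SUFFIXES):
        return Decision("reject", realm, "non-routable realm: reject locally")
    return Decision("proxy", realm,
                    f"foreign realm: proxy to {NATIONAL_RADIUS_SERVERS[0]} (failover to the rest)")


def inner_identity_consistent(outer_user_name: str, inner_user_name: str) -> bool:
    """Home-IdP side check: the inner (tunnelled) identity's realm, when present,
    must match the outer identity's realm, so a request routed to this IdP cannot
    authenticate as a user of a different realm."""
    _, outer_realm = parse_user_name(outer_user_name)
    _, inner_realm = parse_user_name(inner_user_name)
    return inner_realm is None or inner_realm == outer_realm


if __name__ == "__main__":
    for name in ["alice@example.edu.au", "anonymous@students.example.edu.au",
                 "bob@uni.example.org", "bob", "bob@", "bob@localhost", "eve@printer.local"]:
        d = route(name)
        print(f"{name!r:40} -> {d.action:12} {d.reason}")
```

Rejecting locally rather than proxying is the important design choice: every request forwarded to the national servers that can never succeed costs a round trip across the federation and appears in the NRO’s monitoring as a failure attributable to this institution.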

eduroam participant roles:

·  Identity Provider (IdP): the institution authenticates its own users, identified by its local realm(s); and

·  Service Provider (SP): the institution provides network access to visitors by virtue of their successful remote authentication via eduroam by their ‘home institution’.

Some NROs also operate an eduroam Test and Monitoring Server (TMS), which comprises both a RADIUS client, issuing authentication requests using the ‘rad_eap_test’ client software, and a RADIUS server, which authenticates the NRO-provided institutional SP test accounts.

Institutional eduroam Service Type

The eduroam service type for institutions is usually IdP+SP, i.e. authenticating the institution’s own users as they travel to other eduroam participating institutions, as well as providing network access to visitors via eduroam. Institutions may also operate as SP-only participants and, in special cases, as IdP-only participants.

eduroam Prerequisites

Step 1 of the eduroam joining process, the institutional application to participate in eduroam, involves sharing basic institutional information together with eduroam deployment and technical contact information. The NRO evaluates whether the institution satisfies the prerequisites for eduroam participation.

An institution that has received an invitation to proceed to Step 2 has been deemed to satisfy the prerequisites for eduroam participation, namely:

·  Understanding of eduroam and willingness/ability to comply with technical and administrative policy requirements for operating as an eduroam IdP+SP;

·  Effective identity management & secure identity store;

·  Effective wireless network infrastructure with support for IEEE 802.1X (WPA2 Enterprise);

·  Effective internal networking and internet access via the NREN or another ISP, with users (staff, students) required to conform to the institution’s network access Acceptable Use Policy (AUP);

·  IT capability necessary to deploy and sustainably operate the eduroam RADIUS Server;

·  IT support capability necessary to provide IT support to local staff and visitors;

·  Administrative capability necessary to publish an institutional eduroam webpage providing eduroam configuration and usage information for local users and visitors.

If the NRO deems the institution to satisfy the prerequisites, Step 1 concludes with an invitation from the NRO to the institution to deploy eduroam infrastructure and establish the administrative processes required for eduroam participation, i.e. an invitation to proceed to Step 2.

Information previously provided to the NRO

The following information will have been provided to the NRO during Step 1 of the joining process:

Information item / Description or comment
Institution name / Formal name, including “The” if appropriate
Institution address / Street, City, State, Postcode
Primary domain name / Registered primary domain name; used as the institution label in monitoring, metrics etc.
Institution webpage / URL of the institution’s website home page
Link to institution’s network AUP / URL of the institution’s network access Acceptable Use Policy
Institution’s identity store info / Authentication system/identity store vendor, model/name, version
Intended local realms / Intended local realms, each being the primary domain name or a subdomain of it
Local test account(s) / Confirmation of willingness to provide an eduroam test account for each local realm
Wireless infrastructure info / Wireless equipment vendor, model/name, version; confirmation of support for multiple SSIDs and IEEE 802.1X
Wireless coverage map (if any) / Link to the institution’s wireless coverage map
Intended eduroam coverage / Names and addresses of campuses where eduroam coverage will be provided
Potential eduroam overlap / Assessment of the potential for eduroam coverage overlap with another institution
RADIUS server info (if any) / Vendor, model/name, version of the existing RADIUS server, or the preferred implementation if any
Configure trust for the NRO TMS / Confirmation of willingness to configure trust for the NRO eduroam Test and Monitoring Server in the institutional eduroam RADIUS servers
ISP information / Internet Service Provider, and link to the institution’s Access Agreement if available
Network service for local users / Description of the network service, in particular IP addressing, application proxies and content filtering if any, and restrictions e.g. ports/protocols, bandwidth, data quotas
Intended eduroam network service / Intended network service for eduroam users, and plan for eduroam user traffic segregation (e.g. via VLAN) if any
Institution IT support info / Number of IT support staff; link to the IT support helpdesk and support-request (ticketing) system
Estimate of number of users / Estimate of the number of users/identities across the institution
eduroam technical contact / Full name, email address, phone, mobile (for SMS comms) of the primary technical contact responsible for eduroam deployment

Implementation Plan Overview

The eduroam service relies on consistent implementation achieved in conformance with global and national eduroam policy.

Deployment Tasks

An outline of each deployment task is provided below.

RADIUS Servers

·  RADIUS server deployment satisfying requirements for the eduroam service, including

o  Choosing a RADIUS Server Platform

o  Deploying the RADIUS Server(s) & DNS name server configuration

o  Firewall configuration to allow access to RADIUS servers from the National RADIUS Server

o  Acquiring a server certificate for the RADIUS Server(s) so that supplicants can authenticate the home RADIUS server

o  Determining which EAP authentication methods are applicable, based on the local realms, how the associated users’ credentials are stored (for example, MSCHAPv2 requires the RADIUS server to have access to the plaintext password or its NT hash, whereas TTLS/PAP can authenticate against a store that only supports a bind or hash comparison), and which client operating systems the institution will support for eduroam access.

o  Receiving user authentication requests from the wireless network infrastructure and from the eduroam infrastructure (the national RADIUS server (NRS) and the eduroam Test and Monitoring Server (TMS)) and, based on the ‘realm’ part of the username:

§  authentication of local user against institutional identity store (IdP role)

§  proxying visitor authentication requests to eduroam infrastructure (national RADIUS server) (SP role)

§  interoperating with the NRO Test and Monitoring Server (operability monitoring)

o  Authentication transaction logging (ensuring the required attributes are logged)

o  Configuring trust for the NRO eduroam TMS in each of the institution’s eduroam RADIUS servers for eduroam operability monitoring.

To assist with RADIUS Server deployment, the NRO will configure the National RADIUS Servers (NRSs) to enable testing during the deployment step. Configuration of the NRS involves establishing trust for receipt of authentication requests from, and proxying of authentication requests to, the institution’s RADIUS server(s). The NRO will assist the institution by performing tests to confirm technical readiness.

Wireless Infrastructure

·  Planning and implementation of the eduroam coverage area, by configuring the wireless infrastructure to broadcast the “eduroam” SSID and configuring the ‘eduroam network’ for IEEE 802.1X authentication at the required locations (institution sites/campuses).

Network Access

·  Network service provision for eduroam users supporting the range of required protocols (the goal being to provide a network access service equivalent to what users would have on their home campus)

o  Establishing a VLAN/network service for eduroam with appropriate IP addressing

o  Network access logging, associating access events with the user device’s MAC address and assigned IP address (including DHCP lease logging and, if eduroam user addressing is NATed, address-translation logging, so that a public address and port at a given time can be traced back to the internal address and MAC).
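The log correlation this item calls for, as an added example written for this plan (not code from AARNet or from any product): given an abuse report naming a public address, port and time, it walks back through constructed NAT, DHCP and RADIUS log lines to the internal address, the device MAC and the outer User-Name (and therefore the home realm) recorded at authentication. The log formats, addresses, MACs, realms and timestamps are all constructed for the example; real dhcpd, conntrack and RADIUS logs differ in layout, and Calling-Station-Id commonly writes the MAC with a different separator from the DHCP server, which is why MACs are normalised before comparison. Because an SP sees only the outer identity, the trace ends at the realm; further attribution is a matter for the home institution.

```python
import re
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample log lines (not real data, not from the plan). Timestamps
# are ISO 8601 UTC so that all three sources sort on one clock; in practice
# make sure the NAS, DHCP server and NAT device are NTP-synchronised.
RADIUS_LOG = """\
2024-05-01T10:02:05Z Access-Accept User-Name=anonymous@uni.example.org Calling-Station-Id=AA-BB-CC-DD-EE-01
2024-05-01T10:02:06Z Access-Accept User-Name=carol@example.edu.au Calling-Station-Id=AA-BB-CC-DD-EE-02
2024-05-01T11:29:50Z Access-Accept User-Name=anonymous@uni2.example.org Calling-Station-Id=AA-BB-CC-DD-EE-03
"""
DHCP_LOG = """\
2024-05-01T10:02:11Z DHCPACK on 10.20.30.41 to aa:bb:cc:dd:ee:01
2024-05-01T10:02:13Z DHCPACK on 10.20.30.42 to aa:bb:cc:dd:ee:02
2024-05-01T11:30:00Z DHCPACK on 10.20.30.41 to aa:bb:cc:dd:ee:03
"""
NAT_LOG = """\
2024-05-01T10:05:00Z NAT src=10.20.30.41:51234 pub=203.0.113.5:40001 dst=198.51.100.7:443
2024-05-01T10:05:30Z NAT src=10.20.30.42:51235 pub=203.0.113.5:40002 dst=198.51.100.9:443
2024-05-01T11:45:00Z NAT src=10.20.30.41:52000 pub=203.0.113.5:40001 dst=198.51.100.7:443
"""

RADIUS_RE = re.compile(r"^(\S+) Access-Accept User-Name=(\S+) Calling-Station-Id=(\S+)$")
DHCP_RE = re.compile(r"^(\S+) DHCPACK on (\S+) to (\S+)$")
NAT_RE = re.compile(r"^(\S+) NAT src=(\S+):(\d+) pub=(\S+):(\d+) dst=\S+$")

Record = Tuple  # (timestamp, field, field, ...)


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalise_mac(mac: str) -> str:
    """Reduce 'AA-BB-CC-DD-EE-01', 'aa:bb:cc:dd:ee:01' or 'aabb.ccdd.ee01' to one form."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse(log: str, pattern) -> List[Record]:
    records = []
    for line in log.splitlines():
        m = pattern.match(line)
        if m:                       # unparseable lines are skipped, not fatal
            records.append((_ts(m.group(1)),) + m.groups()[1:])
    return records


def latest_at_or_before(records: List[Record], when: datetime,
                        matches: Callable[[Record], bool]) -> Optional[Record]:
    """Most recent matching record at or before `when`. Addresses and NAT ports are
    reused, so the *latest* record before the event is the one that applies.
    Lease expiry is not modelled; a real trace should also confirm the lease was
    still active at the time of the event."""
    best = None
    for rec in records:
        if rec[0] <= when and matches(rec) and (best is None or rec[0] > best[0]):
            best = rec
    return best


def trace(public_ip: str, public_port: int, when: str) -> Optional[Dict[str, Optional[str]]]:
    """Abuse report (public ip, port, time) -> internal ip -> MAC -> outer User-Name."""
    event = _ts(when)
    nat = latest_at_or_before(parse(NAT_LOG, NAT_RE), event,
                              lambda r: r[3] == public_ip and int(r[4]) == public_port)
    if nat is None:
        return None                                   # no translation: nothing to attribute
    internal_ip = nat[1]
    lease = latest_at_or_before(parse(DHCP_LOG, DHCP_RE), nat[0],
                                lambda r: r[1] == internal_ip)
    result: Dict[str, Optional[str]] = {"internal_ip": internal_ip, "mac": None, "user_name": None}
    if lease is None:
        return result                                 # address in use without a lease: escalate
    mac = normalise_mac(lease[2])
    result["mac"] = mac
    auth = latest_at_or_before(parse(RADIUS_LOG, RADIUS_RE), lease[0],
                               lambda r: normalise_mac(r[2]) == mac)
    if auth is not None:
        result["user_name"] = auth[1]                 # outer identity: the realm is the useful part
    return result


if __name__ == "__main__":
    print(trace("203.0.113.5", 40001, "2024-05-01T10:06:00Z"))
    print(trace("203.0.113.5", 40001, "2024-05-01T11:50:00Z"))
```

The sample deliberately reuses both internal address 10.20.30.41 and public port 40001 later in the day for a different device; the two calls in the usage block therefore resolve to different MACs and realms, which is exactly the case a correlation that ignores timestamps gets wrong.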

Institutional eduroam Support

·  Establishment of an eduroam end-user support capability (including training of local support staff, publication of an eduroam IT Support workflow) and promotion of the eduroam service to local users.

o  Provision of an institutional test account for each local realm;

o  Access to the eduroam Configuration Assistant Tool.