
eduroam

Description

The purpose of eduroam (education roaming) is to provide secure, world-wide roaming access service for the international research and education community.

The eduroam service allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop. The architecture that enables this is based on a number of technologies and agreements, which together provide the essential eduroam user experience: “open your laptop and be online”.

The basic principle underpinning the security of eduroam is that the authentication of a user is carried out at his/her home institution using the institution’s specific authentication method. The authorisation required to allow access to local network resources is carried out by the visited network.

GÉANT operates the regional level service for members of the European eduroam Confederation, a confederation of autonomous roaming services who agree to a set of defined organisational and technical requirements by signing and following the eduroam policy declaration based on the eduroam service definition. The confederation goal is to provide a secure, consistent and uniform network access service inside the boundaries of the European confederation.

The European eduroam service is built hierarchically. At the top level sits the confederation level service, which primarily provides the confederation infrastructure required to grant network access to all participating members of the eduroam service at any time. This confederation service is built upon the national roaming services, operated by the national roaming operators (NROs) (in most cases, NRENs). National roaming services make use of other entities, for example, campuses and regional facilities.

The European service is governed by the eduroam Steering Group (SG) with day-to-day operations carried out by the eduroam Operations Team (OT).

In addition to operating the basic technical infrastructure for Europe, the GÉANT eduroam team also delivers a supporting services suite to support the widespread deployment of eduroam. This suite includes a central database with information about participating institutions, monitoring & metering tools, and a configuration assistant tool (CAT) for end users and campus administrators.

Technical Description

The eduroam confederation infrastructure relies on a distributed set of AAA servers. The current configuration uses RADIUS as the AAA protocol. eduroam currently supports transport over RADIUS/UDP and RADIUS/TLS, and recommends RADIUS/TLS as the preferred transport.

Routing of RADIUS messages is implemented in two ways: a baseline-routing model, based on a hierarchy of RADIUS servers, and a dynamic-routing model, based on DNS service discovery. The dynamic-routing model is only supported over RADIUS/TLS.

The (baseline) RADIUS hierarchy for a national eduroam federation consists of several RADIUS servers located at the various institutions, which are directly or indirectly connected to the federation-level RADIUS proxy server (FLRS).


The eduroam European Top-level RADIUS Servers (ETLRS) interconnect the participating eduroam federations in the region. They provide the means to find the correct federation-level RADIUS server of a given user’s federation, and to transport all information in a secure way. The eduroam ETLRS are maintained by SURFnet and DeIC as part of the eduroam Operational Team within GÉANT.

In dynamic routing, eduroam Identity Providers (IdP) announce their responsible RADIUS server over DNS. eduroam Service Providers (SPs), which need to authenticate a user, look up the appropriate RADIUS server by querying the Domain Name System (DNS) for a special eduroam server record.

This routing model does not require any intermediate RADIUS infrastructure, but can be used even in the presence of intermediates. In particular, if an eduroam IdP does not wish to deploy its own RADIUS/TLS-enabled RADIUS server, it can connect to the FLRS via a static uplink (hierarchical routing), and announce in the DNS record that the RADIUS/TLS endpoint is the IdP’s FLRS. Similarly, an eduroam SP which does not wish to perform its own DNS lookups can statically connect its infrastructure to the FLRS. The FLRS, in turn, can then carry out the DNS lookups for that SP.

eduroam IdPs and SPs always need to have a static route to their FLRS configured as a “default” fallback routing mechanism, because the publishing of DNS records for eduroam IdPs is optional. As a result, a default routing decision needs to be available should the DNS lookup not yield any routing information.

 
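The routing decision described above, dynamic DNS discovery for the user's realm with the static FLRS uplink as the default fallback, as an added example in Python (not eduroam's or GÉANT's own code). The realms, hosts and DNS answers are constructed stand-ins so that the block runs offline; the NAPTR service tag is the one eduroam uses to announce RADIUS/TLS endpoints.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RadiusTarget:
    host: str
    port: int
    via: str  # "dynamic" (DNS discovery) or "static" (FLRS uplink)

# Constructed stand-ins for DNS answers (no real DNS is queried here).
# NAPTR: realm -> [(flags, service, replacement)]; eduroam tags its
# RADIUS/TLS announcements with the service "x-eduroam:radius.tls".
SERVICE_TAG = "x-eduroam:radius.tls"
CONSTRUCTED_NAPTR = {
    "idp-a.example": [("s", SERVICE_TAG, "_radsec._tcp.idp-a.example")],
    "idp-b.example": [("s", "x-other:service", "_other._tcp.idp-b.example")],
}
# SRV: owner name -> [(priority, weight, port, target host)]
CONSTRUCTED_SRV = {
    "_radsec._tcp.idp-a.example": [(20, 0, 2083, "backup.idp-a.example"),
                                   (10, 0, 2083, "radius.idp-a.example")],
}
# The static "default" uplink every IdP/SP keeps configured (constructed).
CONSTRUCTED_FLRS = RadiusTarget("flrs.nro.example", 2083, "static")

def realm_of(outer_identity):
    """Realm is everything after the last '@'; None if absent or empty."""
    if "@" not in outer_identity:
        return None
    realm = outer_identity.rsplit("@", 1)[1].strip().rstrip(".").lower()
    return realm or None

def discover_dynamic(realm, naptr=CONSTRUCTED_NAPTR, srv=CONSTRUCTED_SRV):
    """NAPTR -> SRV walk for the realm itself; None if no usable record."""
    for flags, service, replacement in naptr.get(realm, []):
        if flags.lower() != "s" or service.lower() != SERVICE_TAG:
            continue  # not an eduroam RADIUS/TLS announcement
        records = sorted(srv.get(replacement, []))  # lowest priority first
        if records:
            _prio, _weight, port, host = records[0]
            return RadiusTarget(host, port, "dynamic")
    return None

def route(outer_identity, flrs=CONSTRUCTED_FLRS, **dns):
    """Decide where an SP (or its FLRS) forwards the access request."""
    realm = realm_of(outer_identity)
    if realm is None:
        return None  # unroutable: no realm to derive a home federation from
    return discover_dynamic(realm, **dns) or flrs
```

A request for a realm that publishes no usable eduroam NAPTR record (idp-b.example here) is sent to the FLRS, which is exactly the fallback the paragraph above requires.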

Service Description

The European eduroam service has two components – a core technical infrastructure (as outlined in the technical description) and a supporting services suite. The supporting services suite includes a central database with important information about participating institutions, monitoring & metering tools and a configuration assistant tool for end users (CAT). The supporting services suite is maintained by the eduroam OT.

The supporting services suite is designed and delivered to serve three main user groups with the most suitable level of access to targeted information:

  • federation-level personnel – NRO staff running service operation inside a country (federation).

  • institution-level personnel – staff running service on an institutional level (typically operating eduroam IdP and SP functions).

  • end users – individuals who use eduroam technology to access the network, either at their home institution or when visiting other sites.


Offering

The purpose of eduroam (education roaming) is to provide secure, world-wide roaming access service for the international research and education community.

The eduroam service allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop. The architecture that enables this is based on a number of technologies and agreements, which together provide the essential eduroam user experience: “open your laptop and be online”.


Reason to Act

Collaboration between researchers and students across multiple sites and even multiple countries is a key feature of the modern R&E environment. Movement of staff and students in formal and informal collaborations is a daily reality, and wireless functionality is the default in almost every communication device. Due to this increased mobility and the constant need to access their data and information regardless of their location, a secure, reliable and uniform roaming service has become a necessity for members of the academic and research community.

eduroam’s goal of providing global, secure, consistent and uniform network access therefore makes it the perfect solution to serve the needs of the R&E community. As eduroam is built on the well-known RADIUS protocol, campuses can often deploy the service at minimal cost to provide a network access solution for their own users (in a non-roaming scenario), thereby avoiding a duplication of effort and infrastructure.


Customer Experience

The customer experience for eduroam is defined in one simple phrase 'Open your laptop and be online'.


Benefits

The eduroam service gives users from participating academic institutions secure Internet access free of charge at any eduroam-enabled institution in any country which takes part in the global service delivery. In this way, users experience a consistent, production-quality connection without the need for reconfiguration or even for them to know local network details.

The eduroam service is supported by a rigorous technical and policy specification, thus avoiding the need for countless bilateral agreements between participating institutions.

The suite of eduroam supporting services, including the CAT (Configuration Assistant Tool), enables national and campus-level administrators in particular to achieve more efficient and simpler deployment. Profiles provided to end users by CAT also aim to reduce the instances of misconfigured devices, which is the largest challenge for eduroam deployment and use.


Costs

The service is free at point of use for users.


Time

Immediately available


Alternatives

The alternative to eduroam is multiple bilateral, non-standard roaming agreements throughout Europe and globally, or less secure access.


Advantages

The eduroam service eases the operational burden for campus administrators as participating institutions gain a universal, uniform and secure network access solution, eliminating the need to manage guest accounts individually. The authentication overhead is passed from the visited site to the home site, ensuring the most secure access decisions are made.


Engagement

In view of the way the eduroam service is designed and delivered, National Roaming Operators (NROs) play an essential role.

It is extremely important to ensure the uniformity of the service across the confederation boundaries, both in technical and organisational terms. The proper engagement of all participating NROs must be ensured, as this directly affects the overall quality of the service as perceived by the end users. NROs are members of the eduroam Steering Group (SG), which holds regular meetings where their input and views on the direction and operation of the service are directly considered.

At the same time, GÉANT eduroam representatives participate actively in the GeGC (Global eduroam Governance Committee) leading the further development and deployment of eduroam on the global level. These parallel activities on a national and global scale ensure that service quality is maintained in alignment with further development of the service. GÉANT eduroam members also work in cooperation with TERENA's TF-MNM, to look beyond the existing service and to identify future innovations in the area that can be brought to service.

Finally, engagement with standards bodies, primarily the IETF and the Wi-Fi Alliance, is also important in order to gain important technical information and establish relations with standard-makers.


KPIs

KPI name                                           RAG    KPI RAG
eduroam authentications per month (national)       Green  GREEN
eduroam authentications per month (international)  Green  GREEN
ETLR % availability                                Green  GREEN


Roadmap
