You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 11 Next »

This page contains service description outlining how and where service should be used, targeted users, service delivery model and service elements and topology.

RESPONSIBLE: Information provided in this page is initially populated by the development team (during the transition phase), and revised based on the need or in a yearly service check by service_name Service Manager, with exception of CBA which remains the responsibility of business development team.

Service description

The purpose of eduroam (education roaming) is to provide secure, worldwide roaming access service for the international research and education community.

The eduroam service allows students, researchers and staff from participating institutions to obtain Internet connectivity on their mobile devices across their campuses and when visiting other participating institutions. The architecture that enables this is based on a number of technologies and agreements, which together provide the essential eduroam user experience: “open your laptop and be online”. 

The basic principle underpinning the security of eduroam is that the authentication of a user is carried out at his/her home institution using the institution’s specific authentication method. The authorisation required to allow access to local network resources is carried out by the visited network.

GÉANT operates the confederation-level service for members of the European eduroam Confederation, which is formed of autonomous roaming services who agree to a set of defined organisational and technical requirements by signing and following the eduroam policy declaration  is based on the eduroam service definition. The confederation’s goal is to provide a secure, consistent and uniform network access service to its users.

Users

eduroam (first-level) users are National Roaming Operators, that are responsible to operate eduroam service on a national level for their country. Up to date list of eduroam users is available at the eduroam monitor site.

Contacts

 

Service OwnerDevelopment Team LeadL1 supportL2 supportL3 support
 Miroslav Milinovic Stefan Winter help@eduroam.org eduroam-ot@lists.geant.org eduroam-ot@lists.geant.org

Service delivery model

The European eduroam service is built hierarchically. Confederation-level service is at the top level, and it provides the confederation infrastructure required to grant network access to all participating members of the eduroam service together with a set of supporting services. This confederation service is built upon the national roaming services, operated by the national roaming operators (NROs – in most cases, NRENs). National roaming services make use of other entities, for example, campuses and regional facilities. eduroam service delivery model is presented in the following pictures. 

eduroam service delivery model





                            

The European service is governed by the eduroam Steering Group (SG), while day-to-day operations are carried out by the eduroam Operations Team (OT).

In addition to operating the service’s basic technical infrastructure, the GÉANT eduroam team also delivers a supporting services suite to facilitate the widespread deployment of eduroam. This suite includes:

Service Elements

Technology infrastructure

The confederation infrastructure relies on a distributed set of AAA servers. The current configuration uses RADIUS as the AAA protocol. There are various transport protocols to carry RADIUS payloads, as of May 2012, the following protocols exist: RADIUS/UDP, RADIUS/TCP, RADIUS/DTLS and RADIUS/TLS. eduroam supports transport over RADIUS/UDP and RADIUS/TLS, and recommends the use of RADIUS/TLS. Routing of RADIUS messages, independently of the transport used, is implemented in two ways: a baseline routing model, based on a hierarchy of RADIUS servers, and a dynamic-routing model, based on DNS service discovery. The dynamic-routing model is only supported over RADIUS/TLS.

Complete explanation of technology infrastructure is provided in the eduroam Service Definition.

The following table is a list of products and resources used to deliver main functionalities of the eduroam service.

Service main element

Description

Technologies used in delivery

Access URL

(two) European Top Level Radius servers - ETLREach server has a list of connected, federation top-level domains (.nl, .dk, .hr, .de etc.) serving the appropriate NRENs. The servers also maintain exception rules for domains whose federation membership is not immediately identifiable in the realm (typically gTLD realms such as ’.edu’, ‘.eu’, ‘.net’, etc.).
The servers accept requests for the federation domains they are responsible for, and subsequently forward them to the associated RADIUS server for that federation, and transport the response (i.e. result of the authentication request) back.

Protocols: RADIUS/UDP, RADIUS/TCP, RADIUS/DTLS and RADIUS/TLS

Software: Radiator

-

 


Supporting infrastructure

The following table is a list of products and resources used to deliver eduroam supporting services. 

Service supporting element

Description

Access URL

Monitoring, Diagnostics and Metering tools

The basic purpose of the eduroam monitoring, diagnostics and metering service is:  

  • to test the functionality of the FLRSs, TLRSs and the whole confederation infrastructure.
  • to collect information about the authentication traffic from the FLRSs that is used to provide usage statistics.

The eduroam monitoring and diagnostics element reports the results of the tests. An alert system is also implemented in order to inform OT and NRO responsible stuff about any malfunctions. The metering element relies on the F-Ticks tool.

Some of those info are public, while others are restricted to predefined user groups. The decision on the availability of the information lies with the eduroam Steering Group (SG).

https://monitor.eduroam.org/

https://monitor.eduroam.org/f_ticks_about.php

eduroam Database

eduroam database stores information about eduroam service such as: NROs, SP and IdPs contacts, SP locations, monitoring, service usage. NROs are obliged to provide the information.

There is a web interface to the database that allows various views of the database content. Some of these are public, while others are restricted to predefined user groups.The decision on the availability of the information lies with the eduroam SG.

More info available at: monitoring website, database section

https://monitor.eduroam.org/db_web/

Trouble Ticketing System (TTS)

First level support uses Trouble Ticketing System (TTS) to receive and process user requests. The support is available at help@eduroam.org  

eduroam website

This is the central information point for eduroam users at the same time providing information and links for all user groups. 

https://www.eduroam.org/
eduroam wikiIt provides technical information, guides and manuals targeting technical personnel in NRO, IdP and SP organisations that are responsible for deploying different parts of eduroam infrastructure. To smaller extent, the content is as well provides technical information targeting eduroam end-users. The content is provided as volunteer contribution by the eduroam community, and edited by the subject matter experts from the eduroam OT. http://wiki.eduroam.org

eduroam CAT

The eduroam Configuration Assistant Tool (CAT) has been developed to help organisations offering their users eduroam access. The tool builds customised installers for a range of popular PC and smartphone platforms and enhances the security for the end user. The tool ensures that users are protected against rogue wi-fi hotspots accessing usernames and passwords.

The tool builds a specific configuration for each participating organisation and so users should ensure they are downloading the correct installer.  

https://cat.eduroam.org/

eduroam Managed IdP

eduroam Managed IdP outsources the technical setup of eduroam IdP functions to the eduroam Operations Team. This leaves the institution only having to focus on its users and frees up valuable technical support resource.

The system includes:

  • A web-based user management interface where end user credentials for access to eduroam can be created and revoked.
  • A technical infrastructure (“CA”) which issues and revokes credentials for users to access to eduroam.
  • A technical infrastructure (“RADIUS”) which verifies access credentials and subsequently grants access to eduroam.
https://hosted.eduroam.org/ 

Cost Benefit Analysis

Provide URL to last valid CBA


  • No labels