Expanding eduroam in Asian countries * What is eduroam * eduroam JP update * R&D on DEAS

Post on 25-Feb-2016


DESCRIPTION

33rd APAN meeting, Feb. 16, 2012, Chiang Mai. Expanding eduroam in Asian countries * What is eduroam * eduroam JP update * R&D on DEAS. Hideaki Sone, NII / Tohoku University, Japan.

TRANSCRIPT

Expanding eduroam in Asian countries

* What is eduroam
* eduroam JP update
* R&D on DEAS

33rd APAN meeting, Feb. 16, 2012, Chiang Mai

Hideaki Sone, NII / Tohoku University, Japan

is Ready. Congratulations!

What is eduroam?

eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.

eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.

http://www.eduroam.org/

[Figure labels: Internet; Inst. A; Inst. B; Home inst.; student / staff]

eduroam promotion video by AARNet

Who operates eduroam

• The eduroam service started as a pilot under the auspices of TERENA.
• 4 regional operators
• About 50 countries worldwide
  – 7 members in Asia Pacific
• GeGC (Global eduroam Governance Committee) has been organized (2010).
  – 7 voting members: EU(3), US, CA, AP(2)
  – “Compliance Statement” compilation is under way.
    • service definitions, technical standards

eduroam deployments in Asia Pacific

• Hosting by a nearby country works well as an incubator.
• Hosting is quite beneficial for countries having a small number of institutions.

realm   joined inst.   # total   deployment rate   notes
.au     33             37        89.2%             (AP Server 1)
.hk     9              9         100%              (AP Server 2)
.cn     ?              1,700+    ?
.tw     137 ?          170+      ?                 (data as of Apr. 2009)
.jp     27             1,200+    2%
.nz     5              8         62.5%             hosted by AARNet
.pg     1              6         ?                 hosted by AARNet

steady growth: 8 joined in 2010, 10 more in 2011

eduroam JP

• National eduroam operation and promotion
  – 27 institutions (2% of 1,200) joined (Dec. 2011)
    • 17 (2010), 9 (2009)
  – Tutorial & technical documents
• R&D
  – Easy deployment and operation
  – Location privacy, etc.
• Collaboration with commercial W-ISPs
  – eduroam on commercial hotspots
  – Shared hotspots on campus
  – New architecture and business models for next-generation commercial / academic WLAN services

eduroam / ISP collaboration

• Livedoor, an ISP in Japan, provides eduroam service on their commercial hotspots
  – 130+ in-door APs at cafes, conference sites and some large shops in and around Tokyo
  – 2,200+ out-door APs on power poles in central Tokyo
    • eduroam-livedoor is now available on the streets
  – provides Campus Network solution with eduroam
• Commercial WLAN service using univ. APs
  – shared AP, experimental
• Negotiations are under way with some other ISPs / carriers

eduroam in disaster-affected campuses

• Borderless eduroam helped suffering staff
  – Nomadic network in temporary evacuation campus
• Tohoku University faced the big earthquake in March.
  – Many buildings were severely damaged.
  – Staff moved to other buildings where networks are operated by different departments.
  – eduroam is an effective rescue for them to use network --- Inter-department roaming network

[Figure labels: Additional APs; eduroam APs; Center; Damaged depts; Network ID]

Difficulties in expanding eduroam in JP

• Problems
  – Difficulties in large-scale RADIUS deployment
    • 1200 institutions in Japan → 1200 branches in RADIUS tree
  – Laborious eduroam connection / management work
• Our solutions
  – Federated Delegate Authentication System (DEAS) with centralized/clustered RADIUS server
    • remove RADIUS IdP at each institution
    • Federation using Shibboleth SSO
    • simplify RADIUS tree (→ higher stability)
  – Web-based eduroam IdP / SP management system
    • simplify connection and administration at both the eduroam JP office and each institution

Easy-to-join eduroam system

1. Delegate Authentication System (DEAS)
2. eduroam IdP/SP management web

[Figure labels: RADIUS IdP; RADIUS proxy; auth requests; <secret key 1>; <secret key 2>; institution’s RADIUS server; access points; national top-level]

Federated Delegate Authentication System

• Account Issuer as a Shibboleth SP of Japan’s GakuNin federation (f.k.a. UPKI federation)

• Centralized / Clustered eduroam IdP to simplify the RADIUS proxy tree

• 3 types depending on the needs and federation level

• Authenticated access with pseudo-anonymized, fixed-term, and traceable roaming IDs
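
One way to obtain the three properties in the last bullet (pseudo-anonymized, fixed-term, traceable), as an added example that is not taken from the slides and is not DEAS code. The HMAC construction, the realm `deas.example.jp`, the key and the user name are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from datetime import date, timedelta

REALM = "deas.example.jp"              # hypothetical realm, not from the slides
ISSUER_KEY = b"constructed-demo-key"   # constructed; a real issuer key stays secret


class AccountIssuer:
    """Hypothetical account issuer: hands out roaming IDs for home users."""

    def __init__(self, key, realm):
        self._key = key
        self.realm = realm
        self._ledger = {}  # roaming ID -> (real user, expiry); issuer-side only

    def issue(self, real_user, start, days):
        """Return (roaming_id, expiry) for one user and one validity term."""
        expiry = start + timedelta(days=days)
        msg = f"{real_user}|{start.isoformat()}|{expiry.isoformat()}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()
        # 10 bytes -> 16 base32 characters; not linkable to real_user without the key
        local = base64.b32encode(tag[:10]).decode().lower()
        roaming_id = f"{local}@{self.realm}"
        self._ledger[roaming_id] = (real_user, expiry)
        return roaming_id, expiry

    def is_valid(self, roaming_id, today):
        """Fixed-term: unknown or expired IDs are rejected."""
        entry = self._ledger.get(roaming_id)
        return entry is not None and today <= entry[1]

    def trace(self, roaming_id):
        """Traceable: only the issuer can map an ID back to the real user."""
        entry = self._ledger.get(roaming_id)
        return entry[0] if entry else None


if __name__ == "__main__":
    issuer = AccountIssuer(ISSUER_KEY, REALM)
    rid, expiry = issuer.issue("alice@univ-d.example.jp", date(2012, 2, 16), 30)
    print(rid, "valid until", expiry)
    print("after expiry:", issuer.is_valid(rid, expiry + timedelta(days=1)))
    print("issuer trace:", issuer.trace(rid))
```

A visited institution sees only the opaque local part and the issuer's realm; the mapping back to the home account exists only in the issuer's ledger.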

Before & After DEAS

• Huge RADIUS tree can be replaced by single RADIUS which works as an SP for member institutions

[Figure, two panels. "eduroam RADIUS tree": AP; User@D.jp; RADIUS; IdP; nodes jp, th, A, B, C, D. "Centralized RADIUS": AP; User; DEAS; IdP; SP; Shib. IdP; nodes jp, th, A, B, C, D.]

Current status (as of Feb. 2011)

Columns: Type / Deployment / Users

Type I (no federation, web UI only) / National DEAS deployed / 5 universities
Type II (admin-only fed.) / Under development / –
Type III (full fed.) / National Shib. SP for GakuNin deployed (22 federated institutions)

Univ. A, B: clients of Livedoor (ISP), using for main IdP
Univ. C: using for university’s sub IdP
Univ. D, E: trial use of eduroam
