eduroam Meeting Support Introductory Information for Venues
eduroam Meeting Support (eMS) overview
Jisc wishes to provide eduroam for delegates attending meetings at venues which do not provide eduroam Visited services. This is achieved through our eduroam Meeting Support service, a Wi-Fi system that extends the ubiquitous eduroam Wi-Fi service found on most university campuses to venues where it is not natively available. University networks generally require users’ identities to be authenticated prior to connection. eduroam provides a common authentication environment, enabling users to 'just connect' without having to create new profiles on their Wi-Fi devices for each location they visit or to adjust Wi-Fi association settings. Since a single SSID is used, users also avoid having to create the further profiles that local WEP/WPA-key/open networks would need.
eduroam is also popular with users since it features AES data encryption security, whilst also guaranteeing the operation of a range of commonly used applications through rules requiring a minimum standard set of ports and protocols to be permitted through firewalls. With the eMS service this is accomplished through a secure VPN tunnel to our eduroam network and proxy server at Harwell – effectively extending the home university eduroam environment to wherever the eMS devices are deployed.
In practical terms eduroam Meeting Support simply comprises a number of 802.11a/g/n wireless access points (APs) which connect to a host venue’s wired network. Using the venue’s Internet service, through an IPSec VPN the APs tunnel all authentication AND network traffic to a WLAN controller at Janet’s Harwell data centre. Here a RADIUS server handles the authentication requests, forwarding these to organisations’ home networks and handling the returning access/reject responses. Once the user’s device is connected to the AP’s eduroam network, all application traffic is then also tunnelled back to Janet head office over the IPSec VPN.
Benefits to the venue
The benefit to the venue is that delegates who are from eduroam-enabled organisations do not have to take up your time in administrative tasks before they can use your network. If you have implemented user authentication, you will save on guest account management. If you simply use WPA keys, you will save on having to repeatedly inform delegates of the code or help them get their devices connected. In addition, since IP addresses for client devices are distributed from the Janet eduroam pool, eduroam-connected delegates will not make any demand on your IP address pool. Finally, if the venue’s own guest network is open, you will avoid the risk of complaints arising from delegates connecting to an unencrypted service (since the eMS service utilises AES encryption).
eMS requirements for deployment at the venue
Essentially, depending on the size of the event and the venue, we would like to connect a small number of Wi-Fi access points to your network and for these to make use of your Internet connection.
The requirements on your network would be:
• suitable locations for secure connection of APs to wired LAN network points – which may require patching in your comms rack to enable
• power over Ethernet or mains power source at the AP locations
• a DHCP IP address for each AP
• permission to utilise wireless channels in the 2.4G and/or 5.8G bands
• firewall must allow an IPsec VPN to be established and permit NTP
• a reasonable bandwidth (e.g. minimum 10Mbps) for Internet access
Since all traffic is contained within a secure tunnel, other than to permit the establishment of the initial IPSec tunnel, there are NO specific demands made on your venue's firewall configuration to permit delegates' applications to work.
The protocols and ports that must be open on your firewall are therefore:
IPSec:
• ESP: IP protocol 50
• AH: IP protocol 51
• IKE: UDP port 500
• IPSec NAT Traversal: UDP port 4500
NTP:
• NTP: UDP port 123
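As an added illustration (not part of Jisc's guidance or configuration), the list above can be expressed as a least-privilege rule set for a venue firewall, here assumed to be a Linux router running nftables. The AP subnet and the tunnel endpoint address are constructed placeholders, since this page does not give the real endpoint, and the final drop rules assume the APs need nothing beyond what is listed above.

```nftables
#!/usr/sbin/nft -f
# Added example. Addresses are constructed placeholders (RFC 5737 ranges):
# substitute the subnet you allocate to the APs and the endpoint Jisc supplies.
define EMS_AP_NET = 192.0.2.0/28     # assumption: VLAN / DHCP scope for the eMS APs
define EMS_VPN_GW = 198.51.100.10    # assumption: placeholder tunnel endpoint

table inet ems_venue {
    chain forward {
        # policy accept: this chain only constrains the AP subnet and
        # leaves the venue's other forwarding decisions to its own rules.
        type filter hook forward priority 0; policy accept;

        # Replies to flows that the APs opened.
        ip daddr $EMS_AP_NET ct state established,related accept

        # IKE (UDP 500) and IPsec NAT traversal (UDP 4500).
        # Behind NAT, ESP is carried inside UDP 4500.
        ip saddr $EMS_AP_NET ip daddr $EMS_VPN_GW udp dport { 500, 4500 } accept

        # ESP (50) and AH (51) are IP protocol numbers, not TCP/UDP ports,
        # so they are matched on the IP protocol field.
        ip saddr $EMS_AP_NET ip daddr $EMS_VPN_GW ip protocol { esp, ah } accept

        # NTP for the APs.
        ip saddr $EMS_AP_NET udp dport 123 accept

        # Delegate traffic travels inside the tunnel, so anything else leaving
        # the AP subnet is unexpected: log it, count it, drop it.
        ip saddr $EMS_AP_NET log prefix "ems-ap-unexpected " counter drop

        # No unsolicited connections from elsewhere towards the APs.
        ip daddr $EMS_AP_NET counter drop
    }
}
```

Running `nft -c -f` on the file checks the syntax without loading it, and the `ems-ap-unexpected` log prefix shows anything the APs attempt outside the listed protocols.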
Regarding demands on Wi-Fi RF spectrum, since the addition of eMS APs for the event could have an effect on your existing Wi-Fi network, we can tailor the Wi-Fi standards and channels that eMS uses to avoid interference if required.