Summary of wireless projects in the Janet community December 2010
Introduction
The last 10 years have seen wireless networking emerge and evolve from a supplementary hotspot technology into a ubiquitous necessity. Wireless networking is now a mature technology within educational institutions and as a result Janet is involved in work aiming to maximize the benefits of the investment that has been made by the community. This document briefly describes a number of current wireless networking related projects: some long-term, community-based or centred within established services which experience constant development; others short term, involving small-scale projects looking at single specific issues. The information contained in this document is only an overview. For further information, URLs are provided for each project’s website.
eduroam
When wireless networking first began to grow rapidly, Janet and TERENA were each quick to realise both the potential benefits of providing pervasive wireless access and that access would need to be secure and authenticated. In 2003 work began in Europe on a project to create a Europe-wide RADIUS authentication infrastructure. Janet responded by setting up the Location Independent Networking (LIN) trial to investigate the feasibility of utilizing differing remote authentication technologies. The trial included national RADIUS proxy servers to allow institutions to authenticate users visiting partner sites using the RADIUS protocol. This infrastructure enabled the UK to become one of the early participants in the European eduroam federation. The LIN project proved highly successful and resulted in the emergence of the Janet Roaming service to provide eduroam in the UK.
Since 2004, eduroam has evolved into a well-developed service used by over a hundred institutions across the UK and has been adopted extensively throughout Europe and in many countries around the world. In October 2010 the name Janet Roaming, representing the service to end users in the UK, was retired to enable consistent marketing of the more widely recognized eduroam name.
Whilst eduroam is an established service, there is still constant development work going on to improve it. Recent innovations include:
- A call for mentors to provide technical assistance on a one-to-one basis to help organisations experiencing RADIUS configuration problems.
- Introduction of the use of the Operator-Name RADIUS attribute to identify visited sites, in order to help troubleshooting.
- Syslog reporting to TERENA’s Federated-Ticker (F-Ticks) eduroam usage statistics service, currently in development.
- Various improvements to the eduroam UK support centre’s suite of automated tests and performance enhancements to the national RADIUS servers.
eduroam Visualisation Tool
Whilst eduroam is functionally a very mature and well-developed service, monitoring and logging are still somewhat basic. Currently in the UK monthly roaming statistics are manually compiled into a report which simply shows tables of figures and charts indicating overall inter-site usage. Presentation of these usage statistics is an area of eduroam in which there is a lot of room for development. Therefore, Janet funded a small project for MSc students at Southampton University to develop a proof of concept for the presentation of roaming statistics in an interactive visual manner.
In collaboration with Janet, the students developed a prototype tool for visualising eduroam roaming statistics within the UK using archived data from the national proxy servers to produce a map which could be manipulated to present inter-site roaming in a number of different ways. The software was Java-based and used NASA World Wind mapping technology. The prototype was presented by Janet in a session at the TERENA Networking Conference (TNC2010) in Vilnius, Lithuania.
RADIUS over TLS and IF-MAP
The current eduroam RADIUS infrastructure is a hierarchical system of servers which communicate via the UDP protocol. Whilst authentication data is encrypted, other RADIUS information is sent in plain text. To address these perceived weaknesses, an update to the standard has been developed to enable RADIUS to be used over TCP instead of UDP and to be encrypted using TLS. The increased security and more robust communications provided by the updated standard make the adoption of this element of RadSec desirable for the UK eduroam infrastructure.
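The point about plaintext RADIUS attributes is easiest to see on the wire. The following is an added example (not code from Janet, eduroam or any project on this page) that builds a RADIUS Access-Request exactly as RFC 2865 lays it out, including the Operator-Name attribute (RFC 5580) mentioned earlier, and then reads the attributes back without knowing the shared secret. Only User-Password is obscured, and that by the MD5-based hiding of RFC 2865 section 5.2, which stands or falls with the shared secret; User-Name, Calling-Station-Id and Operator-Name are readable by anyone on the UDP path. RadSec wraps the whole packet in TLS, so none of this is exposed. The usernames, secret and MAC address are constructed sample values.

```python
import hashlib
import os
import struct

# RADIUS packet code and attribute type numbers (RFC 2865; Operator-Name is RFC 5580)
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
CALLING_STATION_ID = 31
OPERATOR_NAME = 126

# RFC 5580 Operator-Name namespace identifiers (first octet of the attribute value)
OPERATOR_NAMESPACES = {b"0": "TADIG", b"1": "REALM", b"2": "E212", b"3": "ICC"}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-octet block with MD5(secret || previous block).
    This is the only confidentiality RADIUS/UDP provides, and it covers User-Password alone."""
    pad = (16 - len(password) % 16) % 16
    padded = password + b"\x00" * pad
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        hidden += block
        prev = block
    return hidden


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of hide_password; the chain is keyed on the hidden blocks, so it is symmetric."""
    clear = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ d for c, d in zip(block, digest))
        prev = block
    return clear.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Encode one attribute: type (1 octet), length (1 octet, header included), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, secret, authenticator, username, password,
                         calling_station, operator_realm):
    """Build an Access-Request as it would leave a visited site's proxy over UDP."""
    attrs = (
        attribute(USER_NAME, username.encode())
        + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
        + attribute(CALLING_STATION_ID, calling_station.encode())
        + attribute(OPERATOR_NAME, b"1" + operator_realm.encode())  # '1' = REALM namespace
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list with no shared secret at all: every attribute except
    User-Password comes back in the clear."""
    attrs = {}
    offset = 20  # code, id, length, 16-octet authenticator
    while offset + 2 <= len(packet):
        atype, alen = packet[offset], packet[offset + 1]
        if alen < 2 or offset + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[offset + 2:offset + alen]
        offset += alen
    return attrs


def parse_operator_name(value: bytes):
    """Split an Operator-Name value into its namespace and the operator identifier."""
    namespace = OPERATOR_NAMESPACES.get(value[:1])
    if namespace is None:
        raise ValueError("unknown Operator-Name namespace")
    return namespace, value[1:].decode()


if __name__ == "__main__":
    # Constructed sample values; a real request carries a fresh random authenticator.
    auth = os.urandom(16)
    pkt = build_access_request(7, b"testing123", auth, "alice@example.ac.uk", "secretpw",
                               "00-11-22-33-44-55", "visited.ac.uk")
    visible = parse_attributes(pkt)
    print("User-Name in clear:", visible[USER_NAME])
    print("Operator-Name:", parse_operator_name(visible[OPERATOR_NAME]))
    print("password literal present in datagram:", b"secretpw" in pkt)
```

In eduroam the credential itself travels inside an EAP tunnel rather than in User-Password, but the outer User-Name, Calling-Station-Id and Operator-Name are still carried as plain RADIUS attributes, which is why moving the hop-by-hop transport to TLS matters.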
RadSec comprises a number of elements; in addition to RADIUS over TCP/TLS, dynamic host discovery is defined within the standard, which enables RADIUS servers to communicate directly without involving the proxy servers. In practice this means that inter-site eduroam authentication communication could take place without involving the national proxy servers.
A Janet project currently under way addresses the deployment of RadSec (RADIUS over TCP/TLS) within the UK infrastructure. The project aims initially to convert a number of participating organisations to use RADIUS over TCP/TLS for communications with the National RADIUS Proxy Servers (NRPS). Once this goal has been achieved, the project aims to implement dynamic discovery so that sites can communicate directly without the need for the NRPS. The project is also investigating the use of IF-MAP (see below) for monitoring and logging, and aims to deploy IF-MAP within the eduroam UK infrastructure concurrently with the RadSec work.
Usage statistics for eduroam are currently derived from logs of traffic passing through the national proxy servers. Logs are currently maintained at both a national and European level. If the eduroam infrastructure were to move to dynamic host discovery and sites were to communicate directly, a new mechanism would be required to collect logs. Therefore, as a potential long-term logging solution for eduroam in the UK, IF-MAP (Interface to Metadata Access Points) is being investigated as part of the RadSec project.
IF-MAP uses a flexible, lightweight database to store state information, from which devices and systems can retrieve data or to which they can subscribe for updates. IF-MAP is viewed as an emerging technology with great potential for linking data from various source systems to provide holistic overviews of network activity. This is most useful for areas such as network access control (NAC), as IF-MAP can provide a repository of data for making decisions about access.
In addition to the RadSec / IF-MAP project, Janet is also funding an MSc project at Southampton University investigating potential uses and applications of IF-MAP within Janet.
Federated Ticker for eduroam (F-Ticks)
With projects underway to introduce RADIUS over TCP/TLS and dynamic discovery to the eduroam infrastructure, not just in the UK but also in Europe, the problem of collecting statistics is beginning to surface. As previously mentioned, once institutions’ RADIUS servers communicate directly, the ability to monitor usage will be lost using current methods. Given that most national network operators would like to maintain this usage information, new methods are needed to obtain these statistics. In the UK, Janet is exploring the use of IF-MAP as a solution; however, in Europe most NRENs are taking part in the GÉANT3 F-Ticks project. This is based on a much more basic technology than IF-MAP, using syslog messages sent from RADIUS servers to a central facility where data is stored and processed to enable international daily and monthly roaming activity to be displayed. In addition to the IF-MAP concept, eduroam UK is also taking part in F-Ticks and is currently sending syslog messages from the National RADIUS Proxy servers.
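The F-Ticks approach described here, and the monthly roaming statistics mentioned under the visualisation tool, both come down to counting authentication events per home realm and visited site. The following is an added example, not code from Janet, GÉANT or eduroam, of how a national operator might reduce F-Ticks syslog lines to such a summary. The message layout (an `F-TICKS/eduroam/1.0#` prefix followed by `#`-separated `KEY=value` fields such as REALM, VISCOUNTRY, VISINST, CSI and RESULT) is assumed from the GÉANT F-Ticks documentation and is not given on this page; the syslog lines themselves are constructed. The client identifier (CSI) is hashed with a salt before it is kept, so the resulting report cannot be traced back to an individual device.

```python
import hashlib
from collections import Counter

# Constructed sample syslog lines in the assumed F-Ticks layout; the hostnames,
# realms and MAC addresses are invented for this example.
SAMPLE_SYSLOG = """\
Dec  1 09:12:03 nrps0 radsecproxy[2231]: F-TICKS/eduroam/1.0#REALM=alpha.ac.uk#VISCOUNTRY=UK#VISINST=beta.ac.uk#CSI=00:11:22:33:44:55#RESULT=OK#
Dec  1 09:12:09 nrps0 radsecproxy[2231]: F-TICKS/eduroam/1.0#REALM=alpha.ac.uk#VISCOUNTRY=UK#VISINST=beta.ac.uk#CSI=00:11:22:33:44:55#RESULT=OK#
Dec  1 09:13:41 nrps1 radsecproxy[1187]: F-TICKS/eduroam/1.0#REALM=gamma.ac.uk#VISCOUNTRY=UK#VISINST=beta.ac.uk#CSI=66:77:88:99:aa:bb#RESULT=FAIL#
Dec  1 09:15:00 nrps1 radsecproxy[1187]: F-TICKS/eduroam/1.0#REALM=alpha.ac.uk#VISCOUNTRY=NL#VISINST=delta.example.nl#CSI=cc:dd:ee:ff:00:11#RESULT=OK#
Dec  1 09:15:02 nrps1 radsecproxy[1187]: unrelated message, not a tick
"""

TICK_PREFIX = "F-TICKS/eduroam/1.0#"


def parse_tick(line: str):
    """Return the key/value fields of one F-Ticks message, or None if the line is not a tick."""
    idx = line.find(TICK_PREFIX)
    if idx < 0:
        return None
    fields = {}
    for part in line[idx + len(TICK_PREFIX):].split("#"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def pseudonymise(csi: str, salt: bytes) -> str:
    """Salted hash of the Calling-Station-Id so stored statistics cannot name a device."""
    return hashlib.sha256(salt + csi.lower().encode()).hexdigest()[:16]


def summarise(syslog_text: str, salt: bytes = b"constructed-salt"):
    """Count authentications per (visited institution, home realm, result) and the
    number of distinct pseudonymised devices that authenticated successfully at each site."""
    auths = Counter()
    devices = {}
    for line in syslog_text.splitlines():
        tick = parse_tick(line)
        if tick is None:
            continue
        visited, realm, result = tick.get("VISINST"), tick.get("REALM"), tick.get("RESULT")
        auths[(visited, realm, result)] += 1
        if result == "OK":
            devices.setdefault(visited, set()).add(pseudonymise(tick.get("CSI", ""), salt))
    return auths, {site: len(seen) for site, seen in devices.items()}


if __name__ == "__main__":
    counts, distinct = summarise(SAMPLE_SYSLOG)
    for (visited, realm, result), n in sorted(counts.items()):
        print(f"{visited:18} {realm:14} {result:5} {n}")
    print("distinct devices per visited site:", distinct)
```

Because the only input is the syslog stream, the same summary can be produced whether the ticks originate at the national proxies (as now) or, after dynamic discovery, at each institution's own RADIUS server; that independence from the proxy path is the reason F-Ticks survives the move to direct site-to-site communication.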
SU1X
For many Janet-connected organisations which have implemented networks that use 802.1X, one of the main issues faced is ensuring client devices are properly configured to connect to and gain authentication over the wireless network. Many users find it challenging to set up their devices properly themselves. This in turn often increases an institution’s IT support workload as it has to assist users who are experiencing difficulties. For this reason most organisations have extensive documentation and provide significant resources to help users connect their devices to the wireless network. Given the difficulties of 802.1X device configuration, it has long been recognised that there was a need for an automated method of configuring users’ devices. Such an automated method would have the benefit of simplifying the process for the user and greatly reducing the overhead of supporting users trying to connect to the wireless network.
To address this requirement, Swansea University, in association with Janet, has developed the SU1X 802.1X Windows Configuration Deployment tool. The software, complete with administrator manual and case study, is available free of charge on Sourceforge for network managers to download and use. The software allows the network manager to deploy their preferred 802.1X settings to Microsoft Windows clients by creating a reference configuration that is automatically installed on users’ machines through a simple click on a setup utility icon.
The SU1X software is now a popular deployment tool used by a number of universities and has undoubtedly contributed to the rapid rise in usage of the eduroam service in the UK.
Temporary eduroam hotspots for meeting support
For a long time it has been a goal of the UK eduroam community to develop a device which could be temporarily connected at a venue with no eduroam service to provide eduroam access for an event or meeting. Despite the obvious benefits such a solution has been slow to emerge, mostly due to the technical challenges of providing such a system.
The Southampton Open Wireless Network (SOWN) offers a glimpse of how a solution might be arrived at. SOWN is a project at Southampton University which provides secure wireless networking for university students living within Southampton. The project has customised Linksys access points (APs) running the OpenWRT operating system. Students can borrow these APs and plug them into their broadband services at home. The APs then broadcast the SOWN SSID. When a user tries to connect to the wireless network, the APs tunnel access-requests via VPN (using OpenVPN) to the SOWN network and Southampton University’s RADIUS servers for authentication against the University’s user database.
The SOWN system has been adapted for use in proof of concept of an eduroam meeting support service. This work included the successful deployment of a modified SOWN AP at a recent UCISA meeting and the Janet Strategic Briefing event, providing eduroam to the attending members. Neither venue featured eduroam services and both were connected to the Internet by commercial ISPs.
Work is ongoing towards developing a scalable system that can provide the basis of a managed meeting/conference support service.