Conference Paper

Eduroam: Past, present and future


... In fact, AAA infrastructures based on the Diameter protocol [18] are commonly used in 3G networks to control the access of millions of users [19]. Another example is eduroam (educational roaming network) [20], a world-wide federation for WiFi connectivity across campuses and research and educational organizations around the world that supports thousands of users. Eduroam deploys EAP and an AAA infrastructure based on the Remote Authentication Dial In User Service (RADIUS) [21], which provides the identity federation substrate. ...
... The EAP server is typically placed in the IdP's AAA server where the Smart Object is registered. Several intermediate AAA proxies can be placed between the Controller and the IdP's AAA server, especially in federated environments (although it will depend on the specific deployment) [20]. ...
Article
Full-text available
The Internet of Things (IoT) is becoming increasingly important in several fields of industrial applications and personal applications, such as medical e-health, smart cities, etc. The research into protocols and security aspects related to this area is continuously advancing in making these networks more reliable and secure, taking these aspects into account by design. Bootstrapping is a procedure by which a user obtains key material and configuration information, among other parameters, to operate as an authenticated party in a security domain. Until now solutions have focused on re-using security protocols that were not developed for IoT constraints. For this reason, in this work we propose a design and implementation of a lightweight bootstrapping service for IoT networks that leverages one of the application protocols used in IoT: Constrained Application Protocol (CoAP). Additionally, in order to provide flexibility, scalability, support for large scale deployment, accountability and identity federation, our design uses technologies such as the Extensible Authentication Protocol (EAP) and Authentication, Authorization and Accounting (AAA). We have named this service CoAP-EAP. First, we review the state of the art in the field of bootstrapping and specifically for IoT. Second, we detail the bootstrapping service: the architecture with entities and interfaces and the flow of operation. Third, we obtain performance measurements of CoAP-EAP (bootstrapping time, memory footprint, message processing time, message length and energy consumption) and compare them with PANATIKI, the most significant and constrained representative of the bootstrapping solutions related to CoAP-EAP. As we will show, our solution provides significant improvements, mainly due to an important reduction of the message length.
... Nowadays the deployment of multiple APs in large enterprises and campuses has become a prevalent standard [1]. The concept of users always being connected to these APs with their smartphones, tablets and/or notebooks has changed the way of our everyday communication [2][3][4]. ...
Article
Full-text available
Excessive energy consumption of the mobile device Wi-Fi (IEEE 802.11x) interface is limiting its operational time on batteries, and impacts the total energy consumption of electronic devices. In recent years the research community has invested great effort in better efficiency of energy consumption. However, there is still space for improvement. Wi-Fi devices connected to a single AP (Access Point) compete for the medium during data exchange. However, due to the performance anomaly in 802.11 networks, a low data rate device will force all other devices connected to the AP to communicate at a low rate, which will increase the total energy consumption of these devices. The Wake-on-a-Schedule algorithm is proposed, reducing the energy consumption of devices placed in the area with the weaker signal by scheduling the data packets for each client on the server side, which will not allow clients to compete for the Wi-Fi medium. Through extensive measurements we show that our algorithm can save up to 60% of energy consumption on the client side.
... It originated in Europe and gradually expanded its coverage to other continents, becoming a global federated service. The main goal of this initiative is to enable students, researchers, and university staff to obtain wireless internet access on campus and at other academic centres using their home institution's login credentials (Florio, Wierenga 2005). The concept of Eduroam's creation and development arose from the growing need to provide secure and reliable internet access in academic environments. ...
Article
Full-text available
The study describes the procedure and conditions for performing geovisualisations based on dispersed measurement data obtained at specified spatial intervals. The research utilised a rarely used method of representing dispersed phenomena in the form of static three-dimensional visualisation. The work presents the procedure necessary to create a clear and cartographically effective image of a phenomenon that is not directly observable but recorded using specialised equipment. The method was tested by analysing the spatial distribution and intensity of the signal strength of the Eduroam wireless access system operating in the building of the Faculty of Earth Sciences and Spatial Management at Nicolaus Copernicus University in Toruń. The outcome is a three-dimensional model of the signal distribution of this network within selected size intervals. The results support the building administrator's decision-making processes regarding the optimal placement of internal access points. Geographic information system (GIS) software and raster applications for processing and integrating image data were used in the conducted activities. The methodological part describes data acquisition, geodatabase creation, statistical analysis, and data interpolation using spline functions and surface estimation. The development of 3D GIS tools not only enables more precise analyses but also contributes to a better understanding of the distribution of non-linearly dispersed phenomena in space. The presented method and the results of the conducted research contribute to the practical application development of 3D GIS systems.
... Eduroam [12] is a current example within this problem space that provides a pathfinding example. For educational institutions, Eduroam has been operational worldwide under an agreement protocol, where users are authenticated by their home institution on an as-need basis as users roam across institutions. ...
Article
Full-text available
Modern information systems are built from a complex composition of networks, infrastructure, devices, services, and applications, interconnected by data flows that are often private and financially sensitive. The 5G networks, which can create hyperlocalized services, have highlighted many of the deficiencies of current practices in use today to create and operate information systems. Emerging cloud computing techniques, such as Infrastructure-as-Code (IaC) and elastic computing, offer a path for a future re-imagining of how we create, deploy, secure, operate, and retire information systems. In this paper, we articulate the position that a comprehensive new approach is needed for all OSI layers from layer 2 up to applications that are built on underlying principles that include reproducibility, continuous integration/continuous delivery, auditability, and versioning. There are obvious needs to redesign and optimize the protocols from the network layer to the application layer. Our vision seeks to augment existing Cloud Computing and Networking solutions with support for multiple cloud infrastructures and seamless integration of cloud-based microservices. To address these issues, we propose an approach named Open Infrastructure as Code (OpenIaC), which is an attempt to provide a common open forum to integrate and build on advances in cloud computing and blockchain to address the needs of modern information architectures. The main mission of our OpenIaC approach is to provide services based on the principles of Zero Trust Architecture (ZTA) among the federation of connected resources based on Decentralized Identity (DID). Our objectives include the creation of an open-source hub with fine-grained access control for an open and connected infrastructure of shared resources (sensing, storage, computing, 3D printing, etc.) managed by blockchains and federations. Our proposed approach has the potential to provide a path for developing new platforms, business models, and a modernized information ecosystem necessary for 5G networks.
... X.509, SAML, OAuth, OpenID) [17]. eduroam (EDUcation ROAMing, https://eduroam.org) is an international roaming service in Wi-Fi networks for the R&E community with uniform credentials and user authentication on the side of the user's home organization [18,19]. Currently, more than 10 thousand hotspots have already been deployed around the world in 106 countries (territories), and more than 12 million national and international authentications were registered daily (before the COVID-19 pandemic). ...
... Over the years, the use of computer networks has provided huge benefits to mankind via the Internet in several domains such as education, business, banking and defense (Arun, 2018). This interconnected set of computer systems permits interactive resource sharing between connected pairs of systems, either wired or wirelessly (Wierenga and Florio, 2005). However, wireless communications are becoming widespread in many fields and commonplace in many environments, and people are also adapting to the on-the-go connection of computer networks (Tang and Baker, 2002). ...
Article
Full-text available
The increasing rate of Internet users has caused the storage of a tremendous amount of data and the rise in web traffic, resulting in network congestion, web service delay and slow response time. These network bottlenecks have affected the services and performance experienced by the users, thereby posing a serious question against the network reliability and usability. This paper analyzes the usability of a wireless network and its performance based on the quality of service (QoS) experienced by the network users. A huge number of distinct packets was collected on 1,476 installed access points using the Wireshark packet tool over a period of three weeks for data pre-capturing at the experimental stage. Experimental analysis was carried out using a number of QoS parameters subject to the network resource requirements and usability. Experimental results showed the usability indices for each QoS parameter and the practicality of traffic patterns, user behaviours and other QoS parameters in measuring network usability.
... One applied mechanism in the Wi-Fi environment is Eduroam, which has been designed and implemented by European educational institutes [26]-[28]. This service provides users with secure Internet access when they roam between participating academic institutions. ...
Article
Full-text available
Future wireless networks will exploit a variety of wireless technologies to provide ubiquitous connectivity to mobile devices in the form of cellular, Wireless Local Area Networks, and femtocells. Inevitably, future wireless networks will be diverse in nature, employing a number of different techniques to associate the hand held devices that are deemed to use the network. Furthermore, mobile users seek seamless connectivity while roaming in the midst of different networks. This requires the mobile device and the wireless networks to be capable of performing a vertical handover when the mobile nodes find themselves in the vicinity of a foreign network. Regardless of the technological challenges, in terms of security, data integrity and mutual authentication between participating agents remain a significant concern in heterogeneous networks. This paper explores these concerns by examining a number of solutions proposed for vertical handover, and identifies the EAP Reauthentication Protocol (ERP) as a technology-independent flexible mechanism for a vertical handover. EAP-ERP satisfies the mobility requirements of future hand held devices while promising the desired security features. In view of thoroughly exploring EAP-ERP, Casper/FDR has been used in this paper to analyze its security properties under various conditions. The results indicate that despite the initial perception, EAP-ERP lacks mutual authentication between agents, while the integrity of keying material is adequately protected.
... Hence, the development of intelligent campus environments constitutes a new paradigm for supporting and integrating all the academic activities, as an effort to enrich the students' end-to-end learning lifecycle [1]. Given the significant increase in the number of mobile devices with connectivity requirements within academia, in 2003 eduroam was designed as a secure, world-wide roaming solution to provide access service for the international research and education community [23]. Nowadays, eduroam is one of the most important network federations around the world, allowing users from hundreds of institutions to access the visited network although they belong to another eduroam member institution [16]. ...
Article
This paper presents a novel activity recommendation system based on the secure federated network Eduroam. The system, according to the users' profiles, is able to offer personalized information in a campus environment. The recommendation system uses basic user profile information from the directory services of Eduroam and an optional extended user profile with advanced personal information provided by users. The system is able to recommend even with only the basic information from Eduroam. Therefore, users can obtain recommendations without a prior configuration, and they can still obtain recommendations when they are visiting a foreign university within the Eduroam federation in a transparent way.
... A total of 5,917 devices associated with the wireless network during the whole trace period. To encourage the mobility of researchers and European students, UPC is taking part in the Eduroam project (Wierenga & Florio, 2005), providing wireless connectivity to Eduroam partners as if they were at their home institution. This scenario offers an opportunity for students to access mLearning activities from outside the classroom. ...
Article
Wireless local area networks (WLANs) are commonplace in many universities. Understanding the trends in the usage of these networks is becoming more important. Interesting results can be extracted about association patterns by analyzing WLAN traces from real scenarios. In this work, the library in the main campus of the Technical University of Catalonia (UPC) in Barcelona has been studied. Daily and weekly patterns of the WLAN connections are shown. The population accessing the network is mostly composed of infrequent users: half of the population accesses the WLAN once during each month. Many users associate to only one of the twelve possible access points, which means that, despite the widespread use of lightweight devices, many users are static. The results of this analysis provide general tools for characterizing campus-wide WLAN and a better understanding of usage and performance issues in a mature wireless network.
... While eduroam [1] is clearly the dominant RADIUS-based [2] confederation between academic and research organisations, there already exist other federations, such as commercial community networks, which have similar interests in enabling roaming between their members and academic and research organisation networks. Each of these federations may have its own, even contradictory, policies for federation member roaming, which means that all roaming relationships cannot be covered within a single federation. ...
Conference Paper
Full-text available
As eduroam, other confederations and community networks continue to grow and evolve, the inter-connectivity and roaming issues between these and multiple federations are becoming more important. The current and future needs for multi-community and peer-to-peer roaming must be addressed when developing the federation level eduroam server implementations. Based on the new upgrade developed for the Finnish eduroam top-level server, this paper proposes a design and an implementation to address these issues in a federation level server implementation.
... While the parties in SAML need pre-built trust, in OpenID the SP simply relies on the DNS system to find the address of the IdP and trusts it anyway; thus OpenID is susceptible to DNS-related impersonation attacks, such as DNS hijacking and DNS cache poisoning. Eduroam [18] is a network roaming federation based on a RADIUS proxy hierarchy, supported by GÉANT. Many organizations have membership both in eduroam and eduGAIN, and need to deploy and maintain them separately, so the DAMe [19] project was launched to unify those two federations. ...
Article
Full-text available
Federated identity management (FIM) is an effective technology that allows multiple organizations to share resources with each other. Proposed FIM solutions have faced deployment and maintenance barriers caused by the lack of an effective trust management mechanism. In this paper, we present a FIM system with a centralized trust management component named TSP. TSP can automatically establish trust relationships between federation parties at runtime with inexpensive overhead. We also propose a new interaction mode, indirect authentication exchange, to unify network access authentication with application-level Single Sign-On (SSO) as an integrated one-step authentication. With the features of centralized trust management and indirect authentication exchange, the FIM system can be more easily and flexibly deployed and maintained. We have implemented a prototype to demonstrate the feasibility of the proposed features.
... User authentication in these networks is essential to guarantee that only authorized users access the available services. It is not always possible to find networks of different institutions interconnected with each other; however, in [7] a model is proposed in which users of one network authenticate at locations not belonging to their home network. The idea of this project is to use IEEE 802.1X authentication together with the RADIUS protocol (Remote Authentication Dial In User Service) to create an educational network in which members of several universities can connect using the same credentials from their home institution on all interconnected networks. ...
Conference Paper
Full-text available
Abstract— This work aims to create a Mobile IPv6 architecture model between digital cities. The purpose of this architecture is to deploy IPv6 support in the metropolitan networks of these cities and to create a single way of connection and user authentication, regardless of location, keeping the same IPv6 address of the home network by means of IPv6 mobility. The result will be the integration of the cities, allowing citizens full mobility in the consumption and provision of services running on the digital cities.
... An example is the Wireless Andrew at the Carnegie Mellon University campus [1], an enterprise-wide broadband wireless network developed in 1993. To encourage the mobility of researchers and European students, the Education Roaming project (eduroam) was developed in 2003 [2], providing wireless connectivity through different institutions in Europe. ...
Article
Full-text available
Wireless local area networks (WLAN) are common in universities and their popularity grows every day. Understanding the trends in the use of these networks (i.e. how much, when and where traffic is present) is becoming more relevant. Interesting results can be extracted by analyzing WLAN traces from real scenarios. In this work, three buildings are studied on two campuses in Barcelona (Spain) and its surroundings. This is the first study providing the user behavior in a European campus. Similar trends are observed in the three buildings, despite the different number of users, purpose of the building and size of the campus. Daily and weekly patterns are shown. The population accessing the networks is mostly composed of infrequent users: less than half of the devices access the WLAN more than four days during the three months studied. Many users visiting one building associate with only one access point: despite the widespread use of lightweight devices, many users are static. The main difference among different buildings is the fidelity of users: users on a small campus are more likely to reappear on different days than on a large campus, where the population is more heterogeneous. The results of this analysis provide general tools for characterizing campus-wide WLAN and a better understanding of usage and performance issues in a mature wireless network in Europe.
... Previous work in interconnecting identity federations has been done in the eduroam confederation for roaming network access [8] and in interconnecting the E-Authentication federation of the US government and the InCommon federation of US higher education [9]. In the private sector, project Fidelity has demonstrated interconnecting four teleoperator-centered CoTs (Circles of Trust) [10]. ...
Article
Full-text available
Purpose – This paper aims to outline considerations for trust management between established national identity federations in education and research. It also aims to discuss policy issues related to cross-federation and to compare existing academic identity federations. The paper seeks to investigate Nordic national federations and to introduce the Kalmar Union as a means of interconnecting the Nordic federations.
Design/methodology/approach – The paper discusses various issues in the policy of a cross-federation, and suggests further work for developing the Kalmar Union Charter.
Findings – The paper finds that as the technology used in federated identity management becomes more and more standardised, the technological challenges in making cross-federations become fewer. Therefore, the remaining obstacles seem to be missing legislative know-how, causing a lack of sound information for decision makers. Thus, in an identity federation, trust establishment is, in the first place, a policy issue, not a technical one.
Originality/value – In recent years, several identity federations have been established in higher education around the world. Existing federations have a national scope, but the need for cross-border services has led to the first interconnects of national federations. The Kalmar Union has been established as a cross-federation of the Nordic academic identity federations.
... Hence, new services must earn the merit of the provider, which reduces the opportunity to implement innovative services without provider benefit. An example of a federated non-profit network is the eduroam network, a European Wi-Fi access network for education facilities, such as universities and high schools [11]. eduroam consists of many organizations, each of which operates its own RADIUS [12] authentication server. ...
Conference Paper
Full-text available
Large-scale municipal wireless networks are currently being established all around the world. These networks provide a rich set of local services, such as tourist guides, environmental information, pedestrian navigation, and local shopping guides. As recent financial failures of prominent municipal wireless networks show, it is economically challenging to achieve the bandwidth and coverage that is necessary for such a network. At the same time, Wi-Fi-sharing communities achieve high bandwidth and good coverage at a very low cost by capitalizing on the dense deployment of private access points in urban areas. However, from a technical, conceptual, and security perspective, Wi-Fi sharing community networks resemble a patchwork of heterogeneous networks instead of one well-planned, uniform and secure network as required for the economic success of a municipal Wi-Fi project. In this paper, we show how to realize municipal wireless services on top of a Wi-Fi-sharing infrastructure in a technically sound and economically attractive fashion while taking into account legacy devices and mobile clients. Our solution cleanly separates the roles of controlling and administering the network from providing bandwidth and wireless access. This allows municipalities to focus their resources on municipal wireless services instead of providing Wi-Fi access.
... In the following, we highlight the three most widely used access control mechanisms: link-layer network access control through 802.1X, network-layer access control via Virtual Private Network (VPN) approaches, and application-layer access control. The eduroam project [15] is a prominent example of a network provider restricting access at the link layer. It employs 802.1X to authenticate users during their attempt to associate to the advertised network. ...
Conference Paper
Full-text available
Municipal Wi-Fi networks aim at providing Internet access and selected mobile network services to citizens, travelers, and civil servants. The goals of these networks are to bridge the digital divide, stimulate innovation, support economic growth, and increase city operations efficiency. While establishing such urban networks is financially challenging for municipalities, Wi-Fi-sharing communities accomplish good coverage and ubiquitous Internet access by capitalizing on the dense deployment of private access points in urban residential areas. By combining Wi-Fi communities and municipal Wi-Fi, a collaborative municipal Wi-Fi system promises cheap and ubiquitous access to mobile city services. However, the differences in intent, philosophy, and technical realization between community and municipal Wi-Fi networks prevent a straightforward combination of both approaches. In this paper, we highlight the conceptual and technical challenges that need to be solved to create collaborative municipal Wi-Fi networks.
... In an 802.11 network, the Supplicant is the STA and the Authenticator is the AP. Local ASs may use the services provided by remote ASs to authenticate Supplicants belonging to roaming users (using, for instance, a hierarchy of RADIUS servers [25]). In 802.11 networks, 802.1X has three phases (see Figure 3). ...
Conference Paper
Full-text available
This article presents a fast, secure handover protocol for 802.11 networks. The protocol keeps the security functionalities of 802.1X but uses a new reauthentication protocol that promotes fast handovers during reassociations. The reauthentication protocol recovers the original 802.11 paradigm: authenticate first, reassociate next. Following this paradigm, we conceived two new 802.11 authentication and reassociation protocols, which allow a mobile station to perform 802.1X reauthentications before reassociations with the same functionality of a complete 802.1X authentication. Furthermore, reassociation protocols are authenticated, preventing denial-of-service scenarios that are not handled by 802.11i. Our new approach requires little from the environment, namely a new, central Reauthentication Service for storing data used in the reauthentication of stations. The time of security-related tasks that contribute to handover delays was dramatically reduced to 1.5 ms, while an 802.1X fast resume takes more than 150 ms. Finally, our protocol addresses most design goals and problems stated by standards' working groups for fast, secure roaming in 802.11.
... This service level agreement among different organizations requires several efforts related to user mobility, exchange of security information, integration of heterogeneous proposals, etc. Concerning user mobility, the TERENA Mobility Task Force [1] provided a forum for exchanging experiences and knowledge about the different roaming development activities in the European Union. As a result of this effort, this task force defined and tested an inter-NREN roaming architecture, called eduroam [20], based on AAA servers (RADIUS [3]) and the 802.1X [14] standard. Eduroam allows users of participating institutions to access the Internet at other participants using their home institution's credentials, all this with a minimal administrative overhead. ...
Article
Identity federations have been emerging in recent years in order to make the deployment of resource sharing environments among organizations easier. One common feature of those environments is the use of access control mechanisms based on the user identity. However, most of those federations have realized that user identity is not enough to offer more fine-grained access control and value-added services. Therefore, additional information, such as user attributes, should be taken into account. This paper presents how one of those real and widely spread identity federations, eduroam, has been extended in order to make use of user attributes and to adopt authorization decisions during the access control process.
Chapter
Full-text available
MOOCs are seen as an important measure to open up universities to new target groups. In this chapter, two new variants of the usage of MOOCs in European higher education are highlighted: First, openly licensed MOOCs can be used as part of microcredential offers with university accreditation. Second, openly licensed MOOCs can be made available to other universities as an integrated resource and offer within European University alliances. This chapter discusses legal (such as copyright issues), organizational (such as processes), and technical issues (such as LTI, eduGAIN) for these new developments. An important requirement for this is that MOOCs are available as open educational resources (OER): Open licenses that allow the reuse, modification, and republication of educational resources ("open education resources") are another opportunity to open up and share university offers. This chapter is based on experiences of the national Austrian MOOC platform iMooX.at, the microcredential implementation of Graz University of Technology, as well as first ideas concerning the integration of openly licensed MOOCs within the Unite! University alliance of nine European technical universities.
Chapter
This chapter considers wireless local area network (WLAN) security. The focus is WLANs based on the IEEE 802.11 standard, and related subsets marketed under the Wi-Fi brand by an industry association to facilitate product interoperability.
Article
The behavior of students attending their classes while connected to WLAN facilities is analyzed in this paper. Information of their time behavior (i.e., when and how often they access the network) and space behavior (i.e., how they move inside the building) is presented. This analysis provides understanding of the current usage of existing WLAN infrastructures by students that combine the classes with mLearning activities on the same topic.
Article
Eduroam is a secure WLAN roaming service between academic and research institutions around the globe. It allows users from participating institutions secure Internet access at any other participating visited institution using their home credentials. The authentication credentials are verified by the home institution, while authorization is done by the visited institution. The user receives an IP address in the range of the visited institution, and accesses the Internet through the firewall and proxy servers of the visited institution. However, access granted to services that authorize via an IP address of the visited institution may include access to services that are not allowed at the home institution, due to legal agreements. This paper looks at typical legal agreements with service providers and explores the risks and countermeasures that need to be considered when using eduroam.
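The split the abstract describes (the home institution verifies the credential, the visited institution authorizes and hands out the address) only works because every RADIUS proxy in the hierarchy routes a request by the realm part of the outer identity, without ever seeing the real user name that travels inside the EAP tunnel. The following Python is an added illustration, not code from the paper or from any eduroam component; the realm names, routing table, upstream server address and hop-limit policy are assumptions made for the example.

```python
"""Realm-based routing of an eduroam-style RADIUS request.

Added illustration only; not code from the paper or from any eduroam
component. Realm names, server addresses, the routing table and the
hop limit are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL_REALM = "visited.example"            # assumed: realm of the institution running this proxy
NATIONAL_TOP_LEVEL = "ftlr.example:2083"   # assumed: upstream federation-level server
MAX_PROXY_HOPS = 5                         # assumed policy: this many Proxy-State attrs => loop

# Assumed routing table: realms this proxy knows directly -> RADIUS server to forward to.
ROUTING_TABLE = {
    "visited.example": "idp.visited.example:1812",
    "home.example": "radius.home.example:1812",
}


@dataclass(frozen=True)
class Route:
    action: str             # "local", "proxy" or "reject"
    target: Optional[str]   # server to forward to (None on reject)
    reason: str


def parse_nai(identity: str) -> Tuple[Optional[str], Optional[str]]:
    """Split a Network Access Identifier (RFC 7542) into (user, realm).

    Returns (None, None) for anything that is not exactly 'user@realm';
    the realm is lower-cased so 'Home.Example' and 'home.example' route alike.
    """
    if identity.count("@") != 1:
        return None, None
    user, realm = identity.split("@", 1)
    realm = realm.lower().rstrip(".")
    if not realm or any(c.isspace() for c in realm):
        return user, None
    return user, realm


def route_request(outer_identity: str, proxy_state_count: int) -> Route:
    """Decide where an Access-Request goes, using only the outer identity.

    The outer identity (typically 'anonymous@realm' or '@realm') is all a
    proxy sees; the real user name travels inside the TLS tunnel of the EAP
    method and is only decrypted by the home institution's server.
    proxy_state_count is the number of Proxy-State attributes already in
    the packet, which grows by one at every proxy hop (RFC 2865 §5.33).
    """
    _, realm = parse_nai(outer_identity)
    if realm is None:
        return Route("reject", None, "no usable realm in outer identity")
    if proxy_state_count >= MAX_PROXY_HOPS:
        return Route("reject", None, "too many proxy hops, probable routing loop")
    if realm == LOCAL_REALM:
        return Route("local", ROUTING_TABLE[realm], "our own realm, authenticate locally")
    if realm in ROUTING_TABLE:
        return Route("proxy", ROUTING_TABLE[realm], f"realm {realm} known directly")
    # Sub-realms (student.home.example) route to the parent institution.
    for known, target in ROUTING_TABLE.items():
        if realm.endswith("." + known):
            return Route("proxy", target, f"sub-realm of {known}")
    # Anything else goes up the hierarchy; the national server knows the rest.
    return Route("proxy", NATIONAL_TOP_LEVEL, "unknown realm, default route upstream")


def inner_realm_matches_outer(outer_identity: str, inner_identity: str) -> bool:
    """Check done at the home server once the tunnel is open: the realm of the
    inner identity must equal the realm that routed the request here.
    Assumed policy; some deployments accept a bare inner user name instead."""
    _, outer_realm = parse_nai(outer_identity)
    _, inner_realm = parse_nai(inner_identity)
    return inner_realm is not None and inner_realm == outer_realm


if __name__ == "__main__":
    for ident in ["anonymous@home.example", "@visited.example", "alice", "x@unknown.example"]:
        print(ident, "->", route_request(ident, proxy_state_count=0))
```

Two points worth noting when reading it against the abstract: a request with no realm is rejected rather than guessed at, because nothing in the hierarchy could route it; and the inner/outer realm comparison is the home server's business only, since the visited institution never learns the inner identity and therefore cannot base its authorization on anything but the realm and the Access-Accept it gets back.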
Article
Wireless Mesh Networks (WMNs) consist of a wirelessly connected infrastructure of Mesh Routers (MRs) connected to the Internet via Mesh Gateways. Previous proposals on WMN security mainly focus on mesh networks operated by a single operator and rarely support mobility of Mesh Clients (MCs) with the help of secure roaming and handover procedures. While these approaches protect the communication of MCs against external attackers, they do not take internal attackers into account. In our previous work, we proposed a security architecture for single-operator WMNs, extended this architecture to the multi-operator case to support roaming between operators and secure infrastructure sharing and proposed secure handover procedures within the domain of a single operator. In this paper, we merge the different aspects of our prior proposals together to form a comprehensive security architecture for multi-operator WMNs. Our solution is based on open standards and explicitly addresses internal attackers. In addition, we propose pro-active handover services between different operators and show how dedicated MRs can take over authentication services in time-critical situations such as handover procedures.
Conference Paper
A lot of effort has been made recently to build academic federations. However, some issues are still open. The first is off-line authentication: today's model of federation requires systems to work on-line and synchronously, which limits its use for some applications. Second, the data federated institutions make available is only for computer systems and not for people, which makes it difficult for the humans involved to assess such credentials. Finally, the federation faces numerous technical and legal issues in the provision of private data such as biometric parameters, even though these would allow a much stronger authentication process. This research therefore proposes to model an identity card based on the ICAO 9303 standard for use in academic federated environments. The proposal enables off-line authentication, assessment of credentials by human agents, and the use of private biometric data in a secure manner.
Article
Purpose: eduroam™ has already proved to be a scalable, secure and feasible way for universities and research institutions to connect their wireless networks into a WLAN roaming community, but the advantages of eduroam™ have not yet been fully explored in wireless community networks aimed at regular consumers. The aim of this paper is to describe how the eduroam™ architecture and technologies can be used to build such wireless community networks and to present the experiences gathered in building the Wireless Tampere community network.
Design/methodology/approach: The eduroam™ architecture and technologies were chosen as the basis of the Wireless Tampere community network architecture because of their scalability and security. Deploying eduroam™ technologies and architecture to a wider user base both confirmed old and revealed new issues and solutions in improving the usability and the deployment effort of eduroam™ and similar technologies.
Findings: The eduroam™ technology and architecture can be used to build wireless community networks, but additional effort must be allocated to improving the usability and the ease of deployment when consumers, companies and other regular users are involved. The improvements achieved would not have been developed if the concept and architecture had not been exposed to consumer and company users. The development of both the eduroam™ and Wireless Tampere concepts requires deploying them to a wider audience and improving them iteratively, using the existing solutions as the basis for new improvements.
Originality/value: The paper presents the issues and problems confronted when applying eduroam™ technologies in building the Wireless Tampere community network. The solutions found and the deployment experiences presented can be used to improve eduroam™ as well as a basis for developing new, open and inter‐connected wireless community networks.
Conference Paper
This paper presents the details of a Single Sign On proposal which takes advantage of previously deployed authentication mechanisms. The main goal is to establish a link between authentication methods at different levels in order to provide a seamless global SSO. Specifically, users are authenticated once, during the network access control phase. Having authenticated to get onto the network using 802.1X, that authentication automatically fetches the necessary signed tokens so that the login need not be repeated at the application layer; application-level authentication is thus bootstrapped from network access. As we will see, this involves the generation of signed SAML tokens that users obtain through a PEAP channel able to deliver the appropriate authentication credentials. Users then contact a federation-level validation service, and there is no need to re-authenticate the user: only a query of the related user attributes is necessary in some cases.
Conference Paper
Ubiquitous connectivity today allows many users to remain connected regardless of location with various kinds of communities. This paper studies challenges in building trusted communities that encompass both new users as well as users already possessing credentials from other well known connectivity providers, federations, content providers and social networks. We postulate that trusted communities are initially created as a means to access some services, but become enriched with user created services. We present an architecture aimed at managing the complexity of service composition, access as well as guarantees of authenticity. Since users possess multiple credentials from various identity providers, we address this in our architecture from the service access perspective. In addition, our model explicitly takes into account cases where users may temporarily be granted access to a community's services based on recommendations from existing members.
Conference Paper
The field of wireless network security has gained a lot of attention in recent years, and many protocols and procedures have been developed to meet its needs. Authentication, authorization and accounting (AAA) protocols are already of tremendous importance for realizing a secure wireless network infrastructure. In this paper, we analyze the performance of using UDP and TCP as the underlying transport-layer protocol for RADIUS when transmitting EAP messages in an inter-domain environment. Inter-domain authentication requires message exchanges between the RADIUS server of the visited domain and the home RADIUS server of the roaming user. Because these inter-domain exchanges occur over wide area networks or the Internet, they are subject to packet loss and high delays. The results presented here show that the overall authentication delay is reduced significantly by using a reliable transport protocol, TCP.
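Whatever transport carries them, the EAP messages the abstract refers to travel in RADIUS as EAP-Message attributes, and RFC 3579 requires every Access-Request that carries one to also carry a Message-Authenticator, an HMAC-MD5 over the whole packet keyed with the shared secret of that hop, which each proxy on the visited-to-home path verifies and then recomputes for the next hop. The Python below is an added example, not code from the paper: it builds such a request with an EAP payload that has to be fragmented, then performs the receiver-side checks, including the silent discard of EAP without an authenticator. The shared secret, identity and EAP bytes are constructed for the example.

```python
"""RADIUS Access-Request carrying EAP, with the Message-Authenticator check.

Added example, not code from the paper. Packet layout follows RFC 2865;
EAP-Message fragmentation and the Message-Authenticator rules follow
RFC 3579. Shared secret, identity and EAP payload are constructed here.
"""
import hashlib
import hmac
import os
import struct
from typing import Iterator, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253   # the length octet counts type+length+value, max 255


def attr(atype: int, value: bytes) -> bytes:
    """Encode one type-length-value attribute."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_message_attrs(eap: bytes) -> bytes:
    """RFC 3579 §3.1: an EAP packet longer than 253 octets is split across
    consecutive EAP-Message attributes, in order; the receiver concatenates."""
    return b"".join(attr(ATTR_EAP_MESSAGE, eap[i:i + MAX_ATTR_VALUE])
                    for i in range(0, len(eap), MAX_ATTR_VALUE))


def build_access_request(secret: bytes, identifier: int, user_name: str, eap: bytes,
                         include_message_authenticator: bool = True,
                         request_authenticator: Optional[bytes] = None) -> bytes:
    """Build an Access-Request. The Message-Authenticator is HMAC-MD5 over the
    whole packet (header, Request Authenticator, all attributes), keyed with the
    shared secret of this hop and computed with its own 16 value octets zeroed."""
    ra = request_authenticator or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user_name.encode()) + eap_message_attrs(eap)
    if include_message_authenticator:
        attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs
    if not include_message_authenticator:
        return pkt
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac   # the zeroed authenticator is the last 16 octets


def parse_attrs(pkt: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (type, offset of value, value); raises ValueError on bad lengths."""
    off = 20
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > len(pkt):
            raise ValueError("bad attribute length")
        yield atype, off + 2, pkt[off + 2:off + alen]
        off += alen


def check_access_request(secret: bytes, pkt: bytes) -> str:
    """Receiver-side checks a server or proxy performs. Returns one of
    'ok', 'malformed', 'eap-without-authenticator', 'no-authenticator',
    'bad-authenticator'; anything but 'ok' is silently discarded."""
    if len(pkt) < 20:
        return "malformed"
    code, _, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return "malformed"
    has_eap, ma_off = False, None
    try:
        for atype, voff, value in parse_attrs(pkt):
            if atype == ATTR_EAP_MESSAGE:
                has_eap = True
            elif atype == ATTR_MESSAGE_AUTHENTICATOR:
                if ma_off is not None or len(value) != 16:
                    return "malformed"     # duplicated or wrong-sized
                ma_off = voff
    except ValueError:
        return "malformed"
    if ma_off is None:
        # RFC 3579 §3.2: EAP-Message without Message-Authenticator is discarded.
        return "eap-without-authenticator" if has_eap else "no-authenticator"
    zeroed = pkt[:ma_off] + b"\x00" * 16 + pkt[ma_off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, pkt[ma_off:ma_off + 16]):
        return "bad-authenticator"
    return "ok"


def extract_eap(pkt: bytes) -> bytes:
    """Reassemble the EAP packet from its EAP-Message fragments."""
    return b"".join(v for t, _, v in parse_attrs(pkt) if t == ATTR_EAP_MESSAGE)
```

Note what the HMAC does and does not give you on a multi-hop eduroam path: it authenticates each hop to its neighbour with their pairwise secret, so a proxy strips and recomputes it on every forward, and the home server learns nothing about the access point beyond what the chain of proxies chose to pass on. The reliable-transport direction the paper argues for was later standardized as RADIUS over TCP (RFC 6613) and RADIUS over TLS (RFC 6614, RadSec); the latter moves hop-to-hop protection onto TLS and is what eduroam's inter-server links commonly use today.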
Conference Paper
We are experiencing the emergence of federated approaches to resource sharing. In these approaches, trust links are established among different autonomous organizations in order to grant users in any of them access to shared resources with a single identity, stated by the organization the user belongs to. However, some of those federations work with different schemas for representing user attributes, both from a semantic and a syntactic point of view. This makes the interoperability of heterogeneous federations based on different authorization systems difficult. The work presented in this paper builds on an existing proposal for building confederations, eduGAIN, to address that issue. As we will see, a way will be needed to establish the relationships between attributes and technologies from different federations and to define how those relationships can be published and managed. We present the required conversion policy, the entities in charge of the conversion process, and the communication protocols for conversion requests and for publishing the policies.
Article
Fast handovers of roaming stations (STAs) between access points (APs) require preauthentication or fast reauthentication within new serving APs. The current standards address only over-the-DS (Distribution System) preauthentications for 802.1X authentications. However, over-the-DS preauthentication is not suitable for fast-moving STAs, which may lose their connection with the currently serving AP before performing preauthentications in the neighbouring APs. This paper presents several ways to achieve fast 802.11 handovers while keeping the basic security features of 802.1X authentications. To do so, we designed a fast 802.1X reauthentication protocol. This protocol enables an STA to perform many fast 802.1X reauthentications after an initial, possibly slow, 802.1X authentication. The reauthentication protocol requires little from the network environment, namely a new, central Reauthentication Service (RS) (possibly integrated with the local 802.1X Authentication Server). To speed up 802.1X reauthentications within handovers, the reauthentication protocol was piggybacked onto the 802.11 management frames that are ordinarily used during handovers. This way, we are able to perform 802.1X reauthentications while taking the normal, over-the-air 802.11 steps for performing handovers (network probing, authentication, and (re)association). Besides this over-the-air approach, we also show how the 802.1X reauthentication protocol can be implemented using an over-the-DS approach. A prototype implementation using over-the-air 802.1X reauthentication showed that handover delays can be dramatically reduced to 1.5 ms, while an 802.1X fast resume takes more than 150 ms. Copyright © 2010 John Wiley & Sons, Ltd.
Article
Through the Education Roaming (eduroam) project, many European universities let their users move between institutions while having the same mobile services available at all times as at their own university. The Universitat Politècnica de Catalunya (UPC) takes part in this project. By analyzing the syslogs of the access points in the main library of the Campus Nord, we studied user activity on the UPC WLAN over one week and extracted information about user behaviour. Despite the spread of lightweight portable devices that young people find easy to use while on the move, users in general do not move much. And despite the good coverage provided by the network infrastructure, users suffer many connectivity problems. Our results may be useful for improving the quality of the wireless network and for designing new applications adapted to users' habits.
Article
European universities taking part in the Education Roaming project (eduroam) provide wireless connectivity across different institutions all over Europe, thus encouraging the mobility of students and researchers. The Technical University of Catalonia (UPC) takes part in this project. In order to analyze users' activity inside the wireless network at UPC, syslog information was captured at the access points in the main library over a period of one week. Even if it is not a long trace period, interesting results can be extracted about user behaviour. Despite the widespread use of lightweight devices that make it easy to stay connected while walking around the campus, we still observe low mobility. Moreover, regardless of the over-coverage provided by the infrastructure, users still experience many connectivity problems. These results may be useful for network developers in order to improve the quality of the wireless service and for software developers in order to create location-based applications.
Fig. 6. RADIUS monitoring

KLAAS WIERENGA is manager of Middleware Services at SURFnet. He is co-chair of the TERENA taskforce on Mobility (TF-Mobility) and an active member of the TERENA Task Force on Middleware (TF-EMC2) and the Internet2 working group on network authentication (SALSA NetAuth). Klaas also leads the roaming task within the "Roaming and Authorisation" activity of the EU-funded project Géant2.