7   AAI and Mobility

7.1   AAI and Mobility

The research activity AAI and Mobility aims at the creation and development of a generic Authentication and Authorization Infrastructure (AAI). This infrastructure would serve as an authentication and authorization service provider to users and resource owners of the CESNET2 network, thus eliminating the need to register every user for every service. The concept assumes the use of authentication services operated by individual institutions - every user is registered within his/her own home institution, which has established identity verification mechanisms. A proper user categorization may even be used as one of the inputs to authorization decisions.

This ambitious aim requires deployment, development and standardization of the communication interfaces of institutional authentication systems, not only at the national but especially at the international level. Close ties to international development in this field strongly affect the progress of the national-level solution.

Even in the international context, the generic AAI has so far been prepared mainly as a theoretical concept. In addition, several projects are developing their own specific authentication and authorization infrastructures. One of the most important is the RADIUS-based infrastructure operated by the eduRoam project.

7.1.1   The eduRoam.cz project

In accordance with the international context, an essential portion of our resources was devoted to the development of services for mobile (roaming) users. The eduRoam project started within the TF-Mobility working group of TERENA and was later included in the JRA5 activity of the GN2 project. It enables users from the individual participating institutions to connect to a (usually wireless) network operated by any of the participating institutions and thereby obtain Internet connectivity and, optionally, access to some other services provided by the hosting network. The user is always authenticated by his/her home institution. The communication channel between the authentication service and the user is created in one of the following ways:

  1. 802.1X + RADIUS hierarchy (the preferred way)
  2. VPN tunnel
  3. WWW application + RADIUS hierarchy

[Figure]

Figure 7.1: AAI in eduRoam

AAI for eduRoam consists of a hierarchical tree-like structure of RADIUS servers organized basically in three levels. The institutional-level servers provide authentication of local users - usually they serve as front-ends to local user databases. When confronted with a request to authenticate a non-local user, the server forwards the request one level up to its national RADIUS server. Every national server maintains a list of participating institutions and their RADIUS servers within its region. If the incoming request is asking for authentication of a user from any institution registered at the national server, it is forwarded to the corresponding institution's server. All other requests are forwarded to a top-level server. Top-level servers maintain lists of participating national networks and their RADIUS servers and forward the requests accordingly.
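The forwarding rules just described, modelled as an added example in Python (this is not code from the report or from the eduRoam project). The top-level and foreign server names, the MAX_HOPS loop guard, the suffix-based realm matching and the deliberately misconfigured "broken.cz" institution are assumptions made for this illustration; the example also shows what a proxy loop caused by such a misconfiguration looks like.

```python
MAX_HOPS = 6  # assumed loop guard: a longer proxy chain is treated as a misconfiguration

class RadiusServer:
    def __init__(self, name, local_realms=(), parent=None):
        self.name, self.parent = name, parent              # parent: server one level up
        self.local_realms = set(local_realms)              # realms authenticated here
        self.children = {}                                 # realm suffix -> server below

def split_nai(user_name):
    """Split 'user@realm' into (user, realm); an absent or empty realm is rejected."""
    user, sep, realm = user_name.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError("malformed NAI: %r" % user_name)
    return user, realm.lower()

def route(server, realm, path=None):
    """Chain of server names an Access-Request for `realm` traverses from `server`."""
    path = (path or []) + [server.name]
    if len(path) > MAX_HOPS:
        raise RuntimeError("proxy loop or misconfiguration: " + " -> ".join(path))
    if realm in server.local_realms:               # institution level: authenticate here
        return path
    for suffix, child in server.children.items():  # national/top level: realm known below?
        if realm == suffix or realm.endswith("." + suffix):
            return route(child, realm, path)
    if server.parent is None:                      # top level and still unknown: reject
        raise LookupError("unknown realm %r rejected at %s" % (realm, server.name))
    return route(server.parent, realm, path)       # otherwise escalate one level up

REASONS = {ValueError: "malformed-nai", LookupError: "unknown-realm", RuntimeError: "proxy-loop"}
def decide(visited_server, user_name):
    """Outcome as the visited network sees it: ('accept', path) or ('reject', reason)."""
    try:
        return "accept", route(visited_server, split_nai(user_name)[1])
    except (ValueError, LookupError, RuntimeError) as exc:
        return "reject", REASONS[type(exc)]

def build_hierarchy():
    """Constructed sample: two national servers under one assumed top-level server."""
    top = RadiusServer("radius.top.example")
    cz = RadiusServer("radius1.eduRoam.cz", parent=top)
    de = RadiusServer("radius.example.de", parent=top)
    top.children = {"cz": cz, "de": de}
    cesnet = RadiusServer("radius.cesnet.cz", {"cesnet.cz"}, parent=cz)
    uni = RadiusServer("radius.uni.example.de", {"uni.example.de"}, parent=de)
    broken = RadiusServer("radius.broken.cz", parent=cz)  # registered but serves no realm
    cz.children = {"cesnet.cz": cesnet, "broken.cz": broken}
    de.children = {"uni.example.de": uni}
    return {"cesnet": cesnet, "uni": uni}
```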

Participation of the Czech Republic in the eduRoam project is coordinated by the eduRoam.cz national project. Its pilot started in the second half of 2004 and was much appreciated by Czech academic institutions. Nine sites from eight institutions were connected by the end of 2004:

The goal of the eduRoam.cz pilot is to prepare and verify the technical and organizational preconditions for roaming among Czech academic networks as well as for their cooperation with other eduRoam networks. The pilot addresses four main tasks:

Current information, documents, guides and software are available at the pilot portal www.eduRoam.cz.

The link to the other parts of the eduRoam infrastructure is implemented by two national RADIUS servers, radius1.eduRoam.cz and radius2.eduRoam.cz, running the RADIATOR software by Open System Consultants (none of the open source RADIUS servers met the project's requirements). The security of the communication channel is increased by a mandatory IPsec implementation.

For devices without 802.1X support, the Scaa WWW authentication gateway was developed within the project. It consists of a firewall controlled by a WWW application that uses the RADIUS protocol to authenticate users. The Scaa gateway is being used in the CESNET office LAN as an alternative to 802.1X authentication. The software is available at the project portal www.eduRoam.cz.

The pilot will be evaluated in the second half of 2005. We expect that the outcome will contribute to the creation of a standard roaming environment in the CESNET2 network. We plan to continue the international cooperation on the development of eduRoam-NG, i.e., the new generation of the roaming infrastructure, which should rectify some imperfections of the current system that stem mainly from the RADIUS protocol and the way it is used. We assume that our experience with operating an IPsec-secured infrastructure will be a valuable contribution to the eduRoam development community.

7.1.2   Generic AAI

In spite of our original assumptions, standardization of AAI interfaces among European NRENs did not advance very much during 2004. The GN2 project, which deals with AAI and mobility in its JRA5 research activity, was only started in the fourth quarter of 2004; TF-EMC2, the new AAI-oriented TERENA workgroup, was also established only in the autumn. Most of the AAI-oriented human resources of all NRENs seem to have been occupied with preparations for these two forums.

With the direction of future development still open, we concentrated on the development of the local AAI elements (user databases - LDAP, individual authentication systems, PKI). Integration-oriented tasks were postponed until the key compatibility issues are sorted out. Our researchers actively participate in both groups mentioned above. As a result, we are not only informed about their activities but can also influence their decisions.

7.1.3   PKI

In 2004, the CESNET CA continued its services. In addition to routine operation (more than 200 active server certificates and more than 80 personal certificates were in use by the end of the year), we modified the server certificate profile to make it acceptable to common 802.1X clients.

At the same time, preparations for the root key changeover were started. The current root certificate expires on June 27, 2006. Because end entity certificates are valid for 12 months, the last end entity certificate in the current configuration can be issued on June 27, 2005. EUGridPMA (the body with the strongest influence on the CESNET CA policy) is in the process of changing its minimum requirements for CAs. The discussed changes define a new value for the maximum validity period of a root certificate and some other certificate profile parameters. We plan to use the changeover as an opportunity for a fundamental system change, making full use of the new minimum requirements and deploying the professional Entrust Authority CA software, which would increase user and operator comfort while providing maximum security and credibility.
