eduroam
EDUcation ROAMing | |
Purpose | International authentication infrastructure |
---|---|
Region served | Worldwide |
Parent organization | TERENA |
Website |
www |
eduroam (education roaming) is an international roaming service for users in research, higher education and further education. It provides researchers, teachers and students easy and secure network access when visiting an institution other than their own. Authentication of users is performed by their home institution, using the same credentials as when they access the network locally, while authorization to access the Internet and possibly other resources is handled by the visited institution. Users do not have to pay for using eduroam.
The service is provided at the local level by the participating institutions (universities, colleges, research institutes etc.). At the national level it is organised by National Roaming Operators, which are in many cases the National Research and Education Networks (NRENs) of their countries. At the global level, the organisation of the eduroam service is under the auspices of TERENA, which is also the holder of the eduroam® trademark. The eduroam Architecture for Network Roaming is defined in RFC 7593.
In some countries, Internet access via eduroam is also available at other locations than the participating institutions, e.g. in libraries, public buildings, railway stations and airports.[1][2]
In Belgium, Belnet uses the eduroam technology to provide a similar service to Belgian public administrations under the name govroam.[3] A govroam service for municipalities in the Netherlands was launched in October 2013.[4] govroam® is a registered trademark of Belnet.
History
The eduroam initiative started in 2002 when during the preparations for the creation of TERENA's task force TF-Mobility Klaas Wierenga of SURFnet shared the idea of combining a RADIUS-based infrastructure with IEEE 802.1X technology to provide roaming network access across research and education networks.[5] Initially the service was joined by institutions in the Netherlands, Germany, Finland, Portugal, Croatia and the United Kingdom.[6] Later, other NRENs in Europe embraced the idea and started joining the infrastructure, which was then called eduroam.[7] Since 2004 the European Union co-funded further research and development work related to the eduroam service through the GN2[8] and GN3[9] projects.[10] From September 2007 the European Union funded through these projects also the continued operation and maintenance of the eduroam service at the European level.[11]
The first non-European country to join eduroam was Australia, in December 2004.[12] In Canada, eduroam started as an initiative of the University of British Columbia, which was later taken over by CANARIE as a service of its Canadian Access Federation.[13] In the United States, eduroam was initially a pilot project between the National Science Foundation and the University of Tennessee (UTK). In 2012 Internet2 announced the addition of eduroam to its NET+ service offerings.[14] AnyRoam LLC, a private company, was formed by former UTK staff to serve as an Internet2 active corporate member administering the top-level servers.
Technology
The eduroam service uses IEEE 802.1X as the authentication method and a hierarchal system of RADIUS servers.[15] The hierarchy consists of RADIUS servers at the participating institutions, national RADIUS servers run by the National Roaming Operators and regional top-level RADIUS servers for individual world regions. When a user A from institution B in country C with two-letter country-code top-level domain xy visits institution P in country Q, A's mobile device presents his credentials to the RADIUS server of institution P. That RADIUS server discovers that it is not responsible for the Institution_B.xy realm and proxies the access request to the national RADIUS server of country Q. If C and Q are different countries, it is in turn proxied to the regional top-level RADIUS server, and then to the national RADIUS server of country C, which has a complete list of the participating eduroam institutions in that country. That national server forwards the credentials to the home institution B, where they are verified. The 'acknowledge' travels back over the proxy-hierarchy to the visited institution P and the user is granted access.
Because the user's credentials travel via a number of intermediate servers, not under the control of the home institution of the user, it is important that the credentials are protected. This requirement limits the types of authentication methods that can be used. Basically there are two categories of useful authentication methods: those that use credentials in the form of some public-key mechanism with certificates and those that use so-called tunnelled authentication. Most institutions use a tunnelled authentication method that only requires server certificates. These server certificates are used to set up a secure tunnel between the mobile device and the authentication server, through which the user credentials are securely transported.
A complication arises if the user's home institution does not use a two-letter country-code top-level domain as part of its realm, but a generic top-level domain such as .edu or .org. By inspection of such realms, it is not possible to determine which national RADIUS server the request should be routed to. Such domains will thus by default fail to work in international roaming. The workaround for this problem involves the creation of exceptions in the international RADIUS request routing tables; however, this workaround does not scale as the number of exception entries grows. Several solutions have been proposed to eliminate this workaround in future, the most promising of which is RADIUS over TLS with Dynamic Discovery, which does not rely on static routing tables inside a RADIUS server configuration to route requests to their proper destination.[16] Instead, the participating institution adds one single DNS resource record to its own domain's DNS zone which states by which server eduroam authentication for the domain is handled.
Governance
TERENA has established a lightweight global governance structure.[17] Recognising the large variety in the organisation and funding of research and education (networking) in different countries and regions, rules imposed on the operations of eduroam are limited to technical and administrative requirements that are necessary to ensure the smooth and secure operations of eduroam worldwide. Moreover, the eduroam operators have the leading role in creating and maintaining the rules of the global eduroam governance.
The Global eduroam Governance Committee (GeGC) has the central role in the global eduroam governance structure. Its members are nominated by the European eduroam confederation, respectively by the National Roaming Operators in other world regions, and are appointed by TERENA. The GeGC is composed of three members representing Europe, two representing Asia-Pacific, two representing North America, two representing Latin America and two representing Africa. In addition, TERENA may appoint one or more experts as non-voting members of the GeGC.
Geographical deployment
eduroam is available at selected locations in countries with a National Roaming Operator that has signed the eduroam Compliance Statement.[18] Those sixty-seven countries are listed below. In addition, there may be pilot deployments in countries that are in the process of joining eduroam.
Europe
The NRENs that are members of the consortium of the GN3 project[9] have joined the European eduroam confederation by signing the confederation's policy[19] that requires its members to comply to a set of technical and organisational requirements, which are more specific than those in the global eduroam Compliance Statement.
As a consequence, eduroam is deployed in the following countries: Austria (ACOnet), Belgium (Belnet), Bulgaria (BREN), Croatia (CARNet), Cyprus (CYNET), Czech Republic (CESNET), Denmark (NORDUnet, operated by UNI•C), Estonia (EENet), Finland (NORDUnet, operated by FUNET), France (RENATER), Germany (DFN), Greece (GRNET), Hungary (NIIF), Iceland (NORDUnet, operated by RHnet), Ireland (HEAnet), Israel (IUCC), Italy (GARR), Latvia (SigmaNet), Lithuania (LITNET), Luxembourg (RESTENA), Macedonia (MARNET), Malta (University of Malta), Montenegro (MREN), Netherlands (SURFnet), Norway (NORDUnet, operated by UNINETT), Poland (PSNC), Portugal (FCCN), Romania (RoEduNet), Serbia (AMRES), Slovakia (SANET), Slovenia (ARNES), Spain (RedIRIS), Sweden (NORDUnet, operated by SUNET), Switzerland (SWITCH), Turkey (ULAKBIM), United Kingdom (Janet).
In addition, three NRENs that are associate members of the consortium of the GN3 project without voting rights joined the European eduroam confederation; they represent Belarus (UIIP), Moldova (RENAM) and Russia (Joint Supercomputer Center of the Russian Academy of Sciences).
Finally, five NRENs not involved in the GN3 project joined the European eduroam confederation on a voluntary basis, enabling the deployment of the service in Andorra (Universitat d'Andorra), Armenia (ASNET-AM), Azerbaijan (AzScienceNet), Kazakhstan (KazRENA) and Kyrgyzstan (KRENA).
The European top-level RADIUS servers are operated by SURFnet and Forskningsnettet.
Asia-Pacific
eduroam is deployed in the following countries and economies: Australia (AARNet), China (CSTNET), Hong Kong (Harnet), India (ERNET), Japan (NII), Macau (University of Macau), Malaysia (UPM), New Zealand (REANNZ), Saudi Arabia (KAUST), Singapore (SingAREN), South Korea (KREONET), Sri Lanka (University of Moratuwa), Taiwan (Ministry of Education) and Thailand (UniNet).
The Asia-Pacific top-level RADIUS servers are operated by AARNet and by the University of Hong Kong.
North America
eduroam is deployed in Canada (CANARIE) and the United States (Internet2, operated by AnyRoam LLC).
Latin America
eduroam is deployed in Argentina (Innova-RED), Brazil (RNP), Chile (REUNA), Colombia (RENATA), Costa Rica (RedCONARE), Ecuador (CEDIA),[20] Mexico (CUDI) and Peru (RAAP).
Africa
eduroam is deployed in Kenya (KENET), Morocco (MARWAN) and South Africa (TENET).
References
- ↑ "600,000 students and researchers in Sweden go mobile with eduroam and The Cloud". 2 October 2012. Retrieved 17 September 2016.
- ↑ "eduroam at Norwegian airports". 4 July 2013. Retrieved 23 August 2013.
- ↑ "Belnet govroam service". Retrieved 23 August 2013.
- ↑ "govroam: het nieuwe zusje van eduroam". 6 November 2013. Retrieved 7 November 2013.
- ↑ "eduroam® celebrates a decade of providing secure roaming Internet access for users". 24 May 2012. Retrieved 24 August 2013.
- ↑ Carol de Groot (2004). TERENA Annual Report 2003 (PDF). TERENA. p. 34.
- ↑ Klaas Wierenga and Licia Florio (2005). "eduroam: past, present and future". Computational Methods in Science and Technology. 11 (2): 169–173.
- ↑ "Multi-gigabit European academic network (GN2)". 1 September 2004. Retrieved 12 August 2012.
- 1 2 "Multi-gigabit european research and education network and associated services (GN3)". 1 April 2009. Retrieved 20 July 2012.
- ↑ Carol de Groot (2006). TERENA Annual Report 2005 (PDF). TERENA. pp. 32–33.
- ↑ Carol de Groot, Laura Durnford and Karel Vietsch (2010). TERENA Annual Report 2009 (PDF). TERENA. p. 31.
- ↑ "eduroam goes global" (PDF). 15 December 2004. Retrieved 23 August 2013.
- ↑ "A million times a month, CANARIE enables mobile research and learning" (PDF). 29 November 2012. Retrieved 24 August 2013.
- ↑ "Over 220 Universities and Research Labs Gain Easy and Secure Wi-Fi Access to the Internet". 2 October 2012. Retrieved 23 August 2013.
- ↑ Mark Grayson, Kevin Shatzkamer and Klaas Wierenga (2011). Building the Mobile Internet. Cisco Press. pp. 45–48. ISBN 978-1-58714-243-7.
- ↑ Stefan Winter, Mike McCauley, Stig Venaas and Klaas Wierenga (2012). Transport Layer Security (TLS) Encryption for RADIUS. RFC 6614. The Internet Society.
- ↑ Karel Vietsch (2010). Global eduroam Governance (PDF). TERENA.
- ↑ eduroam Compliance Statement (PDF). TERENA. 2011.
- ↑ Miroslav Milinović, Jürgen Rauschenbach, Stefan Winter, Licia Florio, David Simonsen and Josh Howlett (2008). eduroam Service Definition and Implementation Plan (PDF). DANTE.
- ↑ https://www.cedia.org.ec/