
Elements of the eduroam infrastructure
The elements of the eduroam infrastructure are:
  1. Confederation top-level RADIUS Server (TLR)
  2. Federation TLR
  3. Institutional RADIUS
  4. Supplicants
  5. Access Points
  6. Switches
Confederation top-level RADIUS Server (TLR)
The confederation top-level RADIUS Servers, at the time of writing located in the Netherlands and Denmark for the European confederation and in Australia and Hong Kong for the Asian and Pacific region, each have a list of connected country domains (.nl, .dk, .au, .cn etc.) serving the appropriate NRENs. They accept requests for federation domains for which they are authoritative and forward them to the associated RADIUS server for that federation (and transport the result of the authentication request back). Requests for federation domains they are not authoritative for are forwarded to the proper confederation TLR.

Federation TLR
A federation RADIUS server has a list of connected institutional servers and their associated realms. It receives requests from the confederation servers and the institutions it is connected to and forwards them to the proper institution or, in the case of a request for a confederation destination, to a confederation server.

Institutional RADIUS
The Institutional RADIUS server is responsible for authenticating its own users (at home or visiting another institution) by checking their credentials against a local identity management system, and for forwarding requests from visiting users to the respective federation RADIUS server. Upon proper authentication of a user, the local institutional RADIUS server may assign a VLAN to the user.

Note that the institutional RADIUS server is the most complex of all. Whereas the other RADIUS servers merely proxy requests, the institutional server also needs to handle them, and therefore must be able to terminate EAP requests and perform identity management system lookups.

The Identity Management System contains the information of the end users, for instance usernames and passwords. This information must be kept up to date by the responsible institution.
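As an added illustration of the three-tier proxy hierarchy described in the sections above (this is example code, not taken from the page or from eduroam's own configuration), the following Python models how each RADIUS server decides whether to authenticate a request itself, forward it to a known downstream server, pass it upstream, or reject it. The topology, server names and realms are constructed placeholders; the hop limit in `trace` is an added safeguard against misconfigured forwarding loops.

```python
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    name: str
    home_realms: set = field(default_factory=set)   # realms this server authenticates itself (institutional)
    next_hops: dict = field(default_factory=dict)   # realm or realm suffix -> server it is authoritative for
    upstream: str = None                            # where realms it knows nothing about are sent


def route(server, outer_identity):
    """One server's decision: ('authenticate', self), ('forward', next hop) or ('reject', reason)."""
    # Routing uses only the realm, i.e. the part after the LAST '@' of the outer identity.
    realm = outer_identity.rpartition("@")[2].lower() if "@" in outer_identity else ""
    if not realm:
        return "reject", "no realm in outer identity, request cannot be routed"
    if realm in server.home_realms:
        return "authenticate", server.name
    # Longest configured suffix wins, so an exact realm beats a country domain such as 'gr'.
    for suffix in sorted(server.next_hops, key=len, reverse=True):
        if realm == suffix or realm.endswith("." + suffix):
            return "forward", server.next_hops[suffix]
    if server.upstream:
        return "forward", server.upstream
    return "reject", f"{server.name} is not authoritative for '{realm}' and has no upstream"


def trace(servers, start, outer_identity, max_hops=8):
    """Follow a request hop by hop from the visited institution; max_hops bounds a forwarding loop."""
    path, current = [start], start
    for _ in range(max_hops):
        action, target = route(servers[current], outer_identity)
        if action != "forward":
            return path, action, target
        path.append(target)
        current = target
    return path, "reject", "hop limit exceeded (forwarding loop?)"


# Constructed topology with hypothetical server names and realms (not eduroam's real configuration).
SERVERS = {s.name: s for s in [
    RadiusServer("visited-inst", {"visited.example.gr"}, {}, "gr-ftlr"),
    RadiusServer("home-inst", {"home.example.gr"}, {}, "gr-ftlr"),
    RadiusServer("gr-ftlr", set(), {"visited.example.gr": "visited-inst", "home.example.gr": "home-inst"}, "eu-tlr"),
    RadiusServer("eu-tlr", set(), {"gr": "gr-ftlr", "nl": "nl-ftlr"}),   # no upstream: unknown realms end here
    RadiusServer("nl-ftlr", set(), {"example.nl": "nl-inst"}, "eu-tlr"),
    RadiusServer("nl-inst", {"example.nl"}, {}, "nl-ftlr"),
]}

if __name__ == "__main__":
    print(trace(SERVERS, "visited-inst", "anonymous@example.nl"))
```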

Supplicant
A supplicant is a piece of software, often built into the Operating System but also available as a separate program, that uses the 802.1X protocol to send authentication request information using EAP.

Access Points
Access Points need to be 802.1X capable and able to forward access requests coming from a supplicant to the institutional RADIUS server, to grant network access upon proper authentication and to possibly assign users to specific VLANs based on information received from the RADIUS server. Furthermore, Access Points exchange keying material (initialization vectors, public and session keys, etc.) with client systems to prevent session hijacking.

Switches
Switches need to be able to forward access requests coming from a supplicant to the institutional RADIUS server, to grant network access upon proper authentication and to possibly assign users to specific VLANs based on information received from the RADIUS server.

© Copyright 2007. The www.eduroam.gr website was created and is maintained by the ΑΤΛΑΝΤΙΔΑ (Atlantis) Team of the University of Crete.