
General Overview
The crucial agreement on which eduroam is founded is that a user is authenticated by his home institution, using that institution's own authentication method, whereas the authorisation decision that grants access to network resources after successful authentication is made by the owner of the visited network.


In order to transport a user's authentication request from the visited institution to his home institution, and the authentication response back, a hierarchical system of RADIUS servers is created. Typically every institution deploys a RADIUS server connected to a local user database; this RADIUS server is connected to a central national RADIUS server, which in turn is connected to a European (or global) RADIUS server. Because users use usernames of the form 'user@realm', where realm is the institution's DNS domain name, often of the form institution.tld (tld = country code top-level domain), the RADIUS servers can use this information to route the request to the appropriate next hop in the hierarchy until the home institution is reached. An example of the RADIUS hierarchy is shown in the following image.



To transfer the user's authentication information securely across the RADIUS infrastructure to his home institution, and to prevent other users from hijacking the connection after successful authentication, the access points or switches use the IEEE 802.1X standard, which encompasses the use of EAP, the Extensible Authentication Protocol. Depending on the EAP method, either a secure tunnel is established from the user's computer to his home institution, through which the actual authentication information (username/password etc.) is carried (EAP-TTLS or PEAP), or mutual authentication with public X.509 certificates is used, which is not vulnerable to eavesdropping (EAP-TLS).

RADIUS transports the user's name in the User-Name attribute, which is visible in cleartext to every server on the path. It also transports the EAP payload, which is encrypted and not visible to intermediate servers, only to the home authentication server. To protect privacy, it may be desirable not to put the real username in the RADIUS User-Name attribute (this attribute is the "outer" identity) but to use anonymous@realm instead. The realm part must still be the correct one, because it is used to route the request to the respective home server. Once the home server decrypts the TLS tunnel in the EAP payload, it obtains the real user name, the "inner" identity.
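The two mechanisms described above, realm-based routing of the Access-Request and the split between outer and inner identity, are illustrated by the following added example. It is not code from eduroam or from any RADIUS implementation; the server names, the routing table and the local realm are constructed assumptions. It shows why an anonymous outer identity routes exactly like a real one (only the realm is inspected) and the check a home server should make once the inner identity is known: the inner realm must be one it is responsible for and must match the realm the request was routed on.

```python
"""Realm-based RADIUS routing and outer/inner identity checks (constructed example)."""

# Hypothetical routing table: realm suffix -> next-hop RADIUS server.
# The names are assumptions for illustration, not eduroam's real topology.
ROUTES = {
    "uoc.gr": "radius.uoc.gr",      # institution reachable directly
    "ntua.gr": "radius.ntua.gr",
    "gr": "radius.eduroam.gr",      # national server for any other .gr realm
}
TOP_LEVEL_SERVER = "radius.eduroam.org"  # assumed name of the European/global hop
LOCAL_REALMS = {"uoc.gr"}                # realms this server is the home server for


def split_identity(user_name, default_realm=None):
    """Split 'user@realm' into (user, realm) with the realm lower-cased.

    If no '@' is present and default_realm is given (inner identities are
    sometimes sent without a realm), that realm is assumed.
    """
    if "@" not in user_name:
        if default_realm is None or not user_name.strip():
            raise ValueError(f"User-Name is not of the form user@realm: {user_name!r}")
        return user_name.strip(), default_realm.lower()
    if user_name.count("@") != 1:
        raise ValueError(f"User-Name must contain exactly one '@': {user_name!r}")
    user, realm = user_name.split("@")
    user, realm = user.strip(), realm.strip().lower()
    if not user or not realm:
        raise ValueError(f"empty user or realm in {user_name!r}")
    return user, realm


def next_hop(user_name):
    """Choose where an Access-Request goes, looking only at the realm.

    The realm is matched against ROUTES by longest suffix first
    (institution.tld before tld); an unknown realm goes to the top-level
    server. The user part is never inspected, so 'anonymous@realm' is
    routed the same way as the real username.
    """
    _, realm = split_identity(user_name)
    if realm in LOCAL_REALMS:
        return "local"
    labels = realm.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ROUTES:
            return ROUTES[candidate]
    return TOP_LEVEL_SERVER


def check_inner_identity(outer_user_name, inner_user_name):
    """Home-server decision after the TLS tunnel has revealed the inner identity.

    Returns (accepted, reason). The outer User-Name only needs a correct
    realm; the inner identity must be a real user in the same realm, and
    that realm must be one this server is actually the home server for.
    """
    _, outer_realm = split_identity(outer_user_name)
    inner_user, inner_realm = split_identity(inner_user_name, default_realm=outer_realm)
    if outer_realm not in LOCAL_REALMS:
        return False, f"request for realm {outer_realm} was misrouted to this server"
    if inner_realm != outer_realm:
        return False, f"inner realm {inner_realm} does not match outer realm {outer_realm}"
    if inner_user.lower() == "anonymous":
        return False, "inner identity must be the real user, not anonymous"
    return True, f"authenticate {inner_user} against the local user database"


if __name__ == "__main__":
    for name in ("anonymous@ntua.gr", "alice@cs.auth.gr", "bob@uni-example.de", "carol@uoc.gr"):
        print(f"{name:25} -> {next_hop(name)}")
    print(check_inner_identity("anonymous@uoc.gr", "carol@uoc.gr"))
    print(check_inner_identity("anonymous@uoc.gr", "mallory@ntua.gr"))
```

The inner-realm comparison is the practical caveat here: an intermediate server can only see and route on the outer realm, so the home server is the single place where a mismatch between the routed realm and the identity actually being authenticated can be detected and rejected.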

Whereas anonymous@realm might be preferred for privacy reasons, it might cause problems with the upcoming development of the DAMe project, as a certain handle is needed to request user attributes.

After successful authentication by the home institution and authorisation by the visiting institution, this visited institution grants network access to the user, possibly by placing the user in a specific VLAN intended for guests.

In the next chapter the various elements of this architecture and their functions are briefly described.

A note on responsibility for actions of the user: Directive 2001/31/EC article 12 defines the liability of a service provider:

  1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Member States shall ensure that the service provider is not liable for the information transmitted, on condition that the provider:
    • (a) does not initiate the transmission;
    • (b) does not select the receiver of the transmission; and
    • (c) does not select or modify the information contained in the transmission.
  2. The acts of transmission and of provision of access referred to in paragraph 1 include the automatic, intermediate and transient storage of the information transmitted in so far as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission.
  3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement.


© Copyright 2007. The www.eduroam.gr website was created and is maintained by Ομάδα ΑΤΛΑΝΤΙΔΑ (ATLANTIDA Team) - University of Crete.