eduroam AU Operational Objectives

NRO Responsibility

The basic responsibility of AARNet as the Australian eduroam National Roaming Operator is defined in the eduroam Compliance Statement (eCS) (the eduroam Global Policy) which AARNet has signed up to. AARNet satisfies its global responsibility for eduroam AU institutional participants through creation of an eduroam AU National Policy which institutions are required to comply with.

eduroam AU National Policy

AARNet is responsible for creating and maintaining an eduroam AU National Policy which satisfies the requirements of the eduroam Global Policy and supports eduroam AU operational objectives. Institutional participants are required to comply with the eduroam AU National Policy, and AARNet is responsible for verifying and checking compliance, and for taking appropriate action against institutions that do not comply.

Content of the eduroam AU National Policy includes:

  • An overview of the eduroam global service, an eduroam AU glossary and bibliography.
  • State participating institutions’ requirement to comply with the National Policy, with implicit acceptance of the responsibility for policy compliance in connecting to eduroam AU.
  • Describe participating institutions’ liability and indemnity in participating in eduroam globally.
  • Specify eligibility requirements for Australian institutions to participate as an eduroam AU IdP and/or SP.
  • State the requirement for participating IdP and SP institutions to publish their institutional network Acceptance Use Policy.
  • Establish the requirement that IdP remote authentication is limited to users engaged in research and/or education, with users configuring authentication consistently and securely using scripts generated by the eduroam Configuration Assistant Tool, or equivalent scripts provided by the IdP institution.
  • That IdPs are responsible for their end-users when accessing an SP’s eduroam network, and expectation that IdPs will cooperate to identify and take action against their users in case of reported non-compliance of SP AUPs as if that behaviour occurred on the IdP’s own network.
  • Describe institutional participant roles and responsibilities, operational requirements (with reference to the appendices of the eCS, and AARNet’s eduroam AU Technical Specification which comprehensively conveys technical requirements and recommendations for eduroam AU IdPs and SPs).
  • Describe administrative responsibilities of institutions in capture and retention of logs to facilitate end-user traceability and accountability, maintaining up-to-date deployment information via the eduroam AU AdminTool, providing an eduroam AU participant information webpage, and providing local support.
  • State the requirement to provide institutional test accounts and configure trust for AARNet’s Test and Monitoring Server, and availability of SP test accounts hosted on AARNet infrastructure.
  • Describe AARNet’s responsibility to provide support to institutions, including providing security advisories as required, and the requirement for institutions to cooperate and support each other in troubleshooting end-user issues.
  • Describe how service usage issues (reported by SPs primarily due to non-compliance with Acceptable Use Policies) will be handled and AARNet’s role in mediation.
  • Describe the means AARNet will employ of ensuring and checking compliance, measures required if non-compliance is found or reported, and consequences for not implementing measures to satisfaction of AARNet.
  • Describe how the National Policy is formulated, the role of stakeholders in contributing to formulation of policy, how suggested changes to policy can be communicated to AARNet and how they will be acted upon, and how policy revisions will be handled and introduced to the participant community.

Operational Objectives

National RADIUS Servers (NRSs)

Provide a highly available and reliable national RADIUS infrastructure to proxy/route authentication requests from and to Australian eduroam participating institutions. This involves hosting eduroam AU National RADIUS Servers (NRSs), ensuring their availability and security, and configuring them to route authentication requests nationally and globally (via APAN Regional RADIUS Servers).

AARNet’s SysAdmin team is responsible for production deployment and operational maintenance of eduroam AU National RADIUS Servers, and performing configuration (using Ansible scripts) for institutional participants when requested by AARNet’s Service Desk.

NRS Logs

AARNet will capture and retain NRS logs, ensuring that the fields required to correlate an access event with an authentication event and identify a user are captured (UTC timestamp, username@realm (outer identity), user-device MAC address, SP server, authentication request result).

AARNet will use logs to provide troubleshooting and support, and will use NRS logs in order to track and monitor eduroam AU usage.

AARNet will take proactive action when logs indicate an institutional deployment issue or lack of appropriate user education (incorrect login, untrusted client, no response).

AARNet will retain NRS logs for a long period consistent with AARNet’s internal IT policy.
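As an added illustration of how the log fields above support traceability and the proactive monitoring described in this section (example code written for this page, not AARNet's own tooling; the log line format, hostnames, MAC addresses and thresholds are constructed assumptions), the following correlates a reported SP access event with the authentication record that names the user's realm, and flags realms whose failure pattern suggests a deployment or user-education issue:

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed NRS log lines (not real AARNet data): UTC timestamp, outer
# identity (user@realm), device MAC, SP RADIUS server, request result.
SAMPLE_LOG = """\
2024-03-04T01:12:07Z anonymous@uni-a.example.edu.au 3c-52-82-aa-bb-01 sp.uni-b.example.edu.au Access-Accept
2024-03-04T01:12:09Z anonymous@uni-a.example.edu.au 3c-52-82-aa-bb-02 sp.uni-b.example.edu.au Access-Reject
2024-03-04T01:13:40Z anonymous@uni-c.example.edu.au 3c-52-82-aa-bb-03 sp.uni-b.example.edu.au No-Response
2024-03-04T01:13:45Z anonymous@uni-c.example.edu.au 3c-52-82-aa-bb-04 sp.uni-b.example.edu.au No-Response
2024-03-04T01:14:02Z anonymous@uni-c.example.edu.au 3c-52-82-aa-bb-05 sp.uni-b.example.edu.au Access-Reject
2024-03-04T01:15:30Z anonymous@uni-a.example.edu.au 3c-52-82-aa-bb-01 sp.uni-d.example.edu.au Access-Accept
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")  # UTC timestamp format

def parse_nrs_log(text):
    """Split each log line into a record dict; the realm is the routing key."""
    records = []
    for line in text.splitlines():
        ts, outer_id, mac, sp, result = line.split()
        records.append({"ts": parse_ts(ts), "outer_id": outer_id,
                        "realm": outer_id.rsplit("@", 1)[1],
                        "mac": mac.lower(), "sp": sp, "result": result})
    return records

def trace_access(records, mac, sp, seen_at, window_minutes=30):
    """Most recent Access-Accept for a device MAC at an SP within the window
    before a reported access event: its realm names the IdP to contact."""
    seen = parse_ts(seen_at)
    hits = [r for r in records
            if r["mac"] == mac.lower() and r["sp"] == sp
            and r["result"] == "Access-Accept"
            and seen - timedelta(minutes=window_minutes) <= r["ts"] <= seen]
    return max(hits, key=lambda r: r["ts"], default=None)

def flag_realm_issues(records, min_requests=3, max_fail_ratio=0.5):
    """Realms whose rejects and no-responses exceed max_fail_ratio, the
    pattern the NRO treats as a deployment or user-education issue."""
    counts = defaultdict(Counter)
    for r in records:
        counts[r["realm"]][r["result"]] += 1
    flagged = {}
    for realm, c in counts.items():
        total = sum(c.values())
        failed = total - c["Access-Accept"]
        if total >= min_requests and failed / total > max_fail_ratio:
            flagged[realm] = dict(c)
    return flagged
```

Only the outer identity is visible at the NRS, so the SP's abuse report can be routed to the realm's IdP, which alone can map it to the inner (real) user identity.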

Institutional Joining Process

AARNet is responsible for enabling eligible Australian institutions to connect to eduroam in the roles for which they are eligible. AARNet is responsible for the policy compliance of institutions. AARNet has defined a process and provides resources (e.g. application form, webpage templates, local support guidelines, tailored to specific roles, i.e. IdP+SP, SP-Only, IdP-Only) to enable institutions to become operable with relative ease.

The eduroam AU Application Form is required to be completed by institutions to initiate the onboarding process in the required role. The Application Form conveys information and expectations relating to:

  • RADIUS Server deployment and RADIUS logging.
  • Choice of authentication method and realm(s) for IdPs. (AARNet will liaise with TLRSs in the case of non-country-coded realms in order to register an ‘exception’ for regional routing.)
  • Requirements for the eduroam network service offered by SPs.
  • Security measures to ensure security and traceability (in particular, the recommendation that IdPs use Configuration Assistant Tool scripts for end-user device configuration, and the institutional RADIUS server information required to be logged).
  • Institutional development of a local support capability.
  • Requirements regarding provision of local test accounts and trust for AARNet Test & Monitoring Server, and availability of a test account for institutional SP testing.
  • Gaining access to the eduroam AU AdminTool in order to maintain up-to-date eduroam AU deployment information, a subset of which is shared globally via the Global Database.
  • Gaining access to the eduroam Configuration Assistant Tool (CAT) (for IdPs).
  • Gaining access to the eduroam AU usage metrics pages on AARNet’s customer dashboard.

AARNet supports a staged on-boarding process, which identifies 3 distinct stages: Deployment, Audit, and Production.

AARNet ensures that various deployment options (e.g. deployment by an institution’s third-party service provider, or in partnership with existing eduroam AU participants) are catered for and that policy compliance information is adequately conveyed.

Institutional Operability Auditing Process

AARNet is responsible for ensuring that institutions are operable and policy-compliant prior to advertising their participation in eduroam AU.

AARNet has defined the process for conducting eduroam AU operability audits and the consequences of detected non-compliance (e.g. grace period), and provides institutions with audit checklists and resources.

AARNet will conduct an audit at the conclusion of the on-boarding process. Additionally, institutions may request an audit, and AARNet may request a participating institution to undertake an ad-hoc audit if required (e.g. non-compliance identified).

Hosting the eduroam AU AdminTool

AARNet hosts the eduroam AU AdminTool, which is used as a central repository of comprehensive information regarding institutional eduroam deployment.
AARNet ensures institutional administrators are able to maintain up-to-date deployment data, which is shared globally.
AARNet enables access to the AdminTool by institutional administrators (using SAML, the same mechanism used to access CAT).
AARNet provides a mechanism (via the Australian Access Federation Virtual Home Organisation, AAF-VHO) for SAML authentication for institutions that do not have a SAML IdP.

Sharing eduroam AU Deployment Data Globally

As a global service, and as specified in the global policy, AARNet is responsible for providing a data feed to the eduroam Global Database. AARNet provides a data feed (XML file) from the eduroam AU AdminTool, ensuring that the data file is protected from unauthorised access.

Hosting the eduroam AU Test and Monitoring Server

AARNet hosts a Test and Monitoring server to enable effective troubleshooting.

The primary tool used is the rad_eap_test RADIUS/EAP client for testing EAP from the Linux shell. The rad_eap_test shell script calls the eapol_test executable from wpa_supplicant, and also works as a Nagios plugin, hence it has been used for eduroam AU RADIUS server monitoring.

AARNet can provide guidance on efficient troubleshooting mechanisms for institutions that wish to use rad_eap_test.

In the future, the eduroam AU troubleshooting tool targeted for development will be hosted on this server.

Providing Troubleshooting Resources

AARNet aims to provide troubleshooting resources in the form of

  • NRO eduroam specialists
  • Troubleshooting guidelines and advice
  • Troubleshooting tools

AARNet will develop an eduroam AU troubleshooting tool providing an interface for institutional administrators to trigger test authentications and view associated national infrastructure logs. This tool will use test account and RADIUS server configuration information stored in the eduroam AU AdminTool.

AARNet will also provide guidance on use of the eduroam Configuration Assistant Tool (CAT) for verifying international operability and performing limited troubleshooting from European sites.

Providing Institutional Support

AARNet is responsible for defining the support process, and providing NRO expertise in order to support institutional eduroam Administrators.

AARNet operates a 24×7 help-desk which monitors and assigns tickets, with an eduroam subject matter specialist trained and available to deal with eduroam support requests.

AARNet uses the JIRA ticketing system to track support requests, with request submission and correspondence via email.

Providing eduroam Information Resources to eduroam AU Institutions

  • Provide eduroam and wireless expertise (technical expertise on RADIUS server configuration, wireless infrastructure configuration and end-user device configuration).
  • Provide information enabling interested institutions, participating institutions and end-users to understand the service.
  • Maintain the eduroam AU website, where service information is published.
  • Provide information on participants, and eduroam coverage maps.
  • Provide advice regarding information available globally (URLs on the eduroam website).

Handling Non-Compliance Issues

AARNet provides a communication link between service providers and identity providers in case of an SP reporting eduroam network abuse.
AARNet provides necessary contact information, and ensures that IdPs take appropriate action against users.

AARNet will also undertake ad-hoc operability audits if there is any evidence that institutions are non-compliant with the technical specification.

Links with Global eduroam

AARNet will advise institutions regarding other global information resources and eduroam tools. AARNet reports on global eduroam news to enable institutions to learn about global issues.

AARNet maintains links with the GeGC, providing a channel for institutions to submit input to meetings, and reports on meetings.

AARNet maintains awareness of security issues arising with the eduroam service and, as NRO, receives security advisories from global eduroam. AARNet then ensures that security advisories are delivered to institutions and that required follow-up is undertaken.

AARNet also provides a communications conduit between global eduroam institutional participants and eduroam AU institutions.

eduroam AU Usage Metrics

AARNet aims to provide both aggregate and detailed institutional usage information in order for institutions to assess the value of their participation in the service.

Aggregate metrics are published in the eduroam AU website.

Detailed institutional metrics are published via the AARNet customer dashboard, to ensure access to this institutional data is protected and remains confidential.

Metrics are anonymised, as AARNet’s communications carrier role requires that personal data is not released except for targeted support purposes.

eduroam AU Infrastructure Monitoring

Currently AARNet’s NOC monitors eduroam AU National RADIUS Servers and the AARNet hosted APAN Regional RADIUS Server.

In future, AARNet aims to monitor operability of institutional RADIUS infrastructure participating in eduroam AU. This monitoring will make use of institutional test & monitoring credentials stored in the eduroam AU AdminTool.

Provision of Value-Added Services

AARNet provides eduroam AU institutions access to various value-added services:

eduroam @events: (currently available) AARNet provides an eduroam deployment (SP) at R&E events in Australia as requested, and promotes the eduroam service at events and conferences.

Managed IdP: (currently available) AARNet provides eligible Australian institutions with access to the Managed IdP Service (the first step being registration of the institution, which results in an invitation to the designated institutional administrator to make use of the service).

Managed SP: (in development) AARNet will provide eligible Australian institutions with access to the Managed SP Service which is currently under development by eduroam Europe.

eduroam Visitor Access Service: (under consideration) AARNet is considering the value in providing eduroam AU institutions with access to the visitor access service developed by eduroam Europe.

Managed evolution of the eduroam AU Service

AARNet seeks to improve the resilience of the eduroam AU service by moving from use of RADIUS over UDP to use of RadSec and Dynamic Discovery at NRS and institutional levels.

AARNet will provide technical knowledge resources enabling institutions to move to RadSec and Dynamic Discovery, and will provide test/demo environments to assist institutions to understand the technology.

AARNet will also provide advice and guidance on obtaining required PKI certificates.

Wireless Technology Expertise

As eduroam is primarily used as a Wi-Fi access service by institutions, eduroam globally keeps track of trends and evolution of Wireless technologies (e.g. uptake of Hotspot 2, emergence of Cisco’s OpenRoaming initiative).

AARNet will provide technical bulletins to eduroam AU institutions as appropriate via the eduroam AU website.