aai@eduhr (from radius hierarchy to aai)

AAI@EduHr(From Radius Hierarchy to AAI)

Miroslav Milinović Miroslav Milinović University Computing Centre - SrceUniversity Computing Centre - Srce

<[email protected]>

EuroCAMPLjubljana, March 2006

EuroCAMP, Ljubljana 2006: 2/23

Contents

History hrEdu radius/LDAP hierarchy AAI@EduHr project hrEdu schemas AOSI (adding AAI flavour) AAI@EduHr today Future development (PKI@EduHr?)


History

Directories and directory services http://ds.carnet.hr Netfind, Whois++, X.500 LDAP killer application needed

Network access AAA for dial-up access introducing radius instead of tacacs+

(highly) distributed user community 200 member institutions

(variable size of institution and amount of ICT resources) expert knowledge is not equaly distributed/available


We started with ...

(hrEdu) radius/LDAP hierarchy limited function, primarily for dial-up access LDAP schema development started AAI foreseen as a long-term goal / dial-up as a killer

application for LDAP deployment

fully operational radius/LDAP hierarchy since Feb. 2003 eduroam member since the very begining


hrEdu radius/LDAP hierarchy

≈ 200 (170) Home orgs

≈ 180000 users

SW: FreeRadius & OpenLDAP

Dial-up access (CMU)

ID: user.realm

(Lucent Navis) proxy radius server(s)

central LDAP server for backup

Home Org X

Radiusserver

LDAP server

Radiusserver

Radiusserver

LDAP server LDAP server

Network

Home Org ZHome Org YHome org X

Radius proxy service

user

resource


Missusing the radius attributes

Use of radius in AA(A) process: AuthN AuthZ = AuthN + “few simple attributes”

We use: Connect-Info hrEduPersonExpireDate Class hrEduPersonUniqueID (hrEduPersonUniqueNumber) Configuration-Token hrEduPersonPrimaryAffiliation

but actually ... not good enough


Project AAI@EduHr

raising demands (network access & applications) Radius/LDAP hierarchy is not good enough project started in May 2004 main goals:

define HrEdu schema(s) set up IdPs Set up the AAI for EduHr

• Shibboleth was found as too complex

• idea: add AAI flavour to the existing radius/LDAP infrastructure

• http://www.aaiedu.hr/


hrEdu hierarchy evolved

≈ 200 (170) Home orgs

≈ 180000 users

SW: FreeRadius & OpenLDAP

Dial-up access (CMU)

StuDOM (8149 “student beds” connected)

Wireless/wired access (Srce, CARNet, ...)

eduroam (http://www.eduroam.org)

UNIX/Linux PAM

(ID: user.realm)

ID: [email protected]

(Lucent Navis) proxy radius server(s)

(central LDAP server for backup)

Home Org X

Radiusserver

LDAP server

Radiusserver

Radiusserver

LDAP server LDAP server

Network

Home Org ZHome Org YHome org X

(radius) proxy service

user

resource


hrEdu schemas

hrEduPerson HrEduOrg

registry: http://schema.aaiedu.hr

transition/migration from earlier versions all LDAPs at the same version since Feb. 2006

more work to do: harmonisation (with SCHAC, ...)


AOSI – adding AAI flavour

AOSI is: an application for maintaing the content of the LDAP directory an access tool for LDAP (e.g. local AAI component)

AOSI has two parts: web service (core AOSI) client application (“only” proof of concept; any other client can be

used localy)

FWS/HLS = central (AOSI) service

AOSI “ShibLite”


Home org

AOSI System

LDAP dir.

AOSI-WS

AOSI Client

AAI@EduHr

Schema (XML)

Codes, ... (XML)

Data (XML)User access

Administrator access


Home org

AOSI System (2)

LDAP dir.

AOSI-WS

AOSI Client

AAI@EduHr

Schema (XML)

Codes, ... (XML)

Data (XML)

PHP.NetJava


Organization A

Application

AAI@EduHr

Federation WS

FWS in AAI@EduHr

Organization B

AOSI

Directory

“routing” information

user@realm


Organization A

Application

AAI@EduHr

Federation WS

HLS in AAI@EduHr

Organization B

AOSI

Directory

“routing” information

user@realm


AOSI WS and FWS Currently based on Perl; FWS to be implemented in Java Local AOSI WS:

Local service is described in http://ldaphost.homeorg.hr/aosi/aosi.wsdl Generally runs at https://ldaphost.homeorg.hr:1443/AOSI

Client platforms working with service: Perl PHP .Net Java

FWS/HLS: Based on AOSI http://www.aaiedu.hr/fws/fws.wsdl

Documentation: http://www.aaiedu.hr/aosi/aosi_wsdl.html http://www.aaiedu.hr/fws/fws_wsdl.html


Resource

Entry Point

AAI Compone

nt

AAI@EduHr today

Central AAI@EduHrServices

(proxy, FWS/HLS...)

Central AAI@EduHrServices

(proxy, FWS/HLS...)

User: uid@realm.

hrHome Org

AAI Compone

nt

Directory

197 (166) Home orgs

FreeRadius

AOSI WS

Open LDAP


AAI@EduHr in real life

in full operation since Feb. 2006

basic monitoring (http://www.aaiedu.hr/status_li.php)

197 Home organisations (IdPs)

number of services: Network access: dial-up, wireless & wired (eduroam, 802.1x) www.eduroam.hr (fully operational by the end of April) Application access: Web-based aplications, WebCT, Moodle, ...


PAP to EAP/TTLS Bridge

Improving security

multithreaded UDP server

based on TinyRadius Radius server API, (http://tinyradius.sourceforge.net/) and eapol_test (http://hostap.epitest.fi/)

works on Linux (we still work on Solaris version)


PAP EAP/TTLS

Radiusserver

LDAP server

Home Org

NAS BridgeRadiusproxy

PAP

Radius(PAP)

Radius

(EAP /TTLS)

Converts PAP to EAP/TTLS and back


An example: CARNet mobile service

RADIUS serverMobile CARNet radius server

CARNet

AAI@EduHr

radius proxy

XYZ

APNMobile AAA DB

LDAP dir.

XYZ client

[email protected]

Mobile CARNet AAA Home org.


An example: CARNet mobile service (2)

RADIUS serverMobile CARNet radius server

CARNet

AAI@EduHr

radius proxy FWS/HLS

Mobile AAA DB

LDAP dir.

HTTP client

[email protected]

Mobile CARNet AAA Home org.

Mobile CARNet Web


Future work become a “real” federation (policies, policies, ...) central (vs. local) login page in production resource registry (based on SWITCH solution) certficates for services from TERENA SCS (provided by CARNet) improved monitoring

start “speaking” SAML Add ARP functionality to AOSI “Shib gateway” in production interoperate with eduGAIN

SSO PKI@EduHr? (SX project)


AAI@EduHrhttp://www.aaiedu.hr/

[email protected]@aaiedu.hr

aai@eduhr (from radius hierarchy to aai)

Documents