As enterprises grapple with how to enable automated Wi-Fi roaming between campus networks and remote hotspots, research and education organizations may have found an answer in eduroam.
Using a set of federated RADIUS servers along with a unique behind-the-scenes agreement between hundreds of participating organizations, eduroam lets research and education (R&E) users authenticate on any participating wireless network or hotspot without manually logging on. A faculty member from the University of Illinois can step onto the Penn State campus and be automatically signed on to the WLAN.
Behind the scenes, campuses that join eduroam implement 802.1X authentication using WPA2 on their WLANs, and place matching software clients on user devices. They must also install RADIUS servers that are peered with centralized eduroam RADIUS servers. Then they can broadcast the eduroam service set identifier (SSID) across their access points.
When an eduroam user visits a new campus, his or her device automatically contacts the visited campus's local RADIUS server, which forwards the request to a central eduroam RADIUS server. The eduroam RADIUS server queries the user's home campus for a credential check. The home server sends a certificate challenge to the user's device through an encrypted tunnel and, if there is a match with the user database, the home server finally notifies the visited campus that the user may be granted network access. All of this occurs automatically within a matter of seconds.
"It's like you're doing a local authentication, but you're far away," explained Philippe Hanset, a co-founder of AnyRoam LLC, which has spearheaded eduroam support among campuses in the U.S. "You're making [an access] request with an outer identity, but that doesn't matter because it ends up at your local database through an encrypted tunnel between you and your local RADIUS server."
Eduroam's primary technical role is in providing a fabric between RADIUS servers. It routes the user's local request to the right server, and then acts as an "extension cord" to the regular encrypted tunnel, Hanset said.
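The routing described above, as an added Python simulation that is not eduroam's or any vendor's code: the visited campus authenticates its own users locally and hands visitors' requests to a federation proxy, which routes on the realm in the outer identity; only the home server reads the inner identity and credential (which in the real protocol travel inside the TLS tunnel), and the visited side logs only what it can see. All realms, user names, passwords and MAC addresses are constructed, and the home server's check that the inner identity belongs to its own realm is a defensive assumption of this example, not something the article describes.

```python
"""Simulation of eduroam-style federated RADIUS routing (added example).

Constructed for illustration: not eduroam's or any vendor's code. Realms,
users, passwords and MAC addresses are made up. In the real protocol the
inner identity and credential ride inside a TLS tunnel (EAP-TTLS/PEAP)
terminated only by the home server; here that is modelled by letting
only HomeServer read those two fields.
"""
from dataclasses import dataclass
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


@dataclass
class AccessRequest:
    outer_identity: str   # visible to the visited campus and the proxy
    inner_identity: str   # "inside the tunnel": read only by the home server
    password: str         # likewise
    device_mac: str       # visible: what the visited side can tie abuse to


@dataclass
class AccessResponse:
    accepted: bool
    reason: str


def realm_of(identity: str) -> Optional[str]:
    """Return the lower-cased realm of 'anonymous@home.example', or None."""
    if "@" not in identity:
        return None
    realm = identity.rsplit("@", 1)[1].strip().lower()
    return realm or None


def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted hash; a real home server would consult its directory instead.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class HomeServer:
    """Home campus RADIUS server: the only party holding the user database."""

    def __init__(self, realm: str, users: Dict[str, str]) -> None:
        self.realm = realm
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}
        for user, password in users.items():
            salt = os.urandom(16)
            self._creds[user] = (salt, _derive(password, salt))

    def authenticate(self, req: AccessRequest) -> AccessResponse:
        # Assumed defensive check: an inner identity for another realm was mis-routed.
        if realm_of(req.inner_identity) != self.realm:
            return AccessResponse(False, "inner identity does not belong to " + self.realm)
        user = req.inner_identity.rsplit("@", 1)[0]
        if user not in self._creds:
            return AccessResponse(False, "unknown user")
        salt, stored = self._creds[user]
        if not hmac.compare_digest(stored, _derive(req.password, salt)):
            return AccessResponse(False, "bad credential")
        return AccessResponse(True, "accepted by home realm " + self.realm)


class FederationProxy:
    """Central eduroam RADIUS server: routes on the outer realm only."""

    def __init__(self) -> None:
        self._routes: Dict[str, HomeServer] = {}

    def register(self, home: HomeServer) -> None:
        self._routes[home.realm] = home

    def forward(self, req: AccessRequest) -> AccessResponse:
        realm = realm_of(req.outer_identity)
        if realm is None:
            return AccessResponse(False, "outer identity carries no realm")
        home = self._routes.get(realm)
        if home is None:
            # Unknown realm: reject here instead of forwarding blindly.
            return AccessResponse(False, f"realm {realm} is not in the federation")
        return home.authenticate(req)


class VisitedCampus:
    """Local RADIUS server of a campus broadcasting the eduroam SSID."""

    def __init__(self, local: HomeServer, proxy: FederationProxy) -> None:
        self.local = local
        self.proxy = proxy
        self.log: List[str] = []

    def handle(self, req: AccessRequest) -> AccessResponse:
        if realm_of(req.outer_identity) == self.local.realm:
            resp = self.local.authenticate(req)   # our own user: no proxying
        else:
            resp = self.proxy.forward(req)        # visitor: hand to the federation
        # The visited side records only what it can see: outer identity, MAC, outcome.
        self.log.append(f"{self.local.realm} outer={req.outer_identity} "
                        f"mac={req.device_mac} result={'ACCEPT' if resp.accepted else 'REJECT'}")
        return resp


def build_demo() -> Tuple[VisitedCampus, HomeServer, HomeServer]:
    """Two constructed campuses joined through one federation proxy."""
    illinois = HomeServer("illinois.example", {"alice": "correct horse battery"})
    psu = HomeServer("psu.example", {"bob": "tr0ub4dor&3-longer"})
    proxy = FederationProxy()
    proxy.register(illinois)
    proxy.register(psu)
    return VisitedCampus(psu, proxy), illinois, psu


if __name__ == "__main__":
    visited, _, _ = build_demo()
    # A constructed Illinois user walks onto the psu.example campus.
    req = AccessRequest("anonymous@illinois.example", "alice@illinois.example",
                        "correct horse battery", "02:00:00:aa:bb:cc")
    print(visited.handle(req))
    print(visited.log[-1])
```

The proxy never touches the password or the inner identity, and the visited campus's log line carries only the outer identity and the device address, which is enough to ask the home institution about a misbehaving visitor without the visited side ever learning who the user is.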
In the U.S., eduroam has now become part of the Internet2 Net+ portfolio. Internet2 runs a global 100 Gb Ethernet network that connects R&E campuses, and provides other shared technologies, including federated identity management, cloud resources and collaboration/video applications.
The eduroam labyrinth
Just as important as the technology behind eduroam are the unique partnerships that R&E institutions have formed in order to participate. Enterprises have grappled with Hotspot 2.0 to enable seamless Wi-Fi roaming, but roaming agreements of this kind require trust between the participating organizations.
With eduroam, only members of R&E organizations or other educational institutions, such as K-12 schools, can be users, but anyone can become a service provider or run a network that broadcasts the eduroam SSID. Only teachers, students, researchers and staff members are logging onto each other's networks, but anyone from a university campus to a Starbucks could provide network access.
"The optimal goal is to have it in as many places as possible," Hanset said. This enables researchers to continue their work regardless of location.
Service providers and user institutions have to meet a few requirements to join eduroam, including keeping activity logs for at least six months, so that if a user "misbehaves" on the network, the problem can be tracked, Hanset explained. Organizations are also required to provide information to law enforcement if a user commits a crime via the network.
While eduroam is somewhat new in the U.S., with about 120 participating R&E institutions that are either in production or testing, it has been in use in Europe since 2003 and is available at hundreds of service provider locations in at least 35 countries. It's also deployed throughout the Asia Pacific and in some areas of Africa. In Europe, strides have already been made to extend seamless Wi-Fi roaming beyond campus boundaries into public spaces.
"In Sweden, for instance, some train stations are carrying eduroam SSID," Hanset said.
Recently on the Joint Information Systems Committee (JISC) blog, a U.K.-based blogger wrote, "If I had ever bothered to map the different locations in which I had accessed eduroam, it would be far-flung and global. I've accessed eduroam from an island in the middle of Sydney Harbour to a bus in Malaga through many conference facilities, offices and institutions across Europe."
Exciting technology, but eduroam faces challenges
The eduroam technology is promising, but it can be costly for campuses with small technology budgets. The University of California Santa Cruz had to upgrade its WLAN equipment to handle both WPA2 and Advanced Encryption Standard (AES) to support eduroam, said Senior Network Engineer Jim Werner. The team at UC Santa Cruz could have gotten started by replacing a couple hundred APs (access points) -- just enough to enable authentication where strictly necessary on campus -- but then the network would have been "bifurcated" into new APs that could handle eduroam and old ones that couldn't, Werner explained. Instead the network team opted for an overall upgrade.
"We had to request money to upgrade wireless access points and we had to get techs to run around and do the upgrade, which turned out to be a big project," Werner said.
Installing the eduroam client on every user device is also a challenge. At Santa Cruz, the team automated that process by implementing CloudPath Networks' Wi-Fi configuration tool XpressConnect, which allows users to self-configure devices. With XpressConnect, users enter a captive Web portal that prompts them through configuration and grants credentials based on user group or other factors. Still, XpressConnect was yet another investment.
Legal issues also concern some campuses. Many U.S. schools are concerned that eduroam doesn't have a splash page that lists the accepted terms of agreement for network access, for example. Those agreements indemnify institutions from liability if anything goes wrong while users are on the network. But Hanset said reading a splash page with hundreds of rules would be "nightmarish" for smartphone users and would "break" the system. Instead, the organization is working on a common set of terms that all members would accept once they join the federation.
Why bother with Hotspot 2.0 when you have eduroam?
Since eduroam has made so much progress, why wouldn't the enterprise drop its work with Hotspot 2.0, which aims to provide seamless Wi-Fi roaming between hotspots and enterprise campuses? Why not work toward a super system of federated RADIUS servers that interlinks back-end databases that can authenticate anyone wherever they go?
For one thing, Hotspot 2.0 aims to go further than eduroam, providing cellular-to-Wi-Fi handoff in addition to seamless roaming. But even just for roaming, there are technical challenges -- most hotspots aren't WPA2- or 802.1X-enabled.
"802.1X is a technology that is being used by corporate America and universities, but not Starbucks or airports because it's cumbersome. Installing it on the client side creates a lot of commotion," Hanset said.
An even bigger issue lies in the complicated partnerships that must be in place in order to support both eduroam and Hotspot 2.0. Eduroam functions based on reciprocal agreements between a group of like-minded R&E organizations that are working toward enabling collaboration between research teams. That same reciprocity may not work between private, sometimes competing enterprises.