2–3 Nov 2017
Addis Ababa | Ethiopia

Governance model for Educational Roaming (eduroam) in African research institutions

3 Nov 2017, 08:20
20m
Hilton Hotel (Addis Ababa | Ethiopia)

Menelik II Ave
Reviewed Presentation
Technical support required for intra-African collaboration
Session 4a - Tools and e-Infrastructure required for Intra-African Collaboration

Speaker

Mr LLOYD SSENTONGO (Rakai Health Sciences Program)

Description

Abstract

Educational Roaming, “eduroam”, is a globally accessible, secure wireless service for members of participating universities and research institutions. eduroam is a widely used example of a technology that uses trust and identity federations to share essential tools for collaboration and research by enabling visiting partners to use the Internet at trusting institutions. Identity is a key service provided by the eduroam service, and use of the service is limited to active users from collaborating institutions and potentially collaborating institutions.

As the popularity of eduroam increases, this freedom is in jeopardy as ransomware worms and network saturation potentially impinge upon providing consistent service levels at African member institutions. In addition, the high cost of an adequate Internet gateway in Africa creates a supply-side constraint, leading to de facto restrictions that other continental partners may not have to consider. The effects of this tension can cause degradation in services for the roaming user and could also spill over into the existing pool of network resources offered by the service provider. Some member institutions may address these problems by implementing overly restrictive policies, creating a very inconsistent experience when using eduroam between member institutions. These challenges may lead member institutions to discontinue support for eduroam or prospective members to choose not to adopt eduroam.

We used quantitative and qualitative methods to establish a baseline of Internet priorities. We performed deep packet inspection to reveal common categories of Internet resources, applications, and specific Internet hosts that are used at research institutions under our administration. We assigned a bandwidth cost to applications and used surveys to gauge the relative importance of Internet resources, applications, and hosts.

After one year of service at NIAID African research institutions, this body of work produces a proposed convention for eduroam member institutions that introduces a behavioral policy for eduroam users and a scalable, platform-independent configuration policy for member institutions.

Summary

I. Notes

Configuration policy

  1. Bandwidth caps
  2. Filtering which Internet content users can access
  3. Network behavioral guidelines
  4. Incident response policies for administrators when responding to behavioral incidents
  5. How do we make eduroam a single SSID on our network? That is, getting rid of the other SSIDs the network broadcasts.

Monitoring

  1. How do we automate monitoring eduroam to ensure it’s working at the local institution?
  2. How do we automate monitoring eduroam to ensure it’s working for RHSP users roaming at other visited institutions worldwide?
  3. How do we know if the service at the home national RADIUS proxy server is up or down?

Security concerns

  1. Packet and disassociation spoofing because 802.1X doesn’t use a keyed MIC
  2. Need to physically segregate the eduroam wireless APs from the institution's local area network
  3. The eduroam wireless network is on a separate virtual local area network

Primary author

Mr LLOYD SSENTONGO (Rakai Health Sciences Program)

Co-authors

Mr Brian Moyer (Office of Cyber Infrastructure and Computational Biology (OCICB), National Institute of Allergy and Infectious Diseases (NIAID), National Institutes of Health (NIH))

Mr Christopher Whalen (Office of Cyber Infrastructure and Computational Biology (OCICB), National Institute of Allergy and Infectious Diseases (NIAID), National Institutes of Health (NIH))

Mr Matthew Economou (Office of Cyber Infrastructure and Computational Biology (OCICB), National Institute of Allergy and Infectious Diseases (NIAID), National Institutes of Health (NIH))

Mr Michael Tartakovsky (Office of Cyber Infrastructure and Computational Biology (OCICB), National Institute of Allergy and Infectious Diseases (NIAID), National Institutes of Health (NIH))

Mr Sidy Soumare (Malian International Centre for Excellence in research, NIAID/NIH)