Hi Phillip,

You can find all you want to know at the website: http://www.eduroam.org,
especially the Service Definition at:
http://www.eduroam.org/downloads/docs/GN2-07-327v2-DS5_1_1-_eduroam_Service_Definition.pdf

You may also want to watch the cartoon at:
http://www.youtube.com/watch?v=TVCmcMZS3uA

In short:

There is a hierarchy of RADIUS proxy servers (institution, country,
European/APAC/Americas) that form a web of (transitive) trust.
This RADIUS infrastructure is used to forward EAP requests from the
visited institution to the home institution of the user; the home
institution of the user verifies the credentials and sends back an ACK
or NAK.
When the visited institution receives an ACK from the home institution,
the user gets access.
Users connect using 802.1X with WPA2/AES.

Hope this helps,
Klaas Wierenga

> Any chance of a link to specs showing how it is done?
> Might be something that maybe deserves to see wider use.
On Sat, Jul 24, 2010 at 9:19 AM, IETF Chair <chair@xxxxxxxx> wrote:
> > eduroam (education roaming) is the secure, world-wide roaming access
> > service developed for the international research and education
> > community. eduroam allows students, researchers and staff from
> > participating institutions to obtain Internet connectivity across campus
> > and when visiting other participating institutions by simply opening
> > their laptop. Since we expect a reasonable attendance at IETF from
> > eduroam-connected sites, IETF participants with an eduroam account
> > configured, should get connected to the wireless network right away with
> > their usual credentials.
> >
> > Enjoy,
> > Russ
> >
> > On 6/30/2010 5:55 PM, IETF Chair wrote:
>> >> I am writing to let you know about a change in the IETF meeting network.
>> >> At IETF 79 in Beijing, the IETF network will be connected to the open
>> >> Internet with absolutely no filtering. However, we have agreed with our
>> >> hosts that only IETF meeting participants will have access to the
>> >> network. Following sound engineering practices, we will deploy
>> >> admission control mechanisms as part of the IETF 78 meeting network in
>> >> Maastricht to ensure that they are working properly before they are
>> >> mission critical.
>> >>
>> >> I am writing to let you know what to expect in both Maastricht and Beijing.
>> >>
>> >>
>> >> ADMISSION CONTROL CREDENTIALS
>> >>
>> >> To gain access to the IETF network, you will need to provide a
>> >> credential. Your primary credential will be your registration ID. You
>> >> can find your registration ID on the registration web page, in the
>> >> response email confirmation you received from the Secretariat, on your
>> >> payment receipt, and on the back of your IETF meeting badge. Your
>> >> Registration ID will be your user name, and it will be used with a
>> >> password that will be provided at a later date. This same password will
>> >> be used by all attendees.
>> >>
>> >> We recognize that IETF 78 registration IDs are very easy to guess. We
>> >> expect to use less easily guessed registration IDs for IETF 79.
>> >>
>> >> If for any reason you are uncomfortable using your Registration ID,
>> >> there will be a supply of completely anonymous Registration ID/Password
>> >> pairs on slips of paper available at the help desk and registration
>> >> desk. You will be asked to show an IETF meeting badge to ensure that
>> >> slips are only provided to registered meeting attendees.
>> >>
>> >> Each set of credentials will allow up to three separate MAC addresses on
>> >> the network, allowing attendees to use the same credential for their
>> >> laptop, phone, or other devices. The limit is to prevent the leak of a
>> >> single credential from undermining the entire system.
>> >>
>> >>
>> >> GAINING ACCESS TO THE NETWORK
>> >>
>> >> The primary mechanism to gain access to the wireless network will be
>> >> either the "ietf.1x" or "ietf-a.1x" SSID. These will be configured with
>> >> WPA1 and WPA2 Enterprise. You simply provide your credentials to your
>> >> supplicant software for authentication to the network. I personally
>> >> encourage you to use WPA2 over WPA1 if your software and hardware
>> >> support both.
>> >>
>> >> If your software does not support WPA Enterprise, you can use the
>> >> captive portal. To use this portal, associate with either the
>> >> "ietf-portal" or "ietf-a-portal" SSID. Upon initial connection,
>> >> Internet connectivity will be blocked. Simply open a browser and go to
>> >> any web site, just like many hotel networks, and you will be redirected
>> >> to a portal page where you can enter your credentials. Once the
>> >> credentials are validated, your MAC address will have unrestricted
>> >> access to the network for some period of time. The portal page will
>> >> also have links to the internal wiki page with helpful information as
>> >> well as a way to create trouble tickets prior to authentication.
>> >>
>> >> If your small device does not support WPA Enterprise and does not have
>> >> a browser, then you will be able to visit the help desk and register the
>> >> device MAC address for access to the network. If you need to register
>> >> your device, please know the MAC address of your device before you show
>> >> up at the help desk.
>> >>
>> >>
>> >> FALLBACK PLAN
>> >>
>> >> Implementing this plan at IETF 78 in Maastricht is important, but
>> >> obviously not without risk. The IEEE 802.1X-based access mechanisms
>> >> have been well tested at previous meetings, and this mechanism is not
>> >> likely to be a source of trouble. The captive portal, however, is a
>> >> greater unknown. Please use the WPA SSIDs if at all possible to reduce
>> >> the load on the portal machines. If the portals do experience problems,
>> >> the NOC team will implement a backup plan. The backup plan will only be
>> >> used as a last resort as the backup plan will not be an option at IETF
>> >> 79 in Beijing.
>> >>
>> >>
>> >> Safe Travel and Best Wishes,
>> >> Russ Housley
>> >> IETF Chair
>> >>
>> >> _______________________________________________
>> >> Ietf mailing list
>> >> Ietf@xxxxxxxx
>> >> https://www.ietf.org/mailman/listinfo/ietf
>> >>
-- Website: http://hallambaker.com/
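
The forwarding Klaas describes in his "In short" summary, as an added Python example that is not part of the original thread and is not eduroam's own code. It assumes requests are routed on the realm part of `user@realm` (the message does not spell out the routing key); all realms, accounts and passwords are constructed.

```python
import hmac

# Constructed topology and accounts; the realms and passwords are made up.
COUNTRY_REGION = {"nl": "europe", "de": "europe", "au": "apac"}
HOME_USERS = {
    "uni-a.nl": {"alice": "example-pw-1"},
    "uni-b.de": {"bob": "example-pw-2"},
    "uni-c.au": {"carol": "example-pw-3"},
}

def proxy_path(visited_realm, identity):
    """Chain of RADIUS proxies a request crosses, visited -> home."""
    home_realm = identity.rpartition("@")[2]
    if "@" not in identity or home_realm not in HOME_USERS:
        raise LookupError(f"no route for realm {home_realm!r}")
    if home_realm == visited_realm:
        return [f"inst:{home_realm}"]          # local user, no roaming
    v_cc = visited_realm.rsplit(".", 1)[-1]
    h_cc = home_realm.rsplit(".", 1)[-1]
    path = [f"inst:{visited_realm}", f"country:{v_cc}"]
    if v_cc != h_cc:                           # leave the country: go via region
        v_reg, h_reg = COUNTRY_REGION[v_cc], COUNTRY_REGION[h_cc]
        path.append(f"region:{v_reg}")
        if v_reg != h_reg:
            path.append(f"region:{h_reg}")
        path.append(f"country:{h_cc}")
    path.append(f"inst:{home_realm}")
    return path

def authenticate(visited_realm, identity, password):
    """Return (verdict, path). Only the home institution checks credentials;
    `password` stands in for the EAP exchange carried over the proxy chain."""
    try:
        path = proxy_path(visited_realm, identity)
    except LookupError:
        return "NAK", []                       # unroutable realm is refused
    user, _, home_realm = identity.rpartition("@")
    stored = HOME_USERS[home_realm].get(user)
    ok = stored is not None and hmac.compare_digest(
        stored.encode(), password.encode())
    return ("ACK" if ok else "NAK"), path

if __name__ == "__main__":
    for who, pw in [("bob@uni-b.de", "example-pw-2"),
                    ("carol@uni-c.au", "wrong"), ("eve@nowhere.fr", "x")]:
        print(who, authenticate("uni-a.nl", who, pw))
```

The returned path makes the transitive trust visible: every proxy listed handles the request, but the credential check happens only at the last hop.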