connect • communicate • collaborate Eduroam debugging Gurvinder Singh and Gunnar Bøe, Campus Networks and Systems, UNINETT AMRES Wireless workshop Belgrade, 12 September 2011

Feb 24, 2016

Page 1: Eduroam debugging

Eduroam debugging

Gurvinder Singh and Gunnar Bøe, Campus Networks and Systems, UNINETT

AMRES Wireless workshop, Belgrade, 12 September 2011

Page 2: Eduroam debugging

Eduroam in Norway

Page 3: Eduroam debugging

Eduroam Architecture

[Diagram labels: Inst. A1, Inst. A2, Nation A Radsec Proxy; Inst. B1, Inst. B2, Nation B Radsec Proxy; Top level RADIUS]

Page 4: Eduroam debugging

Issues

• User unable to connect while roaming.
• How to locate the problem? Is it at the client device, station ID, visiting institution's radius server, national proxy or home radius server?

Page 5: Eduroam debugging

Challenges

• Distributed architecture
• Inter-institution/international roaming
• Heterogeneous environment (FreeRadius, Microsoft radius server etc.)
• Encrypted traffic
• Privacy issues

Page 6: Eduroam debugging

History

• Radius log files are nice, BUT…
• Debugging eduroam is complicated
• Lack of access to radius logs on other levels
• The guys who did something about it: Gurvinder Singh, Jardar Leira, Kolbjorn Barmen, Tore Kristiansen, Gunnar Boe

Page 7: Eduroam debugging

Edudbg Design

Due to the mentioned challenges, edudbg monitors the request logs at the national radsec proxy level.

It parses and stores the information in an easily accessible and searchable way to help find the problem at hand.

Page 8: Eduroam debugging

Edudbg's Components

• Edudbg-logger: parses and stores the radsec proxy log file in the database.
• Edudbg-webservice: reads the database for search and makes it easily accessible for users/administrators.
• Authentication plug-in
• Authorisation plug-in

Page 9: Eduroam debugging

Privacy issues

Access to RADIUS logs on a higher level can expose information (who, where, when) about people from other organisations.

Solution:

• Supports federated security systems, e.g. Feide.
• Only grant access to information related to your own organisation.
• No more information exposed than you already have access to.

Page 10: Eduroam debugging

Edudbg Architecture

Federated login

Page 11: Eduroam debugging

Edudbg-webservice

Reads the database and allows users to access debug information in a user-friendly way.

Hides the complexity caused by the eduroam architecture and makes debugging easy.

Page 12: Eduroam debugging

Edudbg Usage scenario

• Edudbg can be used to detect connection failures.
• It can also be used by administrators for proactive maintenance, e.g. detecting radius server loops.

Page 13: Eduroam debugging

Demo interface

file:///F:/all/GigaCampus/Mobilitet/edudbg/documentation%20examle.htm

http://eduroam.no

Page 14: Eduroam debugging

Eduroam Architecture

[Diagram labels: Inst. A1, Inst. A2, Nation A Radsec Proxy; Inst. B1, Inst. B2, Nation B Radsec Proxy; Top level RADIUS]

Page 15: Eduroam debugging

Use cases (missing realm)

A missing realm name causes the national proxy to forward the request to the local radius server.

The given user does not belong to that organization, so the request is rejected there.

Page 16: Eduroam debugging

Use cases (incorrect realm)

A misspelled realm name causes the national proxy to forward the request to the top level servers, and thus the request is rejected.

Page 17: Eduroam debugging

Use cases (incorrect password)

The contents of the request seem to be fine and the request has been routed to the correct home server.

The reason for the access-reject is at the home institution side and is most likely an incorrect password.

Page 18: Eduroam debugging

Use cases (Radius Server Loop)

The contents of the request seem to be fine and the request has been routed to the correct home server.

But the request comes from the same institution and is routed back to it.

This should not happen, as an institution should forward a request to the national proxy only if the user is from another institution.
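
The four use cases above, expressed as a classifier over national-proxy log lines. This is an added example, not edudbg's own code; the line layout, realm table and institution names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed realm table for one national proxy (hypothetical names).
REALMS = {"a1.example.no": "inst-a1", "a2.example.no": "inst-a2"}

# Simplified line layout assumed for this example, not radsecproxy's real format.
LINE = re.compile(
    r"(?P<reply>Access-(?:Accept|Reject)) user=(?P<user>\S+) "
    r"client=(?P<client>\S+) server=(?P<server>\S+)"
)

def diagnose(line):
    """Map one proxy log line to a use case from the slides."""
    m = LINE.search(line)
    if m is None:
        return "unparsed"
    _, sep, realm = m["user"].rpartition("@")
    if not sep or not realm:
        return "missing realm"
    home = REALMS.get(realm.lower())
    if home is None:
        return "incorrect realm"        # unknown here, goes to the top level
    if m["client"] == home and m["server"] == home:
        return "radius server loop"     # institution sent its own user upward
    if m["reply"] == "Access-Reject":
        return "rejected at home"       # most likely an incorrect password
    return "ok"

def summarise(lines):
    """Count diagnoses so recurring problems such as loops stand out."""
    return Counter(diagnose(line) for line in lines)

# Constructed sample lines.
SAMPLE = [
    "Access-Reject user=ola client=inst-a1 server=inst-a1",
    "Access-Reject user=ola@a2.exmaple.no client=inst-a1 server=top-level",
    "Access-Reject user=ola@a2.example.no client=inst-a1 server=inst-a2",
    "Access-Accept user=kari@a1.example.no client=inst-a1 server=inst-a1",
    "Access-Accept user=kari@a1.example.no client=inst-a2 server=inst-a1",
]

if __name__ == "__main__":
    for text, count in summarise(SAMPLE).items():
        print(f"{count} x {text}")
```

A realm served by another nation's proxy also lands in the "incorrect realm" bucket here, because the constructed table lists national realms only.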

Page 19: Eduroam debugging

Edudbg Experience

Our experience from running the edudbg service so far shows that almost 70 - 80% of issues occur due to incorrect information sent in the request, e.g. a misspelled username, password or incorrect realm.

Edudbg helps in debugging the mentioned cases. Going deeper into a problem requires log information from the local institution, which requires further discussion.

Page 20: Eduroam debugging

Discussion

Should we deploy at the national proxy level or the institutional level?

Should log information be in a fixed format or the default format?

For how long should such information records be kept in the database?

Page 21: Eduroam debugging

Useful links

• Wireless best practice: http://www.terena.org/activities/campus-bp/bpd.html

• Slides from this workshop: https://ow.feide.no/geantcampus:wireless_sept_2011

Page 22: Eduroam debugging

More information / Contact

GEANT3 NA3 Task 4: Campus Best Practice
http://www.geant.net/About_GEANT/Campus_Best_Practice/Pages/home.aspx
http://www.terena.org/activities/campus-bp/
[email protected]

Look out for more BPDs coming along…
Subscribe to announcements

[email protected]

Page 23: Eduroam debugging

Thank you!

Contact: campus@uninett.no