20160224 eduroam for IT Managers forum
1. BYOD and eduroam
for Eastern Region IT Managers Group – Jon Agland, Jisc
22/07/2016
https://www.flickr.com/photos/usask/8161628476/
2. My background
»Jisc Subject specialist (2015 ->)
› Network technologies and infrastructure
»Jisc Regional Support Centre Wales (2006-2014)
› Technical infrastructure advisor, mostly to FE.
»Prior to that...
› Network/Technical Support Desks
–Public Sector, ISP, Business and Consumer
22/07/2016 BYOD and eduroam 2
3. eduroam
What is it?
»secure, world-wide roaming access service
»research and education
»single Wi-Fi Profile
»participating organisations
»seamless and automatic
»Jisc UK provider of eduroam
5. Comparing Wireless Access Methods
Wireless Access Method | Accountability | Security | User Experience
Key-based (your House) | Poor | Good (with WPA2-AES) | OK
Open | Poor | Poor | Excellent
Open with Captive Portal (Wireless Hotspots – O2 Wifi, The Cloud etc.) | Good | Poor | OK
WPA2 Enterprise (802.1x) (eduroam, most corporate Wifi) | Excellent | Very Good – Excellent | Moderate – Excellent
7. Customer quotes
»From three Welsh FE Colleges
› Seamless
› Secure
› Bring your own Device
› Low cost
› Policy and User based permissions
› Flexibility
8. Recent joiners
Organisation | Date Operational
Heythrop College UoL | 07/09/2015
Aberystwyth Town Council | 21/09/2015
Southern Regional College | 30/09/2015
The College of Richard Collyer | 21/10/2015
The Mary Ward Settlement | 23/10/2015
City of Glasgow College | 27/10/2015
Cambridge Education Group | 18/11/2015
Luton Sixth Form College | 18/11/2015
Trinity Laban Conservatoire of Music and Dance | 18/11/2015
Telford College of Arts and Technology | 18/11/2015
Mullard Space Science Laboratory | 20/11/2015
Epping Forest College | 30/11/2015
Nescot College | 04/12/2015
South and City College Birmingham | 07/12/2015
Loughborough College | 10/12/2015
Cornwall College | 17/12/2015
The Francis Crick Institute | 18/12/2015
20. Monitoring visited access
»eduroam ‘self-declared’
»Some visitors have issues at some locations
»Organisations may not be monitoring enough.
»Monitoring probes being rolled out
› Status of visited service
»Message to users – ‘Do not adjust your set!’
21. What can you do?
If you already have eduroam:
»Compliance with Tech Spec
»Update eduroam (UK) support site
› Status
› Add locations
› Check them on monitor
»Monitor your service
»Sign up for eduroam CAT
If you don’t have eduroam:
› Talk
› Check eligibility
› Sign up
› Collaborate
22. What support is available?
»Network and Technology training
»eduroam UK Support
› Technical specialists manage eduroam day-to-day
»Jisc subject specialists
› Primarily me
»Online documentation
»Community - Jiscmail
› Wireless-Admin and Janet-Roaming
»Paid consultancy
Guide available on
Walled garden for on-boarding user devices to eduroam
23. jisc.ac.uk
Except where otherwise noted, this work
is licensed under CC-BY-NC-ND
Jon Agland
Subject specialist
Network Technologies and Infrastructure
Jon.Agland@jisc.ac.uk
02038198207 / 07443984222
24. jisc.ac.uk
eduroam (UK) Support
service@ja.net
www.jisc.ac.uk/eduroam
Editor's Notes
eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.
Allows users to access to the internet through a single Wi-Fi Profile and set of credentials, wherever the service has been made available by participating organisations. Connection can be seamless and automatic.
Jisc is the UK provider of eduroam.
Key-based – your House.
Poor accountability: if someone does something bad on your Internet connection, they will probably come after you.
Therefore not a good solution for Home.
Security – usually good (assuming you’re using WPA2 with AES). Issue around shared keys (you need to trust the other users).
User Experience – actually pretty good
Open
Accountability – See above
Security – Poor
I wouldn’t do your banking!
Man-in-the-middle attack/Hi-jack.
User Experience – usually Excellent (assuming your Wifi and Internet connection can cope with all the connections and users!)
Open with Captive Portal
Good – because you have to ‘login’ and give some details before they let you pass traffic
Security is poor
As above, don’t do your banking: MITM. Even the ‘login’ step is open to MITM, which would undermine the Accountability as well!
User Experience
Usually OK.
Common complaint is: why do I need to keep logging in?
WPA2 Enterprise
Accountability is Excellent
Security is again Very Good-Excellent. Some devices don’t allow you to easily configure them securely, sometimes easier to configure them insecurely! A correctly and securely configured device is as good as a wired connection, if not better! Risks are low!
User Experience – Will talk about this in a bit, but there is some ‘one-time’ pain in connecting to these types of network. Should be seamless following that!!
All HE institutions in Wales participating in eduroam
12 of 14 FE colleges are participating after ‘Jisc’ involvement. Majority using or intending to use it as their primary solution for BYOD and Wireless Access.
2 Local Authorities mostly providing visited access.
Visited access across a number of Health sites usually in partnership with Universities
Cost savings and Collaboration
Other interesting places have access thanks to Collaboration
Rugby – Scarlets stadium
Leisure – Swansea LC2, and Wales National Pool
Not forgetting Greyhound Buses!
College 1 - eduroam at our college has provided a secure Wireless platform for staff and learners. It also provides visitors from other eduroam organisations an easy way to access Wifi at the College. It hasn't cost us anything tangible to setup other than time and some virtual server resource.
College 2 - Want a secure WPA2 enterprise wireless network that doesn’t ask for authentication every five minutes? eduroam is for you! Our college has recently superseded its Active Directory integrated firewall authentication with eduroam. The results are a much happier student cohort with easier administration and added flexibility with user based permissions, rather than computer based. This is the ideal platform for us to undertake Bring your own Device in earnest (BYOD). Many thanks Jisc!
College 3 - We realized the importance of providing a secure 802.1x (enterprise grade) wifi network service early on. The ability to segregate, easily route traffic based on policy, and ability to easily identify people and devices from logs was essential. We then needed to decide on an SSID for this network. eduroam was the obvious choice because we didn't want to confuse people with multiple SSIDs, and didn't want to waste bandwidth and wifi frequencies by using multiple SSIDs. We regularly have staff and students from other HE institutions using our site. Providing seamless secure internet access with no day to day administrative overhead is valuable with our small IT team. We have avoided many vendor costs by using open source vendor agnostic software for management.
277 operational members (just in the UK)
368 registered organisations
Taking the last point about Multiple SSIDs
It’s also a usability issue for users. See this example from a Sixth Form School.
5 SSIDs
Each ‘Wireless Name’ SSID will impact Wireless performance
Each of those network VLANs often is, or should be, limited to 1000 devices.
Organisations often aggregate the traffic from multiple Access Points using controllers/concentrators.
Meraki – 3 SSIDs
Using eduroam (or in fact WPA2 Enterprise (802.1x) solution), you can achieve this.
6/7 down to 2/3
Scaling
In order to support users and devices, configuration tools are required to set up the initial ‘eduroam’ profile.
These ensure the user’s connection is configured correctly and securely!
Following this the user experience should be seamless!
eduroam CAT is one such tool (will come back to that).
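The point made under WPA2 Enterprise, that some devices are easier to configure insecurely than securely, is exactly what a configuration tool has to get right. The following is an added example, not from the slides and not eduroam CAT’s own code: it parses two constructed wpa_supplicant-style eduroam network blocks (realm, certificate path and names are assumed) and flags the settings whose absence means the supplicant never actually validates the RADIUS server’s certificate.

```python
import re
# Constructed wpa_supplicant-style eduroam profiles (assumed sample input):
# the first is the "easy" insecure setup, the second is what a tool should produce.
SAMPLE_PROFILES = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.ac.uk"
    password="placeholder"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.ac.uk"
    anonymous_identity="anonymous@example.ac.uk"
    password="placeholder"
    ca_cert="/etc/ssl/certs/example-ac-uk-ca.pem"
    domain_suffix_match="radius.example.ac.uk"
}
"""

# Without both of these the supplicant accepts any RADIUS server's certificate.
REQUIRED = {
    "ca_cert": "no CA certificate pinned; any RADIUS server is trusted",
    "domain_suffix_match": "server name not checked; any cert from the CA is accepted",
}
RECOMMENDED = {
    "anonymous_identity": "real username sent in the clear as the outer identity",
}

def parse_networks(text):
    """Return a list of dicts, one per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        entry = {}
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition("=")
            entry[key] = value.strip('"')
        networks.append(entry)
    return networks

def audit(network):
    """Return (is_secure, findings) for one eduroam network block."""
    findings = [msg for key, msg in REQUIRED.items() if key not in network]
    warnings = [msg for key, msg in RECOMMENDED.items() if key not in network]
    return (not findings, findings + warnings)
```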
Sometimes a Walled Garden is required.
Transparent filtering is a requirement for BYOD and therefore eduroam.
If you’re using eduroam, you can also make the filtering for users more transparent (e.g. no need to log in twice) – marrying VLANs and subnets to web filtering rules.
One college using a web filtering product has used RADIUS accounting, so it’s even easier.
The RADIUS infrastructure behind eduroam can sometimes help and be tied into your web filtering.
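How RADIUS accounting can feed web filtering, as an added example (not from the slides or the college mentioned): it replays constructed FreeRADIUS-style accounting records and derives a live IP-to-user mapping, with a filtering policy chosen from the VLAN the controller reported and a flag for eduroam visitors from other realms. The home realm, VLAN-to-policy table and all sample values are assumed.

```python
import re
# Constructed RADIUS accounting records in FreeRADIUS "detail" file style (assumed format/values).
SAMPLE_DETAIL = """\
Mon Jul 18 09:12:01 2016
\tAcct-Status-Type = Start
\tAcct-Session-Id = "s001"
\tUser-Name = "alice@example.ac.uk"
\tFramed-IP-Address = 10.20.0.15
\tTunnel-Private-Group-Id:0 = "20"

Mon Jul 18 09:12:30 2016
\tAcct-Status-Type = Start
\tAcct-Session-Id = "s002"
\tUser-Name = "visitor@other.ac.uk"
\tFramed-IP-Address = 10.30.0.7
\tTunnel-Private-Group-Id:0 = "30"

Mon Jul 18 09:15:00 2016
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "s001"
"""

HOME_REALM = "example.ac.uk"                                     # assumed home realm
VLAN_POLICY = {"10": "staff", "20": "student", "30": "visitor"}  # assumed VLAN -> filter policy

def parse_records(text):
    """Yield one attribute dict per blank-line-separated accounting record."""
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        rec = {"timestamp": lines[0].strip()}
        for line in lines[1:]:
            attr, _, value = line.strip().partition(" = ")
            rec[attr.split(":")[0]] = value.strip('"')   # drop the tag suffix (":0")
        yield rec

def active_sessions(text):
    """Replay Start/Interim-Update/Stop records; return IP -> {ip, user, home, policy}."""
    sessions = {}
    for rec in parse_records(text):
        sid = rec.get("Acct-Session-Id")
        if rec.get("Acct-Status-Type") == "Stop":
            sessions.pop(sid, None)               # session ended: its IP must lose the mapping
            continue
        user = rec.get("User-Name", "")
        sessions[sid] = {"ip": rec.get("Framed-IP-Address"), "user": user,
                         "home": user.rpartition("@")[2] == HOME_REALM,   # home user or visitor?
                         "policy": VLAN_POLICY.get(rec.get("Tunnel-Private-Group-Id"), "default")}
    return {s["ip"]: s for s in sessions.values()}
```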
The defined levels of access required and offered by eduroam, can sometimes be broader than an institution offers their users, this often brings up safeguarding as a consideration.
Many of the solutions are to educate users on e-Safety,
There are workarounds that institutions can implement
Capable of more in this space.
What’s being done to improve user experience.
Configuration Assistance Tool
Each ‘eduroam’ organisation can sign-up
Free and central tools for your users to setup eduroam
Every organisation should signup (even if they are using other tools)
Most platforms supported
eduroam CAT is co-ordinated by GEANT – the European association of NRENs (Jisc/Janet).
Recently released
Available from the Play Store
User goes to eduroam CAT
Better user experience
eduroam ‘self-declared’
Some visitors have issues at some locations
Organisations may not be monitoring enough.
Jisc are trialling probes
Report status of visited access
Key message to visitors with an eduroam issue is:
If it works at your home organisation then...
‘Do not adjust your set!’
Report issues via your home organisation
They can report to Jisc who can try to trace.
Network and technology training
Courses in July London, and October Birmingham
Network and Technology training
eduroam UK Support
Technical specialists who manage eduroam UK
Jisc subject specialists
Online documentation
Community - Jiscmail
Wireless-Admin and Janet-Roaming
Paid consultancy
Via eduroam UK Support, but also commercial offerings.
Guide (e-mail me currently for latest/final draft), but will be going onto Jisc community site shortly.