Eduroam

eduroam

nueva red compartida universitaria manual de configuracion basico

eduroam Compliance Statement

This document outlines the minimum technical and organisational standards for roaming operators (RO) and roaming confederations (RC) in order to provide the global eduroam service. Implementing the minimum standard requires the coordination of roaming operators (RO) and roaming confederations (RC).

This document is subject to change by the Global eduroam Governance committee (GeGC), based on feedback from ROs, RCs or individual eduroam users. Any changes will be managed via version control and relevant TERENA change control processes.

The TERENA co-ordinated GeGC comprises of representatives from ROs and RCs; they have written this document. Any feedback regarding this document should be directed to <gegc@terena.org> for consideration.

In case of a dispute regarding the status of an entity (IdP, SP, RO) in the eduroam service that cannot be resolved by the responsible RO or RC, the GeGC will give the final ruling.

1. Terminology

1.1. eduroam

eduroam is a federated roaming service that provides secure network access by authenticating a user with their own credentials issued by their IdP.

1.2. eduroam Identity Provider (eduroam IdP)

An entity that is responsible for user credentials and operation of an authentication server for eduroam access for these users. IdPs are in some regions also known as “Home Institutions”.

1.3. eduroam Service Provider (eduroam SP)

An entity that operates an access network on which eduroam users are admitted to access Internet services once they are successfully authenticated by their IdP. SPs are in some regions also known as “Visited Institutions”.

1.4. Roaming Operator (RO)

The entity that operates the eduroam service for a country or economy and that is recognised as such by the RC to which it belongs or, in case the country or economy is part of a geographic region for which no RC is established, by the GeGC. The RO may be a National Research and Education Network operator, for example. ROs are sometimes referred to as the “eduroam operators”.

1.5. RADIUS Proxy Server (RPS)

RPSs are established and maintained in order to provide the technical infrastructure (i.e., RADIUS server hierarchy) for the global eduroam service.

Top-level RPSs for a geographic region are run by the corresponding RC. In cases where no RC is established for a specific region, the GeGC, advised by the ROs of that region, appoints the ROs that will run the top-level RPSs for the region.

1.6. Roaming Confederation (RC)

An entity that consists of a cohesive set of ROs serving a geographical region and that is recognised as such by the GeGC. The “European eduroam Confederation” is one example.

2. User identification process

2.1. eduroam uses technologies that allow the identification of every individual user which joins an eduroam SP network. The user identification process is defined via an out-of-band communication between the eduroam SP and the user's eduroam IdP to identify the inner EAP identity of an end-user. The user identification process requires sufficient logging information to be recorded at both the eduroam SP and eduroam IdP. The result of the user identification process is for the responsible eduroam IdP to uniquely identify the user who triggered a particular use of an eduroam SP network. The user identification process expressly does not include that this user identification is transmitted to the eduroam SP.

3. Technology compliance for eduroam EAP packet transfer

3.1. An RPS operated by an RC, RO, eduroam IdP or SP MUST forward EAP-messages it receives, destined for eduroam participants, unmodified to the appropriate RADIUS server (be it RC, RO or IdP) as determined by the eduroam routing mechanism defined and agreed by the GeGC.

4. Administrative and technology compliance for ROs

4.1. The RO is responsible for ensuring the eduroam service operation within a particular country or economy.

4.2. The RO may also be responsible for ensuring the eduroam service operation within another country or economy, if no appropriate entity exists in that country or economy that is able and willing to operate the eduroam service for that country or economy. Each case of this kind requires explicit approval from the RC for the geographic region that the country or economy is part of, or, in case the country or economy is part of a geographic region for which no RC is established, from the GeGC.

4.3. The RO has the authority to determine the eligibility of eduroam IdPs, being organisations engaged in research and/or education, in its country or economy.

4.4. The RO has the authority to determine the eligibility of eduroam SPs in its country or economy. There are no restrictions for the eligibility of eduroam SPs as long as the eduroam SP technical requirements are met and access is provided to all eduroam users, irrespective of their origin and without charge.

4.5. The RO MUST establish communication channels to all other ROs. This can be via an RC or via the eduroam regional operators list. An RO MUST be reachable within a reasonable time on this channel.

4.6. The RO SHOULD publish information about the available points of presence of eduroam (SP sites) in its country or economy in an adequate manner defined by the GeGC.

4.7. The RO MUST establish communication channels to the eduroam SPs in its country or economy to be able to communicate changes in requirements and resolve problems.

4.8. The RO MUST publish information about eduroam services on dedicated web pages containing the following minimum information:

4.8.1. Text that confirms adherence (including a url link) to an RC policy (if applicable);

4.8.2. A list of IdPs and a list or map showing eduroam access coverage areas with links to each eduroam SPs web page;

4.8.3. The contact details of the appropriate technical support that is responsible for eduroam services and mailing list(s).

4.9. The RO MUST make sure that the eduroam IdPs and eduroam SPs in its country or economy maintain sufficient logging

...