The basic responsibility of AARNet as the Australian eduroam National Roaming Operator (NRO) is defined in the eduroam Compliance Statement (eCS), the eduroam Global Policy, which AARNet has signed. AARNet satisfies its global responsibility for eduroam AU institutional participants through the creation of an eduroam AU National Policy with which institutions are required to comply.
AARNet is responsible for creating and maintaining an eduroam AU National Policy which satisfies the requirements of the eduroam Global Policy and supports eduroam AU operational objectives. Institutional participants are required to comply with the eduroam AU National Policy, and AARNet is responsible for verifying and checking compliance, and for taking appropriate action against institutions that do not comply.
Content of the eduroam AU National Policy includes:
AARNet provides a highly available and reliable national RADIUS infrastructure to proxy/route authentication requests from and to Australian eduroam participating institutions. This involves hosting the eduroam AU National RADIUS Servers (NRSs), ensuring their availability and security, and configuring them to route authentication requests nationally and globally (via the APAN Regional RADIUS Servers).
AARNet’s SysAdmin team is responsible for production deployment and operational maintenance of eduroam AU National RADIUS Servers, and performing configuration (using Ansible scripts) for institutional participants when requested by AARNet’s Service Desk.
AARNet will capture and retain NRS logs, ensuring that the fields required to correlate an access event with an authentication event and to identify a user are captured: UTC timestamp, username@realm (the outer identity), user-device MAC address, SP server, and authentication request result. Because the outer identity is commonly anonymous@realm, the realm is what reliably identifies the home IdP, which holds the inner identity needed to name the actual user.
AARNet will use logs to provide troubleshooting and support, and will use NRS logs in order to track and monitor eduroam AU usage.
AARNet will take proactive action when logs indicate an institutional deployment issue or a lack of appropriate user education (e.g. repeated incorrect logins, untrusted clients, no response from the home IdP).
AARNet will retain NRS logs for a retention period consistent with AARNet’s internal IT policy.
AARNet is responsible for enabling eligible Australian institutions to connect to eduroam in roles for which they are eligible. AARNet is responsible for the policy compliance of institutions. AARNet has defined a process and provides resources (e.g. application form, webpage templates, local support guidelines, tailored to specific roles i.e. IdP+SP, SP-Only, IdP-Only) to enable institutions to become operable with relative ease.
The eduroam AU Application Form is required to be completed by institutions to initiate the onboarding process in required role. The Application Form conveys information and expectations relating to:
AARNet supports a staged on-boarding process with three distinct stages: Deployment, Audit, and Production.
AARNet ensures that the various deployment options (deployment by the institution itself, by a third-party service provider, or in partnership with an existing eduroam AU participant) are catered for, and that policy compliance information is adequately conveyed.
AARNet is responsible for ensuring that institutions are operable and policy-compliant prior to advertising their participation in eduroam AU.
AARNet has defined the process for conducting eduroam AU operability audits and the consequences of detected non-compliance (e.g. a grace period), and provides institutions with audit check-lists and resources.
AARNet will conduct an audit at the conclusion of the on-boarding process. Additionally, institutions may request an audit, and AARNet may request a participating institution to undertake an ad-hoc audit if required (e.g. non-compliance identified).
AARNet hosts the eduroam AU AdminTool, which is used as a central repository of comprehensive information regarding institutional eduroam deployment, and ensures that users are able to maintain up-to-date deployment data which is shared globally.
AARNet enables access to the AdminTool by institutional administrators (using SAML, the same mechanism used to access CAT).
AARNet provides a mechanism (via the Australian Access Federation Virtual Home Organisation, AAF-VHO) for SAML authentication for institutions that do not have a SAML IdP.
As a global service, and as specified in the global policy, AARNet is responsible for providing a data feed to the eduroam Global Database. AARNet provides this data feed (an XML file) from the eduroam AU AdminTool, ensuring that the data file is protected from unauthorised access.
AARNet hosts a Test and Monitoring server to enable effective troubleshooting.
The primary tool used is the rad_eap_test RADIUS/EAP client, for testing EAP from the Linux shell. The rad_eap_test shell script calls the eapol_test executable from wpa_supplicant; it also works as a Nagios plugin, and so has been used for eduroam AU RADIUS server monitoring.
AARNet can provide guidance on efficient troubleshooting mechanisms for institutions that wish to use rad_eap_test.
In the future, the eduroam AU troubleshooting tool targeted for development will be hosted on this server.
AARNet aims to provide troubleshooting resources in the form of
AARNet will develop an eduroam AU troubleshooting tool providing an interface for institutional administrators to trigger test authentications and view associated national infrastructure logs. This tool will use test account and RADIUS server configuration information stored in the eduroam AU AdminTool.
AARNet will also provide guidance on use of the eduroam Configuration Assistant Tool (CAT) for verifying international operability and performing limited troubleshooting from European sites.
AARNet is responsible for defining the support process, and providing NRO expertise in order to support institutional eduroam Administrators.
AARNet operates a 24×7 help-desk which monitors and assigns tickets, with an eduroam subject matter specialist trained and available to deal with eduroam support requests.
AARNet uses the JIRA ticketing system to track support requests, with request submission & correspondence via email.
AARNet provides eduroam and wireless expertise (technical expertise on RADIUS server configuration, wireless infrastructure configuration, and end-user device configuration).
AARNet provides information enabling interested institutions, participating institutions, and end-users to understand the service. AARNet maintains the eduroam AU website where service information is published, provides information on participants and eduroam coverage maps, and provides advice regarding information available globally (URLs on the eduroam website).
AARNet provides a communication link between service providers and identity providers in the case of an SP reporting eduroam network abuse. AARNet provides the necessary contact information, and ensures that IdPs take appropriate action against users.
AARNet will also undertake ad-hoc operability audits if there is any evidence that institutions are non-compliant with the technical specification.
AARNet will advise institutions regarding other global information resources and eduroam tools. AARNet reports on global eduroam news to enable institutions to learn about global issues.
AARNet maintains links with the GeGC, providing a channel for institutions to submit input to meetings, and reports on meetings.
AARNet maintains awareness of security issues arising with the eduroam service and, as NRO, receives security advisories from global eduroam. AARNet then ensures that security advisories are delivered to institutions and that any required follow-up is undertaken.
AARNet also provides a communications conduit between global eduroam institutional participants and eduroam AU institutions.
AARNet aims to provide both aggregate and detailed institutional usage information in order for institutions to assess the value of their participation in the service.
Aggregate metrics are published in the eduroam AU website.
Detailed institutional metrics are published via the AARNet customer dashboard, to ensure access to this institutional data is protected and remains confidential.
Metrics are anonymised, as AARNet’s role as a communications carrier requires that personal data is not released except for targeted support purposes.
Currently AARNet’s NOC monitors eduroam AU National RADIUS Servers and the AARNet hosted APAN Regional RADIUS Server.
In future, AARNet aims to monitor operability of institutional RADIUS infrastructure participating in eduroam AU. This monitoring will make use of institutional test & monitoring credentials stored in the eduroam AU AdminTool.
AARNet provides eduroam AU institutions access to various value-added services:
eduroam @events: (currently available) AARNet provides an eduroam deployment (SP) at R&E events in Australia on request, and promotes the eduroam service at events and conferences.
Managed IdP: (currently available) AARNet provides eligible Australian institutions with access to the Managed IdP Service (the first step being registration of the institution, which results in an invitation to the designated institutional administrator to make use of the service).
Managed SP: (in development) AARNet will provide eligible Australian institutions with access to the Managed SP Service which is currently under development by eduroam Europe.
eduroam Visitor Access Service: (under consideration) AARNet is considering the value in providing eduroam AU institutions with access to the visitor access service developed by eduroam Europe.
AARNet seeks to improve the resilience of the eduroam AU service by moving from RADIUS over UDP to RadSec (RADIUS over TLS) and Dynamic Discovery at both NRS and institutional levels. RADIUS/UDP relies on static proxy chains and shared secrets, whereas RadSec authenticates peers with X.509 certificates and encrypts the whole exchange, and Dynamic Discovery lets a server locate a realm’s RadSec endpoint in DNS rather than depending on every intermediate proxy being configured and available.
AARNet will provide technical knowledge resources enabling institutions to move to RadSec and Dynamic Discovery, and will provide test/demo environments to assist institutions understand the technology.
AARNet will also provide advice and guidance on obtaining the required PKI certificates, since RadSec peers authenticate each other with certificates that must chain to a CA trusted across the eduroam federation.
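To make the Dynamic Discovery part of that migration concrete, the following added example (not AARNet’s or eduroam’s code) walks the RFC 7585 lookup chain offline: realm, NAPTR record carrying the eduroam service tag, SRV record set, and finally an ordered list of RadSec host:port targets. The zone data is constructed, and the service tag `x-eduroam:radius.tls`, the SRV owner name `_radsec._tcp.<realm>` and the default port 2083 are assumptions to check against current eduroam dynamic-discovery documentation before use.

```python
"""Resolve a realm to an ordered list of RadSec targets via NAPTR -> SRV
dynamic discovery (RFC 7585 style), against an in-memory zone so it runs
offline.  Added example; not AARNet's or eduroam's code.  The service tag,
SRV owner name, default port and all record data are assumptions
constructed for this example."""
import random
import re
from dataclasses import dataclass

EDUROAM_NAPTR_SERVICE = "x-eduroam:radius.tls"   # assumed eduroam discovery tag
RADSEC_DEFAULT_PORT = 2083                        # RADIUS/TLS, RFC 6614
# Realm must be a multi-label DNS name: no single labels, no leading/trailing
# hyphens, labels of 1..63 chars.  Single-label or numeric realms are never
# looked up, which keeps bogus realms from generating external DNS traffic.
REALM_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str        # "s" -> replacement is an SRV owner name, "a" -> a host name
    service: str
    replacement: str


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone: one realm with an SRV pool plus a backup, one with a direct
# host ("a" flag), and one realm that publishes nothing.
ZONE = {
    "example.edu.au": [Naptr(100, 10, "s", EDUROAM_NAPTR_SERVICE, "_radsec._tcp.example.edu.au.")],
    "_radsec._tcp.example.edu.au": [
        Srv(10, 50, 2083, "radsec1.example.edu.au."),
        Srv(10, 50, 2083, "radsec2.example.edu.au."),
        Srv(20, 0, 2083, "backup.example.edu.au."),
    ],
    "other.edu.au": [Naptr(100, 10, "a", EDUROAM_NAPTR_SERVICE, "radius.other.edu.au.")],
    "nodisc.edu.au": [],
}


def realm_is_resolvable(realm: str) -> bool:
    realm = realm.lower()
    return bool(REALM_RE.match(realm)) and not realm.rsplit(".", 1)[-1].isdigit()


def srv_order(records, rng: random.Random) -> list:
    """RFC 2782 ordering: ascending priority; within a priority, weighted random."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = pool[0]   # only zero-weight entries left
            else:
                x = rng.randrange(total)
                acc = 0
                for pick in pool:
                    acc += pick.weight
                    if x < acc:
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def resolve_realm(realm: str, zone: dict, seed=None) -> list:
    """Return [(host, port), ...] in the order a RadSec client should try them.
    An empty list means the realm publishes no discovery records and the caller
    should fall back to static routing via the NRS."""
    if not realm_is_resolvable(realm):
        raise ValueError(f"realm not eligible for dynamic discovery: {realm!r}")
    rng = random.Random(seed)
    naptrs = [r for r in zone.get(realm.lower(), [])
              if isinstance(r, Naptr) and r.service == EDUROAM_NAPTR_SERVICE]
    targets = []
    for n in sorted(naptrs, key=lambda r: (r.order, r.preference)):
        name = n.replacement.rstrip(".")
        if n.flags.lower() == "s":
            srvs = [r for r in zone.get(name, []) if isinstance(r, Srv)]
            targets += [(r.target.rstrip("."), r.port) for r in srv_order(srvs, rng)]
        elif n.flags.lower() == "a":
            targets.append((name, RADSEC_DEFAULT_PORT))
        # "u" (regexp) flags are not part of this profile and are ignored
    return targets


if __name__ == "__main__":
    for realm in ("example.edu.au", "other.edu.au", "nodisc.edu.au"):
        print(realm, "->", resolve_realm(realm, ZONE, seed=1))
```

DNS answers are not authenticated unless DNSSEC is validated, so a spoofed NAPTR could point a server at an attacker’s host; what stops that in RadSec is the TLS step that follows this resolution, where the peer certificate must chain to the federation CA and be checked as belonging to the realm, and no target returned here should be trusted until that check passes.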
As eduroam is primarily used by institutions as a Wi-Fi access service, eduroam globally keeps track of trends and the evolution of wireless technologies (e.g. the uptake of Hotspot 2.0, the emergence of Cisco’s OpenRoaming initiative).
AARNet will provide technical bulletins to eduroam AU institutions as appropriate via the eduroam AU website.