12 - Authorization-based Flexible Network Service for Wi-Fi Roaming Systems

Hideaki Sone, Hideaki Goto (Tohoku University), Motonori Nakamura (NII)

The poster illustrates recent research by eduroam JP on the configuration of a flexible network service based on authorization and an OpenFlow network.
This presentation is related to “OpenFlow-based authorization mechanism for Wi-Fi roaming systems” by Hideaki Goto at the 29th TF-MNM Meeting, Nov. 22, 2012, Belgrade, Serbia.
(a) “DEAS” in eduroam JP
eduroam JP has grown into a community of 46 institutions. This growth has been assisted by a distinguishing feature of eduroam JP, the federated Delegate Authentication System (DEAS), which reduces the total cost of building and operating an eduroam service at a participating institution by providing centralized authentication servers. The system has proved quite effective in deploying eduroam at small institutions.
(b) Nation-wide eduroam access network
A nation-wide IPv4/IPv6 dual-stack access network is operated by eduroam JP and SINET. The network helps universities separate the guest network from the local network and hides local service resources from visitors. This is quite useful for solving various security and legal issues, such as access control for internal web services and electronic journal services.
(c) Policy-based authorization for WLAN roaming systems
A basic access policy that restricts access to local resources can be implemented using the visitor access network described above. More flexible access control is possible by using user attributes to forbid access to certain Internet sites according to the network use policies of both the host and the home institution. Attribute information such as affiliation and position can be supplied in the response to the authentication request for roaming.
(d) OpenFlow-based authorization and access control mechanism for eduroam
Flexible network services for the various demands of access control are enabled by OpenFlow, a powerful standard in which an OpenFlow controller configures rules at OpenFlow switches and the switches control packet flows by matching packet headers against those rules. Our access control mechanism introduces a policy DB connected to the RADIUS IdP at the home institution; the RADIUS response carries the policy and the user attributes to the eduroam SP at the hosting institution. Switch control rules are derived from the IdP and SP policies, and the switches then perform the access control.
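The rule derivation described in (c) and (d), together with the visitor/local separation of (b), as an added illustration that is not eduroam JP's code: a constructed RADIUS Access-Accept (the home policy is assumed to arrive in a hypothetical Home-Policy-Deny attribute and the affiliation in an eduPersonAffiliation attribute; the page does not specify the encoding) and a host-institution policy keyed on affiliation are combined into a per-client OpenFlow-style flow table, and a lookup function emulates the switch's highest-priority match. The function names, realms, MAC addresses and IP prefixes are all assumptions made for the example.

```python
"""Deriving OpenFlow-style flow rules from an eduroam RADIUS Access-Accept.

Added example (not eduroam JP code). The attribute names "eduPersonAffiliation"
and "Home-Policy-Deny", the SP policy format and every address below are
assumptions constructed for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# Flow-table priorities: the highest-priority matching rule wins.
PRIO_DENY_LOCAL = 300    # (b) visitors are kept off the host's internal networks
PRIO_DENY_POLICY = 200   # (c) site blocks from home (IdP) and host (SP) policies
PRIO_ALLOW_USER = 100    # everything else for an authenticated client
# A table-miss (no rule matched) is treated as drop: unauthenticated traffic.

Prefix = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class FlowRule:
    priority: int
    dl_src: Optional[str]     # client MAC; None = wildcard
    nw_dst: Optional[Prefix]  # destination prefix; None = wildcard
    action: str               # "forward" or "drop"
    reason: str

    def matches(self, src_mac: str, dst_ip) -> bool:
        if self.dl_src is not None and self.dl_src.lower() != src_mac.lower():
            return False
        # ip_network containment is False across IPv4/IPv6, so dual-stack prefixes mix safely.
        if self.nw_dst is not None and dst_ip not in self.nw_dst:
            return False
        return True


def derive_rules(client_mac, sp_realm, access_accept, sp_policy, local_prefixes):
    """Rules the controller pushes for one client after a successful Access-Accept."""
    realm = access_accept["User-Name"].rsplit("@", 1)[-1]
    affiliation = access_accept.get("eduPersonAffiliation")
    rules = []
    # (b) A roaming visitor (foreign realm) must not see the host's local resources.
    if realm != sp_realm:
        for prefix in local_prefixes:
            rules.append(FlowRule(PRIO_DENY_LOCAL, client_mac, ipaddress.ip_network(prefix),
                                  "drop", "local resource hidden from visitor"))
    # (c)/(d) Home-institution policy delivered with the authentication response (assumed attribute).
    for prefix in access_accept.get("Home-Policy-Deny", []):
        rules.append(FlowRule(PRIO_DENY_POLICY, client_mac, ipaddress.ip_network(prefix),
                              "drop", "home policy of " + realm))
    # Host-institution policy, keyed on the attributes the IdP returned; None = any affiliation.
    for entry in sp_policy:
        if entry["affiliation"] in (None, affiliation):
            for prefix in entry["deny"]:
                rules.append(FlowRule(PRIO_DENY_POLICY, client_mac, ipaddress.ip_network(prefix),
                                      "drop", "host policy for " + (entry["affiliation"] or "any")))
    # Authenticated client may reach everything not denied above.
    rules.append(FlowRule(PRIO_ALLOW_USER, client_mac, None, "forward", "authenticated"))
    return rules


def lookup(table, src_mac, dst_ip):
    """Emulate the switch: highest-priority matching rule decides; table-miss drops."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in sorted(table, key=lambda r: r.priority, reverse=True):
        if rule.matches(src_mac, ip):
            return rule.action, rule.reason
    return "drop", "table-miss (unauthenticated)"


# Constructed sample data for a hosting institution and one roaming student.
SP_REALM = "host.example.ac.jp"
LOCAL_PREFIXES = ["10.0.0.0/8", "2001:db8:1::/48"]          # host's internal networks (assumed)
SP_POLICY = [
    {"affiliation": "student", "deny": ["198.51.100.0/24"]},  # applies only to students
    {"affiliation": None, "deny": ["192.0.2.0/24"]},          # applies to every roaming user
]
ACCESS_ACCEPT = {                                             # constructed RADIUS response
    "User-Name": "alice@home.example.ac.jp",
    "eduPersonAffiliation": "student",
    "Home-Policy-Deny": ["203.0.113.0/24"],                   # assumed home-policy attribute
}


def demo(client_mac="aa:bb:cc:dd:ee:01"):
    """Decisions for a few destinations, as the switch would make them for alice."""
    table = derive_rules(client_mac, SP_REALM, ACCESS_ACCEPT, SP_POLICY, LOCAL_PREFIXES)
    targets = ["10.0.5.1", "2001:db8:1::10", "203.0.113.7", "198.51.100.3", "192.0.2.9", "93.184.216.34"]
    return {dst: lookup(table, client_mac, dst) for dst in targets}


if __name__ == "__main__":
    for dst, (action, reason) in demo().items():
        print(f"{dst:>16}  {action:<8} {reason}")
```

Both institutions' deny lists are installed, so the effective policy is the intersection of what the home and host institutions allow; a local user (realm equal to the SP's) gets no visitor rule and keeps access to the internal prefixes, and a client with no Access-Accept at all matches nothing and is dropped on table-miss.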

