Setting up an eduroam Service Provider

About This Presentation

Title:

Setting up an eduroam Service Provider

Description:

Setting up an eduroam Service Provider COURSE OBJECTIVES By the end of the training, you will be able to: Describe eduroam services and technology. – PowerPoint PPT presentation

Number of Views:347

Avg rating:3.0/5.0

Slides: 102

Provided by: pwe76

Category:

more less

Transcript and Presenter's Notes

Title: Setting up an eduroam Service Provider

1
Setting up an eduroam Service Provider
2
COURSE OBJECTIVES

By the end of the training, you will be able to
Describe eduroam services and technology.
Implement a Service Provider in accordance with
eduroam policy.
Deliver eduroam training to other organisations
within your country.
The training will also give you the opportunity
to provide feedback about eduroam and the eduroam
service.

3
COURSE OUTLINE

Module 1 eduroam Overview.
Module 2 Setting up an eduroam Service
Provider.
Module 3 Log Files, Statistics and Incidents.
Module 4 Participant Feedback about eduroam
Technology and Services.

4
Module 1 eduroam Overview
5
WHAT IS eduroam?

eduroam
Stands for EDUcation ROAMing.
Provides secure internet access for academic
roamers.
User experience - Open your laptop and be
online.

6
WHY eduroam?

Researchers
Travel with WLAN-enabled notebooks.
Want transparent, secure network access.
Want similar experience at visited institution as
home.
Experience facilitated by seamless sharing of
network resources.
Better for roamers, easier for administrators.

7
A BRIEF HISTORY OF eduroam (1)

Initially developed out of the TERENA Mobility
Task Force.
Now part of the GÉANT2 project
Joint Research Activity 5 (JRA5). Roaming and
Authorisation. Aim
Research and develop roaming infrastructure
enabling full mobility for European scientific
community.

8
A BRIEF HISTORY OF eduroam (2)

Service Activity 5 (SA5). eduroam Service
Activity.
Build on JRA5 work.
Roll-out and maintain operational pan-European
eduroam service.
Realise Open Your laptop and be online.

9
HIGH-LEVEL REQUIREMENTS

The eduroam design
Enables guest usage of visited networks.
Guarantees reasonable security and data
integrity.
Identifies users uniquely at the networks edge.
Complies with privacy regulations.
Is verifiable.
Is open.
Is scalable, robust, easy to install and use.
Local user administration and authentication.

10
eduroam AUTHENTICATION AND AUTHORISATION

Authentication
Is the user who they say they are?
Carried out by users home institution.
Authorisation
What network access should the user be granted?
Determined by visited institution.

11
TERMINOLOGY AND CONCEPTS

Home institution Identity Provider.
Provides identity management database.
Responsible for user authentication.
Visited institution Service Provider.
Provides network infrastructure (e.g. Access
points, VLANS, internet access, RADIUS servers).
Responsible for user authorisation.

12
AUTHENTICATION AND 802.1x (1)

eduroam uses IEEE 802.1x.
Layer 2 port-based Network Access Control
standard.
Detects user at networks edge.
Networks edge a port on Network Access Server
(NAS).
NAS could be
A Wireless Access Point.
An 802.1x compatible wired switch.

13
AUTHENTICATION AND 802.1x (2)

Until identity is proven
Allows only 802.1x Extensible Authentication
Protocol (EAP) traffic to enter the network.
All other traffic (e.g. DHCP, HTTP) blocked at
data link layer.

14
AUTHENTICATION AND 802.1x (3)

Advantages of 802.1x
Uses EAP, allows several authentication methods.
Therefore compatible with range of authorisation
protocols E.g.
TLS, TTLS, PEAP.
Secure
Encrypts all data using dynamic keys.
Easy to integrate with dynamic VLAN assignment
(802.1q).
Scalable
RADIUS back-end re-uses existing trust
relationships.
802.1x supplicants (clients) easy to find and
configure
MAC OSX, Windows XP, 2000, VISTA built-in
supplicants.
UNIX and Linux supplicants readily available.

15
AUTHENTICATION AND 802.1x (3)
Supplicant
RADIUS server Institution A
Authenticator (AP or switch)?
User DB
jan_at_student.institution_a.nl
Internet
Guest VLAN
Employee VLAN
Student VLAN
signalling
data
16
THE AUTHENTICATION PROCESS (1)

Steps
User opens laptop in range of Network Access
Server (NAS).
Attempts to connect to SSID eduroam.
NAS detects new supplicant.
Port enabled and set to unauthorised.
Only 802.1x traffic allowed other traffic
blocked.

17
THE AUTHENTICATION PROCESS (2)

Steps (Continued)
NAS sends out Extensible Authentication Protocol
(EAP) request.
Supplicant returns credentials in EAP response.
Logs on using same credentials as at home.
NAS forwards credentials to users Identity
Provider.
Identity Provider validates credentials against
local user database.
Validation forwarded to Service Provider.
Port set to authorized.
Normal traffic is allowed.

18
FORWARDING THE USERS CREDENTIALS (1)

Users credentials forwarded via hierarchy of
RADIUS servers

19
FORWARDING THE USERS CREDENTIALS (2)

Realm-based proxying
User names in format user_at_realms DNS-like
domain name.
Used to forward request to next hop in hierarchy.
Institutions RADIUS server only communicates
with
Its federations RADIUS server.
Its institutions NASs.
Shared secrets authenticate other servers in
hierarchy.

20
FORWARDING THE USERS CREDENTIALS (3)

European confederation has Top-Level RADIUS
servers (ETLRs)
In the Netherlands, and
In Denmark.
Each has a list of connected country domains.
.nl, .dk, .hr, .de etc.
Each ETLRs
Accepts requests for its connected countries.
Forwards them to appropriate Federation Level
RADIUS server.
Forwards requests for other countries to other
ETLRs.

21
FORWARDING THE USERS CREDENTIALS (4)

Federation Top Level RADIUS servers (FTLRs)
One for each National Roaming Operator (NRO).
Hold lists of connected institution servers and
associated realms.
Forwards requests to appropriate institutions
server,
or
Forwards requests to its ETLRs.

22
FORWARDING THE USERS CREDENTIALS (5)

Institutional RADIUS Servers
Forwards requests from roamers to its FTLRs.

23
ENSURING USER CREDENTIAL SECURITY

Users credentials are tunnelled through the
RADIUS hierarchy.
User credential security is a necessity in
eduroam.
Recommended approach
EAP combined with TLS-type protocol.
Mutual user-server authentication.
Encrypted user credentials.
Sending unencrypted credentials is prohibited.

24
eduroams TECHNICAL INFRASTRUCTURE
25
THE AUTHORISATION PROCESS

VLANs in Service Provider each have different
permissions.
Each VLAN connected to different parts of campus.
When authentication is successful
Service Providers RADIUS server sends
configuration options to NAS.
NAS assigns client to a VLAN.

26
MAIN COMPONENTS OF eduroam

Network Access Server (NAS)
Wireless Access Point or
802.1x compatible wired switch.
Client with configured supplicant.
Hierarchy of RADIUS Authentication Servers (AS).
IEEE 802.1x.
IEEE 802.1q.
Standard for VLAN assignment.

27
HOW DO THE PIECES FIT TOGETHER? AN EXAMPLE
28
KEY eduroam TECHNOLOGIES (1)

Security based on IEEE 802.1x
Standard for port-based network access control.
Provides protection of credentials.
Integrates with VLAN assignment through IEEE
802.1q
Standard for VLAN assignment.
Authentication based on Extensible Authentication
Protocol (EAP)
Facilitates a variety of authentication
mechanisms at users Identity Providers.

29
KEY eduroam TECHNOLOGIES (2)

Roaming based on RADIUS proxying.
RADIUS Remote Authentication Dial in User
Service.
A transport protocol for authentication
information.
Trust fabric based on
Hierarchy of RADIUS servers.
The eduroam policy.

30
THE eduroam CONFEDERATION POLICY

What is the eduroam policy?
Documents and contracts that define the
responsibilities of
The European confederation.
Federations / NRENS.
Institutions.
Users.
A contract between the NRO and DANTE.

31
LOCAL eduroam POLICIES

In addition to the confederations policy,
NROs may also have their own local eduroam
policy.
Allows for regional variations.

32
THE EUROPEAN eduroam CONFEDERATION

Hierarchical structure
Institutions with eduroam service points
Belong to
Federations one for each country / NREN,
Which belong to
The European eduroam confederation,
Which covers the whole of Europe.
Provides the experience Open your laptop and be
online.
Users given secure network access within the
confederation.

33
WHAT IS THE EUROPEAN eduroam CONFEDERATION?

Members
Are European NRENs / NROs (National Roaming
Operators).
Must sign the European eduroam policy.
Commits them to technological and organisational
requirements.

34
PRINCIPLES OF THE EUROPEAN eduroam CONFEDERATION

Mutual network access without fees.
Authentication at home authorisation at Service
Provider.
Identity Providers remain responsible for
roamers.
Member NRENs promote eduroam in their countries.
European confederation may peer with other
international confederations.

35
MAKING THE EUROPEAN SERVICE WORK

The GÉANT2 Service Activity, SA5
Encompasses everything necessary to make the
eduroam service work
Confederation technical infrastructure.
Establishing trust between the member
federations.
Monitoring and diagnostic facilities.
The eduroam database, a central data repository.
The eduroam web site (www.eduroam.org).
Confederation level user support.
Trouble Ticketing System (TTS).
Mailing Lists.

36
THE eduroam SERVICE MODEL
European eduroam service (governed by SA5)?
eduroam confederation service (provided by the
Operations Team the O.T.)?
national eduroam service(provided by NREN/NRO)?
...
national eduroam service(provided by NREN/NRO)?
37
USER TYPES AND SERVICE ELEMENTS
38
MONITORING eduroam

What must be monitored?
Servers.
Are they accessible?
Infrastructure.
Is it working?
User experience.
Is it satisfactory?

39
MONITORING CONCEPT OVERVIEW
40
THE MONITORING PROCESS (1)

Monitoring is a two step process
Reject test.
Accept test.

41
THE MONITORING PROCESS (2)

For both steps
Client creates RADIUS attributes.
Client creates RADIUS request for selected AuthN
type.
Client sends RADIUS request. Starts measuring
response time.
Monitored RADIUS proxy handles request and
returns response.
Client evaluates response and updates database.
Monitored server marked okay if it passes both
tests.

42
MONITORING SERVERS
ETLRs
monitoring client
monitoring database
FTLRs
43
MONITORING INFRASTRUCTURE
ETLRs(s)?
TLRS(s)?
monitoring client
monitoring database
FTLRs(s)?
FTLRs(s)?
44
TESTING ON DEMAND
realm A FTLRs(s)?

monitoring client
ETLRs(s)?
TLRS(s)?
monitoring database
realm B FTLRs(s)?

45
THE eduroam DATABASE

Database includes
National Roaming Operator (NRO) representatives
and contact details.
Local institutions official contacts.
Both Service Provider (SP) and Identity Provider
(IdP).
Information about eduroam hot spots.
SP location, technical information.
Monitoring information.
Information about the usage of the service.

46
NROs AND THE eduroam DATABASE

NROs
Should provide the necessary data (general and
usage data).
Data must be provided in the agreed XML format.
Data will only be accessible from the eduroam
database server.

47
eduroam DATABASE THE DATA MODEL
48
THE eduroam WEB SITE

www.eduroam.org will include private areas to
support eduroam operations.
E.g. Information from NROs
Contact details.
Service coverage.
Usage statistics.
Number of eligible / active users.
Infrastructure monitoring information.

49
USER SUPPORT PROBLEM ESCALATION SCENARIO 1
50
USER SUPPORT PROBLEM ESCALATION SCENARIO 2
home federation
OT
visited federation
4a
4b
fed.-level admin.
4
local institution admin.
3
fed.-level admin.
5
local institution admin.
1,2
6
user
51
CURRENT eduroam STATUS (1)

As of April 2008, 33 countries were connected to
the two European Top Level Radius Servers (ETLRs).

52
CURRENT eduroam STATUS (2)

The Monitoring Service is up and running.
It covers ETLRs and Federation Top Level RADIUS
Servers (FTLRs).
Publicly available via www.eduroam.org since May
2008.
Further development is planned.

53
CURRENT eduroam STATUS (3)

Demographics and user maps.
No of SPs.
No of IdPs.
Location of SPs.
Usage.
Coverage.
Contacts.
User-oriented maps, based on eduroam Database.
Publicly available via www.eduroam.org by end of
June 2008.
Further development planned.

54
IMPLEMENTATION PLAN
Service Definition Policy
Monitoring
Web site
TTS
eduroam database
55
eduroam OVERVIEW RECAP

Secure, robust, stable service.
Easy to set up and install.
Allows European scientific community to roam.
Open your laptop and be online.
Authentication at home, authorisation at Service
Provider.
eduroam service now rolling out across Europe.
Confederation technical infrastructure,
monitoring, trouble ticketing, web-site,
database, mailing lists.

56
Module 2 Setting up an eduroam Service Provider
57
EACH SITE CAN BE UNIQUE

Each eduroam-enabled institution may use
different
Equipment.
Software.
Topology.
Details of eduroam configuration depend upon
factors above
But broad principles are the same on any
platform.

58
A WORD OF WARNING

First things first
An eduroam wireless network is a wireless
network.
Sounds trivial, but
you need to know your stuff regarding Wireless
LAN
if you have a bad layer 2 WLAN, putting the SSID
eduroam on it won't magically make it better
if the SSID eduroam doesn't perform, it hurts
the global brand, even if it is a local problem

59
REFERENCE eduroam SETUP (1)

This module describes a reference set-up.
Based on frequently-used equipment
An 802.11g Enterprise-level Access Point.
We have a few LANCOM L-54g in the exercise.
Radiator OR FreeRADIUS RADIUS server.
We will use FreeRADIUS 2.0.4 in the exercise.
Reference model assumes ETLRs and FTLRs already
set-up.

60
REFERENCE eduroam SETUP (2)
61
SETTING UP YOUR SERVICE PROVIDER STEPS

Connect your workstation to the Ethernet switch.
Set up the RADIUS server
Connect clients.
configure proxy server(s).
Configure the access point for eduroam.
Configure the supplicants.

62
SETTING UP THE RADIUS SERVER (1)

EAP authentication requires a PKI.
But you don't have to care when setting up an SP
only
Compile and install FreeRADIUS
./configure --prefix... --sysconfdir...
make
make install
, edit
SYSCONFDIR/raddb/
Use vi or another text editor.

63
SETTING UP THE RADIUS SERVER (2)

Defining the clients
NAS devices act as clients to RADIUS server.
Other RADIUS servers in hierarchy also act as
clients.
Each client must be defined using ltClientgt or
client ... clause.
Definition must include a shared secret.
May include a lot more.

64
SETTING UP THE RADIUS SERVER CLIENT EXAMPLE

ltClient 1.2.3.4gt
Secret somesecretsecret
lt/Clientgt
client antarctica-access-points
ipaddr
192.168.10.200
netmask 28
secret
abcdefgh
require_message_authenticator no
shortname
antarctica-ap-v4
nastype other
virtual_server
eduroam

65
SETTING UP THE RADIUS SERVER (3)

Forwarding of requests
eduroam routing is based on _at_suffix realms
(RFC4282).
ltHandlergt clause is the recommended method, more
flexible than the ltRealmgt clause. ltHandlergt
...(forward to FTLR)... lt/Handlergt.
home_server, home_server_pool and realm DEFAULT
(see proxy.conf) suffix module.

66
SETTING UP THE RADIUS SERVER (4)

Proxy example
ltHandler Client-Identifier/(?!Proxy-Identifier)
/gt
ltAuthBy RADIUSgt
Host 192.87.36.3
Secret super_secret!
AuthPort 1812
AcctPort 1813
StripFromReply Tunnel-Type, Tunnel-Medium-Type,
Tunnel-Private-Group-ID
lt/AuthBygt
lt/Handlergt

67
SETTING UP THE RADIUS SERVER (4)

proxy.conf
home_server tld1-antarctica-v4
type authacct
ipaddr
192.168.10.253
port 1812
secret abcdefgh
response_window 20
zombie_period 40
revive_interval 60
status_check status-server
check_interval 30
num_answers_to_alive 3
home_server_pool EDUROAM
type fail-over
home_server
tld1-antarctica-v4
home_server
tld2-antarctica-v4

68
REQUEST FORWARDING CAVEAT

Don't blindly accept all RADIUS attributes
filtering is in order!
IdP might send VLAN assignments.
If you keep the assignment unchanged, the
(remote) IdP decides in which VLAN your users end
up!
StripFromReply and the attr_filter module.

69
ACTIVITY

Exercise

Welcome to Antarctica! .aq is one of the few
top-level domains on the planet without an
eduroam hotspot. You are here to change this
today. There is already a FTLR for .aq on
192.168.10.253, port 1812 and 1813. Compile,
install and configure FreeRADIUS 2.0.4 in your
home directory. Connect it as a client to the .aq
server. Test the connection with a plaintext
login attempt and the test account tld_at_aq,
testpass (use the utility radtest for that)?
70
OPTIONAL USING RADSEC INSTEAD OF RADIUS

Radiator already has (and FreeRADIUS will soon
have) support for RADIUS over TCP and TLS
ltHandlergt
ltAuthBy RADSECgt
Host etlr1.eduroam.org
Host etlr2.eduroam.org
Secret mysecret
UseTLS
TLS_CAPath
/.../certs/CAs/
TLS_CertificateFile
/.../certs/tld1.eduroam.lu.pem
TLS_CertificateType PEM
TLS_PrivateKeyFile
/.../certs/tld1.eduroam.lu.key
lt/AuthBygt
...
(the equivalent on the server side is an
ltServerRADSECgt clause

71
CONFIGURING THE ACCESS POINTS (1)

Access Point setup is a set of LANCOM L-54g
Series Access Points.
It's alright if you've never seen this brand
before -).
Setup (as per appendix B.2 on Cookbook v2)
SSID.
Encryption.
NTP.
RADIUS uplink.
IP address.

72
ACTIVITY

Exercise
Configuring an access point.
use Cookbook v2 (on CD) for walk-through on
LANCOM APs

73
CONFIGURING THE ACCESS POINTS (2)

RADIUS / AAA Section
Must define at least one group. E.g.
ap1200(config)aaa new-model
ap1200(config)radius-server host 192.168.10.253
auth-port 1812 acct-port 1813 key ltsecretgt
ap1200(config)aaa group server radius radsrv
ap1200(config-sg-radius)server 192.168.10.253
auth-port 1812 acct-port 1813
ap1200(config-sg-radius)!
ap1200(config-sg-radius)aaa authentication login
eap_methods group radsrv
ap1200(config)aaa authorization network default
group radsrv
ap1200(config)aaa accounting send stop-record
authentication failure
ap1200(config)aaa accounting session-duration
ntp-adjusted
ap1200(config)aaa accounting update newinfo
periodic 15
ap1200(config)aaa accounting network default
start-stop group radsrv
ap1200(config)aaa accounting network
acct_methods start-stop group radsrv

74
CONFIGURING THE ACCESS POINTS (3)

SSID Configuration
One dot11 ssid must be configured for each SSID.
Also configured
Default VLAN for the SSID.
Authentication framework.
Accounting.
SSID to be broadcast (guest mode).
ap1200(config)dot11 ssid eduroam
ap1200(config-ssid)vlan 909
ap1200(config-ssid)authentication open eap
eap_methods
ap1200(config-ssid)authentication network-eap
eap_methods
ap1200(config-ssid)authentication key-management
wpa optional
ap1200(config-ssid)accounting acct_methods
ap1200(config-ssid)guest-mode

75
CONFIGURING THE ACCESS POINTS (4)

Configuring the Radio Interface
Map SSIDs to the radio interface.
Specify ciphers for each VLAN.
ap1200(config)interface Dot11Radio 0
ap1200(config-if) encryption vlan 906 mode
ciphers aes-ccm tkip wep128
ap1200(config-if) encryption vlan 909 mode
ciphers aes-ccm tkip wep128
ap1200(config-if)ssid eduroam

76
CONFIGURING THE ACCESS POINTS (5)

Configuring VLAN interfaces
For each VLAN used for wireless clients, define
One on the air (DotRadio) virtual interface.
One on the wire (FastEthernet) virtual
interface.
Bridge the two virtual interfaces together with a
bridge group.
Configure administrative VLAN.
For maintenance / management and authentication /
accounting traffic.

77
THE SUPPLICANT (1)

The reference setup assumes use of EAP-TTLS.
Easiest way to implement eduroam in large
community.
MS Windows has no built-in support for EAP-TTLS
But you can use SecureW2.
Application from Alfa Ariss Network Security
Solutions.
Can be some security issues around installation
You can overcome these using a preconfigured
distribution.

78
THE SUPPLICANT (2)

To prepare a preconfigured SecureW2 exe file
Prepare SecureW2.INF file.
Prepare NSIS configuration file.
Create the exe file with NSIS.
Digitally sign the exe file.

79
THE SUPPLICANT (3)

User Installation of SecureW2
Download the preconfigured exe file.
Confirm the signature of the exe file.
Start the exe file and enter credentials when
prompted.
Reboot computer.
Choose SecureW2 as the authentication method for
the eduroam network.
Connect to eduroam.

80
THE SUPPLICANT (4)
81
ACTIVITY

Exercise
Working with a supplicant.

82
Module 3 Log Files, Statistics and Incidents
83
WHY KEEP LOG FILES?

Log files are used to track malicious users and
to debug possible problems.
Aim provide evidence to government agencies
Offenders realm and login time.
Why not provide the User-Name?
User-Name attribute could be obfuscated.
Outer identity could be anonymous or forged.

84
TRACING THE USERS REALM (1)

You should keep
DHCP or ARP sniffing log.
RADIUS Authorisation log.
Clock synchronised with Network Time Protocol
(NTP).

85
TRACING THE USERS REALM (2)

Steps
Identify IP address of malicious user.
Find MAC address in DHCP or ARP sniffing log.
Find authentication session in Auth log.
Take realm and timestamp from Auth log.

86
NEXT STEPS

Approach eduroam Operations Team (OT).
OT can link realm to a home federation.
Home federation can find users identity
provider.
Identity provider can find the user name.
Cross-reference timestamp from service providers
auth log with own logs.

87
A CLOSER LOOK AT LOGGING REQUIREMENTS

Lets look more closely at logging requirements
Network addressing.
Auth logs.
Reliable time source.
Technical contact.

88
NETWORK ADDRESSING

Service Providers
Should provide visitors with publicly routable
IPv4 addresses using DHCP.
Side-thought why is NAT considered bad?
Must be able to find a MAC address from the IP
address.
Must log
Time clients DHCP lease was issued.
MAC address of client.
IP address allocated to client.

89
AUTH LOGS

Identity Providers must log all authentication
attempts, recording
Authentication result returned by authentication
database.
Reason for denial or failure of authentication.

90
AUTH LOGS (2)

At what point should logs be kept?
after packet reception from client
before handing off to proxy
after getting reply from proxy
before sending reply back to client
pre-configured modules exist in FreeRADIUS
auth_detail, pre_proxy_detail,
post_proxy_detail, reply_detail

91
RELIABLE TIME SOURCE

All logs must be synchronised to a reliable time
source.
E.g. using Network Time Protocol (NTP).
SNTP also okay.

92
TECHNICAL CONTACT

Each federation must designate a technical
contact
Must be available via email and telephone during
office hours.
May be a named individual or an organisational
unit.
Cover during absence from work must be provided.

93
STATISTICS WHO CAN DELIVER WHAT INFO?

your NRO has the FTLR server
can count international roaming usage (for now).
can count national roaming usage (for now).
can not count local usage.
only IdP's can count own local usage! SPs as
well, if RadSec is used.
How to do this depends on server in use.

94
STATISTICS FreeRADIUS

FreeRADIUS.
use a script to parse log files and generate
statistics out of it
like http//www.eduroam.lu/files/eduroam-daily-st
ats-03.sh
Generates output like below, can be sent to SSH
dropbox at NRO

Order of fields successful-own
successful-national successful-intl failed-own
failed-national failed-intl 6 1 0 0 0 0
95
ACTIVITY

Exercise
Log files and statistics.

96
OTHER INCIDENTS

Other attacks you might find interesting (not
directly related to eduroam).
Authentication spamming someone without a proper
user account starts as many authentication
processes as he can.
Disassociation of connected clients.
poisoning MAC tables.
All of these are generic WLAN attacks.

97
ACTIVITY

Exercise
Dealing with incidents.

98
Module 4 Feedback on eduroam Technology and
Service
99
ACTIVITY

Feedback
Please give your feedback about eduroam
technology and the eduroam service.

100
FOR MORE INFORMATION

www.eduroam.org
www.geant2.net
www.dante.net
For information about GÉANT2 training
www.geant2.net/training

101
RECAP OF COURSE OBJECTIVES

By the end of the training, you will be able to
Describe eduroam services and technology.
Implement a Service Provider in accordance with
eduroam policy.
Deliver eduroam training to other organisations
within your country.
The training will also give you the opportunity
to provide feedback about eduroam and the eduroam
service.

Write a Comment

User Comments (0)