Why iotroam?

Background

There is a huge technology push of devices that need network connectivity to deliver the promised "smart" applications, both in the business, non-profit and consumer markets. Think of smart doorbells, smart lighting, the microwave, coffee maker and washing machine that you can control with an app or check the status, solar panel inverters, etc.. In the enterprise market, we are talking about products such as coffee machines, mobile PIN equipment, security cameras, sensors for building or room management.

In the research and education sector this includes medical devices, smart sensors, fitness equipment, smart watches, VR glasses, robots, digi- or smart boards and 3D printers. These devices all need (Internet) connectivity to be able to work. That is why they are also called Internet of Things (IoT) devices. This trend fits into the expected developments which also led to SURFs Smart Campus vision.

It has been reported in the media for years that the security of IoT devices is often poor. This is partly due to user behavior (not changing admin password), but also to the technical capabilities in the device itself. This poses serious security risks. On the one hand, malicious actors can use large numbers of IoT devices to generate DDoS attacks. On the other hand, it can provide a potential entry point into an organization's infrastructure with serious consequences. Although the European commission plans to impose requirements on smart device manufacturers in 2024, vulnerable systems will continue to circulate for the time being and there are no guarantees about new devices.

So for our sector, it is very important to have a solution that ensures IoT devices can be connected to the network in a secure and traceable way, but also easy for the user.

Proposition

The use of IoT devices within institutions is growing substantially. All these devices need secure connectivity without having to perform complicated operations. Various technologies are available to realize this, like LoRaWAN, 5G, WiFi and Bluetooth Low Energy. The SURF service iotroam focuses primarily on connectivity via WiFi. For (IoT) devices that support 802.1X authentication, it is clear how to securely connect to the network. By using a "device-bound credential," clients/devices can securely authenticate themselves using a strong user and/or device identity. SURF provides eduroam for this purpose.

Many IoT devices are not able to support network security functionality such as 802.1X, or institutions do not want to create (shared) user accounts for this for technical or policy reasons. However, if IoT devices are connected to the network without authentication and unmanaged, this creates security risks: unwanted devices or devices belonging to unwanted individuals or organizations can access the network. On the other hand, it should be easy for the user of IoT devices to start using the devices and focus on the application. iotroam is a solution to get IoT devices online in a controlled, traceable and easy way.

iotroam offers users within institutions the advantage of easy network authentication for IoT devices in facilities, education and research without the intervention of the ICT department.

In addition, iotroam also offers the ICT department of institutions a number of benefits:

  • Keep the responsibility for managing IoT devices at the user level, which reduces management burden on the ICT department. The ICT administrator can create groups with group responsibilities. As a result, the operational tasks are executed by the user, but ICT remains in control;
  • Ability for students or researchers to collaborate with IoT devices from different institutions. This is a great differentiator with other (vendor specific) solutions available on the market;
  • No worries about unknown IoT devices on the network. IoT devices are traceable to a user or group of users. In other words, every IoT device can be traced to a responsible person and only those with permissions from SURFconext can have IoT devices connected to the Wi-Fi network;
  • IoT devices are connected in a secure manner (within the possibilities offered by the technology). Separate security policies can be assigned to different groups within iotroam;
  • No procurement, maintenance and development of a proprietary system is required. In addition, iotroam is set up as a unified system for all institutions, which also facilitates collaboration and shared applications on campus between institutions.

The service can be seen as an extension of eduroam and eduroam Visitor Access. By using iotroam, institutions can focus more on the use cases they want to support with the IoT devices than managing an access platform for IoT devices themselves.

Future Development

iotroam is part of SURF's Smart Campus vision. iotroam enables the secure use of smart or IoT devices within the campus WiFi infrastructure. In doing so, it provides a foundation to further develop the Smart Campus.

iotroam is designed to also provide "roaming" use cases and functionality in the future, facilitating IoT collaboration between institutions. There are also ideas to use iotroam more broadly than just for WiFi. This could include connectivity provisioning for sensors on LoRaWAN, BLE, NB-IoT or other 5G technologies. Furthermore, it can be integrated with SURFwireless and, in the future, SURFwired, as part of SURF CNaaS.

Functional description of the service

Summary

With iotroam, SURF offers participating institutions the possibility for IoT devices that cannot use eduroam to still connect to the institution's WiFi network. With eduroam, a username/password or certificate is always required on the device to get online. iotroam addresses the need to be able to connect devices that do not have this capability and can only use WPA2 personal with PSK (Pre Shared Key).

The advantage of iotroam over a commercial solution is that iotroam is set up with the application in education and research and is therefore scalable and made for all institutions. There is no lock-in with any product vendor and flexibility in further development of functionalities. For example, iotroam has worked with groups for various applications (facilities, education, research, lab, etc.) from the beginning. For each group it is then possible to apply policies, putting the ICT department in control of where in the network these devices connect and who is responsible for the device. This increases security when using IoT devices.

We currently distinguish 2 different roles within iotroam. One is aimed at ICT administrators and the other at users of IoT devices. These are elaborated further below.

For ICT administrators

The ICT administrators of an institution using iotroam are responsible for the technical setup of the service within the institution. When connecting the service, the administrator must perform a number of actions and design choices must be made about groups and VLANs, in combination with IP addresses. Within iotroam, the administrator has the ability to:

  • Create and manage groups. Users can be assigned to the groups. For example, groups can be created for all security cameras, coffee machines, VR glasses, or by departments using IoT devices;
  • Assign VLANs to the groups to also separate different types of IoT devices from each other and the rest of the network;
  • Assign security policies to the groups. Consider also the maximum retention time, the time which a device can access the network;
  • Authorize users for iotroam and assign them to groups;
  • Set limits on the number of users' personal devices;
  • Create, manage and delete IoT devices;
  • Using CSV import to add large amounts of IoT devices in a group at once.

An administrator's manual is available.

For users of IoT devices

A user with IoT devices, for example a teacher, student or researcher, has the ability to perform the following tasks through the self-service portal:

  • Personal IoT devices to add, modify and delete. These are personal devices, such as smartwatches. The administrator can also determine that users will not have this ability;
  • Add, modify and delete IoT devices to a group, but only in groups for which the user has permissions. For example, a student can add a lab device for his/her practicum or a robot for the time period he/she will experiment with it;
  • View all IoT devices and their details within the group(s) to which the user has permissions.

A user can also be assigned to the role of group owner. The group owner can invite others to join the group. The group owner can manage the users of the group and also make another user group owner.

The image below shows how iotroam works for the user.

  1. The user goes to https://www.iotroam.nl and logs in via SURFconext. Next, the user enters his/her IoT device by entering a MAC address, giving the device a name and adding a description if necessary. The MAC address can often be found on a sticker on the IoT device or on the box. The portal then presents the user a WiFi password (pre shared key);
  2. The user enters the SSID iotroam and WiFi password in the WiFi settings of the IoT device;
  3. The IoT device attempts to connect to the institution's WiFi network with the assigned WiFi password;
  4. The WiFi network performs a check with iotroam's RADIUS server whether the combination of MAC address and WiFi password is correct and returns a response to the WiFi network (possibly with a specific VLAN for the group used);
  5. If the combination is correct, the device is connected to the WiFi network in a VLAN reserved for it.

A user manual is available with more detailed description.

  • No labels