Date, Time, and Location
Friday, February 18, 2022
11:00am ET | 10:00am CT | 9:00am MT | 8:00am PT
Minutes
eAC wiki: https://spaces.at.internet2.edu/display/eduroam/eduroam+Advisory+Committe
Attendees:
Brett Bieber, Nebraska, Neil Johnson, Iowa, Rob Gorrell, UNCG, John Buysse, Notre Dame, Jeff Egly - UETN, Mike Dickson - UMA, Amel Caldwell -UW, Kim Owen -NDSU, Tim Cappalli - Microsoft
With:
Ann West, Kevin Morooney, Mike Zawacki, Sara Jeanes, Steve Zoppi
Regrets:
Jeremy Livingston, Michael Hacker
Agenda
- Approve previous month’s minutes
- https://spaces.at.internet2.edu/display/eduroam/eAC+Meeting+2021-02-18
- Rob approves, Jeff seconds
- SO update (Jeff, Brett, Mike)
- UETN: Held technical retreat for Utah edu community. Provided workshops around eduroam (lead by Amanda Molinari). Focus continues to be on SP-Only deployments. Have been working with state/local stakeholders to identify candidates for SP-Only. Working with UDOT to deploy eduroam on public wifi along highway/roadway systems. Working on survey for community, forming up metrics, tracking costs of marketing/promotional efforts. Meeting with marketing team in SOs and monthly Regional calls to develop SP-Only “one sheet” for engaging with SP-Only candidates, esp commercial partners. Report on marketing efforts https://docs.google.com/document/d/1pq-H_2EYO0nhug-63Oc6qU55F4E5imIxuX34eti2YBA/edit
- Network Nebraska: Making headway on promoting at conferences. Getting eduroam set up in conference centers as well. Seeing traction WRT eduroam advocates that emerge from the community. Working with Allo, local ISP, on public deployments of eduroam. Also working with Cox on SP-Only deployments. They’ve gravitated toward signing I2’s agreement. Cox team to meet with I2 this afternoon. Appreciate the progress on eFM development
- Allo blog post: https://docs.google.com/document/d/1pq-H_2EYO0nhug-63Oc6qU55F4E5imIxuX34eti2YBA/edit
- Jeff: Comcast is the main ISP in Utah, so we may engage with them based on the work being done by Network Nebraska
- Network Nebraska: Making headway on promoting at conferences. Getting eduroam set up in conference centers as well. Seeing traction WRT eduroam advocates that emerge from the community. Working with Allo, local ISP, on public deployments of eduroam. Also working with Cox on SP-Only deployments. They’ve gravitated toward signing I2’s agreement. Cox team to meet with I2 this afternoon. Appreciate the progress on eFM development
- Sun Corridor : Working agreements - different SP agreements, refining standard IdP agreement. In discussions with state library organization, interested in becoming SP-Only sites. Continuing deployment with Pinal school district, have identified next round of pilot. Laura has also been working with the SO and Regional team on the aforementioned SP-Only “one sheet”.
- NN Interested in circling back with libraries in our state. There’s a natural synergy between libraries and K12s.
- Also thinking back to mapping discussion. Working with our higher-eds to ensure they’re adding service locations to the eduroam map.
- This is a great item to include on general punch list for SOs - make sure your HEs are mapping appropriately.
- Sun Corridor : Working agreements - different SP agreements, refining standard IdP agreement. In discussions with state library organization, interested in becoming SP-Only sites. Continuing deployment with Pinal school district, have identified next round of pilot. Laura has also been working with the SO and Regional team on the aforementioned SP-Only “one sheet”.
- Standing item: check in on work priorities for the eAC in 2022
- Temperature taking of the eduroam community – No new issues have surfaced in your world that should be addressed by this committee?
- Recap of the Quarterly Working Group chair call (Jeff/Brett/Mike Z)
- Jeff: Good dialogue. Some of the focus was on eduroam. Also dug into IAM and how to work with the community. One item that Brett surfaced was the role that eduroam could play in driving awareness of IAM
- Ann summarized the topline priorities for each group. Intention was also to foster awareness across the WG community on work being done, where work might intersect. One thing that came up was the work being done by orgs like Network Nebraska, UETN, etc and how network efforts tend to be less visible. By contrast, eduroam is much more visible. Starting to think about how the work we’ve done deploying eduroam can be leveraged into work deploying IAM across the edu space. eduroam could play in getting the community involved and thinking about what federated identity means and what it can do. It’s a good point to start engagements with audiences that are less familiar with IAM. From eduroam, you springboard into the concept of baseline practices, other key IAM concepts.
- Jeff and Brett would like to continue to bring items that come up at those quarterly meetings back to this group for discussion and/or situational awareness of this committee. We’ve seen the benefit/awareness that Brett highlighted in our state as well. Great for engaging with external stakeholders on the value of IAM.
- Eduroam is access to wireless, InCommon is access to services. There’s an opportunity we have to help with branding of InCommon.
- There’s been discussion in Apple, Google, others about how user authentication can be federated and cross federated. Could be interesting crossing points for eduroam, thinking about how eduroam could incorporate/benefit from that work. Useful to think about implications for the service. I’d be happy to set up a call with interested folks from this committee to talk more deeply about that.
- Thinking about implications for student populations and needs of more transient users. Would there be implications for alumni users? Yes, also has some commonalities with OpenRoaming. More focused on user identities than authentication of individual services.
- If we succeed in getting more SP-Only subscribers this could be a good value proposition for them, help make participation eduroam more valuable.
- AI MIKE: Follow up with Tim, and Netta (I2 community engagement lead) on a presentation
- Logging update
- Notes are posted from most recent release to eduroam-admin lists. On Logging, we’re working on a prototype that might be ready to test within next 24 hours. Recent releases have put the backstage plumbing in place. Hope to announce date for logging release within the next few days.
- Proposed/recent changes
- Suggestion to auto approve realms in eFM
- A realm will be accepted if the name is unique and properly formatted
- Pending realm approval section of SO dashboard to be removed
- Already a good process in place to ensure new subscribers are vetted and legitimate users. Additional, manual approval process was increasingly seen as unnecessary.
- The automated approval process will check for realm uniqueness. It would address situation some years ago where an individual department tried to sign up for eduroam even though we were already running eduroam at an institutional level.
- This would catch that before the realm approval process. The contracting and initial service management would catch a duplication like you’ve identified.
- Waiting for realm approval has been a bottleneck for Network Nebraska as an SO. Is the check across InCommon and eduroam, or just eduroam?
- These are separate services operating on separate infrastructures, so since there isn’t a cross-service touch point we only check for uniqueness within eduroam
- Thinking about things longer term there might be some value in encouraging the community to think about the uniqueness requirement across both InCommon and eduroam, especially as we think about promoting IAM in K12 and other communities.
- Operator-name updates implemented (ie returned to prior behavior)
- If SP doesn’t pass operator-name attribute we will automatically inject it.
- The operator-name is helpful in troubleshooting, identifying potential bad behavior
- Legacy infrastructure also injected attribute if it was missing, there were some requests from the community to restore it so we included it in the most recent release.
- Included infrastructure needed for greater resilience, ability to remain available even through AWS outages.
- Organizations which are closer to the west coast could see some benefit from optimizing
- Is RadSec officially on the roadmap?
- Definitely looking towards it, but are still in early stages of investigation. There are two pieces of implementing. Upstream is lighter lift and would probably come first. The more complex aspect is getting all of eduroam subscribers to deploy RadSec. Would require lots of coordination with the community, and likely this committee as well. Could warrant a working group if/when we approach it.
- Update on User/Device Onboarding group (Tim/Rob lead out)
- https://docs.google.com/document/d/1bWYEvM1lRP18-iko1Sj1Uh9QdJcYfVp3SYSfQdf-HFA/edit
- Internet2 seeks clarification on…
- How RADIUS service, PKI service, and client provisioning service would interoperate
- How configuration management portion would fit into a finished service
- Overview of the document and then dig into next steps, discuss soft points.
- During previous year we identified some authentication/onboarding requirements in the Best Practices Guide. TLS/cert authentication was put forward as the recommended auth method. Question arose on how to implement cert issuance/management, especially for smaller orgs (K12 and smaller HE in particular). Also wanted to think about how to use cloud architecture to offer some service to handle user and device onboarding. That lead us to form up the User/Device Onboarding working group and develop this document. Looked at how we could simplify onboarding for smaller orgs. Tim came up with some good models for approaching this work
- Conclusion was that the work being done in GEANT is a great starting point, esp where balancing costs and value are concerned. Three service components were identified
- RADIUS service
- PKI Service
- Client Provisioning
- Commercial solutions bundle all three. Idea was to have a hybrid model where an institution takes on some portion of those three components. Group settled on an approach where the institution owned the RADIUS service (didn’t need to management - they could have it hosted elsewhere), and the User/Device service would host the client provisioning and PKI. Configuration management would be “headless” - clients would communicate with the service to pull down configurations. Centralizes client configuration/OS flavors.
- This service is intended for smaller orgs that can’t afford ClearPass or other commercial solutions. Could be aimed at other audiences but more of a business discussion around who uses the service, who owns which portions of the service etc. Goal was that it could be deployed from an IaaS app store.
- Most likely use case is for a smaller institution that has no better route toward onboarding.
- It’s possible that this could serve to get smaller, less technically capable orgs to get off AD, other less flexible identity stores, set them up for easier time integrating with IAM.
- Because PKI is infrequently invoked we felt it will be easier for people to get comfortable with not having control of their PKI.
- Talk more more about cert revocation? How would that be handled?
- Level of detail you could get would be the ability to block an individual cert or device. Want to avoid overly complex options, keep things simple.
- Very helpful context. Was there a set of requirements that drove you toward option C? Did you do any digging into use stories, other decision making?
- That’s the next step - look at where cost, complexity are a problem. Maybe solution could end up being “offer all three”. We felt Option C was the one which met the needs of those less technical and less resourced institution.
- Formation of requirements and understand the thinking that drove the group to choose option C.
- There are notes from previous meetings, but not formal artifacts. We considered community feedback that all pointed toward challenges around onboarding, difficulty of cert management.
- No formal surveying but lots of considering feedback from UETN’s K12 population. For example, PKI management was prohibitively expensive from a staff expertise standpoint
- Consider upstream load shedding when you try to optimize like this. Trying to figure out how to share that load so that it doesn’t all land on Internet2.
- Tried to consider what the minimum we could put onto the school/institution. Considered a balance that would allow the service would work but not crush the schools with cost/staff expertise requirements.
Consider fiscal sustainability vs sustainability of adoption. I understand that you thought through that balance here - any thinking this group has already done would be helpful
- This is almost like an architectural thought piece that encourages consideration of what the service is composed of and how an entity like Network Nebraska could engage with its community, set up service for different segments of community. Eventually that set of practices could coalesce into a service.
- nterest in how to go from modeling solutions to execution of solutions.
- The working group believe that this is pretty high level, less about a rigidly defined set of functional requirements. We’d like to hear from this group, others adjacent to the eAC on what they feel those requirements would be so that we can incorporate them into a more detailed requirement set. We can think about what should be greenfield and what existing solutions could be adapted/integrated.
- Next steps: Reconvene working group. Add Brett to group. Mike to discuss additional I2 or community staff with Sara. Mike to send scheduling poll
- Best practices for managing users/esp. former students who have wireless profiles on their devices and cause authentication failure
- Next meeting: March 18th, 11am-12:30pm ET
Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework.
Public Content Notice - eAC minutes are public documents. Please let the eAC and note taker know if you plan to discuss something of a sensitive nature.
2 Comments
Neil Malcolm Johnson
I approve
Brett Bieber
I approve