Date, Time, and Location
Friday, April 15, 2022
11:00am ET | 10:00am CT | 9:00am MT | 8:00am PT
Amel Caldwell - UW
Brett Bieber - Nebraska
Neil Johnson - Iowa
Kim Owen - NDSU
Stefan Winter - RESTENA
Michael Hacker - University Heights Charter School District
John Buysse - Notre Dame
Rob Gorrell - UNCG
Jeremy Livingston - Stephens University
Michael Dickson - University of Massachusetts
- Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework
- Public Content Notice - eAC minutes are public documents. Please let the eAC and note taker know if you plan to discuss something of a sensitive nature.
- Agenda bash
- Bashed! No new items
- Approval of last month’s meeting minutes
- Kim moved to approve
- Jeff approves
- Update on working groups
- Discussion on geteduroam (special guest Stefan Winter)
- Link to recording: https://internet2.box.com/s/v430s18c60h8ndlnrjwcorv9cwdrlueu
- Geteduroam app info: https://www.geteduroam.app/
- Brett: WRT the pseudo-IdP portion - is SURFnet running one instance that is backed by multiple IdPs, or is it a one-to-one relationship?
- Stefan: This is a multi tenant deployment, so it’s one instance that talks to multiple IdPs.
- Brett: Thanks. A point of confusion for me when I was trying out geteduroam was which institutional credentials I had to plug in.
- Stefan: There’s documentation that can help with this (https://www.geteduroam.app/idp/cat/)
- Brett: Regarding certs - they’re generated on the geteduroam IdP and then installed via the app?
- Stefan: Yes. We have a similar service (Managed IdP). In that service we found it easier to generate the cert on the server and then provide it to the end user. Working on client-side generation but
- Brett: Is there a way to manage the certs which are installed via geteduroam? A revocation list, etc?
- Stefan: The basic idea was that you wouldn’t need revocation because the certs were short-lived (4ish weeks). Turns out that OSes are bad at having to frequently load new certs. We extended the life of the certs and have not yet added in management functionality. It’s on the roadmap but not
- Brett: Is there any ability to manage other aspects of the cert? And is any of this visible to the user?
- Stefan: Not right now. Users will get a notice that their cert is expiring.
- Brett: Excited about this. One thing we’ve been working on is how to encourage orgs to follow Best Practices around relying on EAP-TLS if they’re smaller, less technically capable. This could help solve for that. What we’re missing is that many of the institutions we would work with don’t have a SAML IdP. Need to look at how to either work around that or provide SAML elsewhere. Maybe a containerized SAML IdP to run locally? Maybe leverage an external IdP (e.g. Azure AD)?
- Steve: Anything is "possible" in this way - but what is "probable and practical" is the biggest question due to the variability of combinations/permutations.
- Ann: Google would be in scope for that too, since it’s OIDC
- Brett: True. Is that possible, Stefan?
- Stefan: Would be best to talk to Paul Dekkers about this. We’ve been talking about how to handle IdP requirements. No solution now.
- Brett: Not much experience with federation in the K12 space. eduroam is the first taste of that for them. Want to bring them into that space, show them what’s possible.
- Ann: Agree. Baby steps - Google is common in K12, maybe work on that first
- Sara: We have a layer of capabilities (geteduroam, other services we’re working on). As we push down to K12 there’s another level of abilities, limitations, and there’s the functionality of various eduroam and related services like geteduroam, CAT, etc. Need to work on linkages between all those portions. Challenge is identifying dependencies of linkages and putting those into place
- Brett: Where is the development occurring, what’s the roadmap for those projects? Having a sense of that will help us sequence our work and figure out where we can contribute.
- Stefan: I’ll ask for the roadmap and share back with this group
- UPDATE: At this time there’s no publicly sharable roadmap for geteduroam
- Solution reviews
- Sara: Context was proposal of functions to provide parity with legacy service.
- Brett: It’s a good point. No objections to his statements.
- Amel: Agree. Don’t think validating the server cert is enough.
- Brett: So are there suggestions for validation?
- Amel: Really difficult/impossible to enforce validations if it’s a ‘one and done’ with just username/password
- Sara: Idea was to use short lived certs to address these challenges, require regular validation
- Brett: If username/password reliance is a problem/weakness then we need to consider how to move people off that model and onto methods like EAP-TLS. I feel like that’s well understood, so we just need to continue to work on lowering the bar to move to cert based authentication (additional services, documentation, etc).
- Michael H: Coming from K12s, we see this problem. We’re scattered between Google and 3rd party on prem solutions (Azure AD). Are looking toward the community to close those gaps.
- Ann: Also see that in HE. If we solve for K12 we also solve for HE. Solution may be a collection of partners who come together under community standards and policies. InCommon has started that sort of work (InCommon Catalyst program). First work there is a SAML IdPaaS. Could see that sort of work factoring into questions like the need for SAML in geteduroam. Trust is also backed up by legal agreements that “give the community teeth”
- Jeff: Next steps?
- Sara: It sounds like we’re in good shape, that our recommendations are in line with community standards. Next steps would be to have the group dig into technical needs. For example, for monitoring piece we could just write up a knowledge base article. For IdP we need to write up technical description of how to make the various pieces interoperate. For SP side we’d want to figure out how to manage credential issuance and removal. We see IdP coming first, would want testing.
- Brett: I think the documents hit the mark for what’s needed.
- Amel: Agree.
- Sara: I’d encourage us to dig into the conversational fork Brett was taking us down. Want to continue discussion around end user onboarding.
- Note from Michael Dickson: Regarding the SP section of the “eAC review of eduroam services proposals” on April 6th, I agree that ensuring “validate server cert” is enabled in the OS to prevent MiTM attacks is critical to a safe connection. We use EAP-TTLS with a 3rd party onboarding service. Fac/staff devices that are managed can get a supplicant config pushed via GPO, but because there are no client-side certs needed, students and unmanaged Win/Android devices simply see eduroam in the hunt list and click. They just enter their username and they’re done, often without “validate server cert” being enabled. We strive to convince users to run the onboarding tool, but it’s just plain easier to click to connect.
- User/Device Onboarding working group (Brett)
- Version/MVP table
- Brett: With info Stefan provided this document will need some updating! Intent was to identify existing community tools that will meet the requirements of various components. I started off listing out features, what the MVP would be for initial version, and then looking ahead to v2, etc. Hearing Stefan’s demo I’m seeing where those fit into this document. Next step would be to get the road map for geteduroam, identify where upcoming features slot into needs for our solution, and plan around gaps.
- Jeff: I agree. Do you feel like we need to get some additional representation? Assistance from the WG to fill this in?
- Brett: I like the idea of doing a technical pilot with Paul Dekkers. I could find a pilot K12 candidate that would benefit from this solution, esp. those with no RADIUS service/experience and then building a team from there.
- Jeff: UETN would be interested in putting forward a pilot as well
- Sara: I’d like to tease Brett’s points apart and discuss what would be needed next. Not sure the pressing need exists between a SAML IdP and geteduroam. I felt like device provisioning was the greater need and am not sure scaling SAML IdPs is the next step
- Brett: Wonder if there’s a simple recipe for connecting an existing identity store with geteduroam’s pseudo-IdP. We can set aside the SAML question for now. Michael, does that make sense to you?
- Michael H: Yes. We deal with a lot of intricate problems (for example balancing the need for MFA with the teachers’ union). Need to think about how to work within our community to solve for these. That said, would like to move away from Google, but not a blocking point.
- Brett: Maybe think about how to hook into on prem Azure AD, other IDPs.
- Sara: Want to use next call to dig into technical needs, work on how to meet those needs.
- Next call: Will include Michael Hacker
- AI Mike: Get roadmap for geteduroam then share out and schedule call with working group, add Michael H, Nicole Roy, Margaret Cullen. Move Tim to highly desired, but non blocking.
- UPDATE: At this time there’s no publicly sharable roadmap for geteduroam
- SO update (Jeff/Brett/Mike)
- Jeff: Attended COSN. eduroam came up, including discussion with Kajeet (mobile wifi provider) about adding eduroam to metro busses, esp with availability of new federal funding. They will be attending our next User Group meeting. Working on new marketing and promotional campaign, new promotional collateral.
- Brett: Bringing on 3 new ESUs. Up to about 75% of all ESUs have deployed eduroam. Next week we present at the state edu conference on topics including eduroam. Working with Cox Communications on public wifi deployments, SP-Only opportunities.
- Ongoing work with pilot district. Working with state library consortium on adding SPs to their sites.
- Network Nebraska
- Sun Corridor Network
- SO Proposals
- Jeff Egly
- Brett Bieber
- Michael Hacker
- Proposal deadline is April 22nd
- Committee members interested in helping review proposals
- AI Mike to set up scheduling poll for review meetings
- Standing check in on work priorities for the eAC in 2022
- Jeff: Spoke with Merit Network and there’s some interest. Happy to set up a conversation.
- Mike: That would be great. Please include Sara on the email thread.
- Jeff: Discussed some activities today WRT solutions reviews, ongoing work on User/Device onboarding and upcoming work on Guest Access as well. Any other topics that others see as high priorities?
- Brett: Work with SO proposals is important, good topic for this committee
- eduroam team believes the service is now in a ‘good for now’ resilience state. Do you agree? (Sara)
- Jeff: I recall that there’s a number of subscribers that point exclusively to one TLRS or another. Is that correct?
- Sara: Yes, the failover between TLRS1 and 2 needs to be configured on the subscriber end. The only way to address that is with communication, documentation. So on the most recent maintenance on TLRS2 there were a few (20ish) who appeared to only hit TLRS2, which would cause an outage. Goal for us is to make sure that service failover can happen at the infrastructure level rather than the endpoint level.
- Next meeting - Friday May 13th, 11:00am-12:30pm ET
- Approval of minutes - Jeff will review and second (email Romy)