eAC Meeting 2022-12-22

Attendees: 

Brett Bieber

Jeff Egly

Jeremy Livingston

Mike Dickson

Neil Johnson

Rob Gorrell

With: 

Sara Jeanes

Ann West

Mike Zawacki

Regrets:

Kim Owen

John Buysse

Agenda

• Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework 
• Public Content Notice - eAC minutes are public documents. Please let the eAC and note taker know if you plan to discuss something of a sensitive nature.
• Agenda bash
• TechEx Report out
• Raspberry Pi monitoring/test nodes
• Approval of last meeting’s minutes
• https://spaces.at.internet2.edu/display/eduroam/eAC+Meeting+2022-12-2
• Jeremy approves
• Brett seconds
• Introduction of new members
• Waiting until January to introduce all members 
• Election of new chair & vice chair to be held after January meeting
• AI Mike send out poll after Jan 20th meeting
• Many thanks to Neil Johnson and Kim Owen for their years of service on the eAC! 
• The committee thanks you both! 
• Follow up on GEANT SP issue
• Paul Dekkers’ reply (see email to committee members) 
• Paul unable to join us for TechEx, replied via email
• Next steps
• Sara: Will include Nicole Roy in next meeting to provide additional detail, lay out options. There is some interplay between this issue and User/Device Onboarding. Also has implications for K12s/eSO. Will need to scope future discussions carefully. 
• Brett: Looking at Paul’s message I saw a recognition that changes would need to be coordinated internationally. We can let Paul know that we’d be happy to help coordinate with user populations and eduroam operators in the US, esp. When we start talking about changes to metadata, other IAM operating practices 
• SO Update
• Link Oregon
• Mike: Has moved to full eSO. Wrapping up 4 deployment of 4 pilot schools, getting ready to join the 2023 Cohort
• Network Nebraska
• Brett: Steady state lately. Have been working on awareness of security issues with dynamic VLAN assignment. Have been working with technical staff in our state. Some questions from our community on additional documentation and training around this for eSO staff. Looking at addressing knowledge gaps, continuing to grow documentation. Continuing to work on marketing materials, stickers, window clings. Also working on Allo (state ISP) and Cox on public deployments of eduroam.  
• The Sun Corridor Network
• (Mike to add update)
• UETN
• Jeff: Also working on marketing materials. In discussion with state dept of education, transportation. Would like to present at Westnet along with SCN. Focusing on outreach, presentation to keep generating interest in the intermountain states. Have an internal meeting next month to plan out approach for eduroam work within Utah. 
• Sara: Great - let me know if you need anything for the WestNet 
• Review of work priorities (standing item)
• MSCHAPv2 issue 
• Mike D: Some of the schools in our area have updated their Windows 11 implementation. Will break MSCHAPv2 authentication over 802.1x. Requires TLSv3 and doesn’t allow for integration with RADIUS as-is. Can be tweaked to work with TLS1 or 2, or can disable Credential Guard but no easy fix
• Mike D: Good article describing the issue: https://lists.geant.org/sympa/arc/cat-users/2022-10/msg00040.html  
• https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-known-issues#known-issue-single-sign-on-sso-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2
• https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage
• Jeremy: TLS1.2 and below have serious security issues to be aware of.
• Jeff: Is Internet2 planning an update/info campaign on this?
• MikeD: The 22H2 update isn’t as widespread yet, so we aren’t seeing issues yet, but is trending upward. 
• Brett: Do we have a way to figure out which flavors of RADIUS, registry settings with W112, other factors that will cause problems, and communicate that out to our communities? 
• MikeD: Clearpass doesn’t reveal which version of FreeRADIUS it uses, so that’s hampered some of the work on our end. Some confusion even among vendors which platforms are impacted. One thing I’m looking into is SecureW2’s service to onboard users and whether it’s impacted. Also need to consider impacts of disabling TLS3 for the sake of making eduroam work. Could be a bigger issue int he coming academic year. 
• Amel: Upgrade to ClearPass 6.11 requires fresh install and restoring config and insight data afterward. 
• MikeD: That’s on the docket for us this summer. 
• Sara: This seems like  something we would want to alert the eduroam admins to, but need to be careful since some of the protocols/solutions needed to fix the issue are still in draft
• Mike Z: Does this rise to the level of needing a working group? 
• MikeD: I’d welcome some help with messaging if nothing else, forming up of best practices. The real answer is to do EAP-TLS but needs to take the TLS version into account. 
• Jeff: So is there an action item for this committee: 
• Brett; I’d like to get some input from SMEs on this. An awareness campaign seems like the next logical step. 
• MikeD: Do the TLRS run TLS1.3 or does it matter? 
• Sara: I believe we function as a pure proxy, aren’t looking at the inner layer of the request. We can just route requests. 
• MikeD: Maybe it would make sense to create a matrix of factors that will play into breakage, 
• Sara: I believe we don’t specify the version of TLS in the best practices Guide
• Rob:  I agree we (the eAC) has more to do with advising of the issue, less to do with coming up with an explicit fix
• MikeD: Often we see these issues treated as device level problems, then progress upward. Having messaging around what the issue is would help staff fix the actual issue rather than chasing lots of device issues, then lots of AD issues, etc. 
• Sara: I’m hearing a note that I should send to the eduroam admins, drafted by this group, alerting the community to the issue
• Brett: I like that idea. We could start by summarizing the discussion here. Awareness is key here
• MikeD: Feels like we’re still getting our hands around the size and scope of this issue. Some confusion from others, even from Microsoft
• Jeff: Also sounds like we’d need to update best practices guide in addition to messaging campaign
• Brett: We (ConnectEd Nebraska) would benefit from this. Lots of NPS schools in Nebraska
• MikeD: Need to consider that the Windows registry fix inherently involves a reduction of security
• Rob: ANd that doesn’t easily address BYOD for student populations.
• MikeD: Perhaps TLS 1.3 is finalized? https://datatracker.ietf.org/doc/rfc8446/
• Stats and metrics for the service
• Brett: One of the things I was thinking about is a retrospective for the whole eduroam community, stats that would be helpful for that. So there are things like total number of service locations,etc. Building on Sara’s presentation on the next 1,000 subscribers. These metrics could be good to educate the community, stakeholders, and help with narrative engagement/service storytelling
• Jeff: Agree with Brett’s points. Maybe we should lay out what the metrics are that we’re interested in hearing. Does Internet2 track stats internally
• Sara: Yes, two-fold. Publicly we have the info presented on monitor.eduroam.org. Internally we have access to a rollup report for all subscribers. We can also look at ways to capture additional info
• MikeZ: So we can look at the reports we all get and extrapolate what’s possible from there
• Brett: The total number of service locations is a good one. We have several states coming onboard the eSO program - those will help drive that number. Seeing that number tracked over time would be great. 
• Sara: We can add a standing item to each eAC planning call to track that. 
• Brett: THinking about the collective sense of accomplishment around Baseline Expectations for the InCommon Federation. Great for building excitement. 
• CURRENT, 2022-12-22: United States of America Internet2 Service Locations: 2959 IDPs: 942 SPs: 1021
• Sara: Brazilian NREN mentioned their SPs scaled massively with Raspberry Pi type SP-in-a-box
• Availability of 2022 SO Report
• Draft report: https://docs.google.com/document/d/1GYLZ9CbJC2srCTTWlwejIHcF4KC1W7WIWyr9_wbFiH4/edit
• Next steps
• Publish next month, promote in upcoming presentations
• Brett: One thing I’ve been working on is a better way to explain Network Nebraska and ConnectEd Nebraska. Lots of effort to market the eduroam project, less so messaging the organization. Ongoing internal discussion on this point - how to differentiate eduroam from the network from the organization but make the connection clear
• MikeD: One way to frame this - eduroam is the ROI, the fiber was the investment
• Jeff: A great point - it’s an important part of how to engage with stakeholders in your state, make the value clear
• Brett:  That’s a great point, Mike. Could be a way to talk about eduroam and the value at all levels. 
• Jeff: Speaks to questions we’re hearing from other RENs. It’s a good way to frame those discussions. 
• Next meeting
• Friday January 20, 11am-12:30pm ET 
• AOB? 
• TechEx Report out
• eduroam in k-12 slides, work with Mark from Painless Security 
• Brett: Presentation from myself, Neil Brown, Mark Donnelly from Painless. Got to engage with international community, including Klaas Wierenga (creator of eduroam). Good presentation from Mark as well (link to slides…). Talked about topics from programmatic/SO to technical items like Mark’s segment on integrating Google IDs with eduroam. Lots of good discussion, engagement from North Carolina (thanks Rob!), Nevada, Washington DC, French NREN (RENATER). 
• Jeff: Will also be meeting next month with Nevada on wireless front
• eduroam BoF
• Overview of service updates for 2022, solicited feedback from audience. Lots of discussion around content filtering, implications of K12 traffic on eduroam. Good comments from Andrew Buker, Rob Gorrell on that front. 
• Rob: Good summary there. Lots of interest in K12 and content filtering. 
• OpenRoaming and eduroam / CACTI
• Klaas Wierenga and Margaret Cullen (Painless, eduroam team, IETF) put session together. Main outcome was a need for whitepaper on positioning around OpenRoaming. Some interplay with CACTI as well. Could be a joint project between the two bodies. 
• https://docs.google.com/document/d/18rJ6A69p0UzI8FCdIKpsHcwYGKCBtpcOUGCvqHJkhjw/edit
• Raspberry Pi test nodes? (Outgrowth of session from TechEx) 
• Umich sent out devices, initially for perfsonar monitoring/etc. Could also be used for service modeling and more proactive monitoring of wireless/eduroam performance. This could possibly be an item that the eAC takes up next year or there may be some additional interest.
• Sara: Worth noting that the topography of eduroam vs networks is different and likely won’t yield as much detail as, say, perfSONAR.  
• MS-CC - https://www.ms-cc.org/
• NTIA program director - all hand meeting call
• MS-CC Meeting on October 27, 2022