Friday January 20, 11am-12:30pm ET
Attendees
Brett Bieber - Nebraska
Rob Gorrell - UNCG
Nadim El-Khoury - Springfield College
Kendra Ard - CSU Chancellor’s Office
Dion Baird - Oregon State University
Tom Rixom - SecureW2
Jeremy Livingston - Stevens College
Mike Dickson - UMass Amherst
Saira Hasnain - University of Florida
Jeff Egly - UETN
With
Nicole Roy
Sara Jeanes
Kevin Morooney
Ann West
Margaret Cullen (CACTI Chair)
Mike Zawacki
Regrets
John Buysse
Tania Mahood
Josh Howlett
Amel Caldwell
- Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework
- Public Content Notice - eAC minutes are public documents. Please let the eAC and note taker know if you plan to discuss something of a sensitive nature.
- Agenda bash
- Bashed!
- Approval of last meeting’s minutes
- https://spaces.at.internet2.edu/display/eduroam/eAC+Meeting+2022-12-22
- Rob approves, Brett seconds
- Introduction of new members, next steps for committee (MikeZ)
- Quick word from our chairs
- Relatively new committee, lots to do!
- Intro from Kevin
- Introductions
- Intro meeting for new committee members Thursday, Feb 3rd 4pm ET
- Process for voting for chair, vice chair
- Update on GEANT SP issue (Nicole Roy)
- Overview/refresher
- Letter from eAC to GEANT on SP issue
- Nicole: The eduroam service depends on several applications, external and internal. eFM is one, operated by Internet2. GEANT operates several more, many sitting behind a SAML Service Provider/SSO endpoint. SAML federations have a number of policy requirements, especially around user attributes (email address, other unique identifiers, membership in certain groups, etc.). Privacy concerns mean that release and storage of these attributes need to be handled securely from both ends of the transaction. Attributes and release have national and local policy differences, and need to be coordinated to ensure users have a smooth experience. The Research and Scholarship attribute set provides interoperability between identity sources and service providers, tuned for the needs of the R&E community. The SP managing access to the eduroam Configuration Assistant Tool (CAT) uses the R&S attribute set. However, there are problems with user identifiers in the SAML space. One attribute in particular (eduPersonTargetedID) was found to have vulnerabilities around upper/lower case (aka case folding). The attribute has been deprecated and is in the process of being replaced by other attributes. The CAT requires that if a user releases eduPersonTargetedID they MUST also release additional attributes. This is causing issues where users (in particular at US institutions) that aren’t releasing both attributes cannot access the CAT using their institutional/InCommon credentials. TL;DR version - users who should have access to the CAT cannot access it because there’s a policy discrepancy between GEANT and InCommon participants.
- Saira: Is there a diagram that lays out the structures you’ve covered?
- Nicole: I’ll share one with this group.
- Sara: The eAC sent a letter to GEANT asking for their assistance resolving the issue. The ask now is for 1-2 volunteers from this group to join Mike Zawacki and myself on a call with GEANT and talk through some possible approaches to resolving this problem. We can report back to the committee on the next call.
- Saira: What’s the number of people who are impacted?
- Nicole: Hard to gauge impact because privacy requirements prevent us from seeing the authentication process and outputs. IdP and SP are communicating directly without sending any logs/results/etc to us. We’d have to survey InCommon participants or ask GEANT to share anonymized log data.
- Sara: This issue was acute enough to raise to the level of the eAC’s attention.
- Brett: One higher level consideration - the confidence of our community in these tools is very important. Having membership from the eAC involved in the discussion is critical.
- Next steps
- Volunteers to join call?
- Jeff Egly
- Rob Gorrell
- Nadim EL-Khoury
- Saira Hasnain
- (Contact MikeZ if you decide to join)
- Thank you!
- Privacy Preserving KB article (Sara/Margaret)
- Preserving end user privacy in eduroam
- Sara: Deeply tied into past activities by this committee, in particular the Best Practices Guide. This is not just a best practice document but also an articulation of the value in adoption of community standards and practices. Looking for feedback from this committee, especially as it relates to the eduroam Best Practices Guide.
- Jeff: Would you like us to add this to the agenda for the next call?
- Sara: If the committee feels like it warrants further discussion then yes, otherwise likely not
- eSO Update
- Jeff: Overview of the program - the eduroam Support Organizations are responsible for leading their states in driving K12 adoption of eduroam in their state. Also keep in mind that the 2023 eSO cohort will
- Link Oregon
- (Mike to add notes)
- Network Nebraska
- Brett: Gave a presentation at TechEx22 on our eSO work. Up to 88% of our ESUs (educational support units) are signed up, which represents 54% of all Nebraska K12s. Have been working with Cox Communications and Allo Communications (commercial ISPs) on public deployments of eduroam. Have more presentations, including at CoSN, where we’ll jointly present with UETN, and at Great Plains Network’s annual conference.
- Slides from TechEx22
- The Sun Corridor Network
- (Mike to add notes)
- UETN
- Jeff: Similar efforts to Network Nebraska. Are also working with remaining charter schools (nearly all public schools are now using eduroam) on deployments. Have an eduroam User Group call coming up (tech staff from K12, HE, and others from Utah and other states). Attendees from other orgs are welcome (contact Jeff for info). Have been developing additional promo materials, working on hotspots in cooperation with state agencies including Dept of Ed, UDOT, etc. Will be presenting at WestNet with Sun Corridor Network on work to date.
- Review of work priorities (standing item)
- This item intended to be a standing check in on how the eAC can contribute
- Windows TLS issue (MSCHAPv2 deprecation)
- Rob: Brought to our attention by Chris Philips of CANARIE (Canadian NREN). Windows 11 updates around Credential Guard and how network authentications are handled. Could cause problems with Windows 11 users.
- Nadim: We’ve been dealing with this issue with our users. When forcing users to TLS1.2 it works. Using cert based authentication also fixes the issue. We were thinking of running FreeRADIUS on BSD to alleviate issues.
- MikeD: Also heard of issues from our schools after the Windows 11 rollout. We haven’t had as much trouble with it as others. You can also tweak the reg file to disallow 1.3, but that comes with its own issues. Having RADIUS that supports TLS 1.3 also fixes it, as Nadim mentioned. Some commercial products have issues with this as well. Changes that offer a long-term fix will need to wait for the holiday break. Some confusion around which versions of Windows and associated components play nice with which versions of RADIUS. Bigger issue for BYOD environments.
- Post on GEANT’s mailing list: https://lists.geant.org/sympa/arc/cat-users/2022-10/msg00040.html
- Some background info on why MSCHAPv2 was deprecated:
- Article that explains the vulnerability: https://www.securew2.com/blog/peap-mschapv2-vulnerability
- The issue occurs when clients do not validate the server certificate (or allow users to ignore a failed validation), so the inner MSCHAPv2 exchange can be completed with a server the client has never verified.
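As an added illustration of that point (not content from the meeting or from the linked article), the two wpa_supplicant network blocks below contrast a PEAP/MSCHAPv2 client profile that performs no server certificate validation with one that trusts only the issuing CA and checks the RADIUS server's name. The CA file path, the server name, the identity and the password are placeholders, not values from any real deployment.

```conf
# Added example, not from the eAC minutes. Two wpa_supplicant network
# blocks for PEAP/MSCHAPv2. Paths, server name, identity and password
# are placeholders.

# WEAK: no ca_cert and no server name check. With ca_cert unset,
# wpa_supplicant accepts any server certificate, so the client cannot
# tell the institution's RADIUS server from an impostor and the
# MSCHAPv2 exchange is completed with whatever answered.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
}

# HARDENED: the outer TLS tunnel is only established to a server whose
# certificate chains to the expected CA (ca_cert) and whose subject or
# SAN matches the expected host (domain_match). A certificate failure
# aborts the handshake before any MSCHAPv2 data is sent; the user is
# not offered an "ignore" option.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
    # placeholder path to the CA that issued the RADIUS server certificate
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    # placeholder RADIUS server name; must match the certificate exactly
    domain_match="radius.example.edu"
}
```

The same two settings (a pinned CA and a required server name) are what a CAT-generated profile or an MDM-pushed Windows profile enforces on managed devices; on BYOD devices the hardened block is the behaviour to aim for, since a profile that lets the user accept an unknown certificate is functionally the weak block.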
- Update of Best Practices Guide
- Jeff: One of the first items the eAC worked on. Has been 2 years since created and vetted by community. Time to review and update.
- Distributed eduroam testing/monitoring (update from December eAC meeting)
- MikeZ: Internet2 will be taking in some of the proposals that grew out of the TechEx session, and will likely be coming back to the committee with more specific asks.
- Sara: Mike and I take direction from the chair and vice-chair on activities and outputs like working groups, position papers, etc.
- Closeout of community consultation on user/device onboarding requirements
- https://spaces.at.internet2.edu/pages/viewpage.action?pageId=243080614
- No public comment given
- Jeff: This is another area where the eAC has provided outputs and community facing documents.
- Brett: Great document, and we were really happy to help provide community perspective. There’s material in this document that will also inform future work especially around multi-factor auth, etc.
- Removal of BASNET and JSCC from eduroam (Belarusian and Russian NROs from eduroam)
- Sara: The GeGC was informed about the removal of these NRENs. The decision was made by GEANT, as they were sponsoring these NRENs in eduroam. No action needed, just wanted to make the committee aware of the decision in case it comes up in other contexts.
- Next meeting time
- Friday Feb 17th, 11am-12:30pm ET
- New day/time needed?
- Jeff: Comments from committee?
- Consensus is that the time works for most/all on current call
- AOB?
- Brett: Update on the 2022 eSO annual report?
- Mike: It’s been finalized, will be published shortly. I’ll take an action item to share the link with this committee when available.
1 Comment
Rob Gorrell (uncg.edu)
I approve these minutes