Friday January 20, 11am-12:30pm ET


Attendees

Brett Bieber - Nebraska

Rob Gorrell - UNCG

Nadim El-Khoury - Springfield College

Kendra Ard - CSU Chancellor’s Office

Dion Baird - Oregon State University

Tom Rixom - SecureW2

Jeremy Livingston - Stevens College

Mike Dickson - UMass Amherst

Saira Hasnain - University of Florida

Jeff Egly - UETN


With

Nicole Roy

Sara Jeanes

Kevin Morooney

Ann West

Margaret Cullen (CACTI Chair)

Mike Zawacki


Regrets

John Buysse

Tania Mahood

Josh Howlett

Amel Caldwell

  • Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework 
  • Public Content Notice - eAC minutes are public documents. Please let the eAC and note taker know if you plan to discuss something of a sensitive nature.
  • Agenda bash
    • Bashed!
  • Approval of last meeting’s minutes
  • https://spaces.at.internet2.edu/display/eduroam/eAC+Meeting+2022-12-22
    • Rob approves, Brett seconds
  • Introduction of new members, next steps for committee (MikeZ)
    • Quick word from our chairs
      • Relatively new committee, lots to do!
    • Intro from Kevin
    • Introductions
    • Intro meeting for new committee members Thursday, Feb 3rd 4pm ET
    • Process for voting for chair, vice chair 
  • Update on GEANT SP issue (Nicole Roy)
    • Overview/refresher
      • Letter from eAC to GEANT on SP issue
      • Nicole: eduroam service depends on several applications, external and internal. eFM is one, operated by Internet2. GEANT operates several more, many sitting behind a SAML Service Provider/SSO endpoint. SAML federations have a number of policy requirements, especially around user attributes (email address, other unique identifiers, membership in certain groups, etc.). Privacy concerns mean that release and storage of these attributes need to be handled securely from both ends of the transaction. Attributes and release have national and local policy differences, which need to be coordinated to ensure users have a smooth experience. The Research and Scholarship attribute set provides interoperability between identity sources and service providers, tuned for the needs of the R&E community. The SP managing access to the eduroam Configuration Assistant Tool (CAT) uses the R&S attribute set. However, there are problems with user identifiers in the SAML space. One attribute in particular (eduPersonTargetedID) was found to have vulnerabilities around upper/lower case (aka case folding). The attribute has been deprecated and is in the process of being replaced by other attributes. The CAT requires that if a user releases eduPersonTargetedID they MUST also release additional attributes. This is causing issues where users (in particular at US institutions) that aren’t releasing both attributes cannot access the CAT using their institutional/InCommon credentials. TL;DR version - users who should have access to the CAT cannot access it because there’s a policy discrepancy between GEANT and InCommon participants.
      • Saira: Is there a diagram that lays out the structures you’ve covered? 
      • Nicole: I’ll share one with this group. 
      • Sara: The eAC sent a letter to GEANT asking for their assistance resolving the issue. The ask now is for 1-2 volunteers from this group to join Mike Zawacki and me on a call with GEANT and talk through some possible approaches to resolving this problem. We can report back to the committee on the next call.
      • Saira: What’s the number of people who are impacted?
      • Nicole: Hard to gauge impact because privacy requirements prevent us from seeing the authentication process and outputs. IdP and SP are communicating directly without sending any logs/results/etc to us. We’d have to survey InCommon participants or ask GEANT to share anonymized log data. 
      • Sara: This issue was acute enough to raise to the level of the eAC’s attention. 
      • Brett: One higher level consideration - the confidence of our community in these tools is very important. Having membership from the eAC involved in the discussion is critical. 
    • Next steps
      • Volunteers to join call?
        • Jeff Egly
        • Rob Gorrell
        • Nadim El-Khoury
        • Saira Hasnain
        • (Contact MikeZ if you decide to join)
      • Thank you!
  • Privacy Preserving KB article (Sara/Margaret) 
    • Preserving end user privacy in eduroam
      • Sara: Deeply tied into past activities by this committee, in particular the Best Practices Guide. This is not just a best practice document but also an articulation of the value in adoption of community standards and practices. Looking for feedback from this committee, especially as it relates to the eduroam Best Practices Guide
      • Jeff: Would you like us to add this to the agenda for the next call? 
      • Sara: If the committee feels like it warrants further discussion then yes, otherwise likely not
  • eSO Update
    • Jeff: Overview of the program - the eduroam Support Organizations are responsible for leading their states in driving K12 adoption of eduroam in their state. Also keep in mind that the 2023 eSO cohort will 
    • Link Oregon
      • (Mike to add notes)
    • Network Nebraska
      • Brett: Gave a presentation at TechEx22 on our eSO work. Up to 88% of our ESUs (educational support units) are signed up, representing 54% of all Nebraska K12s. Have been working with Cox Communications and Allo Communications (commercial ISPs) on public deployments of eduroam. Have more presentations coming, including at CoSN, where we’ll jointly present with UETN, and at Great Plains Network’s annual conference.
      • Slides from TechEx22
    • The Sun Corridor Network
      • (Mike to add notes) 
    • UETN
      • Jeff: Similar efforts to Network Nebraska. Are also working with the remaining charter schools (nearly all public schools are now using eduroam) on deployments. Have an eduroam User Group call coming up (tech staff from K12, HE, and others from Utah and other states; attendees from other orgs are welcome, contact Jeff for info). Have been developing additional promo materials, working on hotspots in cooperation with state agencies including Dept of Ed, UDOT, etc. Will be presenting at WestNet with Sun Corridor Network on work to date.
  • Review of work priorities (standing item)
    • This item intended to be a standing check in on how the eAC can contribute 
    • Windows TLS issue (MSCHAPv2 deprecation) 
      • Rob: Brought to our attention by Chris Phillips of CANARIE (Canadian NREN). Windows 11 updates around Credential Guard and how network authentications are handled. Could cause problems for Windows 11 users.
      • Nadim: We’ve been dealing with this issue with our users. When forcing users to TLS 1.2 it works. Using cert-based authentication also fixes the issue. We were thinking of running FreeRADIUS on BSD to alleviate issues.
      • MikeD: Also heard of issues from our schools after the Windows 11 rollout. We haven’t had as much trouble with it as others. You can also tweak the registry to disallow 1.3, but that comes with its own issues. Having a RADIUS server that supports TLS 1.3 also fixes it, as Nadim mentioned. Some commercial products have issues with this as well. Changes that offer a long-term fix will need to wait for the holiday break. Some confusion around which versions of Windows and associated components play nice with which versions of RADIUS. Bigger issue for BYOD environments.
      • Post on GEANT’s mailing list: https://lists.geant.org/sympa/arc/cat-users/2022-10/msg00040.html
      • Some background info on why MSCHAPv2 was deprecated:
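The server-side workaround Nadim and MikeD describe (pinning the EAP tunnel to TLS 1.2 until the RADIUS server can complete a TLS 1.3 handshake) looks like the following on FreeRADIUS. This is an added illustration, not configuration from these minutes or from any of the institutions named; it assumes the FreeRADIUS 3.0.x option names `tls_min_version`/`tls_max_version` in `raddb/mods-available/eap`, and the version thresholds for TLS 1.3 support in the comments are the editor's assumption, not a statement from the meeting.

```conf
# Added example (not from the eAC minutes): FreeRADIUS 3.0.x
# raddb/mods-available/eap, trimmed to the TLS-version settings.
# Option names assumed from the 3.0.x default file; verify against your build.
eap {
	default_eap_type = peap
	timer_expire     = 60
	max_sessions     = ${max_requests}

	tls-config tls-common {
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		ca_file          = ${cadir}/ca.pem

		# Interim workaround discussed in the meeting: cap the EAP TLS
		# tunnel at 1.2. A supplicant that offers TLS 1.3 (the Windows 11
		# update behaviour Rob raised) then negotiates 1.2, which an older
		# FreeRADIUS/OpenSSL combination can finish, and the PEAP/MSCHAPv2
		# or EAP-TLS exchange inside the tunnel proceeds as before.
		tls_min_version = "1.2"
		tls_max_version = "1.2"

		# Long-term setting once the server genuinely supports TLS 1.3 for
		# EAP (assumption: FreeRADIUS 3.2.x or 3.0.26+ on OpenSSL 1.1.1+).
		# Leave the cap at 1.2 until the EAP-TLS/PEAP handshake has been
		# tested against a 1.3-capable client; raising it on an unsupported
		# build reproduces the failure rather than fixing it.
		# tls_max_version = "1.3"
	}

	tls {
		tls = tls-common
	}

	peap {
		tls = tls-common
		default_eap_type = mschapv2
	}
}
```

Check the syntax with `radiusd -C` (or `freeradius -C` on Debian-derived packages) before restarting, and confirm the negotiated version from a debug run (`radiusd -X`) with a Windows 11 client rather than from the client's error dialog, which does not distinguish a TLS version mismatch from a certificate problem.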
    • Update of Best Practices Guide
      • Jeff: One of the first items the eAC worked on. Has been 2 years since created and vetted by community. Time to review and update. 
    • Distributed eduroam testing/monitoring (update from December eAC meeting)
      • MikeZ: Internet2 will be taking in some of the proposals that grew out of the TechEx session, will likely be coming back to the committee with more specific asks
    • Sara: Mike and I take direction from the chair and vice-chair on activities and outputs like working groups, position papers, etc. 
  • Closeout of community consultation on user/device onboarding requirements 
    • https://spaces.at.internet2.edu/pages/viewpage.action?pageId=243080614
    • No public comment given
    • Jeff: This is another area where the eAC has provided outputs and community facing documents. 
    • Brett: Great document, and we were really happy to help provide community perspective. There’s material in this document that will also inform future work especially around multi-factor auth, etc. 
  • Removal of BASNET and JSCC from eduroam (Belarusian and Russian NROs from eduroam)
    • Sara: GeGC was informed about the removal of these NRENs. Decision was made by GEANT, as they were sponsoring these NRENs in eduroam. No action needed, just wanted to make the committee aware of the decision in case it comes up in other contexts
  • Next meeting time
    • Friday Feb 17th, 11am-12:30pm ET
    • New day/time needed?
      • Jeff: Comments from committee? 
        • Consensus is that the time works for most/all on current call
  • AOB?