Friday March 17, 11am-12:30pm ET
- Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework
- Public Content Notice - eAC minutes are public documents. Please let the eAC and note taker know if you plan to discuss something of a sensitive nature.
- Agenda bash
- Approval of last meeting’s minutes
- Mike D. motions
- Rob approves
- Mike D approves
- Updates from around I2
- CACTI - Rob
- Rob: Need to get invites sorted out
- Mike Z: Will coordinate with CACTI flywheel to get invite sent
- Solicit guest blog post - value of eduroam in relation to OpenRoaming
- Some work in the community on Passpoint/wifi calling - John Simpkins’ KB article: https://its.umich.edu/communication/telephone/cellular/passpoint
- SecureW2 - OpenRoaming v PassPoint - https://www.securew2.com/blog/difference-openroaming-passpoint
- Sara: This group has been aware of OpenRoaming since its inception. Have heard a few requests for clarity for the eAC, am lining up SME for April’s meeting to provide briefing. Would like to ask a member of this committee to create a blog post on eduroam and the value of eduroam, perhaps with some words on differentiation between eduroam and OR and where each might be appropriate to use. Looking for a community voice to reference when the topic comes up. Article could be lightweight. Can develop more substantive stance in time if that feels appropriate.
- Brett: With that, does anyone have an immediate interest in this?
- Saira: I do, especially interested from an institutional perspective. I’m happy to do some research and write up a post.
- Brett: Also seeing that there are folks in the community who are working on this, could be worth checking out their work
- Nadim: Seeing there’s a Cisco app that touches this service
- Brett: I propose we ask Saira to coordinate a post, investigate, share any resources you’ve found. Can present at next month’s call along with briefing at next meeting
- Jeff: Sounds great. I’m eager to learn more about it. At recent WestNet meeting the topic came up as well. Have heard some debate in Utah’s User Group meeting around merits of each, especially as we look at eduroam and SLC airport.
- Working group updates
- Cost benefit rationalization (Brett)
- Similar to InCommon Baseline Expectation project: https://incommon.org/federation/baseline-expectations-for-trust-in-federation/
- Brett: May not have provided sufficient background on this at last meeting, so would like to provide that here. Looking at Baseline Expectations push with InCommon. May be reaching the point of eduroam US evolution to look at service maturity. InCommon is an identity federation, some analogies with eduroam - IdP, SP similarities. Some of the service aspects they looked at were:
- User Experience - Does the service act as expected all the time?
- Security - Is access and info release being managed appropriately?
- Brett: Began with a voluntary program where participants asserted compliance. Ended up creating a set of compliance requirements, asked all participants to meet those requirements. Program was several years in the making, but successful. Question for us is whether we’re ready to take that sort of step.
- Brett: Curious to hear others’ thoughts on this. Does this make sense? Kevin, thoughts? Was that accurate?
- Kevin: All sounds good
- Rob: Wonder if one of those core elements doesn’t apply - Sirtfi (incident response framework). Could transfer almost directly to eduroam
- Brett: Good point. Would be of particular interest to commercial providers. Heard concerns on that from Cox Communications on public hotspots for example. Right now the risk falls primarily on IdP. Could be useful in convincing partners like Cox. Need a way to connect reported issues for SPs to appropriate IdP. Also need to ensure accurate contact info
- Rob: I’d also add maintaining the accuracy of service locations. Very important at the user level. So that could be an item to include in the requirements
- MikeD: We process DMCA complaints. Requests come in, we have to trace IP address - if the user is from another college all we can do is forward that information to that institution. We’ve also gotten those forwarded notices for our students from other schools. Often have an “email@example.com” contact point. That’s the end of the liability chain for us
- Brett: Not a new problem, there are processes in place for a lot of these issues already. Codifying those as part of eduroam service could be helpful for the community, make partnerships with commercial entities easier.
- Brett: On federation side, we formed up a list of requirements, looked at ways to drive compliance. Ended up modifying InCommon participation agreement with requirements and any penalties for non-compliance. Held input sessions from the community to see if the requirements were realistic, achievable, contract changes made sense. Worked with community to drive adoption of those requirements. For eAC need to recognize that we’re part of a global federation, so may be dealing with users and institutions that haven’t taken on this level of compliance. Could be an opportunity to lead by example
- Kevin: One of the things I’m noodling about is selling this to the broader eduroam US community. Imagining telling them why we’re doing this, why it’s needed. In BE we sold the effort as making the service safer, more reliable
- Security angle - Rob’s example of Sirtfi is a good example of this.
- Variability of edge - there are more ways to access wifi than eduroam. Users may work around, use guest accounts, etc if eduroam is too hard to use. Want to be sensitive to that reality, consider impacts of a BE effort on usability
- Jeff: One thing we as an eSO get is feedback when people can’t authenticate at eduroam locations. We take those seriously - good user experience is important for maintaining the value of eduroam. As we work with our stakeholders we find they want that too. So this is a conversation we’re comfortable having.
- Brett: Good points, all. Think there’s value in exploring this, possibly even have a webinar to discuss this with the community. If you’re interested in joining this working group signal your interest here:
- Kendra A
- Mike Z will add to calendar invite, set up next call for this WG
- Rob: Maybe the baseline expectation becomes a certain percentage of Access-Accepts as witnessed by TLRS1/2 for your site... drop below for a long enough period of time and you're no longer "meeting expectations" as an eduroam site.
- MikeD: I’ll add that it might be possible with Access/Rejects for simple fat fingering to skew metrics. If there was a way to do more comparative analysis could be a way to separate noise/signal.
- Brett: Good point. Speaks to possible inclusion of a requirement for alerting/monitoring features from the service (e.g. possible eFM feature requests).
- Rob: The primary issue I’m looking at is when a new school comes on, focuses on IdP side, ignores SP functionality. Would be a good first step for compliance.
- MikeD: Agree. If you’re greenfield and aren’t configured to handle other EAP types you could be failing other users 100%. Feedback loop for visiting users doesn’t include a way to provide feedback to bad/misconfigured SP. The challenge is the demarc between schools. Are IdPs being too slow to dig into these sorts of issues? This represents some good low hanging fruit
- Brett: Think first chunk of work will be refining a possible list of requirements, value prop to this work.
- Technology Transitions (Mike D.)
- Mike: Focusing on deprecation of MSCHAPv2 and Credential Guard moving from TLS 1.2 to 1.3. Group found that if you have a RADIUS server that’s running TLS 1.3 that isn’t fully IEEE compliant it won’t negotiate down from 1.3 to 1.2. If Windows only sees 1.2 it will continue ahead with negotiation. Nadim found that with some implementations this negotiation is broken though. We’re building a table to spell out interactions that can cause issues, workarounds. Also looking at positioning this not as a “you must do this thing” but a “be aware of this issue, here are some possible workarounds”. Considers resource costs of approaches, as moving to EAP-TLS can be expensive, complex. For some schools we’ve found that the process of figuring out what’s going on involves teasing out a number of variables (what OS, what OS version, what RADIUS type and version). Forming up an impact statement with some steps to work around that.
- Sara: Seems like there’s also a lot of chatter of Wifi6e. Is this in scope for this?
- MikeD: Good question. There was a recent talk on several topics, including 6e. Amel posted something as a result of that
- Amel: I did. Pointed them to the 6e guidelines from GEANT: https://eduroam.org/eduroam-deployment-considerations-on-wi-fi-certified-6e/ This morning saw that there was some confusion in responses to that info.
- MikeD: Good opportunity to provide some guidance to the community. Wondering if there’s existing work we could point to to provide clarity
- Sara: Work from GEANT doesn’t always get as much visibility. Could be an opportunity for this community to help guide the US community toward those resources.
- MikeD: A lot of these challenges are around emerging technologies and findings. Need to guide people to appropriate resources
- Brett: Grateful to folks like Mike and Nadim for staying on top of these. Mike, what are your next steps?
- MikeD: Group is plumbing institutional sources to figure out what the impacts are for interactions vis a vis RADIUS, OS, and versions of each. Want to build those into the table.
- Saira: I’ve sent out a note to my team with goal of understanding impact of disabling Credential Guard. We’re moving MS licensing from A3 to A5, currently heavily invested in moving everything under Windows Defender (on prem and cloud). WRT disabling Credential Guard we can do that automatically, but need to understand the impacts. We’re working toward EAP-TLS for staff, but still find student deployment daunting. Need to form up plan around that. Will share our findings with this group.
- MikeD: As wireless engineers you can look at disabling CredentialGuard as the easiest way to fix, but need to be mindful of security implications. Also future Windows patches might break that as a workaround.
- Saira: A message from this body could be that “Here are some challenges on the horizon, and if you’re not thinking about them you should, and here are some results of our testing.” Include statement that they should also consider their own security posture, implications of turning off security services.
- MikeD: Spot on. Also consider that TLS 1.2 will sunset. That’s not an MS thing, it’s an evolution of tech thing. We don’t have a timetable for that, but it’s a trend to keep in mind. Don’t know if we’ll go down this path, but BYOD could have one fix, managed devices could be another.
- MSCHAPv2 issue table
- Update of Best Practices Guide Working Group (Rob)
- Rob: Talked through existing areas that are still applicable, which needed to be refreshed. About half of the content needs updates
- MikeZ: Group decided to reformat guide into IdP and SP sections, address each section as a set of decision tree like structures. Next step will be to reformat guide, members will update the sections they’ve volunteered to draft language
- Pending work items
- TAC is currently launching a Pilot for (InCommon) IdP as a service (Sara)
- Typically deployed by a close collaborator organization/company in the community, but with a ‘good housekeeping seal’ that it meets community requirements as validated by a designated working group
- Requested solutions
- Guest Services report from 2021 - https://spaces.at.internet2.edu/x/cICQD
- ‘Cloud Bridge’ / hosted RADIUS for K12/others
- part of User/Device onboarding discussion in Summer 2022
- Containerized solution demoed at TechEx 2022
- User/Device Onboarding Requirements report - https://spaces.at.internet2.edu/x/ph19Dg
- Sara: These are all at the point where they’re kind of looking for solutions. We’d likely look to partners within the community to build/run these. InCommon Catalyst Program could be a framework for that engagement. Catalysts are companies that participate in community discussions. Want to be sure that any solutions deployed come from these sorts of partners who are already working with us, the eduroam US community.
- Sara: We’re looking internally at work you’ve all done, will ask this group to prioritize work. Will need to be approached in sequence. When we’re ready we’d ask to spin up a group to identify the ordering for developing these services.
- Brett: Thanks Sara. As an eSO we see things like IdPaaS/RADIUSaaS as important, could be useful for any smaller organization. I’ll be an advocate for that, happy to help.
- Support Organizations Update (Mike Z.)
- FM updates
- RP testing (aka eduroam hotspot testing) added
- Release Notes: https://spaces.at.internet2.edu/x/eAzABg
- Link Oregon
- Working with Oregon State to set up support structures and processes, hiring a part time PM to assist. Standing up eduroam for a number of schools in the Linn Benton district.
- ConnectEd Nebraska
- Brett: Currently attending NTEA to present on eduroam. Looking at ways to engage remaining school districts. Have been working with Cox Communications on public deployments in Omaha. Agreement discussions moved over to Internet2, they’re currently working with Cox on an agreement structure. Seemed like a good logical step, given Cox’s national footprint.
- The Sun Corridor Network
- Working with additional pilot school district (recently completed PoC on eduroam enabled Mifi hotspots). Talking to Arizona Department of Ed, looking at options for further funding, promoting eduroam statewide.
- Jeff: We’re also in the midst of UCET, Utah edu tech conference. Presented to WestNet with Derek Masseth on our programs. Good discussion with participants. Also had interest from Air Force Academy. Presenting next week at CoSN with Brett and Amanda Molinari (UETN PM) on our work with eduroam. Looking at continuing to grow hotspot deployments
- Volunteers to review proposals for 2023 cohort?
- Call for proposals went out Wednesday for 2023 cohort
- Rob Gorrell
- Nadim El-Khoury
- 2022 eduroam Support Organization year in review
- When: Tuesday, March 28 4-5pm ET
- Next meeting time
- Friday, April 14, 11am-12:30pm ET
- Committee members attending Community Exchange? May 8-11, Atlanta
- Sara will be holding a birds of a feather session (no eAC meeting)
- Saira Hasain
- Brett Bieber