Date, Time, and Location

Thursday, June 11, 2020
1:00pm ET | 12:00pm CT | 11:00am MT | 10:00am PT

Minutes

eAC wiki: https://spaces.at.internet2.edu/display/eduroam/eduroam+Advisory+Committe

Attendees: Kim Owen, Rob Gorrell, Miroslav Milinovic, Andrew Buker, Neil Johnson, Stefan Winter, Theresa Semmens, Jeff Egly, Tim Capalli

With: Mike Zawacki, Ann West, Nick Roy, Jessica Fink, Shannon Roddy, Romy Bolton

Regrets: Jeremy Livingston


Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework.

Public Content Notice - eAC minutes are public documents. Please let the eAC and note taker know if you plan to discuss something of a sensitive nature.

Agenda and Notes

    • Primary goal is less a “how to” guide and more of a resource to assist readers at points of implementation and support decisions
      • Example - why or why not to use eduroam as the SSID.  Not only the how but the why
    • Timeline - complete within two months in preparation for Internet2 scheduled training in August
      • Create a working group who will bring a draft back in July.  Ultimately want to build this in Confluence. Maybe do rough work in Google docs and bring into the Confluence
    • Miro offered GEANT’s eduroam wiki as a resource. Aside, if you have feedback for that wiki it can be sent to the admins. It’s undergoing revisions and any input would be helpful to the admins. The guide attempts to address various use cases and includes documentation for participants from end users up to Roaming Operators. 'How to....' (deploy, promote and support) eduroam - 'How to....' eduroam.

Draft outline of eduroam Best Practices Guide

    • One way to possibly approach this would be to point to UETN’s documentation as a case study and GEANT’s documentation as a reference source for more in depth information, but focus on creating our guide specifically for consumption by US subscribers. Pointers to UETN and GEANT resources would round out content and serve to inform the US eduroam community about these parallel efforts. 
    • Consider new subscribers, especially from segments like K12, and how we can guide them through implementation and support. 
      • Maybe jot down key decision points that could come up for each item. Gather recommendations from group on each point (e.g. going EAP-TLS vs EAP-PEAP, anonymizing outer identity vs allowing user names)
      • Logging requirements would be good to include Miro - in line with global requirements and recommendations
      • Include distributed approach to support - what’s expected of participants in their various roles. 
      • Could use a security section. WPA3-Enterprise considerations, RadSec, EAP server certificate options, etc. would all be in that section
        • AI Mike add 1) security, 2) logging practices to the outline
      • Include reference to document on EAP server cert considerations and eduroam IdP considerations
      • Format suggestion -  Ultimately there needs to be a "here's the recommendation" at the top and then "Here's alternative options" aka, you should be using EAP-TLS and non-public EAP server certificate because XYZ. "Here are alternatives... blah blah. Most secure = recommendations. Alternative = additional info"

      • Best Practices Guide working group to review the resources listed here and come to that call ready to discuss. Mike will include the list in the meeting invite to the working group.
      • Would also be good to include SP only info, keeping in mind that ANYROAM is the owner of most of those SP-only relationships. Advise having a callout to the role of IdP/SP members of the academic community, and explaining the difference between that community and SP-only subscribers
      • Unsure the SP-only option is only for private/corporate entities. Consider teaching hospitals - they need to allow students to connect while on prem, but may not need to allow their employees to roam. Could be a technical or organizational question. For example, teaching hospitals could be IdP/SP, maybe with main university managing both the IdP and SP portion, etc. In Croatia, Slovenia, Hungary for example, the NREN provides Wifi for K12s and acts as SP. Similarly, in Luxembourg there is a national database for all K12 students which serves as an IdP. Schools are SP-only. Not sure we should be overly picky about SP-only, everyone loves more service. Restrictions do make sense for IdPs to ensure they stick to the RE “mission” of eduroam.
      •  Reference role of GeGC, other NROs
        • Add section for content/URL filtering practices? Especially critical as we look toward K12 
          • Tim might present on this at a later date
      • Working group composition - UETN representative, Neil, Tim, Andrew, Mike Z/Romy
      • Timeline - Draft available for July 9 meeting.  Understand the need for the aggressive timeline
  • Next meeting of eAC: July 9th, 1pm-2:30pm ET
    • Next meeting of BPG working group TBD. Mike will send out scheduling poll.