> On Apr 28, 2017, at 3:49 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> > wrote: > > Philippe, > > I’m not arguing the “convenience factor” or OTA encryption, which eduroam > certainly provides, just that users (and universities advocating for it) > shouldn’t blindly trust it any more, or less, than any other guest network.
Jeff, eduroam is authenticated and each user that uses eduroam has a verified affiliation with a University/College somewhere in the world. Each NRO signs an agreement, and each NRO makes each school agree to RADIUS logs holding and other privacy features. How is this “little behind it”? eduroam is vastly superior to other guest networks, unless you require direct identification with an ID at the help desk to join Wi-Fi (and even IDs can be very fake). The same way that schools trust other directory services with Shibboleth or even transcripts, at one point we have to rely on the fact that other members of our community are on a acceptable standard that we can relate to make our lives easier and save time for all of us. We do not ask schools to make it the primary SSID, most decide that it makes more sense. It is simpler to make users be ready to travel and reduces SSID confusion. As I mentioned earlier, users still need to me reminded that eduroam allows them to connect around the world. Having eduroam as the main SSID is not sufficient. Having a local secure SSID is still very useful especially when there are potential eduroam conflicts due to schools’ proximity. But this will soon be a moot point when Passpoint/HT2.0 becomes predominant. You will be able to welcome many roaming communities on your network and even set your own preference for your clients to avoid "SSID conflicts" when same SSIDs advertised by different locations conflict with each other (the client will always prefer the network from its own school) Philippe > > You touch on my concern with this statement, “Most Schools tend to give more > privileges/bandwidth to eduroam because it is acommunity of trust.” > > eduroam should in no way be considered “…a community of trust” as there is > little behind it to guarantee as such. In promoting it across EDUs, and > making it the primary SSID, universities are certainly making it appear as if > it is to those using it, but it’s an illusion. No matter how it’s painted, at > the end of the day it’s still an unregulated, multi-ISP, guest network. > > I’m not arguing against broadcasting eduroam (which my campus does), or its > convenience for guests, just don’t hold it up as something it’s not. > > Jeff > > > From: "wireless-lan@listserv.educause.edu > <mailto:wireless-lan@listserv.educause.edu>" > <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <mailto:WIRELESS-LAN@listserv.educause.edu>> on behalf of Philippe Hanset > <phan...@anyroam.net <mailto:phan...@anyroam.net>> > Reply-To: "wireless-lan@listserv.educause.edu > <mailto:wireless-lan@listserv.educause.edu>" > <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <mailto:WIRELESS-LAN@listserv.educause.edu>> > Date: Friday, April 28, 2017 at 11:14 AM > To: "wireless-lan@listserv.educause.edu > <mailto:wireless-lan@listserv.educause.edu>" > <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <mailto:WIRELESS-LAN@listserv.educause.edu>> > Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process) > > > Jeff, > > > > Why do I say this? > · Organization - A university can’t assume and/or guarantee that > “eduroam” is administered at another campus in the same way that it is at > home. There is no guarantee of privacy, be it the data collected during > authentication/authorization, or information being sent/received by the > client while traversing the other organization’s network. There is no > guarantee user data won’t be sold, studied, or otherwise used as the > organization terminating the client’s connection sees fit. eduroam is a name > only. > · User – Assumption that “eduroam” away from their home campus is the > same as “eduroam” at another organization. Assumption that there is the same > level of data security, privacy, or other safeguards/guarantees as provided > at home. Assumption that the same resources are available. Assumption > “eduroam’ out in the world is superior than connecting to an open network. > > > Connecting to eduroam is superior to connecting to an open network for at > least 4 reasons: > (other may add to the pile) > > 1-No wasted time “hunting” for an SSID that who knows what it is in a list > that is larger every day (especially for Urban Campuses) > 2 -If the network is accepting your RADIUS infrastructure certificate, you > know that you are on a trusted network part of a community > (I will send another email to respond to the MiTM attack on PEAP and > EAP-TTLS…use the CAT tool to mitigate that, or EAP-TLS if you can afford it) > 3-Encryption over the air as part of WPA2-enterprise for guests as a great > side effect > 4-The local school knows that if needed, the user can be found (infected > machine, abuse, DMCA, etc…) > > I agree that all eduroam networks are not equal, but neither are Open > Networks. It is in the end a guest experience. > I actually have the same with my cellular network… sometimes it is LTE or 4G, > sometimes 3G with very little capacity, even though > it always references the same carrier and I pay the same! > It is our job as Network Operators to inform our users that there is no > guarantee of service > > Most Schools tend to give more privileges/bandwidth to eduroam because it is > a community of trust. > So, in most cases you will experience a better experience that classic Open > Guest Networks. > > > > > Certainly, some of the data privacy pieces could be mitigated by using a > home-campus VPN while traveling, but now you are creating rules that the > end-user must remember. These rules become confusing when you are in an area > with multiple organizations all broadcasting “eduroam”, where to simplify the > user experience i.e. they can get to the same resources, the default becomes > using VPN all the time. Once you force the use of a VPN, then is “eduroam” > any different than using an open/suest networ > I would prefer to see “eduroam” in the same light as say, using Facebook to > login to other applications i.e. The university advertises that the guest > wireless SSID supports the “eduroam” authentication service. The visiting > person connects to your branded guest SSID using their home college > credentials – understanding that they are bound to your AUP or other local > decisions on the use of their data. There is no confusion about who owns, > administers, or otherwise controls the network the client is connected to and > no assumptions about resource availability. > > > > So for every campus that you visit you have to suffer: > Hunting for the SSID > Trust that SSID > Read the AUP > Share your Social Identity (talk about big data here) > And as a network Operator you have to hope that the Social Identity is > somewhat real! > > Schools don’t have time to look at big data for their traveling users or > their guests, and the only info is username@domain or if you want > anonymous@domain. > You actually have the choice to anonymize yourself, it is not against any > rule. > > The same goes for NROs (National Roaming Operators for eduroam), we have all > signed an agreement that we cannot use user data other than troubleshooting > and monitoring unless required by law enforcement. > I doubt that Facebook or any other Social Provider can guarantee that…they > make money out of your data! > > Again, if you fear to be tracked on eduroam, definitely anonymize your > outer-identity. It is accepted, and many do it (it can even be done > automatically in the CAT tool). > In case of abuse or infection, a user can be found by contacting the campus > of origin (so you let the IDP decide how to deal with Privacy for their > users!). > > Finally, there is a reason why the big carriers did a push for > Hotspot2.0/Passpoint. Protocols like 802.1X/WPA2-enterprise are great for > security and authentication (both of the infrastructure > and users), and the guest Wi-Fi industry is moving toward those standards. We > all have done it with eduroam way ahead of the carriers. > The privacy issue with large carriers might be an issue, but we suffer the > same with our Cellphones already. > Privacy and Net Neutrality is at stake every day. > > Hope this helps, > > Philippe > > Philippe Hanset, CEO > www.anyroam.net <http://www.anyroam.net/> > www.eduroam.us <http://www.eduroam.us/> > +1 (865) 236-0770 > > GPG key id: 0xF2636F9C > > > > > > > > > Jeff > > > From: "wireless-lan@listserv.educause.edu > <mailto:wireless-lan@listserv.educause.edu>" > <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <mailto:WIRELESS-LAN@listserv.educause.edu>> on behalf of Marcelo Maraboli > <marcelo.marab...@uc.cl <mailto:marcelo.marab...@uc.cl>> > Organization: UC > Reply-To: "wireless-lan@listserv.educause.edu > <mailto:wireless-lan@listserv.educause.edu>" > <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <mailto:WIRELESS-LAN@listserv.educause.edu>> > Date: Thursday, April 20, 2017 at 2:16 PM > To: "wireless-lan@listserv.educause.edu > <mailto:wireless-lan@listserv.educause.edu>" > <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <mailto:WIRELESS-LAN@listserv.educause.edu>> > Subject: [WIRELESS-LAN] Eduroam adoption (and migration process) > > Hello everyone. > > We are finally adopting EduROAM in our University and we currently have one > SSID with MAC-based authentication, so moving to EduROAM is also a 802.1x > upgrade > for us as well. > > Would you be so kind to respond a couple of questions?: > > > If you adopted EduROAM as your primary SSID: > - Did you leave an SSID for legacy devices ? (What AUTH mechanism for this > SSID?) > - How did you "force-move" your users to EdoROAM from your old SSID ? > > If you added EduROAM as just another SSID: > - why not adopt EduROAM as your primary SSID ? (Branding or no interest? ) > - Is your primary SSID also 802.1x o MAC-based ? > - if 802.1x, why have 2 SSIDs with 802.1x ? > > > thank you all, > > -- > Marcelo Maraboli Rosselott > Subdirector de Redes y Seguridad > Dirección de Informática > Pontificia Universidad Católica de Chile > http://informatica.uc.cl/ <http://informatica.uc.cl/> > -- > Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul > Santiago, Chile > Teléfono: (56) 22354 1341 > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found > athttp://www.educause.edu/discuss <http://www.educause.edu/discuss>. > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/discuss <http://www.educause.edu/discuss>. > > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found > athttp://www.educause.edu/discuss <http://www.educause.edu/discuss>. > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/discuss <http://www.educause.edu/discuss>. > ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
