Philippe,

This statement, “each user that uses eduroam has a verified affiliation with a 
University/College somewhere in the world”, while sort of true, is also 
meaningless. There are numerous universities out there that grant identities to 
anyone in their local community for the sake of services like the library and 
wireless. There is certainly a loose affiliation, but that in no way means the 
university has vetted that person or would attest to anything more than that they 
filled out a form, i.e. the fact that they have credentials doesn’t in any way 
add to the “eduroam is vastly superior” claim.

Trust – Sure, we need to trust each other, and that’s why we have mechanisms to 
do so such as federation. That’s only one part of the trust, and in the case of 
eduroam, what requirements are there concerning how client data will be handled 
as it terminates on and traverses a participating college’s network? A campus is 
free to record all activity: DNS records, URLs, flows, etc. And that’s the 
rub with eduroam. A member of my community has knowledge of our AUP and what we 
collect as part of normal network operation. When they auto-roam to another 
campus’ eduroam, there is no disclosure as to how it operates. The user falsely 
assumes it’s the same as the home campus.

As for Passpoint/HT2.0, with its wider adoption, it will be interesting to see 
if universities accomplish this via eduroam and/or via affiliations with 
existing cellular or network providers, especially if there is a way to 
monetize the university’s wifi network. I’d rather get paid by Verizon for 
allowing a student’s Verizon cell phone access to our network than provide 
that service for free via eduroam.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Philippe Hanset <phan...@anyroam.net>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, April 28, 2017 at 2:51 PM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)


On Apr 28, 2017, at 3:49 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> wrote:

Philippe,

I’m not arguing the “convenience factor” or OTA encryption, which eduroam 
certainly provides, just that users (and universities advocating for it) 
shouldn’t blindly trust it any more, or less, than any other guest network.


Jeff,

eduroam is authenticated and each user that uses eduroam has a verified 
affiliation with a University/College somewhere in the world. Each NRO signs an 
agreement, and each NRO makes each school agree to RADIUS log retention and other 
privacy features. How is this “little behind it”?

eduroam is vastly superior to other guest networks, unless you require direct 
identification with an ID at the help desk to join Wi-Fi (and even IDs can be 
very fake).

The same way that schools trust other directory services with Shibboleth or 
even transcripts, at some point we have to rely on the fact that other members 
of our community are on an acceptable standard that we can relate to, to make 
our lives easier and save time for all of us.

We do not ask schools to make it the primary SSID; most decide that it makes 
more sense. It is simpler to make users ready to travel and reduces SSID 
confusion.
As I mentioned earlier, users still need to be reminded that eduroam allows 
them to connect around the world. Having eduroam as the main SSID is not 
sufficient.

Having a local secure SSID is still very useful, especially when there are 
potential eduroam conflicts due to schools’ proximity.
But this will soon be a moot point when Passpoint/HT2.0 becomes predominant.
You will be able to welcome many roaming communities on your network and even 
set your own preference for your clients to avoid "SSID conflicts" when the same 
SSIDs advertised by different locations conflict with each other (the client 
will always prefer the network from its own school).

Philippe

You touch on my concern with this statement, “Most Schools tend to give more 
privileges/bandwidth to eduroam because it is a community of trust.”

eduroam should in no way be considered “…a community of trust” as there is 
little behind it to guarantee as such. In promoting it across EDUs, and making 
it the primary SSID, universities are certainly making it appear as if it is to 
those using it, but it’s an illusion. No matter how it’s painted, at the end of 
the day it’s still an unregulated, multi-ISP, guest network.

I’m not arguing against broadcasting eduroam (which my campus does), or its 
convenience for guests, just don’t hold it up as something it’s not.

Jeff


From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Philippe Hanset <phan...@anyroam.net>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, April 28, 2017 at 11:14 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)


Jeff,

Why do I say this?
• Organization – A university can’t assume and/or guarantee that 
“eduroam” is administered at another campus in the same way that it is at home. 
There is no guarantee of privacy, be it the data collected during 
authentication/authorization, or information being sent/received by the client 
while traversing the other organization’s network. There is no guarantee user 
data won’t be sold, studied, or otherwise used as the organization terminating 
the client’s connection sees fit. eduroam is a name only.
• User – Assumption that “eduroam” away from their home campus is the 
same as “eduroam” at another organization. Assumption that there is the same 
level of data security, privacy, or other safeguards/guarantees as provided at 
home. Assumption that the same resources are available. Assumption that “eduroam” 
out in the world is superior to connecting to an open network.


Connecting to eduroam is superior to connecting to an open network for at least 
4 reasons (others may add to the pile):

1- No wasted time “hunting” for an SSID (who knows what it is) in a list that 
is larger every day (especially for Urban Campuses)
2- If the network is accepting your RADIUS infrastructure certificate, you know 
that you are on a trusted network that is part of a community
   (I will send another email to respond to the MiTM attack on PEAP and 
EAP-TTLS… use the CAT tool to mitigate that, or EAP-TLS if you can afford it)
3- Encryption over the air as part of WPA2-enterprise for guests, as a great side 
effect
4- The local school knows that if needed, the user can be found (infected 
machine, abuse, DMCA, etc.)

I agree that all eduroam networks are not equal, but neither are Open Networks. 
It is in the end a guest experience.
I actually have the same with my cellular network… sometimes it is LTE or 4G, 
sometimes 3G with very little capacity, even though it always references the 
same carrier and I pay the same!
It is our job as Network Operators to inform our users that there is no 
guarantee of service.

Most Schools tend to give more privileges/bandwidth to eduroam because it is a 
community of trust.
So, in most cases you will have a better experience than on classic Open 
Guest Networks.


Certainly, some of the data privacy pieces could be mitigated by using a 
home-campus VPN while traveling, but now you are creating rules that the 
end-user must remember. These rules become confusing when you are in an area 
with multiple organizations all broadcasting “eduroam”, where to simplify the 
user experience, i.e. so they can get to the same resources, the default becomes 
using VPN all the time. Once you force the use of a VPN, then is “eduroam” any 
different than using an open/guest network?

I would prefer to see “eduroam” in the same light as, say, using Facebook to 
log in to other applications, i.e. the university advertises that the guest 
wireless SSID supports the “eduroam” authentication service. The visiting 
person connects to your branded guest SSID using their home college credentials, 
understanding that they are bound to your AUP or other local decisions on the 
use of their data. There is no confusion about who owns, administers, or 
otherwise controls the network the client is connected to, and no assumptions 
about resource availability.



So for every campus that you visit you have to suffer:
- Hunting for the SSID
- Trusting that SSID
- Reading the AUP
- Sharing your Social Identity (talk about big data here)
And as a network Operator you have to hope that the Social Identity is somewhat 
real!

Schools don’t have time to look at big data for their traveling users or their 
guests, and the only info is username@domain or if you want anonymous@domain.
You actually have the choice to anonymize yourself, it is not against any rule.

The same goes for NROs (National Roaming Operators for eduroam), we have all 
signed an agreement that we cannot use user data other than troubleshooting and 
monitoring unless required by law enforcement.
I doubt that Facebook or any other Social Provider can guarantee that…they make 
money out of your data!

Again, if you fear being tracked on eduroam, definitely anonymize your 
outer identity. It is accepted, and many do it (it can even be done 
automatically in the CAT tool).
In case of abuse or infection, a user can be found by contacting the campus of 
origin (so you let the IdP decide how to deal with Privacy for their users!).

Finally, there is a reason why the big carriers did a push for 
Hotspot2.0/Passpoint. Protocols like 802.1X/WPA2-enterprise are great for 
security and authentication (both of the infrastructure and users), and the 
guest Wi-Fi industry is moving toward those standards. We all have done it with 
eduroam way ahead of the carriers.
The privacy issue with large carriers might be an issue, but we suffer the same 
with our Cellphones already.
Privacy and Net Neutrality are at stake every day.

Hope this helps,

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770
GPG key id: 0xF2636F9C

Jeff


From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Marcelo Maraboli <marcelo.marab...@uc.cl>
Organization: UC
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, April 20, 2017 at 2:16 PM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Eduroam adoption (and migration process)

Hello everyone.

We are finally adopting EduROAM in our University, and we currently have one 
SSID with MAC-based authentication, so moving to EduROAM is also an 802.1x 
upgrade for us as well.

Would you be so kind as to answer a couple of questions?


If you adopted EduROAM as your primary SSID:
- Did you leave an SSID for legacy devices? (What AUTH mechanism for this 
SSID?)
- How did you "force-move" your users to EduROAM from your old SSID?

If you added EduROAM as just another SSID:
- Why not adopt EduROAM as your primary SSID? (Branding or no interest?)
- Is your primary SSID also 802.1x or MAC-based?
- If 802.1x, why have 2 SSIDs with 802.1x?


thank you all,
--
Marcelo Maraboli Rosselott
Deputy Director of Networks and Security
IT Department
Pontificia Universidad Católica de Chile
http://informatica.uc.cl/
--
Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul
Santiago, Chile
Phone: (56) 22354 1341
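The two client-side mitigations Philippe raises above, an anonymous EAP outer identity and pinning the home RADIUS server certificate (what the CAT tool configures for a user), shown as an added wpa_supplicant example that is not from this thread. The realm example.edu, the CA file path and the RADIUS hostname are placeholders for a home institution's real values.

```conf
# Added example (not from the thread). Two wpa_supplicant network blocks for
# the eduroam SSID: the first is the weak configuration to avoid, the second
# mirrors what the eduroam CAT tool generates. example.edu, the CA file path
# and radius.example.edu are placeholders for the home institution's values.

# WEAK: no CA pinning, so any RADIUS server presenting any certificate can
# terminate the TLS tunnel (the PEAP/EAP-TTLS MiTM mentioned above), and the
# real username travels in the clear as the outer identity on every roam.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="jsmith@example.edu"
    password="<user password>"
    phase2="auth=MSCHAPV2"
    # no ca_cert, no domain_suffix_match, no anonymous_identity
}

# HARDENED: the outer identity carries only the realm, which is all the
# visited campus and the NROs need to route the request home; the real
# username stays inside the TLS tunnel and is seen only by the home IdP.
# The tunnel is built only if the server certificate chains to the pinned
# CA and its name matches the home RADIUS server.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.edu"
    identity="jsmith@example.edu"
    password="<user password>"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/eduroam/example-edu-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}
```

With the hardened block a visited site's RADIUS logs only ever record anonymous@example.edu, and a rogue access point with a self-signed certificate causes the supplicant to abort the handshake instead of handing over MSCHAPv2 credentials.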
********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.