eduroam Development VC Minutes 2023-02-28 1530 CET

Attendance

Attendees

  • Stefan Winter (Restena)
  • Alan DeKok (FreeRADIUS / Network RADIUS s.à.r.l.)
  • Tomasz Wolniewicz (PSNC)
  • Zenon Mousmoulas (GRNET)
  • Mike Zawacki (Internet2)
  • Jan-Frederik Rieckers (DFN)
  • Philippe Hanset (ANYROAM)
  • Christian Rohrer (SWITCH)
  • Maja Górecka-Wolniewicz (PSNC)
  • Anders Nilsson (SUNET)
  • Zbigniew Ołtuszyk (PSNC)
  • Chris Phillips (CANARIE)
  • Ed Kingscote (CANARIE)
  • Louis Twomey (HEAnet)
  • Fabian Mauchle (SWITCH)
  • Ingimar Jonsson (RHnet)
  • Stefan Paetow (Jisc)
  • János Mohácsi (KIFÜ)
  • Ed Wincott (Jisc)

Regrets

Agenda / Proceedings

  1. Welcome / Agenda Bashing

  2. radsecproxy development

    • NetworkRADIUS (Alan DeKok) offered to put work into radsecproxy (focus on “more than 256 packets in flight”).

    • Alan attended the meeting today. Features in roughly descending order of felt importance:

      • Windows port would be useful for many low-profile orgs that need just an adapter from NPS to “real RADIUS” (cygwin? libpthread? WSL? Also consider standard Windows tools to enable it as a Service/auto-start/MSI installer for easy installation …
      • more than 256 packets in flight
      • TLS-PSK also interesting
      • RADIUS “traceroute”
      • Maybe also compile on/for macOS?
      • dynamic discovery on DTLS would also need fixes
    • Fabian and Alan to sync so that they don’t simultaneously work on the same feature. @Stefan to mutually introduce mail addresses

    • Alan reports NPS is dead - compiles, and ships as-is, but do not expect any feature development.

    • NPS in the cloud seems to exist - no details available.

    • There is also AADDS that FreeRADIUS can talk to (eliminating the need for NPS)

    • geteduroam is doing Windows packaging - so knowledge about Windows ports is near. Alan to talk to Paul.

    • Keep community posted on radsecproxy ongoing work - GitHub issues:

  3. Aftermath of the PEAP protocol/MS implementation vulnerability

    • As seen here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21689
    • NROs sent out advisories, not much feedback about patches actually being applied
    • Not a good idea to take and run PoC exploit code to find out who has patched and who has not.
    • Handle similar to Heartbleed in terms of communication: better be proactive and issue advisory on eduroam.org
    • With a wider view: this is one more nail in the coffin of PEAP and password-based authentication in general.
    • Is EAP-TLS the cure? If done right, maybe; but need to handle the complexities -> geteduroam, Managed IdP, SecureW2, XpressConnect, your own CA and cert deployment, … ?
    • Be wary of centralising authentication too much (e.g. fully centralised, or done only at NRO level); give institutions the option to run their own show.
  4. EAP-FIDO updates

    • more thoughts for EAP-FIDO: need key derivation (no secrets available on both sides)
    • probably best done by doing a post-authentication Diffie-Hellman exchange
    • How to do onboarding/registration?
      • one-time token as User-Name (as initially sketched)
      • web registration, with same-scope as subsequent EAP conversation
      • TEAP with an initial username/password authentication, doing a step-up to FIDO?
  5. Recurring: Passpoint hardware and onboarding chit-chat

    • Alan now in the WBA
    • Is the inertia around OpenRoaming slowing down? Just a feeling anyway.
    • Paul could probably grep usage statistics out of the eduroam<->OpenRoaming proxies.
    • JISC in the process of setting up their own proxies. Known issue: some DNS providers do not support setting NAPTR records at all. Certificate issuance for OpenRoaming is the core blocker.
  6. AOB / next VC: 14 Mar 2023 1530 CET