eduroam Development VC Minutes 2023-03-14 1530 CET

Attendance

Attendees

  • Stefan Winter (Restena)
  • Stefan Paetow (Jisc)
  • Maxime Houlbert (Renater)
  • Tomasz Wolniewicz (PSNC)
  • Arnaud Lauriou (RENATER)
  • Louis Twomey (HEAnet)
  • Jan-Frederik Rieckers (DFN)
  • Zbigniew Ołtuszyk (PSNC)
  • Maja Górecka-Wolniewicz (PSNC)
  • Anders Nilsson (SUNET)
  • Philippe Hanset (ANYROAM)
  • Christian Rohrer (SWITCH)
  • Paul Dekkers (SURF)
  • Mike Zawacki (Internet2)
  • Guy Halse (TENET)
  • Sara Jeanes (Internet2)
  • Wenche Backman-Kamila (CSC/Funet)
  • Dubravko Penezić (SRCE)
  • Ed Wincott (Jisc)
  • Zenon Mousmoulas (GRNET)
  • Hideaki Goto (Tohoku University/NII)

Regrets

Chris Phillips (CANARIE) - colliding meeting; may want to take note of the geteduroam certificate story, i.e. the difference between CAT and geteduroam behaviour acknowledged on the Slack channel

Agenda / Proceedings

  1. Welcome / Agenda Bashing

  2. geteduroam/CAT certificate handling differences?

geteduroam: "If the CA does not contain a CN, the import fails." (iOS version only) -> bugfix in the making, available soon in TestFlight.

Case in point, a CA certificate whose subject carries no CN: GoDaddy CA with C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority

  3. Is anyone observing a surge of malformed EAP packets?

radius_cap (Janfred's tool) could detect these situations with a small feature update; this is in the backlog.

There are some samples in other people's logs, such as "Malformed EAP Message: EAP packet has invalid length (less than 4 bytes)".

At least one affected MAC address belongs to a Huawei device (the first authentication succeeds, subsequent ones fail).
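As an added illustration of the check behind that log line (not code from radius_cap or any RADIUS server), the following validator applies the RFC 3748 header rules to reassembled EAP-Message payloads and reports which of a few constructed samples a server would reject. The sample packets and the EapCheck/triage names are assumptions made for this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748 s.4
EAP_HEADER_LEN = 4  # Code(1) + Identifier(1) + Length(2)

@dataclass
class EapCheck:
    ok: bool
    reason: str
    code: Optional[int] = None
    ident: Optional[int] = None
    eap_type: Optional[int] = None  # only set for Request/Response

def check_eap_message(pkt: bytes) -> EapCheck:
    """Validate one reassembled EAP-Message payload as a RADIUS server does before
    dispatching to an EAP method; the first branch is the log line from the minutes."""
    if len(pkt) < EAP_HEADER_LEN:
        return EapCheck(False, "EAP packet has invalid length (less than 4 bytes)")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in EAP_CODES:
        return EapCheck(False, f"unknown EAP code {code}", code, ident)
    if length < EAP_HEADER_LEN:
        return EapCheck(False, f"Length field {length} smaller than header", code, ident)
    if length > len(pkt):
        # Truncated: the header promises more bytes than arrived. Bytes beyond Length
        # are link-layer padding per RFC 3748 and are tolerated, so only '>' is an error.
        return EapCheck(False, f"Length field {length} > {len(pkt)} bytes received", code, ident)
    if code in (1, 2):
        if length < EAP_HEADER_LEN + 1:
            return EapCheck(False, "Request/Response without Type byte", code, ident)
        return EapCheck(True, "ok", code, ident, pkt[4])
    return EapCheck(True, "ok", code, ident)

def triage(samples: dict) -> dict:
    """Map each rejected sample name to its reason, a log-style summary of a batch."""
    results = {name: check_eap_message(pkt) for name, pkt in samples.items()}
    return {name: r.reason for name, r in results.items() if not r.ok}

# Constructed samples, not captured traffic.
SAMPLES = {
    "identity_response": bytes([2, 1, 0, 10, 1]) + b"alice",  # valid Response/Identity
    "three_bytes": bytes([2, 1, 0]),                           # shorter than the header
    "short_length": bytes([2, 1, 0, 2, 1]),                    # Length field below 4
    "truncated": bytes([1, 7, 0, 20, 25]),                     # claims 20 bytes, 5 arrived
    "success": bytes([3, 7, 0, 4]),                            # valid EAP-Success
}
```

Running `triage(SAMPLES)` flags the three malformed samples; correlating such rejections per calling station over time is what distinguishes a misbehaving client from a transient.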

  4. EAP-FIDO updates

    • packet flow for authentication phase

    • How to do onboarding/registration?

      • one-time token as User-Name (as initially sketched)
      • web registration, with same-scope as subsequent EAP conversation
      • TEAP with an initial username/password authentication, doing a step-up to FIDO?
      • slides coming…
    • Stefan presented the packet workflow for auth

    • X.509 cert / PKIX for server auth is a pity, but probably unavoidable

    • especially when registration is done on the web: needs TLS context for the web registration

    • next steps: try to implement, present at IETF

    • interesting lead: Simon Rozman (who implemented GEANTlink).

    • -> If IETF doesn't raise red flags conceptually, this could be an option to get a Windows implementation (maybe code to include in geteduroam)

  5. Recurring: Passpoint hardware and onboarding chit-chat

How big is OpenRoaming really? Difficult to judge. Anecdotal evidence from London / Japan / airports. “More than 7000 hotspots” as per website (which may not be much if this counts individual APs rather than locations).

Let's ask the WBA PMO whether these are locations or individual APs. Stefan (Jisc) to ask.

  6. AOB / next VC: 28 Mar 2023 1530 CET