Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

#NameDescriptionStatusTools
1Use the right SSID

NROs MUST ensure all members only deploy the service under the 'eduroam' SSID. Non-compliant networks MUST NOT be labelled 'eduroam' or anything similar to avoid confusion for visitors. The eduroam SSID MUST NOT be shared with other network services.

MUSTNRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self)
2Ensure clarityNRO members SHOULD act to minimise any possibility of confusion between eduroam and other guest services they may offer (e.g. to prevent credentials being inappropriately presented)SHOULDCheck info on web pages and other information sources (OT manual)
3Permit 802.11 onlyNROs MUST ensure members offer eduroam ONLY on 802.11-based wireless media (i.e. NOT over bluetooth etc).MUSTNRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self)
34Maintain an audit trailNROs MUST ensure that they and their members retain authentication and DHCP logs for <period defined in central policy?> to enable the cooperative resolution of identity in the event of abuse of eduroamMUSTNRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self)
45Prevent credential sharingNROs MUST ensure that all their members enforce the policy that credentials SHOULD NOT be shared between users (or devices where device authentication is used). Automated monitoring of high numbers of simultaneous logins may help with this.MUSTNRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) Automated monitoring (OT automatic or NRO automatic)
56Standardise end-user accessNROs MUST ensure all members offer eduroam users access to the minimum standard ports and protocols, which are specified in the eduroam policy, such that the baseline services (web email and VPN) are consistently available.MUSTNRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self)
67Ensure physical securityNROs must advise their members that WiFi APs and cabling SHOULD be be secured as much as possible (e.g. to restrict opportunities to introduce network taps or other tampering). All servers MUST be hosted in a secure environment.MUSTNRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self)
78Manage shared secretsRADIUS shared secrets MUST have sufficient entropy (16+ characters), and MUST NOT be reused (each RADIUS server must have a unique shared secret for each trust relationship it participates in)MUSTCheck server configuration (NRO self)
89Provide physical signageNRO advises member organisations to deploy physical signage in areas where eduroam is available (e.g. to assist visitors with medical prosthetics) (What does this mean in practice?(WBK))SHOULDEvidence: copy of documentation/web page
910Ensure you are contactableNRO has arranged 365 cover of all named contact points (mail and phone redirects for leave etc)SHOULDRandomly check quality of info in the eduroam database (OT automatic)
1011

Use the CAT

NRO SHOULD maintain a CAT adminstrator/config for its own staff and also recommend CAT usage to all members. Wherever possible, CAT SHOULD be used to assist with client deployments.SHOULDCheck CAT (OT automatic), NRO verifies that CAT has been strongly recommended to eduroam IdPs/SPs (NRO self)
1112Deprecate manual configurationWhere CAT-assisted end user device configuration is not possible, it SHOULD NOT be undertaken by the end user. Administration staff should undertake such configuration to ensure it is correctly completed. Manual configuration is not recommended.SHOULD NOTNRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self)
12Provide administrator trainingNRO SHOULD provide eduroam training to member organisations (either directly or through a third party)SHOULDCheck NRO course/training schedules (NRO self)
13Provide end-user 13Provide end-user educationNRO and members SHOULD implement training for end users on the expected legitimate behaviours of eduroam systems. Many attacks rely on incorrect user responses to inappropriate service behaviours such as password requests, certificate mismatch warnings etc.SHOULDNRO verifies that this has been communicated to eduroam IdPs/SPs and that NRO has offered to help with training implementation (NRO self)
14Ensure clarityProvide administrator trainingNRO members SHOULD act to minimise any possibility of confusion between eduroam and other guest services they may offer (e.g. to prevent credentials being inappropriately presentedprovide eduroam training to member organisations (either directly or through a third party)SHOULDCheck info on web pages and other information sources (OT manualNRO course/training schedules (NRO self)
15Select a certificate typeNRO and members SHOULD undertake a risk-based selection of private vs. public CAs for their RADIUS infrastructure. Private is usually preferrable.SHOULDNRO verifies that this has been communicated to eduroam IdPs/SPs and that NROs have offered help and advice (NRO self)
16Select an EAP TypeNRO should advise members that they SHOULD use at least one of TLS, TTLS, EAP-FAST or PEAP (see reference 9)SHOULDNRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self)
17Implement certificate revocationIf an EAP type which uses client side certificates is used (e.g. EAP-TLS), a robust revocation process SHOULD be in place to cover loss, theft or compromise of devices.SHOULDNRO verifies that this has been communicated to eduroam IdPs/SPs  (NRO self). NRO checks authentication flows through the FLTRs, identifies the organisations utilizing client certs and shows evidence that a robust revocation process is in place (NRO self)
18Use anonymous outer identitiesWhere supported by the EAP type and the supplicant, it is strongly recommended that anonymous outer identities SHOULD be used. (see reference 10)SHOULDNRO verifies that this has been communicated to eduroam IdPs/SPs and checks FTLR logs (NRO self)
19Enable CUIChargeable User Identity (CUI) SHOULD be implemented to enhance accountability of end user behaviour by pseudonymous means.SHOULDNRO verifies that this has been communicated to eduroam IdPs/SPs and checks FTLR logs (NRO self)
20Implement rogue AP detectionWhere available, NRO and members SHOULD monitor for rogue access points. IF possible, automated suppression of rogues SHOULD be implemented.SHOULDNRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self)
21Implement wireless IPSWhere available, NRO and members SHOULD implement Wi-Fi Intrusion Prevention Systems (IPS) to detect AP spoofing, malicious broadcasts etc.SHOULDNRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self)
22Operate to default denyNROs SHOULD advise all members to operate a default deny policy on all firewalls and access control lists, only granting specific traffic types that are required and have been risk assessed to pass.SHOULDNRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self)
23Provide mapsWebsites MAY includes graphical maps of accessible locations, noting additional services such as charging pointsMAYCheck information on web site (OT manual)
24Maximize eduroam coverageNROs SHOULD/MAY provide an eduroam proxy RADIUS server to enable interested SPs outside the community to offer eduroam in their network.SHOULD/MAYNRO verifies (NRO self) (Added by WBK)
25Enable collaborationNROs SHOULD/MAY enable collaboration between the eduroam-enabled institutions by the use of conferences, email lists and/or Slack channelsSHOULD/MAYNRO verifies (NRO self) Conference material are available at https://wiki.geant.org/x/5KbTC  (Added by WBK)
26audit eduroam IdPs/SPsNROs SHOULD regularly audit eduroam IdPs/SPs on the criteria mentioned aboveSHOULDShow documentation of audit (OT manual) (Added by WBK)

...