TF-OpenSpace – Session 1, room 7. 16 October 2013.
Led by: Anders Nilsson & Tom Barton
Attendees: Anders Lördal, Brook, Chad, Paul, José-Manuel, Hideaki, Tom (Barton & Myren), Tomi.
Notes: Brook Schofield
Problem: NRENs as onboarding providers: problems & opportunities.
In the balance of Connectivity vs Security => Connectivity always wins.
Users will type their passwords into anything to get connectivity.
We need to rebalance that and ensure only "safe" options are presented to the user.
EAP-TLS is loved by security purists, but certificate deployment is problematic.
Username/password is better for users and perceived as easier. They want the experience to "just work".
The problem with Android
Too few Android devices perform server certificate validation for EAP-PEAP/TTLS.
Solved in v4.4 - but what is its market share? http://developer.android.com/about/dashboards/index.html
EAP-pwd solves this on Android for versions since 4.0 (approx. 70% of the market).
NIKHEF Helper application (https://play.google.com/store/apps/details?id=org.nikhef.eduroam) is in the Google Play store and generates EAP-TLS in exchange for federated credentials.
EAP-TLS => a per-device profile is a good idea: access for an individual device can be revoked, rather than a hard password reset that interrupts everything.
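As an added illustration (not from the session notes), what "certificate validation" means at the client-configuration level: a small Python audit of wpa_supplicant network blocks that flags password-based EAP methods (PEAP/TTLS) lacking a CA anchor, a server-name match, or an anonymous outer identity. The sample config, host names and credentials are constructed; EAP-TLS blocks are not flagged because they carry a per-device key rather than a password.

```python
"""Audit wpa_supplicant network blocks for password-carrying EAP methods
(PEAP/TTLS) that would accept any RADIUS server certificate."""
import re

# Constructed sample: two eduroam profiles, the first weak, the second hardened.
SAMPLE_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.org"
    anonymous_identity="anonymous@example.org"
    password="hunter2"
    ca_cert="/etc/ssl/certs/example-org-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
"""

PASSWORD_METHODS = {"PEAP", "TTLS"}  # the TLS tunnel is all that protects the password
NAME_CHECKS = ("domain_suffix_match", "subject_match", "altsubject_match")


def parse_networks(text):
    """Return one dict of key/value pairs per network={...} block."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        blocks.append(net)
    return blocks


def audit(net):
    """Return the findings for one block; an empty list means it passes."""
    findings = []
    if net.get("eap", "").upper() in PASSWORD_METHODS:
        if "ca_cert" not in net:
            findings.append("no ca_cert: any server certificate is accepted, password exposed")
        if not any(k in net for k in NAME_CHECKS):
            findings.append("no server name check: any certificate from the CA is accepted")
        if "anonymous_identity" not in net:
            findings.append("no anonymous_identity: real username sent in the clear")
    return findings


def audit_config(text):
    """Audit every block; returns (ssid, eap, findings) tuples."""
    return [(n.get("ssid"), n.get("eap"), audit(n)) for n in parse_networks(text)]
```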
InCert
- Native Store (multiple)
- Check validity on Login
- EAP-TLS
- Local Device Setup
- VPN and other services
- Windows, MacOS & iOS (TODO next is Android)
NRENs as onboarding providers
Three (3) components exist:
- Certificate Issuing (Confusa)
- Provisioning (Configuration Assistant Tool, CloudPath, InCert)
- IdP (DEAS)
Could be deployed as a centralised service OR in a confined environment.
Active Directory -> cloud RADIUS service is harder than deploying RADIUS locally.
EAP-TLS - why? Home orgs without IdPs (e.g. Google Apps) are still an opportunity.
[ACTION] InCert + NIKHEF to investigate collaboration on the Android platform.