eduroam Development VC Minutes 2024-07-16 1530 CEST

Attendance

Attendees

• Stefan Winter (Restena)
• Stefan Paetow (Jisc)
• Tomasz Wolniewicz (PSNC)
• Janfred Rieckers (DFN)
• Anders Nilsson (Sunet)
• Mike Zawacki (Internet2)
• Ed Kingscote (CANARIE)
• Chris Phillips (CANARIE)
• Derek Eiler (NSHE)
• Maja Górecka-Wolniewicz (PSNC)
• Louis Twomey (HEAnet)
• Fabian Mauchle (Switch)
• Zbigniew Ołtuszyk (PSNC)
• Christian Rohrer (Switch)
• Ingimar Jonsson (RHnet)
• Alan DeKok (FreeRADIUS)
• Janos Mohacsi (KIFÜ)
• Guy Halse (TENET)

Regrets

• Zenon Mousmoulas (GRNET)
• Paul Dekkers (SURF)
• Ed Wincott (Jisc)

Agenda / Proceedings

1. Welcome / Agenda Bashing

   • Offer Mike Z espresso.

2. Blast!RADIUS debrief

   • some feedback received - Aruba suggesting moving away from PEAP? Pushback. Possibly because of a “Workaround” suggestion in the Aruba advisory.: Use EAP-TLS instead… https://csaf.arubanetworks.com/2024/hpe_aruba_networking_-_hpesbnw04662.txt
   • German main IT outlet (Heise) - reported ~ 24 h late and thankfully included a sentence “luckily, eduroam is not affected”
   • 20 min Video on the attack: https://www.dfn.de/en/blastradius-newsmeldung/
   • some wireless vendors have shown interest in eduroam supporting RadSec / RADIUS/TLS. Happy to - certificate-based RADIUS/TLS is a commodity feature on many NRO RADIUS servers. Process for getting certificate from NRO too. What is (intentionally) not supported is the Wi-Fi gear generating certs and CAs on its own and expecting the NRO to accept that as a trust base.
   • RADIUS/DTLS document could contain a sentence like “RADIUS equipment should be prepared to be issued a certificate from an external CA” (which is the case both for eduroam and OpenRoaming, too)
   • https://loet.bar/products/kritische-infrastruktur-sticker

3. Upcoming CAT release 2.1.2

   • little things trickling in (e.g. updated OS logos)
   • plan to push out release by end of this week
   • actual switch on cat.eduroam.org later (after holiday period)
   • cat.eduroam.org/new is the sneak preview URL, connected to prod DB

4. Upcoming Meetings

• IETF 120 Vancouver
  • radext WG
    • RADIUS/(D)TLS to proposed standard
    • RADIUS/(D)TLS with TLS-PSK
    • RADIUS/1.1
  • emu WG
    • EAP-FIDO (EAP-NetAuthn? EAP-NAN? ;-) )

1. MS Credential Guard and NTLM - update?

   • A possible question for AOB: has Microsoft 11 patch 22H2 emerged again? This was the patch that disabled NTLM/support for passwords way back in Oct 2220N. One of our client referred us to the Microsoft page from that time, which was updated in recent weeks. It’s not clear to me whether the patch has been re-released in a form which breaks NTLM?
   • No particular new intel; but some anecdotes about need to turn off Credential Guard (affecting Windows 11 Enterprise only)
   • whereas our past response was: keep Credential Guard on; just live with the fact that your password for eduroam needs to be entered again, seperated, not sourced from the Cred Guard any more
     NTLM Deprecation Announcement (Specifically Client): https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features
   • short term way out: TTLS-PAP
   • longer term: EAP-TLS (geteduroam, Managed IdP, …)

2. AOB / Next VC

• 30 Jul 2024 1530 CEST