eduroam Development VC Minutes 2026-04-21

Attendance

Attendees

• Stefan Winter (RESTENA)
• Anders Nilsson
• Guy Halse (TENET)
• Stefan Paetow (Jisc)
• Fabian Mauchle (Switch)
• Tomasz Wolniewicz (PCSS)
• Maja Górecka-Wolniewicz (PCSS)
• Janfred Rieckers (DFN)
• Alan DeKok (InkBridge)
• Frederic Gerber (Switch)
• Mohit Sharma (CANARIE)
• Chris Rohrer (Switch)
• Ed Kingscote (CANARIE)
• Louis Twomey (Asiera)
• Janos Mohacsi (Pro-M)
• Paul Dekkers (SURF)
• Ed Wincott (Jisc)

Regrets

Agenda / Proceedings

1. Welcome / Agenda Bashing

2. CAT / Managed SP

   • wired 802.1X support for Linux installers easy and in the works (requires NetworkManager; other variants don’t get wired support)
   • Managed SP issues
     • old orgs: disabled RADIUS deployment re-enabling leads to error
     • RADIUS server reachability over IPv6 issues?
     • Status-Server responses don’t have Message-Authenticator (prod is indeed old FreeRADIUS; new is in testing)
   • Managed SP “Pilot” will move into main CAT
     • https://cat-test.eduroam.org/services Set Enable hosted services for your federation to play with MSP
     • IdP-only orgs will still not be able to use the feature, even if fed-level has it On
     • old SP deployments will remain working for “a while” (timescale TBDefined)

3. Anon Outer IDs / expired roots: warning admins

   • next CAT version will display summary to NRO admin (around TNC26)

4. geteduroam

   • get.eduroam.org and OpenRoaming?
   • NAPTR records for eduroam realms are by default DISabled, so no OpenRoaming
   • reason is that radsecproxy “non-blocking” is typically not set, and first-auth connections systematically fail
   • you will need to ask Paul to get it enabled
   • (pseudo-accounts on Android will not do OpenRoaming regardless)

5. IETF

   • Future work on TEAP and hopefully TEAPv2. Will the eduroam community be the drivers of future EAP methods?
   • We kind of were the driving force of getting EAP-TTLS into Windows so…
   • Or should we be more active in pushing EAP-TLS 1.3 anon ID testing being brought into WFA WPA3 certification?

6. WFA / WBA

• Radiator etc. are pushing RadSec through WFA (Radiator support for RadSec TLS/PSK?)

1. AOB
   NTLM EOL/NPS?

   • not clear, but possible, that NTLMv2 will be discontinued or optionally-enabled in the next version of Windows Server
     • Similar to CredentialGuard?!
   • https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526
   • Open question on whether Microsoft will fix NPS to ensure it still works.
   • geteduroam is a way out (auth with SAML/ADFS and then pseudo-credentials)
   • other alternatives?

2. Next call 05 May 2026 1530 CEST