eduroam Development VC Minutes 2022-10-11 1530 CEST
Attendance
Attendees
- Stefan Winter (Restena)
- Zenon Mousmoulas (GRNET)
- Halil Adem (GRNET)
- Tomasz Wolniewicz (PSNC)
- Christian Rohrer (SWITCH)
- Jan-Frederik Rieckers (DFN)
- Guy Halse (TENET)
- Kilian Krause (Uni Stuttgart, GERMANY)
- Ed Wincott (Jisc)
- Arnaud Lauriou (RENATER)
- Chris Phillips (CANARIE)
- Mohit Sharma (CANARIE)
- Ed Kingscote (CANARIE)
- Maja Gorecka-Wolniewicz (PSNC)
- Paul Dekkers (SURF)
- Philippe Hanset (ANYROAM)
- Louis Twomey (HEAnet)
- Philippe Van Hecke (BELNET)
- Zbigniew Ołtuszyk (PSNC)
- Stephanie Cooper (ANYROAM)
- Anders Nilsson (SUNET)
- Christina Klam (IAS, USA)
- Janos Mohacsi (KIFÜ)
Regrets
- Mike Zawacki (Internet2)
Agenda / Proceedings
Welcome / Agenda Bashing
Windows 11 22H2 fun
- Windows 11 Enterprise: Credential Guard
  - The update enables it by default
  - If you “Use AD credentials” for your eduroam credentials, this won’t work any more
  - Other services are also affected (RDP, VPN, …)
  - Needs reconfiguration (and one can muse about whether the password is more secure then)
  - How common is using AD for eduroam logins? Seems to be used somewhat. Needs some Windows AD “tricks” regarding outer IDs or Win2000-style usernames.
  - There are Microsoft best-practice documents / advisories suggesting to discontinue use of PEAP/MSCHAPv2, e.g. https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-considerations
  - What should our own advisory look like? “Turn off Credential Guard”, “Move to geteduroam pseudo-credentials”, “Type your AD password into a non-AD PEAP/TTLS config”; maybe best: “use your AD to provision certificates to machines, and switch to EAP-TLS”? Make “Disable Credential Guard” the last, least preferred option.
  - The wider issue of a possible passwordless future is to be discussed at the highest levels (GeGC)
  - Side item: Twitter thread with a deeper dive on how the 22H2 update does things: https://twitter.com/_xpn_/status/1579229904855760897?s=20&t=VROSVbB_Gh_j1vLiB3WEbA
  - Suggestion from Paul:
    - Do TLS with AD/Intune for AD-joined machines, configure eduroam with GPO
    - Install credentials as a one-time step, as the machine was not AD-joined
    - Use geteduroam with pseudo accounts for BYOD
    - Disable Credential Guard in the GPO, as it affects AD-joined machines with GPO anyway
- TLS 1.3 EAP negotiations
  - FreeRADIUS 3.0.26 and 3.2.0 are tested against Win 11 and should work unconditionally
  - Earlier versions may or may not work, and work best when setting tls_max_version = 1.2
  - Versions predating the configuration option tls_max_version are a bit up in the air, but we recommend updating those anyway, because they are very old and probably have security issues
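The following is an added example and not part of the minutes or of any project discussed here: a PowerShell script an admin can run on a Windows 10/11 client to see in advance whether the Credential Guard change will break a “Use AD credentials” eduroam profile. It reads the real `Win32_DeviceGuard` CIM class and the `LsaCfgFlags` registry value, and exports a saved Wi-Fi profile with `netsh wlan export profile` to look for PEAP (EAP type 25), MSCHAPv2 (type 26) and the `UseWinLogonCredentials` flag. The profile name `eduroam` and the element-matching regexes are assumptions based on typical exported profiles; check them against your own export.

```powershell
# Added example (not from the minutes): report Credential Guard state and
# whether a saved Wi-Fi profile reuses the Windows logon (AD) credential.

function Get-CredentialGuardState {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard lists VBS security services: value 1 = Credential Guard,
    # value 2 = HVCI. VirtualizationBasedSecurityStatus 2 = VBS running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # LsaCfgFlags mirrors the Credential Guard GPO setting:
    # 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        VbsRunning          = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
        UefiLocked          = ($lsa.LsaCfgFlags -eq 1)
        LsaCfgFlags         = $lsa.LsaCfgFlags
    }
}

function Test-WlanProfileUsesWinLogonCredentials {
    [CmdletBinding()]
    param([string]$ProfileName = 'eduroam')   # assumed profile name

    # Export the profile XML to a scratch folder; the EAP settings are in clear
    # text there, so no key=clear is needed and no PSK/password is written.
    $tmp = Join-Path $env:TEMP ('wlan-export-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $tmp | Out-Null
    try {
        netsh wlan export profile name="$ProfileName" folder="$tmp" | Out-Null
        $file = Get-ChildItem -Path $tmp -Filter '*.xml' | Select-Object -First 1
        if (-not $file) { return $null }   # profile not found on this machine
        $xml = Get-Content -Path $file.FullName -Raw

        # Assumed element shapes from exported profiles: <Type ...>25</Type> for
        # the PEAP outer method, <Type>26</Type> for the MSCHAPv2 inner method,
        # and <UseWinLogonCredentials>true</...> for "Use AD credentials".
        [pscustomobject]@{
            Profile           = $ProfileName
            OuterPeap         = ($xml -match '<Type[^>]*>25</Type>')
            InnerMschapv2     = ($xml -match '<Type[^>]*>26</Type>')
            UsesWinLogonCreds = ($xml -match '<UseWinLogonCredentials>\s*true\s*</UseWinLogonCredentials>')
        }
    }
    finally {
        Remove-Item -Path $tmp -Recurse -Force -ErrorAction SilentlyContinue
    }
}

$cg   = Get-CredentialGuardState
$prof = Test-WlanProfileUsesWinLogonCredentials -ProfileName 'eduroam'

$cg   | Format-List
$prof | Format-List

if ($cg.CredGuardRunning -and $prof -and $prof.InnerMschapv2 -and $prof.UsesWinLogonCreds) {
    Write-Warning ("Profile '{0}' is PEAP/MSCHAPv2 with the Windows logon credential and " +
                   "Credential Guard is running: this profile will stop authenticating. " +
                   "Plan a move to EAP-TLS or to per-user (geteduroam) credentials.") -f $prof.Profile
}
```

Run it in a normal PowerShell session; reading `Win32_DeviceGuard` and `LsaCfgFlags` does not need elevation, and `netsh wlan export profile` works for profiles visible to the current user. The warning condition is deliberately narrow (running, not merely configured, plus both MSCHAPv2 and the logon-credential flag) so that EAP-TLS or typed-password profiles are not flagged.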
IETF Update
- https://datatracker.ietf.org/doc/bofreq-dekok-bofreq-dekok-radius-extensions-and-security-00/
- https://datatracker.ietf.org/wg/radextra/about/
- BoF planned for Monday 07 Nov (also EMU on that day)
- https://datatracker.ietf.org/doc/draft-dekok-radext-deprecating-radius/
Recurring: Passpoint hardware and onboarding chit-chat
- Passpoint/OpenRoaming does not have PEAP in its specification, and Wi-Fi user accounts are not typically tied to an AD account -> the Credential Guard issue doesn’t touch this community much
AOB / next VC: 8 Nov 2022 1530 CET (pending IETF week scheduling?)