Our local radius logs show eduroam users as the 
[email protected], confirmation it was 
approved by the source institution, which wireless controller they 
authenticated through and the MAC address of the device they are using, so we 
can identify them.  If someone is contravening our policies, we will deal with 
them the same way we would with a local F/S/S (warnings, cut them off, etc).  
Granted, [email protected] is not necessarily 
their email id, so we may not be able to inform them that we have taken action. 
 If they are on campus for a month doing collaborative research, they'll likely 
call our helpdesk soon enough.  Of course, this has not been an issue for the 
five years we have been on Eduroam.  Visitors, researchers and collaborators 
are here to get work done and they are productive from the time they turn on 
their device.

If it is something illegal and we were asked/required to cooperate with law 
enforcement, we would give them 
[email protected]. They'll not be long 
getting access to personal information that they need (info that I do not need 
to know/store anyway).  Don't worry about other countries and cooperation 
agreements between law enforcement.  It works faster than you think - in both 
directions.  (Probably faster than inter-state and inter-province).  I cannot 
speak to your CALEA regulations, but other US institutions are using eduroam.  
They may add comment here.

I do not see an issue with different universities' policies as to who they 
allocate IDs and passwords to.  We do not mind if one of your alumni uses our 
wireless for an hour while at a campus sporting event, for example.  Beyond the 
normal faculty, staff and students, if a retired Prof from your university gets 
on our wireless network while attending a meeting, or visiting one of their 
grandchildren attending here, go for it. We will not notice.  If you know who 
they are and they are registered in your systems, then we trust you and will 
accept them too.  They are accessing a bit of free wireless, not our ERP.

Eduroam is great for hosting national conferences, regional and national 
student competitions, etc - no special arrangements required (except for 
non-eduroam institutions :(). When I attend a meeting or a university IT 
conference at an eduroam member, I am accepted and on the network as soon as I 
hit the parking lot.  No calls from our president when he is attending meetings 
somewhere else either!

As for passwords, my computer is set up to encrypt my password according to my 
university's standards.  When I visit an Eduroam institution, their radius 
server simply passes on my request as is through the radius network to our 
radius server for authorization.  If I am at an institution that uses a weak 
password solution, I do not need to weaken my login process.  I am far from a 
radius expert so I may have missed your concern.

I am sure there are better Eduroam authorities on this list who can provide 
better input.  Eduroam is about inter-institution cooperation and it has been 
nothing but a great experience for us as we travel and for our institution's 
visiting colleagues.


Peter E. [email protected]
University of New Brunswick, Canada

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Green, William C
Sent: February-26-13 2:50 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Eduroam and AUP acceptance?

I think the driver's license is an interesting analogy, and it causes me to 
think differently about the issues eduroam raises in a different light.  
However, as with most analogies it breaks down quickly (states do have 
standards coordinated with federal entities on IDs [blustering aside], 
coordinated training and standards [e.g. car vs truck], integrated license 
plate databases, user identities on the drivers license when pulled over, etc).

I am interested in the service, and like the idea of enabling researchers 
better network access.  But I'm still troubled by a number of issues which I 
think could be solvable, but solving them doesn't seem to be in the spirit of 
the European effort.  Just a few:

My understanding is eduroam doesn't allow the host university to know the 
identity of the user of the local network resource.  The host can request it of 
the remote university, but the remote may or may not respond.  It adds 
complexity to security investigations and law enforcement actions.  Local law 
enforcement can't compel another country's university to release credentials.  
What might US CALEA implications be in these cases?  I realize different 
laws/rules apply in different localities/entities regarding network use and 
identity and interpretation by each entity's legal counsel.

My understanding is also that eduroam doesn't have standards for who is granted 
credentials across institutions participating.  At one school it may be 
faculty/students/staff, while at others that may include alumni/visitors/hobos. 
 Related, I don't believe attributes are revealed in cases where the local 
institution wished to grant different status to, say faculty versus student.  
How do different access policies and charges (for those of us that charge) map?

There may be exposures to user/password credentials utilized.  For institutions 
that use a consistent/single sign-on credential for their network access also, 
this is once again problematic.  [lost the argument about the dangers of using 
SSO for network access -- even back in the web portal days prior to 802.1x]



It is the same for everyone.  I think it is fair to say that every institution 
requires faculty, staff, and students to accept an AUP before assigning a user 
ID and password (typically once a year).  Simply apply your AUP rules to the 
eduroam "visitors".  Do not consider Eduroam users as outsiders/guests of your 
institution; they are authorized colleagues from neighbouring institutions.  
They know the rules and more importantly, they are easily traceable.  I can 
drive in your state with my driver's licence.  It is accepted and I am 
authorized, but I should learn your specific state rules to ensure I am not 
ticketed.  Same idea.


Peter


-William


********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.
