There is chatter on the eduroam development email list from time to time about Passpoint / HS2.0, but I've not seen anyone mention having a full-blown production implementation (I'd love to be wrong about this).
The archives are available at https://lists.eduroam.org/sympa/info/development , the most recent activity on this topic was in 2017-03.

-Luke

On Wed, Apr 26, 2017 at 12:41 PM, Cappalli, Tim (Aruba Security) <t...@hpe.com> wrote:

> Just curious. Is anyone using Passpoint / HS2 with eduroam?
>
> tim
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Sweetser, Frank E" <f...@wpi.edu>
> *Reply-To:* The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date:* Wednesday, April 26, 2017 at 11:19 AM
> *To:* "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] Eduroam adoption (and migration process)
>
> We rolled out eduroam a couple of years ago, and like most others appear
> to, we have it give identical service to our own users. That said, we're
> planning on keeping both our branded network and eduroam, as there are two
> cases where we want to broadcast our branded SSID, but not eduroam:
>
> - Aruba RAPs, installed in users' homes. We don't want to inadvertently
>   offer eduroam hotspot services off a user's home internet connection.
>
> - High density environments where we're co-mingled with other entities
>   offering eduroam. This could easily lead to bad roaming performance, as
>   clients end up accidentally migrating to a different network without
>   realizing it.
>
> Frank Sweetser
> Director of Network Operations
> Worcester Polytechnic Institute
> "For every problem, there is a solution that is simple, elegant, and
> wrong."
> - HL Mencken
>
> ------------------------------
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Walter Reynolds <wa...@umich.edu>
> *Sent:* Tuesday, April 25, 2017 3:33 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Eduroam adoption (and migration process)
>
> We have been doing the attribute method for a while and have not really
> had any problems. We use FreeRADIUS with an LDAP check for the attributes.
>
> ------------------------
>
> Walter Reynolds
> Principal Systems Security Development Engineer
> Information and Technology Services
> University of Michigan
> (734) 615-9438
>
> On Tue, Apr 25, 2017 at 2:57 PM, Hunter Fuller <hf0...@uah.edu> wrote:
>
> Just like Brian mentioned, we sort users based on their attributes. If you
> are staff, and you connect to eduroam, you end up on the staff network.
>
> Those who didn't go that route, but instead kept the other ESSID for
> separation, what did you find the shortcomings were with the
> attribute-based method? (Are we about to regret doing this, is really what
> I'm asking.)
>
> On Tue, Apr 25, 2017 at 1:10 PM Stephen Belcher <steve.belc...@mail.wvu.edu> wrote:
>
> That is the same situation with WVU. We maintain WVU.Encrypted for
> faculty, staff and students. We treat those users as “on campus”.
>
> We treat WVU.Guest and Eduroam as “off campus”.
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Fligor, Debbie
> Sent: Monday, April 24, 2017 4:38 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)
>
> I can’t speak for the campuses you named, but we have not switched to
> eduroam as our main SSID, and we have no current plans to.
> I’m sure someone is happy about the branding somewhere, but it’s also for
> technical reasons. Eduroam, like our guest wireless, is routed outside our
> campus border firewall. When you are on our campus's IllinoisNet SSID you
> are on the campus side of the border firewall and have more access to campus
> resources than you do when you are on the eduroam SSID or our
> IllinoisNet_Guest SSID. Our campus network design has very little internal
> firewalling - the majority of the protection for offices, labs, classrooms,
> wireless, and anything other than University-wide Admin applications is the
> border firewall. So putting guests on the outside, and faculty, staff and
> students on the inside is important.
>
> Additionally the firewall for the eduroam network is set up to allow the
> minimum ports required by the eduroam agreement, so that when our faculty,
> staff and students test that something works on eduroam before they travel,
> they are reasonably well guaranteed it will work on any eduroam net
> anywhere. With our change from Meru/Radiator to Aruba/ClearPass last
> summer, it’s likely that it would be much simpler to drop eduroam users
> that are local onto a “different” version of eduroam that was on the campus
> side of the border firewall, but then the user experience on eduroam here
> would not be the same experience as if they were at a different site
> providing eduroam. Both in what ports were allowed in/out of the eduroam
> network and much more importantly how connections to campus resources
> function for networks off-campus. We want users to have a consistent
> experience with how eduroam works for their use cases, regardless of
> whether they are on our campus or somewhere else.
>
> To answer the other questions, we currently have 3 non-eduroam SSIDs:
>
> - our main SSID that is inside the campus border firewalls is 802.1x
> - we have an open guest SSID that uses the ClearPass guest captive portal system
> - we have a devices SSID that is MAC auth, but I believe this one is being
>   phased out in favor of using features in ClearPass to do something similar.
>   This is mostly for gaming consoles and the things that really can’t do 802.1x.
>
> It’s been quite a few years since I ran the wireless network on our
> campus, but I believe I’ve got the current technical details correct, Chuck
> can correct me if I got anything wrong.
>
> --
> -debbie
> Debbie Fligor, n9dn    Lead Network Engineer @ Univ. of Il at Urbana-Champaign
> email: fli...@illinois.edu
>
> > On Apr 24, 2017, at 14:18, Marcelo Maraboli <marcelo.marab...@uc.cl> wrote:
> >
> > I would like to thank all who responded.
> >
> > Everybody who responded is making EduRoam their main SSID
> > deprecating their old SSID (MAC or .1x).
> >
> > I still wonder why Universities like MIT, Harvard, Stanford and Berkeley
> > only use Eduroam as a secondary SSID and still keep their main SSID.
> > The only thing I can think of is branding.
> >
> > thanks.
> >
> > On 4/20/17 6:16 PM, Marcelo Maraboli wrote:
> >> Hello everyone.
> >>
> >> We are finally adopting EduROAM in our University and we currently have one
> >> SSID with MAC-based authentication, so moving to EduROAM is also an 802.1x upgrade
> >> for us as well.
> >>
> >> Would you be so kind as to respond to a couple of questions?
> >>
> >> If you adopted EduROAM as your primary SSID:
> >> - Did you leave an SSID for legacy devices? (What AUTH mechanism for this SSID?)
> >> - How did you "force-move" your users to EduROAM from your old SSID?
> >>
> >> If you added EduROAM as just another SSID:
> >> - why not adopt EduROAM as your primary SSID? (Branding or no interest?)
> >> - Is your primary SSID also 802.1x or MAC-based?
> >> - if 802.1x, why have 2 SSIDs with 802.1x?
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent
> Group discussion list can be found at http://www.educause.edu/discuss.

--
=-=-=-=-=-=-=-=-=-=-=-=
Luke Jenkins
Network Engineer
Weber State University