I thought about ways to respond to this, but figure simple is better…

Most of those concerns are either easily mitigated with user education, or are 
issues we haven’t experienced.  Since we’ve had eduroam as primary for 2 years 
with hundreds of thousands of devices onboarded and a lot of traveling from our 
international student base, I would figure I would have seen most issues.  The 
biggest issue that we get, and it is rare, is “I was at X university, and I 
couldn’t connect”.  Most of the time it is the other university’s fault, and I 
have to explain that after looking in our logs.

You are putting a lot of weight into ‘theoretical’ concerns, when it is almost 
a guarantee that if a student or faculty member travels to another university, 
they will have to connect to the ‘Guest’ open SSID, of which they will have no 
protection at all.  We have seen it from neighboring institutions, which 
despite running eduroam, have an extremely low adoption rate because people 
just won’t bother to onboard if it isn’t necessary.


Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

[email protected]
+1 919 445 0113 Office
+1 919 274 7926 Mobile



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Jeffrey D. Sessler
Sent: Friday, April 28, 2017 1:18 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

No matter what direction I come at it, “eduroam” is fundamentally a guest 
network with very little intrinsic value, but with many downsides. As such, I 
would be reluctant to make it our default SSID, and I caution those that use it 
as such to explore its shortcomings.

Why do I say this?

  *   Organization - A university can’t assume and/or guarantee that “eduroam” 
is administered at another campus in the same way that it is at home. There is 
no guarantee of privacy, be it the data collected during 
authentication/authorization, or information being sent/received by the client 
while traversing the other organization’s network. There is no guarantee user 
data won’t be sold, studied, or otherwise used as the organization terminating 
the client’s connection sees fit. eduroam is a name only.
  *   User – Assumption that “eduroam” away from their home campus is the same 
as “eduroam” at another organization. Assumption that there is the same level 
of data security, privacy, or other safeguards/guarantees as provided at home. 
Assumption that the same resources are available. Assumption “eduroam” out in 
the world is superior to connecting to an open network.

Certainly, some of the data privacy pieces could be mitigated by using a 
home-campus VPN while traveling, but now you are creating rules that the 
end-user must remember. These rules become confusing when you are in an area 
with multiple organizations all broadcasting “eduroam”, where to simplify the 
user experience i.e. they can get to the same resources, the default becomes 
using VPN all the time. Once you force the use of a VPN, then is “eduroam” any 
different than using an open/guest network?

I would prefer to see “eduroam” in the same light as say, using Facebook to 
login to other applications i.e. The university advertises that the guest 
wireless SSID supports the “eduroam” authentication service. The visiting 
person connects to your branded guest SSID using their home college credentials 
– understanding that they are bound to your AUP or other local decisions on the 
use of their data. There is no confusion about who owns, administers, or 
otherwise controls the network the client is connected to and no assumptions 
about resource availability.

Jeff


From: "[email protected]" <[email protected]> on behalf of Marcelo Maraboli <[email protected]>
Organization: UC
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, April 20, 2017 at 2:16 PM
To: "[email protected]" <[email protected]>
Subject: [WIRELESS-LAN] Eduroam adoption (and migration process)

Hello everyone.

We are finally adopting EduROAM in our University and we currently have one
SSID with MAC-based authentication, so moving to EduROAM is also an 802.1x
upgrade for us as well.

Would you be so kind as to respond to a couple of questions?


If you adopted EduROAM as your primary SSID:
- Did you leave an SSID for legacy devices ? (What AUTH mechanism for this 
SSID?)
- How did you "force-move" your users to EduROAM from your old SSID ?

If you added EduROAM as just another SSID:
- why not adopt EduROAM as your primary SSID ?  (Branding or no interest? )
- Is your primary SSID also 802.1x or MAC-based ?
- if 802.1x, why have 2 SSIDs with 802.1x ?


thank you all,
--
Marcelo Maraboli Rosselott
Deputy Director of Networks and Security
Dirección de Informática
Pontificia Universidad Católica de Chile
http://informatica.uc.cl/
--
Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul
Santiago, Chile
Phone: (56) 22354 1341
********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.