Philippe, I’m not arguing the “convenience factor” or OTA encryption, which eduroam certainly provides, just that users (and universities advocating for it) shouldn’t blindly trust it any more, or less, than any other guest network.
You touch on my concern with this statement, “Most Schools tend to give more privileges/bandwidth to eduroam because it is a community of trust.” eduroam should in no way be considered “…a community of trust” as there is little behind it to guarantee as such. In promoting it across EDUs, and making it the primary SSID, universities are certainly making it appear as if it is to those using it, but it’s an illusion. No matter how it’s painted, at the end of the day it’s still an unregulated, multi-ISP, guest network. I’m not arguing against broadcasting eduroam (which my campus does), or its convenience for guests, just don’t hold it up as something it’s not. Jeff From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Philippe Hanset <phan...@anyroam.net> Reply-To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Date: Friday, April 28, 2017 at 11:14 AM To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process) Jeff, Why do I say this? • Organization - A university can’t assume and/or guarantee that “eduroam” is administered at another campus in the same way that it is at home. There is no guarantee of privacy, be it the data collected during authentication/authorization, or information being sent/received by the client while traversing the other organization’s network. There is no guarantee user data won’t be sold, studied, or otherwise used as the organization terminating the client’s connection sees fit. eduroam is a name only. • User – Assumption that “eduroam” away from their home campus is the same as “eduroam” at another organization. Assumption that there is the same level of data security, privacy, or other safeguards/guarantees as provided at home. Assumption that the same resources are available. Assumption “eduroam’ out in the world is superior than connecting to an open network. Connecting to eduroam is superior to connecting to an open network for at least 4 reasons: (other may add to the pile) 1-No wasted time “hunting” for an SSID that who knows what it is in a list that is larger every day (especially for Urban Campuses) 2 -If the network is accepting your RADIUS infrastructure certificate, you know that you are on a trusted network part of a community (I will send another email to respond to the MiTM attack on PEAP and EAP-TTLS…use the CAT tool to mitigate that, or EAP-TLS if you can afford it) 3-Encryption over the air as part of WPA2-enterprise for guests as a great side effect 4-The local school knows that if needed, the user can be found (infected machine, abuse, DMCA, etc…) I agree that all eduroam networks are not equal, but neither are Open Networks. It is in the end a guest experience. I actually have the same with my cellular network… sometimes it is LTE or 4G, sometimes 3G with very little capacity, even though it always references the same carrier and I pay the same! It is our job as Network Operators to inform our users that there is no guarantee of service Most Schools tend to give more privileges/bandwidth to eduroam because it is a community of trust. So, in most cases you will experience a better experience that classic Open Guest Networks. Certainly, some of the data privacy pieces could be mitigated by using a home-campus VPN while traveling, but now you are creating rules that the end-user must remember. These rules become confusing when you are in an area with multiple organizations all broadcasting “eduroam”, where to simplify the user experience i.e. they can get to the same resources, the default becomes using VPN all the time. Once you force the use of a VPN, then is “eduroam” any different than using an open/suest networ I would prefer to see “eduroam” in the same light as say, using Facebook to login to other applications i.e. The university advertises that the guest wireless SSID supports the “eduroam” authentication service. The visiting person connects to your branded guest SSID using their home college credentials – understanding that they are bound to your AUP or other local decisions on the use of their data. There is no confusion about who owns, administers, or otherwise controls the network the client is connected to and no assumptions about resource availability. So for every campus that you visit you have to suffer: Hunting for the SSID Trust that SSID Read the AUP Share your Social Identity (talk about big data here) And as a network Operator you have to hope that the Social Identity is somewhat real! Schools don’t have time to look at big data for their traveling users or their guests, and the only info is username@domain or if you want anonymous@domain. You actually have the choice to anonymize yourself, it is not against any rule. The same goes for NROs (National Roaming Operators for eduroam), we have all signed an agreement that we cannot use user data other than troubleshooting and monitoring unless required by law enforcement. I doubt that Facebook or any other Social Provider can guarantee that…they make money out of your data! Again, if you fear to be tracked on eduroam, definitely anonymize your outer-identity. It is accepted, and many do it (it can even be done automatically in the CAT tool). In case of abuse or infection, a user can be found by contacting the campus of origin (so you let the IDP decide how to deal with Privacy for their users!). Finally, there is a reason why the big carriers did a push for Hotspot2.0/Passpoint. Protocols like 802.1X/WPA2-enterprise are great for security and authentication (both of the infrastructure and users), and the guest Wi-Fi industry is moving toward those standards. We all have done it with eduroam way ahead of the carriers. The privacy issue with large carriers might be an issue, but we suffer the same with our Cellphones already. Privacy and Net Neutrality is at stake every day. Hope this helps, Philippe Philippe Hanset, CEO www.anyroam.net<http://www.anyroam.net> www.eduroam.us +1 (865) 236-0770 GPG key id: 0xF2636F9C Jeff From: "wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@listserv.educause.edu>> on behalf of Marcelo Maraboli <marcelo.marab...@uc.cl<mailto:marcelo.marab...@uc.cl>> Organization: UC Reply-To: "wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@listserv.educause.edu>> Date: Thursday, April 20, 2017 at 2:16 PM To: "wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@listserv.educause.edu>> Subject: [WIRELESS-LAN] Eduroam adoption (and migration process) Hello everyone. We are finally adopting EduROAM in our University and we currently have one SSID with MAC-based authentication, so moving to EduROAM is also a 802.1x upgrade for us as well. Would you be so kind to respond a couple of questions?: If you adopted EduROAM as your primary SSID: - Did you leave an SSID for legacy devices ? (What AUTH mechanism for this SSID?) - How did you "force-move" your users to EdoROAM from your old SSID ? If you added EduROAM as just another SSID: - why not adopt EduROAM as your primary SSID ? (Branding or no interest? ) - Is your primary SSID also 802.1x o MAC-based ? - if 802.1x, why have 2 SSIDs with 802.1x ? thank you all, -- Marcelo Maraboli Rosselott Subdirector de Redes y Seguridad Dirección de Informática Pontificia Universidad Católica de Chile http://informatica.uc.cl/ -- Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul Santiago, Chile Teléfono: (56) 22354 1341 ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found athttp://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
