While that may be true, it does not address the social aspect of the 
implementation.

Even if we were to configure the SSID in the back so that my users connect 
internally when they use eduroam on my campus and external users get connected 
to whatever network and services I configure for the externals, it leads to a 
support issue. Trying to support my users when they go off campus and suddenly 
do not have access to some service that they need without a VPN poses a 
problem. The very fact that not all institutions have different implementations 
of what they allow creates this dichotomy of how eduroam works from a layer 7/8 
perspective. If I required my own users to VPN when on campus, well let’s say 
that it would not go well for me.

Much simpler to have an on-campus (preferred network) for when they are at home 
and eduroam configured on their client for when they are not. And then say when 
you need access to trusted resources when off campus, please use the VPN. 
Regardless of what the network is – eduroam, Starbucks, home.


Cheers,
Jeff

---

Jeffrey L. Oliver
Manager, Network and Telecommunications
Information Technology Services
The University of Lethbridge
4401 University Drive, Lethbridge, Alberta, T1K 3M4

Tel:         403.329.5162
Mob:     403.315.4461

URI:       [email protected]
Web:    http://www.uleth.ca/information-technology/

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Frans Panken
Sent: Friday, July 14, 2017 11:58 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] eduroam AUP question


eduroam uses WPA2-enterprise (= RADIUS). A fundamental component of RADIUS is a 
client's validation of the RADIUS server's identity. As a consent to the 
supplicant, the user must check that identity. The authentication ALWAYS occurs 
end-to-end, at every institution you visit. Your OS stores the server’s 
certificate. Your supplicant will ask you to validate another RADIUS server 
when the certificate does not match. That is when all bells and whistles should 
go off. Part of a user’s lessons of ICT, next to checking the certificate in a 
browser.
The exception for user’s/client’s validation is Android but the eduroam 
community fixed that with the CAT tool.
-Frans


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<[email protected]> on behalf of "Oliver, Jeff" <[email protected]>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<[email protected]>
Date: Friday, 14 July 2017 at 19:47
To: "[email protected]" <[email protected]>
Subject: Re: [WIRELESS-LAN] eduroam AUP question

Seconded.


Cheers,
Jeff


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Jeffrey D. Sessler
Sent: Friday, July 14, 2017 11:30 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] eduroam AUP question

I fundamentally disagree with this.

I’d argue that by using eduroam as your default, users are put at risk because 
they no longer have a key determiner for trusting/not trusting the SSID they’ve 
connected to. There is no guarantee that eduroam operates the same at each 
campus, nor is there any guarantee that the user’s connection/data is safe when 
away from your home campus i.e. it’s no different than Starbucks.

While you can set up eduroam at your home campus to be the same as your 
“MyCollege” SSID, can you attest to that when they are at another participating 
EDU? You simply can’t, and from the user’s perspective, they’ve now been lured 
into trusting eduroam no matter where they go – to me that’s a bad design. You 
now have to tell your users two stories i.e. When on campus trust eduroam, when 
off campus, best use a VPN or else. That’s simply poor user implementation 
since the user will likely forget the “or else” part.

In keeping eduroam as a “guest” network, you tell users one story. When on 
campus, use the “MyCollege” SSID, and when traveling, use eduroam and a VPN 
client. The user now has a clear understanding of how to trust eduroam.

Jeff

From: "[email protected]" <[email protected]> 
on behalf of "Davis, Kevin" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Friday, July 14, 2017 at 10:15 AM
To: "[email protected]" <[email protected]>
Subject: Re: [WIRELESS-LAN] eduroam AUP question

With modern network architecture, it’s fairly easy and I would argue a 
preferred design to use “eduroam” as the SSID for everything, while on the back 
end segmenting your students/faculty/staff to access levels and experience 
identical to whatever “MyCollege” SSID you had before.

No impact to them functionally; easy to implement; reduces SSIDs for you; helps 
users recognize and trust eduroam when they travel; and their devices roam 
automatically in the future.

Kevin



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<[email protected]> on behalf of Elizabeth Shannon <[email protected]>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<[email protected]>
Date: Friday, July 14, 2017 at 12:54 PM
To: "[email protected]" <[email protected]>
Subject: Re: [WIRELESS-LAN] eduroam AUP question

Not that I am disagreeing with Jeff, but is the intent of the eduroam network 
simply as a guest network? I see many benefits of eduroam, but I would like to 
understand the intent of eduroam, so that our constituents have a more 
consistent experience as they utilize eduroam. We have guests on our campus, 
but we have no way of easily finding a guest and having a conversation with them 
if necessary. With eduroam, I can contact the host institution and they can 
decide if they are going to allow their user to continue the use of eduroam. 
If we truly need to speak with the user, they can facilitate our interaction 
with the user. Perhaps, I am in the minority. Thanks.

--
Elizabeth Shannon, CIPT
Kansas State University
Information Security and Compliance
785.532.2540


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<[email protected]> on behalf of "Jeffrey D. Sessler" <[email protected]>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<[email protected]>
Date: Friday, July 14, 2017 at 11:29 AM
To: "[email protected]" <[email protected]>
Subject: Re: [WIRELESS-LAN] eduroam AUP question

As eduroam is really a guest network, I would never make it the primary network 
for my users. Best to treat/deploy it as a slightly better version of the 
WiFi you can get at Starbucks or McDonalds.

Jeff

From: "[email protected]" <[email protected]> 
on behalf of Michael Davis <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Friday, July 14, 2017 at 8:14 AM
To: "[email protected]" <[email protected]>
Subject: Re: [WIRELESS-LAN] eduroam AUP question

Seems to me that it's much easier now to just forget eduroam, remove it from 
campus, and go back to our branded Wifi.
********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.