But, when you say to advise them, "when you need access to trusted
resources when off campus, please use the VPN" - that's the same advice we
give them. There's no difference in that advice just because their home
network is eduroam.

We emphasize the difference just as you did - "when you are not at UAH, use
VPN." The difference in network names doesn't really come up, in my
experience.

On Fri, Jul 14, 2017 at 1:07 PM Oliver, Jeff <jeff.oli...@uleth.ca> wrote:

> While that may be true, it does not address the social aspect of the
> implementation.
>
>
>
> Even if we were to configure the SSID in the back so that my users connect
> internally when they use eduroam on my campus and external users get
> connected to whatever network and services I configure for the externals,
> it leads to a support issue. Trying to support my users when they go off
> campus and suddenly do not have access to some service that they need
> without a VPN poses a problem. The very fact that not all institutions have
> different implementations of what they allow creates this dichotomy of how
> eduroam works from a layer 7/8 perspective. If I required my own users to
> VPN when on campus, well let’s say that it would not go well for me.
>
>
>
> Much simpler to have an on-campus (preferred network) for when they are at
> home and eduroam configured on their client for when they are not. And then
> say when you need access to trusted resources when off campus, please use
> the VPN. Regardless of what the network is – eduroam, starbucks, home.
>
>
>
>
>
> Cheers,
>
> Jeff
>
>
>
> ---
>
>
>
> Jeffrey L. Oliver
>
> Manager, Network and Telecommunications
>
> Information Technology Services
>
> The University of Lethbridge
>
> 4401 University Drive, Lethbridge, Alberta, T1K 3M4
>
>
>
> Tel:         403.329.5162
>
> Mob:     403.315.4461
>
>
>
> URI:       jeff.oli...@uleth.ca
>
> Web:    http://www.uleth.ca/information-technology/
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Frans Panken
> *Sent:* Friday, July 14, 2017 11:58 AM
>
>
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] eduroam AUP question
>
>
>
>
>
> eduroam uses WPA2-enterprise (= RADIUS). A fundamental component of RADIUS
> is a client's validation of the RADIUS server's identity. As a consent to
> the supplicant, the user must check that identity. The authentication
> ALWAYS occurs end-to-end, at every institution you visit. Your OS stores
> the server’s certificate. Your supplicant will ask you to validate another
> RADIUS server when the certificate does not match. That is when all bells
> and whistles should go off. Part of a user’s lessons of ICT, next to
> checking the certificate in a browser.
>
> The exception for user’s/client’s validation is Android but the eduroam
> community fixed that with the CAT tool.
>
> -Frans
>
>
>
>
>
> *From: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Oliver, Jeff" <
> jeff.oli...@uleth.ca>
> *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Friday, 14 July 2017 at 19:47
> *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] eduroam AUP question
>
>
>
> Seconded.
>
>
>
>
>
> Cheers,
>
> Jeff
>
>
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jeffrey D. Sessler
> *Sent:* Friday, July 14, 2017 11:30 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] eduroam AUP question
>
>
>
> I fundamentally disagree with this.
>
>
>
> I’d argue that by using eduroam as your default, users are put at risk
> because they no longer have a key determiner for trusting/not trusting the
> SSID they’ve connected to. There is no guarantee that eduroam operates the
> same at each campus, nor is there any guarantee that the user’s
> connection/data is safe when away from your home campus i.e. it’s no
> different than Starbucks.
>
>
>
> While you can set up eduroam at your home campus to be the same as your
> “MyCollege” SSID, can you attest to that when they are at another
> participating EDU? You simply can’t, and from the user’s perspective,
> they’ve now been lured into trusting eduroam no matter where they go – to
> me that’s a bad design. You now have to tell your users two stories i.e.
> When on campus trust eduroam, when off campus, best use a VPN or else.
> That’s simply poor user implementation since the user will likely forget
> the “or else” part.
>
>
>
> In keeping eduroam as a “guest” network, you tell users one story. When on
> campus, use the “MyCollege” SSID, and when traveling, use eduroam and a VPN
> client. The user now has a clear understanding of how to trust eduroam.
>
>
>
> Jeff
>
>
>
> *From: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Davis, Kevin" <
> keda...@davidson.edu>
> *Reply-To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Friday, July 14, 2017 at 10:15 AM
> *To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] eduroam AUP question
>
>
>
> With modern network architecture, it’s fairly easy and I would argue a
> preferred design to use “eduroam” as the SSID for everything, while on the
> back end segmenting your students/faculty/staff to access levels and
> experience identical to whatever “MyCollege” SSID you had before.
>
>
>
> No impact to them functionally; easy to implement; reduces SSIDs for you;
> helps users recognize and trust eduroam when they travel; and their devices
> roam automatically in the future.
>
>
>
> Kevin
>
>
>
>
>
>
>
> *From: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Elizabeth Shannon <
> esh...@ksu.edu>
> *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Friday, July 14, 2017 at 12:54 PM
> *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] eduroam AUP question
>
>
>
> Not that I am disagreeing with Jeff, but is the intent of the eduroam
> network simply as a guest network? I see many benefits of eduroam, but I
> would like to understand the intent of eduroam, so that our constituents
> have a more consistent experience as they utilize eduroam. We have guests
> on our campus, but we have no way of easily finding a guest and having a
> conversation with them if necessary. With eduroam, I can contact the host
> institution and they can decide if they are going to allow their user to
> continue the use of eduroam. If we truly need to speak with the user,
> they can facilitate our interaction with the user. Perhaps, I am in the
> minority. Thanks.
>
>
>
> --
>
> Elizabeth Shannon, CIPT
>
> Kansas State University
>
> Information Security and Compliance
>
> 785.532.2540
>
>
>
>
>
> *From: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Jeffrey D. Sessler" <
> j...@scrippscollege.edu>
> *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Friday, July 14, 2017 at 11:29 AM
> *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] eduroam AUP question
>
>
>
> As eduroam is really a guest network, I would never make it the primary
> network for my users. Best to treat/deploy it as a slightly better
> version of the WiFi you can get at Starbucks or McDonalds.
>
>
>
> Jeff
>
>
>
> *From: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Davis <
> da...@udel.edu>
> *Reply-To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Friday, July 14, 2017 at 8:14 AM
> *To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] eduroam AUP question
>
>
>
> Seems to me that it's much easier now to just forget eduroam, remove it
> from campus, and go back to our
> branded Wifi.
>
> ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/discuss.

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure
