I am ready to assign our good fortune to luck. I was wondering where we had been using up all our good luck, and this must be it.
Back on topic, our general network AUP, referenced in our handbook, notes that one must accept the eduroam AUP in order to use that service. On Fri, Jul 14, 2017 at 1:12 PM Oliver, Jeff <jeff.oli...@uleth.ca> wrote: > You must have smarter PhD’s 😊 > > > > Cheers, > > Jeff > > > > *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Hunter Fuller > *Sent:* Friday, July 14, 2017 12:10 PM > > > *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > *Subject:* Re: [WIRELESS-LAN] eduroam AUP question > > > > But, when you say to advise them, "when you need access to trusted > resources when off campus, please use the VPN" - that's the same advice we > give them. There's no difference in that advice just because their home > network is eduroam. > > > > We emphasize the difference just as you did - "when you are not at UAH, > use VPN." The difference in network names doesn't really come up, in my > experience. > > > > On Fri, Jul 14, 2017 at 1:07 PM Oliver, Jeff <jeff.oli...@uleth.ca> wrote: > > While that may be true, it does not address the social aspect of the > implementation. > > > > Even if we were to configure the SSID in the back so that my users connect > internally when they use eduroam on my campus and external users get > connected to whatever network and services I configure for the externals, > it leads to a support issue. Trying to support my users when they go off > campus and suddenly do not have access to some service that they need > without a VPN poses a problem. The very fact that not all institutions have > different implementations of what they allow creates this dichotomy of how > eduroam works from a layer 7/8 perspective. If I required my own users to > VPN when on campus, well let’s say that it would not go well for me. > > > > Much simpler to have an on-campus (preferred network) for when they are at > home and eduroam configured on their client for when they are not. And then > say when you need access to trusted resources when off campus, please use > the VPN. Regardless of what the network is – eduroam, starbucks, home. > > > > > > Cheers, > > Jeff > > > > --- > > > > Jeffrey L. Oliver > > Manager, Network and Telecommunications > > Information Technology Services > > The University of Lethbridge > > 4401 University Drive, Lethbridge, Alberta, T1K 3M4 > > > > Tel: 403.329.5162 <(403)%20329-5162> > > Mob: 403.315.4461 <(403)%20315-4461> > > > > URI: jeff.oli...@uleth.ca > > Web: http://www.uleth.ca/information-technology/ > > > > *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Frans Panken > *Sent:* Friday, July 14, 2017 11:58 AM > > > *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > *Subject:* Re: [WIRELESS-LAN] eduroam AUP question > > > > > > eduroam uses WPA2-enterprise (= RADIUS). A fundamental component of RADIUS > is a client's validation of the RADIUS server's identity. As a consent to > the supplicant, the user must check that identity. The authentication > ALWAYS occurs end-to-end, at every institution you visit. Your OS stores > the server’s certificate. Your supplicant will ask you to validate another > RADIUS server when the certificate does not match. That is when all bells > and whistles should go off. Part of a user’s lessons of ICT, next to > checking the certificate in a browser. > > The exception for user’s/client’s validation is Android but the eduroam > community fixed that with the CAT tool. > > -Frans > > > > > > *From: *The EDUCAUSE Wireless Issues Constituent Group Listserv < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Oliver, Jeff" < > jeff.oli...@uleth.ca> > *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > *Date: *Friday, 14 July 2017 at 19:47 > *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > *Subject: *Re: [WIRELESS-LAN] eduroam AUP question > > > > Seconded. > > > > > > Cheers, > > Jeff > > > > > > *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ > mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] *On Behalf Of *Jeffrey D. Sessler > *Sent:* Friday, July 14, 2017 11:30 AM > *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > *Subject:* Re: [WIRELESS-LAN] eduroam AUP question > > > > I fundamentally disagree with this. > > > > I’d argue that by using eduroam as your default, users are put at risk > because they no longer have a key determiner for trusting/not trusting the > SSID they’ve connected to. There is no guarantee that eduroam operates the > same at each campus, nor is there any guarantee that the user’s > connection/data is safe when away from your home campus i.e. it’s no > different that Starbucks. > > > > While you can setup eduroam at your home campus to be the same as your > “MyCollege” SSID, can you attest to that when they are at another > participating EDU? You simply can’t, and from the user’s perspective, > they’ve now been lured into trusting eduroam no matter where they go – to > me that’s a bad design. You now have to tell your users two stories i.e. > When on campus trust eduroam, when off campus, best use a VPN or else. > That’s simply poor user implementation since the user will likely forget > the “or else” part. > > > > In keeping eduroam as a “guest” network, you tell users one story. When on > campus, use the “MyCollege” SSID, and when traveling, use eduroam and a VPN > client. The user now has a clear understanding of how to trust eduroam. > > > > Jeff > > > > *From: *"wireless-lan@listserv.educause.edu" < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Davis, Kevin" < > keda...@davidson.edu> > *Reply-To: *"wireless-lan@listserv.educause.edu" < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > *Date: *Friday, July 14, 2017 at 10:15 AM > *To: *"wireless-lan@listserv.educause.edu" < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > *Subject: *Re: [WIRELESS-LAN] eduroam AUP question > > > > With modern network architecture, it’s fairly easy and I would argue a > preferred design to use “eduroam” as the SSID for everything, while on the > back end segmenting your students/faculty/staff to access levels and > experience identical to whatever “MyCollege” SSID you had before. > > > > No impact to them functionally; easy to implement; reduces SSIDs for you; > helps users recognize and trust eduroam when they travel; and their devices > roam automatically in the future. > > > > Kevin > > > > > > > > *From: *The EDUCAUSE Wireless Issues Constituent Group Listserv < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Elizabeth Shannon < > esh...@ksu.edu> > *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > *Date: *Friday, July 14, 2017 at 12:54 PM > *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > *Subject: *Re: [WIRELESS-LAN] eduroam AUP question > > > > Not that I am disagreeing with Jeff, but is the intent of the eduroam > network simply as a guest network. I see many benefits of eduroam, but I > would like to understand the intent of eduroam, so that our constituents > have a more consistent experience as they utilize eduroam. We have guests > on our campus, but we have no way of easily finding a guest and having a > conversion with them if necessary. With eduroam, I can contact the host > institution and they can decide if they are going to allow their user to > continuing the use of eduroam. If we truly need to speak with the user, > they can facilitate our interaction with the user. Perhaps, I am in the > minority. Thanks. > > > > -- > > Elizabeth Shannon, CIPT > > Kansas State University > > Information Security and Compliance > > 785.532.2540 <(785)%20532-2540> > > > > > > *From: *The EDUCAUSE Wireless Issues Constituent Group Listserv < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Jeffrey D. Sessler" < > j...@scrippscollege.edu> > *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > *Date: *Friday, July 14, 2017 at 11:29 AM > *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > *Subject: *Re: [WIRELESS-LAN] eduroam AUP question > > > > As eduroam is really a guest network, I would never make it the primary > network for my users. Best to treat/deploy it is as a slightly better > version of the WiFi you can get at Starbucks or McDonalds. > > > > Jeff > > > > *From: *"wireless-lan@listserv.educause.edu" < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Davis < > da...@udel.edu> > *Reply-To: *"wireless-lan@listserv.educause.edu" < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > *Date: *Friday, July 14, 2017 at 8:14 AM > *To: *"wireless-lan@listserv.educause.edu" < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > *Subject: *Re: [WIRELESS-LAN] eduroam AUP question > > > > Seems to me that it's much easier now to just forget eduroam, remove it > from campus, and go back to our > branded Wifi. > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/discuss. > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/discuss. > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/discuss. > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/discuss. > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/discuss. > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/discuss. > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/discuss. > > -- > > > > -- > > Hunter Fuller > > Network Engineer > > VBH Annex B-5 > > +1 256 824 5331 <(256)%20824-5331> > > > > Office of Information Technology > > The University of Alabama in Huntsville > > Systems and Infrastructure > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/discuss. > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/discuss. > > -- -- Hunter Fuller Network Engineer VBH Annex B-5 +1 256 824 5331 Office of Information Technology The University of Alabama in Huntsville Systems and Infrastructure ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
