Well, it is a matter of “who do you trust?” Using a VPN is only good advice if you trust the VPN server. There are plenty of free VPN service providers. However, you pay them with your privacy instead of your money. After all, ALL traffic passes their servers. So simply advising users to “use any VPN because then you are safe” is something I recommend to reconsider. I trust the EDU community, so I use eduroam without a VPN as it always encrypts the radio path.

-Frans

From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <hf0...@uah.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, 14 July 2017 at 20:09
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] eduroam AUP question

But, when you say to advise them, "when you need access to trusted resources when off campus, please use the VPN" - that's the same advice we give them. There's no difference in that advice just because their home network is eduroam. We emphasize the difference just as you did - "when you are not at UAH, use VPN." The difference in network names doesn't really come up, in my experience.

On Fri, Jul 14, 2017 at 1:07 PM Oliver, Jeff <jeff.oli...@uleth.ca> wrote:

While that may be true, it does not address the social aspect of the implementation. Even if we were to configure the SSID in the back so that my users connect internally when they use eduroam on my campus and external users get connected to whatever network and services I configure for the externals, it leads to a support issue. Trying to support my users when they go off campus and suddenly do not have access to some service that they need without a VPN poses a problem. The very fact that not all institutions have different implementations of what they allow creates this dichotomy of how eduroam works from a layer 7/8 perspective. If I required my own users to VPN when on campus, well, let’s say that it would not go well for me. Much simpler to have an on-campus (preferred network) for when they are at home and eduroam configured on their client for when they are not. And then say: when you need access to trusted resources when off campus, please use the VPN. Regardless of what the network is – eduroam, Starbucks, home.

Cheers,
Jeff

---
Jeffrey L. Oliver
Manager, Network and Telecommunications
Information Technology Services
The University of Lethbridge
4401 University Drive, Lethbridge, Alberta, T1K 3M4
Tel: 403.329.5162
Mob: 403.315.4461
URI: jeff.oli...@uleth.ca
Web: http://www.uleth.ca/information-technology/

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Frans Panken
Sent: Friday, July 14, 2017 11:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam AUP question

eduroam uses WPA2-Enterprise (= RADIUS). A fundamental component of RADIUS is a client's validation of the RADIUS server's identity. As a consent to the supplicant, the user must check that identity. The authentication ALWAYS occurs end-to-end, at every institution you visit. Your OS stores the server’s certificate. Your supplicant will ask you to validate another RADIUS server when the certificate does not match. That is when all bells and whistles should go off. Part of a user’s lessons of ICT, next to checking the certificate in a browser. The exception for user’s/client’s validation is Android, but the eduroam community fixed that with the CAT tool.

-Frans

From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Oliver, Jeff" <jeff.oli...@uleth.ca>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, 14 July 2017 at 19:47
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] eduroam AUP question

Seconded.

Cheers,
Jeff

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Friday, July 14, 2017 11:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam AUP question

I fundamentally disagree with this. I’d argue that by using eduroam as your default, users are put at risk because they no longer have a key determiner for trusting/not trusting the SSID they’ve connected to. There is no guarantee that eduroam operates the same at each campus, nor is there any guarantee that the user’s connection/data is safe when away from your home campus, i.e. it’s no different than Starbucks. While you can set up eduroam at your home campus to be the same as your “MyCollege” SSID, can you attest to that when they are at another participating EDU? You simply can’t, and from the user’s perspective, they’ve now been lured into trusting eduroam no matter where they go – to me that’s a bad design. You now have to tell your users two stories, i.e. when on campus trust eduroam; when off campus, best use a VPN or else. That’s simply poor user implementation since the user will likely forget the “or else” part. In keeping eduroam as a “guest” network, you tell users one story. When on campus, use the “MyCollege” SSID, and when traveling, use eduroam and a VPN client. The user now has a clear understanding of how to trust eduroam.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Davis, Kevin" <keda...@davidson.edu>
Reply-To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, July 14, 2017 at 10:15 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] eduroam AUP question

With modern network architecture, it’s fairly easy and I would argue a preferred design to use “eduroam” as the SSID for everything, while on the back end segmenting your students/faculty/staff to access levels and experience identical to whatever “MyCollege” SSID you had before. No impact to them functionally; easy to implement; reduces SSIDs for you; helps users recognize and trust eduroam when they travel; and their devices roam automatically in the future.

Kevin

From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Elizabeth Shannon <esh...@ksu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, July 14, 2017 at 12:54 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] eduroam AUP question

Not that I am disagreeing with Jeff, but is the intent of the eduroam network simply as a guest network? I see many benefits of eduroam, but I would like to understand the intent of eduroam, so that our constituents have a more consistent experience as they utilize eduroam. We have guests on our campus, but we have no way of easily finding a guest and having a conversation with them if necessary. With eduroam, I can contact the host institution and they can decide if they are going to allow their user to continue using eduroam. If we truly need to speak with the user, they can facilitate our interaction with the user. Perhaps I am in the minority. Thanks.

--
Elizabeth Shannon, CIPT
Kansas State University
Information Security and Compliance
785.532.2540

From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Jeffrey D. Sessler" <j...@scrippscollege.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, July 14, 2017 at 11:29 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] eduroam AUP question

As eduroam is really a guest network, I would never make it the primary network for my users. Best to treat/deploy it as a slightly better version of the WiFi you can get at Starbucks or McDonalds.
Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Davis <da...@udel.edu>
Reply-To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, July 14, 2017 at 8:14 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] eduroam AUP question

Seems to me that it's much easier now to just forget eduroam, remove it from campus, and go back to our branded WiFi.

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331
Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure
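The server-identity check Frans Panken describes above (the supplicant validating the RADIUS server's certificate before releasing credentials) is what separates a legitimate "eduroam" association from a rogue access point broadcasting the same SSID. As an added example that is not part of any message in this thread, the following Python script audits wpa_supplicant network blocks for that check. The configuration it audits is constructed for illustration (a hypothetical institution example.edu, made-up paths and usernames): the first block is the weak profile a user ends up with by clicking through certificate prompts, the second is the hardened profile that pins both the CA and the server name, the third is an ordinary PSK network that needs no such check. The wpa_supplicant option names (ca_cert, domain_match, anonymous_identity, ...) are real; every value is an assumption.

```python
"""Audit wpa_supplicant network blocks for RADIUS/EAP server-identity pinning.

An eduroam (WPA2-Enterprise) profile only protects the user's credentials if the
supplicant verifies the RADIUS server's certificate against a pinned trust anchor
AND a pinned server name. Without those, a rogue AP advertising "eduroam" can
present any certificate and capture the inner authentication exchange.
"""
import re
from typing import Dict, List

# Constructed sample configuration (hypothetical institution example.edu, not a
# real deployment). Block 0: weak profile. Block 1: hardened profile. Block 2: PSK.
SAMPLE_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    password="correct horse battery staple"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.edu"
    identity="alice@example.edu"
    password="correct horse battery staple"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    domain_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="HomeWiFi"
    key_mgmt=WPA-PSK
    psk="not an enterprise network"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Split a wpa_supplicant.conf into network={...} blocks, each a key->value dict."""
    networks: List[Dict[str, str]] = []
    for body in BLOCK_RE.findall(conf):
        entry: Dict[str, str] = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")  # split on the first '=' only
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def audit_network(net: Dict[str, str]) -> List[str]:
    """Return findings for one profile; an empty list means the server identity is pinned."""
    findings: List[str] = []
    if "EAP" not in net.get("key_mgmt", ""):
        return findings  # PSK/open network: there is no RADIUS server to validate
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no ca_cert/ca_path: any server certificate is accepted")
    if not (net.get("domain_match") or net.get("domain_suffix_match")
            or net.get("altsubject_match") or net.get("subject_match")):
        findings.append("no domain_match (or equivalent): any certificate issued by "
                        "the trusted CA, for any host, is accepted")
    if not net.get("anonymous_identity"):
        findings.append("no anonymous_identity: the real username travels in the "
                        "cleartext outer EAP identity")
    return findings


def audit_conf(conf: str) -> List[List[str]]:
    """Audit every block in a configuration; result index i is the i-th network block."""
    return [audit_network(net) for net in parse_networks(conf)]


if __name__ == "__main__":
    for i, (net, findings) in enumerate(zip(parse_networks(SAMPLE_CONF), audit_conf(SAMPLE_CONF))):
        status = "OK" if not findings else "WEAK"
        print(f"[{i}] ssid={net.get('ssid')!r} key_mgmt={net.get('key_mgmt')}: {status}")
        for finding in findings:
            print(f"      - {finding}")
```

The hardened block is what a correctly provisioned profile looks like: the CA pin alone is not enough, because any server holding a certificate from that CA would still be accepted, so the server name must be pinned as well. This is also the gap the eduroam CAT installer Frans mentions closes on platforms such as Android, by installing the CA and the expected server name together instead of relying on the user to judge a certificate prompt.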