Can you provide any additional information as to why the use of eduroam is prohibited?

Regarding local campus use, it was an opinion by university legal counsel — I have nothing more to add. (And this is not a listserv for legal experts.)
I can comment on security for UT Austin’s use of eduroam elsewhere, and that would be an appropriate conversation for this list. It is related to how our university has implemented credentials and wireless authentication that may not apply at many other institutions.

1) Wireless at UT Austin may only be accessed via 802.1x at present, and the only EAP method supported is PEAPv0/EAP-MSCHAPv2. MSCHAPv2 has vulnerabilities. As long as the RADIUS infrastructure is operated securely by the university, we do not believe this is much of an exposure. eduroam, however, is a confederation of thousands of RADIUS servers, none of which are operated by the university. We think some of those could be compromised, providing access to exploit MSCHAPv2 weaknesses.

2) The credential is the same one used for “consistent sign-on” for almost all university services. Additional factors are being added to a number of services, but compromise of the single credential would still be very bad.

3) We know about alternative EAP methods, such as certificates. It is a tool we would like for other use cases and benefits. But that has not been prioritized for resources to date (please insert long-tail time and money here).

4) It has been our experience that PEAPv0/EAP-MSCHAPv2 is the path of least resistance on the most popular platforms. A different credential or alternative EAP methods for regular campus use would create too much friction when connecting (your campus may be different). Yes, we are aware of current on-boarding products — and we use some of them.

At some point the security environment may change (it usually does), tipping in favor of other methods. Along the way, native OS support may improve for other methods, obviating the need for an on-boarding step by our community (wouldn’t that be swell), or on-boarding tools may become better and less cumbersome.

-William

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
