About EAP-TLS blocking ... You do not need to revoke a cert (too painful indeed for operator and user). Chad wrote a hook for the Anyroam service that identifies the certificate's fingerprint. So if a device misbehaves, you can just block the device via the certificate's fingerprint. With one certificate per device, you end up with the same as a SIM card (or the good ol' MAC address :)

Philippe Hanset, CEO
ANYROAM LLC
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

On Aug 6, 2020, at 11:29 AM, Turner, Ryan H <[email protected]> wrote:

The other issue comes in with blocking devices. On open networks/PSK networks, this will make isolating bad devices really difficult. We have relied on MAC address blocks for over a decade. They work very well. Yes, you can get a determined individual who can get past/change their MAC address. But that is going to be a tiny fraction of cases, and MAC blocking is an effective way of blocking a bad device.

We require registration for our PSK network, so the private MAC addresses will be blocked effectively there. But we haven't required registration on eduroam (our primary), because we have identity in the certificate. We chose not to use OCSP (but we can), but if we revoke a cert, we have to also block the user from getting another certificate (2 steps instead of one, which is why we have stayed with MAC blocking). We could require folks to register for eduroam, but that is such a nasty thing to do to the users.

Grrrrr. Not an easy fix.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Enfield, Chuck
Sent: Thursday, August 6, 2020 11:14 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

I'll also add that identity is what makes a private network private. Yes, you can check identity at connection time, then throw it away and still remain private, but that's never been an option for us when designing services with our risk, legal and info security departments.

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Julian Y Koh
Sent: Thursday, August 06, 2020 10:59 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

On Aug 6, 2020, at 09:51, Enfield, Chuck <[email protected]> wrote:

How can we fulfill DMCA requirements when we can't even identify a device, let alone the user? If you want to remain anonymous, use a different network.

IANAL, and I don't even play one on TV, but my admittedly old understanding of the DMCA is that it's not necessarily mandating that you have to be able to identify every single device on your network. Indeed, some institutions' responses to DMCA notices have been that they don't have the necessary information to be able to take action. So IMO, assuming (which is dangerous) that I'm correct, if MAC randomization puts an undue burden and/or large obstacles on your ability to track down a device/user and cut it off from the network, the DMCA alone shouldn't be seen as a mandate to try to disable MAC randomization.

--
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology
2020 Ridge Avenue #331
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
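The fingerprint-based block that Philippe describes at the top of the thread, as an added example that is not Anyroam's hook and not code posted by anyone in the thread. It hashes the DER encoding of the client certificate, compares the result with a deny-list of fingerprints, and rejects the session on a match, so no CRL or OCSP revocation is involved. The two PEM "certificates" are constructed placeholder bytes in PEM framing rather than real X.509 certificates (any DER bytes hash the same way); in a real deployment the DER would come from the TLS handshake or the RADIUS server's client-certificate attributes.

```python
"""Deny-list an EAP-TLS device by its client-certificate fingerprint.

Added example, not Anyroam's hook and not code from the thread. Hash the DER
encoding of the client certificate, compare it with a list of blocked
fingerprints, and reject the session on a match. Assumptions: DEVICE_A_PEM and
DEVICE_B_PEM are CONSTRUCTED placeholder bytes in PEM framing (not real X.509);
a real hook would take the DER bytes from the TLS handshake or from the RADIUS
server's client-certificate attributes.
"""
import base64
import hashlib
import ssl

HEX = set("0123456789ABCDEF")


def _pem_wrap(der: bytes) -> str:
    """Wrap raw bytes in PEM certificate framing (used for the constructed samples)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed stand-ins for two devices' client certificates: not real
# certificates, just distinct byte strings so the fingerprints differ.
DEVICE_A_PEM = _pem_wrap(b"constructed placeholder, device A, not a real certificate")
DEVICE_B_PEM = _pem_wrap(b"constructed placeholder, device B, not a real certificate")


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Certificate fingerprint: digest of the DER bytes as upper-case hex pairs
    separated by colons, the layout `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprint(pem: str, algo: str = "sha256") -> str:
    """Fingerprint of a PEM-framed certificate (PEM -> DER -> digest)."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem), algo)


def normalize(fp: str) -> str:
    """Canonical form for comparison: upper-case hex with no separators, so
    'ab:cd', 'AB CD' and 'abcd' all compare equal. Rejects non-hex input."""
    hexstr = fp.replace(":", "").replace(" ", "").strip().upper()
    if not hexstr or any(c not in HEX for c in hexstr):
        raise ValueError(f"not a hex fingerprint: {fp!r}")
    return hexstr


class FingerprintDenyList:
    """Set of blocked certificate fingerprints (one certificate per device)."""

    def __init__(self, blocked=()):
        self._blocked = {normalize(fp) for fp in blocked}

    def block(self, fp: str) -> None:
        self._blocked.add(normalize(fp))

    def unblock(self, fp: str) -> None:
        self._blocked.discard(normalize(fp))

    def is_blocked(self, fp: str) -> bool:
        return normalize(fp) in self._blocked


def post_auth(pem: str, denylist: FingerprintDenyList, algo: str = "sha256"):
    """Post-authentication hook. The TLS handshake already proved the client
    holds the key for this certificate; this step only decides whether that
    particular certificate (device) is allowed on. Returns (decision, fp)."""
    fp = pem_fingerprint(pem, algo)
    if denylist.is_blocked(fp):
        return "reject", fp
    return "accept", fp


if __name__ == "__main__":
    deny = FingerprintDenyList()
    deny.block(pem_fingerprint(DEVICE_A_PEM))  # device A misbehaved
    for name, pem in (("A", DEVICE_A_PEM), ("B", DEVICE_B_PEM)):
        decision, fp = post_auth(pem, deny)
        print(f"device {name}: {decision} ({fp[:23]}...)")
```

Two things to watch when wiring this into a RADIUS post-auth step: the deny-list entries must have been recorded with the same digest algorithm the lookup uses (a SHA-1 fingerprint copied from an older `openssl x509 -fingerprint` run will never match a SHA-256 lookup, and the session is silently accepted), and a fingerprint block is tied to one certificate, so it lapses as soon as the device is issued a new one; keeping the device from re-enrolling is a separate step, just as Ryan describes for revocation.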
