SALSA-NetAuth - FWNA Working Group conference call
January 11, 2007

*Attendees*
Kevin Miller, Duke U. (co-chair)
Chris Misra, U. Mass
Steve Carmody, Brown U.
Richard Conto, Merit
Mark Linton, Penn State U.
Steve Olshansky, Internet2
[Jessica Bibbee, Internet2 (scribe)]
 
New *Action Items*
[AI] {Kevin} will review his notes from Member Meeting and send changes to {Jessica}.
[AI] {Kevin} will follow up with {Tom} on aggregating use cases around guest access.
[AI] The Group will review {Steve C.'s} RADIUS-SAML document and give feedback on next steps once they move closer to agreement on an approach.
[AI] {Kevin} will lead discussion at Joint Techs to gather consensus around the RADIUS-SAML integration topic.
[AI] {Kevin} will address the EDUCAUSE-WLAN list to get feedback on the RADIUS-SAML document by the end of February.
[AI] {Steve C.} will review the draft RADIUS-SAML document, update it with conversations with {Bob Morgan and Scott Cantor}, and forward it to the list for feedback from an operational perspective.
[AI] {SteveO} will work with {Chris and Kevin} on a draft survey for replacing with content around guest access, and will connect interested individuals.

Carry-over *Action Items*
[AI] {Mark, Philippe, and Tom Z.} will help to aggregate use cases around guest access.
[AI] {John} will contribute questions towards identifying and compiling trust issues for a document(s).
[AI] {Chris} will forward a link regarding developments in the NEA working group.
[AI] The Group will review {John's} document and follow-up on the FWNA mailing list.
 
*Agenda*
1. Internet2 Member Meeting Recap
   - Sessions
     * RADIUS & SAML: Network Authentication & Attribute Exchange
     * NetAuth & FWNA Working Group
     * Implementing 802.1x
   - WG Meeting
2. FWNA Next Gen
   - RADIUS-SAML Draft Document review
   - Next steps? 

*Discussion*
{Kevin} reviewed several topics that were discussed at the Fall 2006 Internet2 Member Meeting in Chicago, December 6-9. {Philippe Hanset and Diego Lopez} presented at a RADIUS & SAML session on Network Authentication & Attribute Exchange. {Steve C.} mentioned a third proposal by {Josh Howlett} with UKERNA, which is doing similar work, though suggests modifications to RADIUS around peer location. {Kevin and Steve C.} agreed that it is better to get traction on SAML integration before talking about or implementing changes on RADIUS.

The NetAuth & FWNA Working Group BoF had a good turnout, with conversation focused around guest access and trust issues. [AI] {Kevin} will review his notes from the Member Meeting and send changes to {Jessica}.

{Kevin and Rich Cropp} presented at the Implementing 802.1x session, where the presentation was aimed at an audience less technical than typical working group calls. There was much interest around using 802.1x, though most simply had plans and had not actually implemented it yet. Discussion did not reach the point of sharing problems encountered. However, most seemed to think that 802.1x is at a stage where a 'mortal' can implement it, though issues do arise when the help desk and customer support are added. {Kevin} suggested that the next year looks promising in terms of 802.1x adoption, with many large sites surfacing on the EDUCAUSE-WLAN mailing list.
<http://events.internet2.edu/2006/fall-mm/sessionDetails.cfm?session=2856&event=258>

{Mark} noticed that several thought CALEA compliance was directly related to the use of 802.1x. This suggests that some may move ahead with 802.1x as they move towards compliance with CALEA. {Kevin} mentioned that a desire to maintain private network status is causing folks to review their internal practices and systems. {Mark} said Penn State required that they comply with something like CALEA, even before CALEA came to be, addressing both technical and procedural aspects. He said some might move towards 802.1x for the sake of being CALEA compliant, but there may also be campuses (i.e., with private networks) that need to know who is part of their network, so 802.1x may be a good fit in those cases as well.

{Kevin} highlighted some points of a conversation with {Tom Rixom}, one of the original developers of SecureW2. {Tom} is now expecting many changes for SecureW2 and looking at a list of features. He is interested in feedback on which features are most important. {Kevin} recapped several items from his April conversation with {Tom}, appended below [0].

{Steve C.} asked where Vista stood with respect to 802.1x. {Kevin} said that in terms of working with 802.1x, the functionality is no different than out-of-the-box. {Mudit Goel} is the Development manager of EAP and related components at Microsoft; please refer to the notes in his 24-Jan email [1].

{Steve C.} is looking for feedback on the next steps for the RADIUS-SAML document. He would like to converge with others interested to see what is operationally acceptable, as the main differences may lie here. [AI] {Steve C.} will review the draft RADIUS-SAML document, update it with conversations with {Bob Morgan and Scott Cantor}, and forward it to the list for feedback from an operational perspective. [AI] The Group will review {Steve C.'s} RADIUS-SAML document and give feedback on next steps once they move closer to agreement on an approach.

In order to move forward with the RADIUS-SAML integration work, it is important to gather feedback from other interested people. [AI] {Kevin} will lead discussion at Joint Techs to gather consensus around the RADIUS-SAML integration topic. [AI] {Kevin} will address the EDUCAUSE-WLAN list to get feedback on the RADIUS-SAML document by the end of February. The Group ought to then have a buffer zone to prepare a close-to-final document and build consensus at the April Spring Internet2 Member Meeting in Washington, D.C.

{Mark} forwarded a document from U. Michigan in mid-December that had a good, relatively direct assessment of the guest access arena and current options. He is interested in polling a larger audience, possibly including the EDUCAUSE-WLAN list, the Internet2 Member Meetings, Net-guru, and even the FWNA Working Group, to see what folks are doing with respect to guest access. {Chris} mentioned creating a generalized survey and making that available to all. An important step is to clearly identify what will result from the feedback of the survey; {Chris} suggested pushing for that feedback to be shaped into a document that summarizes what is being done today and why. What are the driving factors leading to a desire for change in how institutions handle guest access, i.e., which mechanisms are being used, and why is an institution unhappy about the use of that mechanism? [AI] {Kevin} will follow up with {Tom} on aggregating use cases around guest access. [AI] {SteveO} will work with {Chris and Kevin} on a draft survey for replacing with content around guest access, and will connect interested individuals.

The next SALSA-NetAuth - FWNA WG call will be held on Thursday, January 25, 2007 at 11am EST.

“””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””

[0] (cf. Kevin's email on 11-Jan, originally 4-May)

Consensus Items

1. Federated network access is a good idea. There is much work to be done, however, as other mechanisms for guest access are currently easier to deploy.

2. There need to be better tools and capabilities for policy enforcement, application of business rules in authorization decisions, and collection of more host data before network access is granted.

3. The realm of device-based network authentication should be further investigated, especially as it relates to embedded devices such as wireless phones, sensors, and the like.

4. The 802.1x supplicants, and in particular SecureW2, need to be improved in key areas:
    * Ease of installation
    * Auto-discovery of local settings
    * Mechanisms for local auto updates and pushes of new config policies
    * Password policies (password retention and caching)
    * Security (certificate / DN-based trust)
    * Improved interface to inform the user of wireless status (secure/insecure), especially when 802.1x fails and another authn is used

5. The EAP-Notification needs to be more effectively used in clients to provide useful messages to users when problems occur.

“””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””

[1] (cf. Mudit Goel's email on 24-Jan)

In Windows Vista, we have introduced a new Networking Component and Extensible Platform called EAPHost, which provides EAP infrastructure for the authentication of any EAP-based supplicant, including 802.1x. This component has two sets of APIs:

1. Supplicant side APIs: Here any supplicant can plug into EAPHost and use any EAP method installed on the machine for authentication.
2. Method side APIs: Here anyone can provide an EAP Method that can be used by any supplicant written to the above APIs.

In addition to that, we are going to provide an EAP Certification Mechanism, to be launched around the LH Server/Vista SP1 timeframe, that will allow third parties to write a supplicant or a method that uses the above APIs, get it certified by Microsoft that it works as expected with the above APIs, and have it shipped to anyone through WindowsUpdate.

We also provide an 802.1x supplicant in the box that can leverage any EAP methods written to the EAPHost APIs. We also have some EAP methods including PEAPv0, EAPTLS and EAP-MSCHAPv2 in the box that any supplicant written to the EAPHost APIs can use.

There is more information regarding this at:
<http://msdn2.microsoft.com/en-us/library/aa364249.aspx>
<http://www.microsoft.com/technet/network/eap/default.mspx>