SALSA-NetAuth - FWNA conference call
June 15, 2006
*Attendees*
Kevin Miller, Duke U. (co-chair)
Philippe Hanset, U. Tennessee (co-chair)
Mike Coffee, U. Tennessee
Klaas Wierenga, SURFnet
Mark Ashida, Microsoft
Dennis Ward, U. Michigan
Andy Rosenzweig, Merit
John Vollbrecht, Merit
Richard Conto, Merit
Rich Cropp, Penn State U.
Mark Linton, Penn State U.
Kevin Lanning, UNC, Chapel Hill
Charles Yun, Internet2
Renee Frost, Internet2
Steve Olshansky, Internet2
Jessica Bibbee, Internet2 (scribe)
New *Action Items*
[AI] Please contact {Mark} if you have ideas or scenarios to propose, <mashidaATmicrosoft.com>.
[AI] {Kevin} will talk to {Mark} about continuing discussion on 802.1x implementation.
[AI] {Klaas and John} will prepare slides, and {John} will approach the NEA Group with a proposal for a presentation on 802.1x at the next IETF meeting.
[AI] {John} and {Chris} will work on a basic architecture page for a document on next steps w/802.1x, and {Group} will provide feedback. (18-May-06)
Carry-over *Action Items*
[AI] Philippe will approach Denmark to set up test connections. (15-Jun-06)
[AI] {Kevin} will send an informal note to {Chris Misra} regarding the progression to Phase II for the FWNA group. (15-Jun-06)
[AI] {Kevin} will connect the local RADIUS administration folks at Duke to the FWNA-Ops list. (23-Feb-06)
Future *Agenda Topics*
+ Group will continue discussion on certificate management. (15-Jun-06)
+ Group will discuss attributes and experimentation around a contact # attribute. (20-Apr-06)
+ Group will think of local site requirements for security, logging, and access to utilization of information in the context of Eduroam, where non-local users are involved. (3-Nov-05)
*Discussion*
The Group welcomed {Mark}, who is employed with Microsoft as the General Manager of the Enterprise Network Group. He is interested in use cases focusing on roaming and network isolation. [AI] Please contact {Mark} if you have ideas or scenarios to propose, <mashidaATmicrosoft.com>.
{Kevin} shared the FWNA Group's interest in leveraging AuthN credentials for roaming access, and how an experiment is underway using a RADIUS proxy. The FWNA working group is now looking towards a larger scale: how to better embed policy and access, and what the access looks like.
{Klaas} asked how Network Access Protection would work in a roaming scenario – is there a model to describe this? He gave a quick overview of Eduroam, which is using a RADIUS hierarchy to connect nearly 500 schools in 30 countries in Europe and Asia-Pacific. Essentially, a user's credentials are routed from the visited institution and matched with their home institution.
{Mark} suggested there are two items of interest: 1) who are they, and 2) how to AuthN? Beyond Identity Management, there are issues of keeping infected [visiting] laptops from entering your home network. There needs to be a way of trusting the health state of each laptop, based on a level of policy that matches access with the confidence level.
Discussion then explored just how the user should be authenticated – at the visited or home institution? Who remains accountable for enforcing the level of security? Can standards be set in place, or would this have to remain dependent on each institution? There seem to be three levels of user access, based on their authentication: 1) none, 2) guest, or 3) full access.
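As an added illustration (not part of these minutes, and not code from Eduroam or any FWNA experiment), the Python sketch below models the realm-based routing {Klaas} described, in which a visited institution forwards a roaming user's request up a RADIUS proxy hierarchy to the user's home institution, and then maps the outcome onto the three access levels the discussion identified. The realm names, the proxy topology, and the choice to treat a locally authenticated user as "full" and a home-vouched roaming user as "guest" are constructed assumptions for the example, not facts from the call.

```python
from typing import Dict, List, Tuple

# Constructed topology (illustrative names only, not real Eduroam data).
# Institution realm -> the national proxy that serves it.
INSTITUTIONS: Dict[str, str] = {
    "uni-a.example.nl": "nl",
    "uni-b.example.nl": "nl",
    "college.example.dk": "dk",
    "campus.example.edu": "us",   # hypothetical US federation member
}
# National proxy -> the top-level proxy it peers with.
NATIONAL_PROXIES: Dict[str, str] = {"nl": "top", "dk": "top", "us": "top"}

ACCESS_LEVELS = ("none", "guest", "full")


def split_identity(identity: str) -> Tuple[str, str]:
    """Split an outer identity 'user@realm' into (user, realm).

    Raises ValueError when no usable realm is present: a proxy hierarchy
    has nothing to route on without one.
    """
    if "@" not in identity:
        raise ValueError("identity has no realm")
    user, _, realm = identity.rpartition("@")
    realm = realm.strip().lower()
    if not user or not realm:
        raise ValueError("malformed identity")
    return user, realm


def route(identity: str, visited_realm: str) -> List[str]:
    """Return the ordered list of RADIUS servers the request passes through.

    The visited institution answers its own users locally. Otherwise the
    request climbs to the visited country's national proxy, crosses the
    top-level proxy only when the home realm is in another country, and
    descends to the home institution, the one node that actually checks
    the credentials.
    """
    _, home_realm = split_identity(identity)
    if home_realm not in INSTITUTIONS:
        raise LookupError(f"unknown realm {home_realm!r}")
    if visited_realm not in INSTITUTIONS:
        raise LookupError(f"unknown visited realm {visited_realm!r}")
    path = [visited_realm]
    if home_realm == visited_realm:
        return path                      # local user, no proxying needed
    visited_country = INSTITUTIONS[visited_realm]
    home_country = INSTITUTIONS[home_realm]
    path.append(f"{visited_country}-proxy")
    if home_country != visited_country:
        path.append(f"{NATIONAL_PROXIES[visited_country]}-proxy")
        path.append(f"{home_country}-proxy")
    path.append(home_realm)
    return path


def decide_access(identity: str, visited_realm: str, home_accepted: bool) -> str:
    """Map the routed authentication outcome to none / guest / full.

    The local-vs-roaming split used here is an assumption made for the
    example; each site would set its own policy.
    """
    try:
        hops = route(identity, visited_realm)
    except (ValueError, LookupError):
        return "none"          # no home institution to ask, so no access
    if not home_accepted:
        return "none"          # home institution rejected the credentials
    if len(hops) == 1:
        return "full"          # local user authenticated by the local site
    return "guest"             # roaming user vouched for by the home realm


if __name__ == "__main__":
    for ident, visited in [("alice@uni-a.example.nl", "college.example.dk"),
                           ("bob@uni-b.example.nl", "uni-b.example.nl")]:
        print(ident, "via", visited, "->", " > ".join(route(ident, visited)))
```

Note that an unknown or missing realm is treated as a routing failure rather than passed to some default server; a proxy that forwards requests it cannot place is the kind of behaviour the logging and local-site requirements on the agenda are meant to catch.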
{John} has been working on certificate management topics such as how to create a cert, self-assign, TTLS, where you put it, how to load into client, etc. Some items may cross over into PKI, and should be addressed to that WG. Additional certificate management topics will be shared on the mailing list.
The next SALSA-NetAuth - FWNA WG call will be held on Thursday, July 13 at 11am EDT.