SALSA-NetAuth - FWNA conference call March 23, 2006
*Attendees*
Kevin Miller, Duke U. (co-chair)
Philippe Hanset, U. Tennessee (co-chair)
Mike Coffey, U. Tennessee
Rich Cropp, Penn State U.
Mark Linton, Penn State U.
Dennis Ward, U. Michigan
Chris Misra, U. Massachusetts
Andy Rosenzweig, Merit
Renee Frost, Internet2
Steve Olshansky, Internet2
Jessica Bibbee, Internet2 (scribe)
New *Action Items*
[AI] {Dennis and Rich} will work with {Mike} on the RADIUS setup testing their local test system to infrastructure.
[AI] {Andy} will email the FWNA-Ops list to set up a call between {Philippe, Mike, and Bill.}
[AI] {Chris} will email the regional SIG presentation to the list.
[AI] {Andy} will forward materials from the grant submission for documentation purposes.
[AI] {Philippe} will contribute thoughts on federated guest wireless access issues.
[AI] {Philippe} will send 802.1x information and names that {Kevin} can contact.
Carry-over *Action Items*
[AI] {Mike} will work up a script to provide a useful log output for the Group to view in real time. (9-Mar-06)
[AI] {Chris} will send out an agenda to confirm I2MM session times relevant to the FWNA WG. (9-Mar-06)
[AI] {Kevin} will email the list in hopes of recruiting individuals to present their experience using 802.1x, etc. (9-Mar-06)
[AI] {Kevin} will draft a write-up for {Andy}, detailing the past and future work of the FWNA WG. (9-Mar-06)
[AI] {Kevin} will forward an email to the list regarding the EAP SAML proposal. (9-Mar-06)
[AI] {Chris} will send out an agenda to confirm I2MM session times relevant to the FWNA WG. (23-Feb-06)
[AI] {Kevin} will forward an email to the list regarding the EAP SAML proposal. (23-Feb-06)
[AI] {Kevin} will connect the local RADIUS administration folks at Duke to the FWNA-Ops list. (23-Feb-06)
[AI] {John and Philippe} will set up a time to discuss the authenticating of the Merit server. (23-Feb-06)
[AI] {Kevin and Philippe} will document the decisions made during the campus connection process, including test accounts. (5-Dec-05)
[AI] {Group} will think of local site requirements for security, logging, and access to utilization of information in the context of Eduroam, where non-local users are involved. (3-Nov-05)
*Discussion*
The Spring Internet2 Member Meeting <http://events.internet2.edu/2006/spring-mm/> will be the next chance for the FWNA Working Group to get together and discuss 802.1x experiences. How to implement 802.1x across different campuses? What are the prevailing challenges? Any scenarios or discussion will help to outline use cases for the BoF.
{Andy} provided an update on the proposed grant work to explore policy and technical issues, discussed on the previous WG call. It was decided that the requirements for submitting the proposal were too great; this opportunity will be revisited at the next funding round, and other funding opportunities will be pursued. [AI] {Andy} will forward materials from the grant submission for documentation purposes.
{Philippe and Mike} are interested in testing connections with anyone who has a RADIUS server alongside 802.1x – a minimum of 5 different sites is desired. {Dennis} reported a pilot project at U. Michigan working towards a production service, which will be an ideal site to work with Merit. [AI] {Dennis and Rich} will work with {Mike} on the RADIUS setup testing their local test system to infrastructure. [AI] {Kevin} will connect the local RADIUS administration folks at Duke to the FWNA-Ops list. (23-Feb-06) [AI] {Andy} will email the FWNA-Ops list to set up a call between {Philippe, Mike, and Bill.}
The Group focused the discussion on how to handle wireless LAN guest access. It was agreed that all efforts should be made to help the community as a whole, via documentation of the set-up process, a possible configuration website that would offer various routes for campuses, etc. This information could be linked near the registration site for those looking for support.
Many campuses have an existing visitor network, and may not see the outright benefit of joining a federation such as Eduroam. What are some potential benefits of RADIUS AuthN hierarchy that would raise interest in joining a federation to improve guest access? A federation would provide fewer limitations and greater access to visitors through a full-service AuthN solution. Another benefit is that a federation provides a consistent access method. Eduroam may be of greater interest once you incorporate 802.1x.
Campuses are still working to define a "guest", and are therefore struggling with guest access. What level of security ought they require at a minimum? Eventually, there will be enough pressure to follow a path of encryption for data packets and management frames. A single credential offers a temporary solution, while there is a desire to expand guest access such that a system would enable full authority over a realmed credential. Even if a solution is found for most types of guests (visiting scientist, remote devices, etc.), there may always exist an outlier at each campus. How will campuses deal with these exceptions?
There are common issues facing any campus deploying a homegrown set-up, and this is where the experiment should focus on providing a common solution. There is value in providing an environment that generates regional solutions, which may ripple outwards to national deployment. [AI] {Philippe} will send 802.1x information and names that {Kevin} can contact. [AI] {Chris} will email the regional SIG presentation to the list.
{Philippe} raised another issue with the current hierarchy model – there is a lack of flexibility in terms of protecting the local campus as well as the user. The model could be improved to provide more control at the campus level, giving more incentive for joining a federation. There is a need for distributed AuthZ, which provides incentive for this model and further drives future efforts. Documentation should capture the differences between the European model and what the WG is advocating for an AuthN/AuthZ model. [AI] {Philippe} will contribute thoughts on federated guest wireless access issues.
The next SALSA-NetAuth FWNA WG conference call will be on Thursday, April 6, 2006 at 11am ET.