SALSA-NetAuth - FWNA Working Group conference call
November 30, 2006

*Attendees*
Kevin Miller, Duke U. (co-chair)
Philippe Hanset, U. Tennessee (co-chair)
Chris Misra, U. Massachusetts
Louis Searchwell, UKERNA
Richard Conto, Merit
Tom Zeller, Indiana
Rich Cropp, Penn State U.
Mark Linton, Penn State U.
Steve Carmody, Brown U.
Renee Frost, Internet2
Steve Olshansky, Internet2
Jessica Bibbee, Internet2 (scribe)

New *Action Items*
[AI] {Kevin and Chris} will prepare an agenda for the Working Group meeting at the Internet2 Member Meeting.

Carry-over *Action Items*
[AI] {Chris} will forward a link regarding developments in the NEA working group.
[AI] The Group will review {John's} document and follow-up on the FWNA mailing list.

*Agenda*

1. Internet2 Member Meeting
   - Sessions
     * RADIUS & SAML: Network Authentication & Attribute Exchange
       Dec 5, 3PM
     * NetAuth & FWNA Working Group
       Dec 6, 7:30AM
     * Implementing 802.1x
       Dec 6, 10:30AM
   - Agenda bashing for WG meeting
2. NetAuth
   - your item here?
3. FWNA Next Gen
   - Document review
   - Next steps?

*Discussion*
{Renee} was not present to report any updates on the Intellectual Property Framework discussion. <http://members.internet2.edu/intellectualproperty.html>

Next week is the Fall Internet2 Member Meeting in Chicago, IL – December 4-7.
<http://events.internet2.edu/2006/fall-mm/index.html>

The three sessions of note include:
* 5-Dec, 3PM - RADIUS & SAML: Network Authentication & Attribute Exchange
* 6-Dec, 7:30AM - NetAuth & FWNA Working Group
* 6-Dec, 10:30AM - Implementing 802.1x

{Philippe} has posted the RADIUS configuration of servers on the wiki: <https://wiki.internet2.edu/confluence/display/FWNAWG/eduroam1.ns.utk.edu%2C+national+server%27s+config>.

{Kevin} seeded the mailing list with a request for questions or issues related to 802.1x, for discussion at the Member Meeting session. Several people responded with interest in many topics; see appended list [0].

{Kevin} made a request to the Group for additional items to include in the SALSA-NetAuth FWNA Working Group meeting on Wednesday morning. [AI] {Kevin and Chris} will prepare an agenda for the Working Group meeting at the Internet2 Member Meeting.

{Steve C.} posted the latest revision of the draft proposal for RADIUS-SAML integration: <http://stc.cis.brown.edu/~stc/Projects/Projects-using-Shib/eduRoam/Radius-SAML-Profile-v2.html>. Changes to the previous version are listed in a change log at the end of the document. Additional questions about the document should be sent to Steve Carmody: <Steven_Carmody AT brown.edu>.

The group discussed the definition of 'opaque' in the context of the document, as there seemed to be some confusion about how the opaque name identifier satisfies privacy requirements while still providing enough information to be useful. Is privacy critical, or something to be avoided? Some said it was to be avoided, as it would only be fair that a campus know who has joined its network. They also discussed the pros and cons of using a telephone number as an additional identifier. Ultimately, the user experience should be seamless, and there are still several items to figure out. As the document has progressed, several aspects have emerged that need to be detailed, though perhaps in a companion document with a larger scope. The Group will continue to think about next steps that will create momentum for moving forward.

The next SALSA-NetAuth - FWNA WG call will be held on Thursday, December 14 at 11am EST.

"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

[0] Discussion of 802.1x topics for the Member Meeting (cf. Kevin's email on 28-Nov):

- Why use 1x? (advantages?) (it is a dual advantage: you authenticate users and users can authenticate the infrastructure, plus you get encryption)
- What will happen with Vista and 802.1x?
- How do you deal with password changes (e.g., a 6-month renewal policy) (creating a catch-22: password expires, no access to the network, etc.)
- What about Voice over WiFi and 802.1x (delays, hassles)
- How to deal with User Interface variability and EAP configs (IBM laptops have their own interface, Dell uses WZC)
- What methods to use to convince users to move to 802.1x (especially when you plan to have non-802.1x available as well)
- Methods of migration from non-1x to 1x (coexistence VS replacement)
- How various implementations deal with one SSID providing multiple styles of encryption (e.g., many vendors will let you configure WPA and WPA2 for the same SSID; not many clients deal well with it)
- RADIUS experiences and availability (some RADIUS servers will support EAP-PEAP and TTLS under the same REALM)
- How to avoid Man in the Middle (private certificate VS public certificate, CName, etc.)
- 802.1x supplicant use in Vista vs. XP - I think you will find that there will be more support for the Vista supplicant in XP and less need for third party clients such as IBM's. I guess this makes life more complicated in the interim.
- Support of EAP methods using EAP Host in Vista
- Backport of EAP Host to XP
- Support of 802.1x wired in XP
- Include Eduroam in your supplicant configuration for campus.
- Behavior with Broadcast VS non-Broadcast SSID (many infrastructures use multiple SSIDs as a convenient way to implement 802.1x)
- Behavior in case of one SSID having various encryptions (e.g., WEP and WPA on the same SSID). So far XP has not liked this kind of implementation.
- How to handle automatic configuration of Windows 2K/XP/Vista without having a twenty-something-step manual so everybody needs the helpdesk anyway.
- How about a refresher on the capitalization of 802.1X?
- See what the 802.1 working group has to say: <http://www.ieee802.org/1/>
- See what Glenn Fleishman and Matthew Gast have to say: <http://wifinetnews.com/archives/002989.html>
- What methods to "disconnect" an 802.1x session (e.g., removing the entry in the AAA server doesn't disconnect an active session)