SALSA-NetAuth - FWNA conference call
May 4, 2006

*Attendees*
Kevin Miller, Duke U. (co-chair)
Philippe Hanset, U. Tennessee (co-chair)
Klaas Wierenga, SURFnet
Mike Coffey, U. Tennessee
Rich Cropp, Penn State U.
Mark Linton, Penn State U.
John Vollbrecht, Merit
Lynn Little, Internet2
Steve Olshansky, Internet2
Jessica Bibbee, Internet2 (scribe)

Carry-over *Action Items*
[AI] {Kevin} will connect the local RADIUS administration folks at Duke to the FWNA-Ops list. (23-Feb-06)

Future *Agenda Topics*
[AI] {Group} will discuss attributes and experimentation around a contact # attribute. (20-Apr-06)
[AI] {Group} will think of local site requirements for security, logging, and access to utilization of information in the context of Eduroam, where non-local users are involved. (3-Nov-05)

*Discussion*
Interest in FWNA at the Spring Internet2 Member Meeting was high, with attendees from over 20 organizations at the 802.1x meeting. {Kevin} emailed his observations to the list (cf. 4-May), highlighting that:
- while the idea of FWNA is solid, accessibility of technology needs to be improved,
- better tools for policy are needed,
- device-based network authentication needs further discussion,
- 802.1x supplicants have several areas to improve, and
- EAP-Message needs to provide more useful error messages.

{Philippe} shared his impression of the FWNA session. Folks are still facing issues with 802.1x, e.g., it is still possible to bypass switches, reinforcing security concerns at the hardware level. This work may move beyond FWNA, and might benefit from approaching IETF or vendors who are implementing 802.1x.

{Mike} demonstrated the logging of the experiment, via <http://FWNA.ns.utk.edu/logs.cgi>. There are still a few bugs that need working through, e.g., if you relocate or need to reboot, you are no longer able to get back on. Conversely, there is no good way to force a disconnect, in the event of a denied connection. To further safeguard these connections, Shibboleth might be an option.

{Klaas} sent a link to the eduroam-in-a-box solution <http://sourceforge.net/projects/eduroam>, which Rok Papez of the Slovenian NREN created (cf. email 4-May).

{John} discussed two possible tracks for FWNA to take (cf. email 3-May). Track I is the experimental track: setting up the infrastructure, getting others to join, and getting technologies in line. Track II addresses the policy needed to map back to that infrastructure. The FWNA WG is now focusing on the experimental side, though the policy work will certainly demand attention in the future. Opening this discussion to a broader audience would add valuable insight into federation work.

The next SALSA-NetAuth FWNA WG conference call will be on Thursday, May 18, 2006 at 11am ET.