Minutes: SALSA NetAuth call
25-May-06
*Attendees*
Chris Misra, U. Massachusetts (chair)
Kevin Amorin, Harvard U.
Rich Cropp, Penn State U.
John Vollbrecht, Merit Network
Tom Zeller, Indiana U.
Steve Olshansky, Internet2
Katherine Strojny, Internet2 (scribe)
*Action Items*
New:
[AI] {Group} will collaborate to draft 802.1X deployment documents via wiki.
Carry Over:
[AI] It was proposed that the {group} think about placing registration data in LDAP as a canonical storage method, so that, for example, DHCP can access the data in LDAP instead of having an internal database.
[AI] {Kevin} will solicit the list for questions to include in the FAQ and for people to edit the wiki.
[AI] {Anyone} who has slides or content related to NetAuth use cases or case studies, send them to SteveO for posting on the NetAuth website.
[AI] {Kevin} will write up the challenges of going from theoretical to deployed 802.1X.
[AI] {Group} will re-evaluate the finalized documents to determine whether the term "host posture assessment" should be included.
[AI] {Kevin} volunteered to do a first draft of the NetAuth FAQ, with the goal of sending it out to the list before the end of March.
[AI] {Chris} will send a notice about upcoming meetings with NetAuth discussions.
[AI] Once content is more complete and the wiki is in a permanent location, {Chris and Kevin} will get a note out to some of the lists announcing the wiki.
[AI] {Group} is invited to take a look at the NetAuth wiki and add content, toward developing a repository of useful information and understanding the solution space better. In particular, Kevin is seeking input on isolation methods and Frequently Asked Questions.
[AI] {Kevin} will email the list and see if anyone wants to join the case studies project.
[AI] The following individuals volunteered to write case studies, with a soft deadline of March 30:
- {Chris Misra}: Layer 2 & 3 isolation using NetReg and a homegrown switching system
- {John Moore}: Lockdown Networks and VLAN switching
- {Kevin Amorin}: PacketFence (ARP manipulation and VLANs)
[AI] People are sought who can draft case studies for Cisco Clean Access. If anyone knows of candidates, please contact Chris.
[AI] {Group} will delegate liaisons for TNC and NAC.
[AI] {Kevin Amorin} will send information to the list about EAP (Extensible Authentication Protocol) activity currently underway in IETF.
[AI] {Individuals} who look into the IETF Distributed Security (distsec) mailing list are requested to provide feedback to the group on whether the activities are of interest to this group. To join the list, refer to the following link: https://www.machshav.com/mailman/listinfo.cgi/distsec
[AI] {Chris} and {SteveO} will send a note to the WG via the list soliciting suggestions for the future direction of the WG.
[AI] {Chris} will put together a few slides describing intersection points between SALSA NetAuth and SALSA NetAuth-FWNA.
[AI] {Chris} will send the list of vendor questions developed by the WG during this call to the group via the list. This will move forward in collaboration with the effective practice group at EDUCAUSE.
[AI] {Chris} will arrange vendor discussions for a subsequent call.
[AI] {Chris} will post messages to the NetAuth and FWNA lists soliciting volunteers to develop an outline of issues for NetAuth in a federated environment.
[AI] {Chris} will solicit from the WG contributions about NetAuth vendor solutions currently being used.
*Discussion*
Intellectual Property Reminder: The Internet2 intellectual property policy can be found here: http://members.internet2.edu/intellectualproperty.html
Discussion focused on structure and layout of 802.1X deployment documents.
[AI] Citing the need within the community to capture the current architectural issues and deployment scenarios with 802.1X deployment, the group will collaborate to draft 802.1X deployment documents via the wiki.
The group started with the plan that 802.1X documents be structured around two themes, architecture and deployment/use cases, which could be parallel efforts. In addition, the group agreed that a third document be drafted focusing on strategies, to address questions such as: "In a Windows/Kerberos environment, what do I need to change in order to start using 802.1X?" The challenge in creating a strategies document is that, due to the current low 802.1X deployment, mature strategies have not yet emerged. Kevin Amorin volunteered to draft the strategies document for 802.1X deployment.
The layout of the architecture document was proposed to include a components section that explains 802.11, 802.1X, EAP, and RADIUS, and another section that explains how those components integrate in a campus environment. The group noted the distinction between RADIUS as a transport (with EAP doing the authentication) and RADIUS as performing authentication (RADIUS/PAP). The architecture document is envisioned as a high-level white paper of approximately three pages.
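The distinction the group noted between RADIUS as a transport for EAP and RADIUS performing the authentication itself (RADIUS/PAP) is easiest to see at the attribute level. The following Python example is added here for illustration and is not part of the minutes or of any SALSA NetAuth document; it builds two Access-Request packets from RFC 2865 and RFC 3579 with a constructed shared secret and a fixed Request Authenticator, and shows what the RADIUS server can recover from each.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80

# Constructed sample values: placeholder shared secret and a fixed Request
# Authenticator so the results are reproducible (a real client uses 16 random bytes).
SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes(range(16))


def encode_attr(attr_type, value):
    """Type-Length-Value encoding of one attribute; length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute values are limited to 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(data):
    """Parse a run of attributes into (type, value) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: what a RADIUS server holding the shared secret recovers."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attrs):
    """RADIUS header (code, identifier, length, authenticator) followed by attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def pap_access_request(username, password, secret=SECRET, authenticator=AUTHENTICATOR):
    """RADIUS/PAP: the credential itself travels in User-Password, hidden with the secret."""
    attrs = encode_attr(USER_NAME, username)
    attrs += encode_attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    return build_packet(ACCESS_REQUEST, 1, authenticator, attrs)


def eap_access_request(username, secret=SECRET, authenticator=AUTHENTICATOR):
    """RADIUS as EAP transport (RFC 3579): an EAP Response/Identity rides in EAP-Message and
    Message-Authenticator (HMAC-MD5 over the packet with that value zeroed) protects it."""
    eap = struct.pack("!BBH", 2, 1, 5 + len(username)) + b"\x01" + username
    attrs = encode_attr(USER_NAME, username) + encode_attr(EAP_MESSAGE, eap)
    attrs += encode_attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = build_packet(ACCESS_REQUEST, 2, authenticator, attrs)
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is last, so its value is the tail


def verify_message_authenticator(packet, secret=SECRET):
    """Recompute Message-Authenticator with its value zeroed and compare in constant time."""
    decode_attrs(packet[20:])  # raises on malformed lengths before we walk the packet
    i = 20
    while i < len(packet):
        attr_type, length = struct.unpack("!BB", packet[i:i + 2])
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:i + 2] + b"\x00" * 16 + packet[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[i + 2:i + 18])
        i += length
    return False


def password_exposed_to_radius(packet, secret=SECRET):
    """What the RADIUS server sees: the PAP password, or None when only EAP is carried."""
    authenticator = packet[4:20]
    for attr_type, value in decode_attrs(packet[20:]):
        if attr_type == USER_PASSWORD:
            return reveal_password(value, secret, authenticator)
    return None


if __name__ == "__main__":
    print("PAP  ->", password_exposed_to_radius(pap_access_request(b"alice", b"s3cret")))
    print("EAP  ->", password_exposed_to_radius(eap_access_request(b"alice")))
    print("EAP Message-Authenticator valid:", verify_message_authenticator(eap_access_request(b"alice")))
```

In the PAP case every RADIUS server and proxy that holds the shared secret can reverse the User-Password hiding, so the password is exposed along the whole RADIUS path; in the EAP case the RADIUS layer only carries an opaque EAP-Message, and the EAP method (for example one running inside TLS) decides what the server ever sees. This is the practical reason the architecture document needs to separate the two roles of RADIUS.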
Layout of the use cases and strategies documents will be patterned after prior work. Some of the questions to consider in the strategies document are the choice of client, EAP method, RADIUS structure, and authentication method.
The group's wiki will be used for collaboration as the 802.1X deployment documentation effort moves forward. The publicly accessible (anonymous) space is more practical for exchanging comments and feedback on content. The group agreed to establish a procedure where the documents are edited in a restricted access space, then snapshots are periodically placed in a publicly accessible space for comments. The wiki can be accessed as a link from the SALSA-NetAuth home page: http://security.internet2.edu/netauth/
The next conference call is scheduled for Thursday, 8-Jun-2006. Agenda and bridge will go out to the list in advance of the call.