The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Stefan Winter <stefan.winter AT restena.lu>]

Hello all,

during the last TF-Mobility and Network Middleware meeting, we had a
discussion about what to do with "ex" holders of an eduroam account;
their configured devices will keep trying to authenticate with the
expired credential - and thus generate a stress load on the
authentication servers which need to set up a TLS tunnel, check the
credentials, return a reject. Over and over again.

One way of ensuring this doesn't happen is the use of EAP-TLS; the
authentication attempts will (hopefully, if the supplicant is clever)
stop when the expiration date of the client certificate is reached.

For password-based EAP types, this is more tricky. The credential itself
does not carry the expiry meta-information.

But our installers can! (*)

At least for Apple's devices (iOS, Mac OS X) I was told last week that I
overlooked an "Expiry" XML tag in the spec (d'oh ...)  - with that it is
possible to state "X days after installing, or on the date of Y ,
automatically delete the installed profile".

At least for those devices, we could enhance CAT with

a1) a configuration option for the admin "Duration" = X days OR
a2) a configuration option for the admin "Timeout" = $DATE
b) installers on everything Mac which indeed self-destruct after X days
or when $DATE is reached.

I wonder if this is something you'd appreciate us doing. It is sure
tempting, but keep these things in mind please:

* such an expiry is most certainly going to annoy the user: if you
program expiry for say a student, but he pays tuition for another year,
he will actively need to re-install eduroam after the initial timeout

* it doesn't help you if the user gets kicked before the expiry date

* if $DATE is what's wanted, you need to remind yourself of setting a
new $DATE every semester (or whatever term cycle you have). If the X
days is wanted, be aware that this would be from install time and does
not match your semester turns, if any.

So unless you can make good predictions on the expiry of your
provisioned user accounts, the value of this option is limited (but
above 0).

Please let me know what you think of this...

Greetings,

Stefan Winter

(*) subject to conditions in implementations ;-)

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature