An open discussion list for topics related to the geteduroam service

[Gheorghiță Butnaru <gheorghita.butnaru AT staff.tuiasi.ro>]

Thanks for your fast response.

On Mon, Mar 1, 2021 at 4:15 PM Paul Dekkers <paul.dekkers AT surf.nl> wrote:

We bring all eduroam CAT profiles into the list of institutions and profiles. If you're not listed, drop me a note. It's most likely stale cache (and our caching is a bit too aggressive now ;-) we need to work on that).

These are both the profiles that you use with your regular RADIUS accounts, as well as profiles that may use a specific "geteduroam-only" approach:

We are not listed, at least not on the android app.

So my previous answer is more or less in case you want to use "normal" CAT profiles.

If you want to create eduroam pseudo-accounts based on your federated eduGAIN SAML-authentication, that's indeed also part of geteduroam. You can use this as a service from GEANT, if your NRO agrees. (You'd get eg. tuiasi-ro.get.eduroam.org as a realm.)

You also need to create a profile for this in CAT, so you can be discovered from both CAT and geteduroam. (CAT will however redirect you from the website. It works quite well actually.)

We are part of the eduGAIN, so this should be possible. Do we need to contact our NRO and ask them to confirm? Is there anything else that they need to do? From what I know, they are short on human resources.

If we are going to do these, it means that we will be geteduroam-only?

From what I know, right now, GEANT talks in every documentation for eduroam about CAT and not about geteduroam. Wouldn't that be puzzling for users?

Also, what changes do we need to make to our infrastructure? And at what level (radius, wireless access controllers)?

If you want to host your own pseudo-accounts, that's definitely possible! There is documentation.

However, this server part is the part of the concept that is still a bit "in flux". We're likely to make changes that will require database migrations and what not. Of course we implement this ourselves in the centralized infrastructure, so that will continue to work well. We may not be able to offer a lot of support on this if you host it yourself (considered "for the experts") but it is documented, with a reference implementation for Debian. And if you follow the commits and notes and have a test-implementation, you're problably fine.

Are there any advantages for the self-hosted server? Can you point me to some documentation?

In all this puzzle, where do the client certificates fit? Right now, we are using EAP-PEAP and EAP-TTLS for our eduroam infrastructure. I am interested in the EAP-TLS if it's not too complex to implement and does not become harder for our users.

Sorry if my questions sound dumb. I could not found more documentation besides  https://www.geteduroam.app/.

Also, if it's worth mentioning, we have around 18k users.

Thanks,

Gheorghita BUTNARU,
Gheorghe Asachi Technical University of Iaşi

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature