
geteduroam - Re: getting started with geteduroam



Re: getting started with geteduroam


  • From: Paul Dekkers <paul.dekkers AT surf.nl>
  • To: Gheorghiță Butnaru <gheorghita.butnaru AT staff.tuiasi.ro>
  • Cc: geteduroam AT lists.geant.org
  • Subject: Re: getting started with geteduroam
  • Date: Mon, 1 Mar 2021 16:19:24 +0100

Hi,

On 01/03/2021 16:15, Gheorghiță Butnaru wrote:
> Thanks for your fast response.
>
> On Mon, Mar 1, 2021 at 4:15 PM Paul Dekkers <paul.dekkers AT surf.nl> wrote:
>> We bring all eduroam CAT profiles into the list of institutions and profiles. If you're not listed, drop me a note. It's most likely stale cache (and our caching is a bit too aggressive now ;-) we need to work on that).
>>
>> These are both the profiles that you use with your regular RADIUS accounts, as well as profiles that may use a specific "geteduroam-only" approach:
>
> We are not listed, at least not on the Android app.

Both apps use the same CDN. If you tell me your IdP (name, or IdP number in CAT), I'll clear the cache for you.

>> So my previous answer is more or less in case you want to use "normal" CAT profiles.
>>
>> If you want to create eduroam pseudo-accounts based on your federated eduGAIN SAML authentication, that's indeed also part of geteduroam. You can use this as a service from GEANT, if your NRO agrees. (You'd get e.g. tuiasi-ro.get.eduroam.org as a realm.)
>>
>> You also need to create a profile for this in CAT, so you can be discovered from both CAT and geteduroam. (CAT will however redirect you from the website. It works quite well actually.)
>
> We are part of eduGAIN, so this should be possible. Do we need to contact our NRO and ask them to confirm? Is there anything else that they need to do? From what I know, they are short on human resources.

I'd more or less like their blessing (also because they potentially need to assist you in eduGAIN if you were not in there); they don't need to do anything. It's a bit like hosted IdP and CAT services: they're also not used without NRO consent ;-) But also, in the future they may need to indicate/help with onboarding of institutions, like they do with CAT.

For onboarding we need to know the eduGAIN entityID of the IdP, basically.

> If we are going to do these, it means that we will be geteduroam-only?

No, you can create a second profile if you wish. We have some that create two profiles like "E-mail and password" and "geteduroam", or label the geteduroam one "experimental".

> From what I know, right now, GEANT talks in every documentation for eduroam about CAT and not about geteduroam. Wouldn't that be puzzling for users?
>
> Also, what changes do we need to make to our infrastructure? And at what level (RADIUS, wireless access controllers)?

One thing you need to take into account is if you make additional authorization decisions, like VLAN assignments.

>> If you want to host your own pseudo-accounts, that's definitely possible! There is documentation.
>>
>> However, this server part is the part of the concept that is still a bit "in flux". We're likely to make changes that will require database migrations and what not. Of course we implement this ourselves in the centralized infrastructure, so that will continue to work well. We may not be able to offer a lot of support on this if you host it yourself (considered "for the experts") but it is documented, with a reference implementation for Debian. And if you follow the commits and notes and have a test implementation, you're probably fine.
>
> Are there any advantages for the self-hosted server? Can you point me to some documentation?
>
> One advantage may be that authentication stays on campus?

For the pseudo-account server code, you'd be looking at https://github.com/geteduroam/letswifi-ca

> In all this puzzle, where do the client certificates fit? Right now, we are using EAP-PEAP and EAP-TTLS for our eduroam infrastructure. I am interested in EAP-TLS if it's not too complex to implement and does not become harder for our users.

The apps will create EAP-TLS profiles on your devices, after the SAML federated login. The users won't really notice it's not PEAP or TTLS, I guess. There's no credential to steal, though.

Profiles are typically valid for a year. The iOS app and future Android apps will warn you 5 days before expiration - but the current Android app doesn't do that.

There is a Windows client, and for macOS we create .mobileconfig profiles pending a macOS client. I heard the Windows client doesn't always detect network adapters for some; you need to check. There is no solution yet for Chromebooks, and nothing for Linux - but that's not because Linux isn't possible, it just needs some love from a developer.

Regards,
Paul


> Sorry if my questions sound dumb. I could not find more documentation besides https://www.geteduroam.app/.
>
> Also, if it's worth mentioning, we have around 18k users.
>
>
> Thanks,
> Gheorghita BUTNARU,
> Gheorghe Asachi Technical University of Iaşi


