eduroam Development VC Minutes 2022-10-11 1530 CEST

Attendance

Attendees

  • Stefan Winter (Restena)
  • Zenon Mousmoulas (GRNET)
  • Halil Adem (GRNET)
  • Tomasz Wolniewicz (PSNC)
  • Christian Rohrer (SWITCH)
  • Jan-Frederik Rieckers (DFN)
  • Guy Halse (TENET)
  • Kilian Krause (Uni Stuttgart, GERMANY)
  • Ed Wincott (Jisc)
  • Arnaud Lauriou (RENATER)
  • Chris Phillips (CANARIE)
  • Mohit Sharma (CANARIE)
  • Ed Kingscote (CANARIE)
  • Maja Gorecka-Wolniewicz (PSNC)
  • Paul Dekkers (SURF)
  • Philippe Hanset (ANYROAM)
  • Louis Twomey (HEAnet)
  • Philippe Van Hecke (BELNET)
  • Zbigniew Ołtuszyk (PSNC)
  • Stephanie Cooper (ANYROAM)
  • Anders Nilsson (SUNET)
  • Christina Klam (IAS, USA)
  • Janos Mohacsi (KIFÜ)

Regrets

  • Mike Zawacki (Internet2)

Agenda / Proceedings

  1. Welcome / Agenda Bashing

  2. Windows 11 22H2 fun

    • Windows 11 Enterprise: CredentialGuard
      • Update enables this by default
      • If you “Use AD credentials” for your eduroam credentials then this won’t work any more
      • other services also affected (RDP, VPN, …)
      • needs reconfig (and one can muse about whether the password is more secure then)
      • How common is using AD for eduroam logins? Seems to be used somewhat. Needs some Windows AD “tricks” regarding outer IDs or Win2000 style usernames.
      • There are Microsoft Best Practices documents / advisories suggesting to discontinue use of PEAP/MSCHAPv2, e.g. https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-considerations
      • How should our own advisory look? Candidate options: “Turn off Credential Guard”; “Move to geteduroam pseudo-credentials”; “Type your AD password into a non-AD PEAP/TTLS config”; maybe best: “use your AD to provision certificates to machines, and switch to EAP-TLS”. Make “Disable Credential Guard” the last, least preferred option.
      • The wider issue of a possible passwordless future is to be discussed at highest levels (GeGC)
      • side item: Twitter thread with a deeper dive on how the 22H2 update does things: https://twitter.com/_xpn_/status/1579229904855760897?s=20&t=VROSVbB_Gh_j1vLiB3WEbA
      • Suggestion from Paul:
          1. Do TLS with AD/Intune for AD-joined machines, configure eduroam with GPO
          2. Install credentials as a one-time step, as the machine was not AD-joined
          3. Use geteduroam with pseudo accounts for BYOD
          4. Disable Credential Guard in the GPO, as it affects AD-joined machines with GPO anyway
    • TLS 1.3 EAP negotiations
      • FreeRADIUS 3.0.26 and 3.2.0 have been tested against Win 11 and should work unconditionally
      • earlier versions may or may not work, and work best when setting tls_max_version = 1.2 (in the eap module's TLS configuration)
      • versions predating the configuration option tls_max_version are a bit up in the air; recommend updating those anyway, as they are very old and probably have security issues
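Added example for these minutes (not eduroam, geteduroam or FreeRADIUS project code): a PowerShell audit script that reports, for one Windows 11 host, whether Credential Guard is running and whether the eduroam Wi-Fi profile is PEAP/MSCHAPv2 with the “Automatically use my Windows logon name and password” option set, which is the “Use AD credentials” combination the Credential Guard item above describes as breaking after 22H2. It reads the documented Win32_DeviceGuard WMI class and the XML that `netsh wlan export profile` produces. Assumptions: the WLAN profile is named “eduroam” (adjust the parameter otherwise); the function name and output fields are this example's own.

```powershell
# Added example, not code from the minutes or any eduroam project.
# Reports Credential Guard state plus whether the eduroam WLAN profile relies on
# PEAP/MSCHAPv2 with the Windows logon (AD) credentials, the combination that the
# Windows 11 22H2 Credential Guard default breaks.
# Assumption: the profile is named "eduroam"; pass -ProfileName otherwise.

function Test-EduroamCredentialGuardImpact {
    param([string]$ProfileName = 'eduroam')   # assumed profile/SSID name

    # Credential Guard status from the documented WMI class. In SecurityServicesRunning
    # and SecurityServicesConfigured, 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $cgRunning    = [bool]($dg.SecurityServicesRunning    -contains 1)
    $cgConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)

    # Export the WLAN profile as XML (without key=clear: only the EAP config is needed).
    $tmp = Join-Path $env:TEMP ('wlan-audit-' + [guid]::NewGuid().ToString())
    New-Item -ItemType Directory -Path $tmp | Out-Null
    try {
        netsh wlan export profile name="$ProfileName" folder="$tmp" | Out-Null
        $xmlFile = Get-ChildItem -Path $tmp -Filter '*.xml' | Select-Object -First 1
        if (-not $xmlFile) { throw "No WLAN profile named '$ProfileName' on this host" }
        [xml]$doc = Get-Content -Path $xmlFile.FullName -Raw
    } finally {
        Remove-Item -Recurse -Force $tmp -ErrorAction SilentlyContinue
    }

    # The EAP host configuration is namespaced: the outer method type lives in the
    # EapCommon namespace (13 = EAP-TLS, 21 = EAP-TTLS, 25 = PEAP); the MSCHAPv2 inner
    # options, including UseWinLogonCredentials, in MsChapV2ConnectionPropertiesV1.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('ec', 'http://www.microsoft.com/provisioning/EapCommon')
    $ns.AddNamespace('ms', 'http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1')

    $typeNode  = $doc.SelectSingleNode('//ec:Type', $ns)
    $outerType = if ($typeNode) { [int]$typeNode.InnerText } else { $null }
    $wlNode    = $doc.SelectSingleNode('//ms:UseWinLogonCredentials', $ns)
    $usesWinLogonCreds = [bool]($wlNode -and $wlNode.InnerText -eq 'true')

    $method = switch ($outerType) {
        13      { 'EAP-TLS' }
        21      { 'EAP-TTLS' }
        25      { 'PEAP' }
        default { if ($null -eq $outerType) { 'none (not 802.1X)' } else { "EAP type $outerType" } }
    }

    # Failure mode from the minutes: Credential Guard running and a PEAP/MSCHAPv2
    # profile that reuses the Windows logon (AD) credentials.
    $affected = $cgRunning -and ($outerType -eq 25) -and $usesWinLogonCreds

    [pscustomobject]@{
        Host                   = $env:COMPUTERNAME
        CredentialGuardRunning = $cgRunning
        CredentialGuardPolicy  = $cgConfigured
        EduroamOuterMethod     = $method
        UsesWindowsLogonCreds  = $usesWinLogonCreds
        AffectedBy22H2Default  = $affected
    }
}

Test-EduroamCredentialGuardImpact | Format-List
```

Running this across a sample of managed clients (for example via remote PowerShell or an Intune script) gives a number for the “how common is using AD for eduroam logins?” question before an institution picks one of the options listed above; a profile that reports EAP-TLS, or PEAP with UsesWindowsLogonCreds false, is not hit by the 22H2 default.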
  3. IETF Update

    https://datatracker.ietf.org/doc/draft-dekok-radext-deprecating-radius/

  4. Recurring: Passpoint hardware and onboarding chit-chat

    • Passpoint/OpenRoaming does not have PEAP in its specification, and Wi-Fi user accounts are not typically tied to an AD account -> the Credential Guard issue doesn’t touch this community much

  5. AOB / next VC: 8 Nov 2022 1530 CET (pending IETF week scheduling?)