...
# | Name | Description | Status | Tools |
---|---|---|---|---|
1 | Use the right SSID | NROs MUST ensure all members only deploy the service under the 'eduroam' SSID. Non-compliant networks MUST NOT be labelled 'eduroam' or anything similar to avoid confusion for visitors. The eduroam SSID MUST NOT be shared with other network services. | MUST | |
2 | Permit 802.11 only | NROs MUST ensure members offer eduroam ONLY on 802.11-based wireless media (i.e. NOT over bluetooth etc). | MUST | |
3 | Maintain an audit trail | NROs MUST ensure that they and their members retain authentication and DHCP logs for <period defined in central policy?> to enable the cooperative resolution of identity in the event of abuse of eduroam | MUST | |
4 | Prevent credential sharing | NROs MUST ensure that all their members enforce the policy that credentials SHOULD NOT be shared between users (or devices where device authentication is used). Automated monitoring of high numbers of simultaneous logins may help with this. | MUST | |
5 | Standardise end-user access | NROs MUST ensure all members offer eduroam users access to the minimum standard ports and protocols <specified in ???>, such that the baseline services (web email and VPN) are consistently available. | MUST | |
6 | Ensure physical security | NROs must advise their members that WiFi APs and cabling SHOULD be be secured as much as possible (e.g. to restrict opportunities to introduce network taps or other tampering). All servers MUST be hosted in a secure environment. | MUST | |
7 | Manage shared secrets | RADIUS shared secrets MUST have sufficient entropy (16+ characters), and MUST NOT be reused (each RADIUS server must have a unique shared secret for each trust relationship it participates in) | MUST | |
8 | Provide physical signage | NRO advises member organisations to deploy physical signage in areas where eduroam is available (e.g. to assist visitors with medical prosthetics) | SHOULD | Evidence: copy of documentation/web page |
9 | Publish locations | NRO ensures all member venue location data is added to the eduroam database (for use in maps etc.) | SHOULD | |
10 | Offer a web presence | NRO and members SHOULD publish a site at (tld)/eduroam documenting eduroam activities and locations in their NREN. NB differs from policy, which mandates www.eduroam.tld | SHOULD | Evidence: URL/screenshots |
11 | Ensure you are contactable | NRO has arranged 365 cover of all named contact points (mail and phone redirects for leave etc) | SHOULD | |
12 | Use the CAT | NRO SHOULD maintain a CAT adminstrator/config for its own staff and also recommend CAT usage to all members. Wherever possible, CAT SHOULD be used to assist with client deployments. | SHOULD | |
13 | Provide administrator training | NRO SHOULD provide eduroam training to member organisations (either directly or through a third party) | SHOULD | |
14 | Provide end-user education | NRO and members SHOULD implement training for end users on the expected legitimate behaviours of eduroam systems. Many attacks rely on incorrect user responses to inappropriate service behaviours such as password requests, certificate mismatch warnings etc. | SHOULD | |
15 | Ensure clarity | NRO members SHOULD act to minimise any possibility of confusion between eduroam and other guest services they may offer (e.g. to prevent credentials being inappropriately presented) | SHOULD | |
16 | Select a certificate type | NRO and members SHOULD undertake a risk-based selection of private vs. public CAs for their RADIUS infrastructure. Private is usually preferrable. | SHOULD | |
17 | Select an EAP Type | NRO should advise members that they SHOULD use at least one of TLS, TTLS, EAP-FAST or PEAP (see reference 9) | SHOULD | |
18 | Use anonymous outer identities | Where supported by the EAP type and the supplicant, it is strongly recommended that anonymous outer identities SHOULD be used. (see reference 10) | SHOULD | |
19 | Enable CUI | Chargeable User Identity (CUI) SHOULD be implemented to enhance accountability of end user bahaviour by pseudonymous means. | SHOULD | |
20 | Implement certificate revocation | If an EAP type which uses client side certificates is used (e.g. EAP-TLS), a robust revocation process SHOULD be in place to cover loss, theft or compromise of devices. | SHOULD | |
21 | Implement rogue AP detection | Where available, NRO and members SHOULD monitor for rogue access points. IF possible, automated suppression of rogues SHOULD be implemented. | SHOULD | |
22 | Implement wireless IPS | Where available, NRO and members SHOULD implement Wi-Fi Intrusion Prevention Systems (IPS) to detect AP spoofing, malicious broadcasts etc. | SHOULD | |
23 | Operate to default deny | NROs SHOULD advise all members to operate a default deny policy on all firewalls and access control lists, only granting specific traffic types that are required and have been risk assessed to pass. | SHOULD | |
24 | Deprecate manual configuration | Where CAT-assisted end user device configuration is not possible, it SHOULD NOT be undertaken by the end user. Administration staff should undertake such configuration to ensure it is correctly completed. Manual configuration is not recommended. | SHOULD NOT | |
25 | Provide maps | Websites MAY includes graphical maps of accessible locations, noting additional services such as charging points | MAY | |
26 | Maximize eduroam coverage | NROs SHOULD/MAY provide an eduroam proxy RADIUS server to enable interested SPs outside the community to offer eduroam in their network. | SHOULD/MAY | (Added by WBK) |
3c. Technical requirements and recommendations (MOL)
...