wired support: approx. 800 institutions have this option set
macOS 26: “funny” behaviour
macOS 15: installation with “FirstActiveEthernet” works, usage works
macOS 26: installation with “FirstActiveEthernet” only works if an Ethernet connection is actually active at time of install; keeps asking for credentials and cert ACKs (appears not to consult the config) if no Ethernet is active
macOS 26: installation with “GlobalEthernet” installs and works fine
iOS however does not accept the “GlobalEthernet” setting at all!
i.e. would need two different mobileconfig formats (again)
wired for Linux: in development
Reminder: INST admin levels
directly appointed by FED admin: can invite further admins
appointed by an existing admin: can NOT invite further admins
this is inconvenient for some NROs; development underway to allow flattening this to “every admin can invite further admins” (can be activated as NRO-level setting)
we are ready to propose the MSP service running as a part of the standard CAT portal; if there is interest we could run an online presentation; the service would give the FED admins powers to enable/disable the service globally or for individual institutions.
geteduroam
OpenRoaming support on Android?
working with PEAP
maybe the issue is specific to cert-based pseudo-credentials
probably rather because geteduroam has an RSA and an ECDSA root; and Android can’t cope with that in the OpenRoaming configuration context.
EAP-TLS support (not pseudo-credentials, but with an actual certificate in .eap-config)
apparently file rejected for iOS (syntax error? or bug in geteduroam?)
best to raise this as an issue on the GitHub repo for the iOS app
IETF
RadSec draft is now in IETF Last Call
Interim meeting planned for end of February (25th-27th)
Soon-to-be-published after TLSbis:
Deprecating insecure practices (Don’t do RADIUS/UDP any more)
history “how we got here”
Proxy BCP
Some new work, especially on fixing broken RADIUS behavior
Potentially Client / Server BCP documents. Content TBD.
WFA / WBA
Report back from WGC Tokyo
Anders Nilsson can’t make it to WFA meeting in Kuala Lumpur 23rd of February (clash with WLPC US)
AOB
eduroam rate limiting in FreeRADIUS implemented - troubleshooting (Mary)
FreeRADIUS has added a module for rate limiting, but we’re still seeing spikes and we’re not quite sure of the sources.
This would be interesting for others
What does it do? Does it work only on previously rejected requests? Mary confirms that it does that and tries to limit storms, but it may lead to the possibility of spamming yourself with logging.
IP-based rate limits were implemented in the past, but they are not quite ideal because there is no rate limiting on GEANT traffic (which still causes issues that the proxy_rate_limit module can potentially mitigate)
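A simplified model of that behaviour, added here as an illustration and not the FreeRADIUS proxy_rate_limit module's own code (the window, threshold, keying on User-Name plus Calling-Station-Id, and the sample events are all assumptions): a pair that has been rejected a few times within the window is answered locally instead of being forwarded again, and suppressed packets are counted so they can be logged as one summary line rather than one line per packet, which is the logging problem noted above.

```python
from collections import defaultdict, deque

WINDOW_S = 60     # assumed look-back window (seconds), not the module's default
MAX_REJECTS = 3   # assumed rejects per (user, MAC) in the window before we stop forwarding

class RejectRateLimiter:
    """Per (User-Name, Calling-Station-Id): recent reject timestamps plus a suppression counter."""
    def __init__(self, window_s=WINDOW_S, max_rejects=MAX_REJECTS):
        self.window_s, self.max_rejects = window_s, max_rejects
        self.rejects = defaultdict(deque)      # key -> timestamps of recent rejects
        self.suppressed = defaultdict(int)     # key -> packets answered locally

    def should_proxy(self, key, now):
        """False means: answer Access-Reject locally instead of forwarding."""
        q = self.rejects[key]
        while q and now - q[0] > self.window_s:   # drop rejects outside the window
            q.popleft()
        if len(q) >= self.max_rejects:
            self.suppressed[key] += 1           # counted, not logged per packet
            return False
        return True

def replay(events, limiter):
    """events: (t, User-Name, Calling-Station-Id, answer the home server would give)."""
    actions = []
    for t, user, mac, upstream in events:
        key = (user.lower(), mac.lower())
        if not limiter.should_proxy(key, t):
            actions.append("local-reject")
            continue
        actions.append(f"proxied:{upstream}")
        if upstream == "Reject":
            limiter.rejects[key].append(t)
    return actions

# Constructed sample: a device retrying a bad password, a normal user, then the first
# device again after the window has expired (credentials fixed meanwhile).
SAMPLE = [
    (0.0, "alice@example.edu", "AA-BB-CC-00-11-22", "Reject"),
    (2.0, "alice@example.edu", "AA-BB-CC-00-11-22", "Reject"),
    (4.0, "alice@example.edu", "AA-BB-CC-00-11-22", "Reject"),
    (6.0, "alice@example.edu", "AA-BB-CC-00-11-22", "Reject"),
    (9.0, "bob@example.edu", "DD-EE-FF-00-11-22", "Accept"),
    (70.0, "alice@example.edu", "AA-BB-CC-00-11-22", "Accept"),
]

def run_sample():
    """Replay SAMPLE; return (actions, suppressed counts) for one summary log line."""
    lim = RejectRateLimiter()
    return replay(SAMPLE, lim), dict(lim.suppressed)
```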
any history of anycast adoption for eduroam RADIUS? (Mary)
Use anycast to ‘advertise’ for resiliency, mostly so that orgs can stick to two IPs but end up with a much higher number of servers
Fabian: Use normal BGP config (not ECMP), if you use true anycast. We use some addresses on our standard network
How does TCP like this? TCP just resets session, retries on a different server (reroutes)
Guy: Consider unicast with multiple announcements on normal BGP but with different preferences, works very reliably, much easier than getting anycast address.
If you use two announcements and withdraw one, convergence happens very quickly because an existing BGP announcement already exists.
Can this be documented somewhere? eduroam Wiki maybe :-)