eduroam Development VC Minutes 2025-12-16

Attendance

Attendees

  • Stefan Winter (RESTENA)
  • Stefan Paetow (Jisc)
  • Janfred Rieckers (DFN)
  • Tomasz Wolniewicz (PCSS)
  • Frederic Gerber (Switch)
  • Anders Nilsson (SUNET)
  • Fabian Mauchle (Switch)
  • Mohit Sharma (CANARIE)
  • Ed Kingscote (CANARIE)
  • Maja Górecka-Wolniewicz (PCSS)
  • Derek Eiler (NSHE)
  • Janos Mohacsi (Pro-M)

Regrets

Agenda / Proceedings

  1. Welcome / Agenda Bashing

  2. CAT

    • no release pending; development work ongoing
    • suggestion: try out self-registration (authorization attributes derived from the data in the eduroam DB)
    • an additional code path exists, based on an entitlement attribute delivered in the SAML assertion (currently used by DFN)
  3. geteduroam

    • not discussed today
  4. IETF

    • RADIUS over DTLS/TLS: will be published under the name “RadSec”. Editorial work is ongoing.
    • feedback on the drafts is needed.
  5. WFA / WBA

    • WFA WPA3 and EAP-TLS 1.3 (A new hope)

    • TLS 1.3 can bring truly anonymous client identities: nothing identifying needs to be visible outside the encrypted part of the handshake

      • if so, geteduroam could stop generating pseudonymous identifiers and use real usernames instead (they would then travel only inside the encrypted handshake)
      • which improves privacy even further than pseudonyms: a pseudonym is a stable identifier that can be correlated across SPs, an anonymous outer identity cannot be tracked
    • In the US there is currently a discussion about EAP method security (EAP-TLS vs PEAP and others). In TLS 1.2 the client certificate is sent in clear text during the handshake; TLS 1.3 is meant to send the certificate encrypted.

      • In TLS 1.3 the first two handshake messages (ClientHello and ServerHello) already exchange key material, so the certificates that follow are encrypted with keys derived from it.
    • Newcastle is rolling out an OpenRoaming network, and a local university has enabled OpenRoaming

    • 2026: WBA opens a RADIUS compliance working group
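
The visibility point made under item 5 (TLS 1.2 sends the client Certificate in a plaintext handshake record, TLS 1.3 moves it into encrypted records after ServerHello) can be checked against a capture of the EAP-TLS exchange. The following Python is an added example, not eduroam, geteduroam or CAT code: it parses TLS record framing and plaintext handshake framing from one direction of a byte stream and lists the handshake messages an on-path observer can read. Both sample flights are constructed by hand; the "certificate" is a labelled stand-in rather than DER, and the encrypted records are filler bytes.

```python
"""Which TLS handshake messages can an on-path observer read?

Added example for these minutes, not eduroam/geteduroam/CAT code.  Parses the
TLS record layer (type, version, length) and plaintext handshake framing
(type, 3-byte length) from one direction of a captured stream, e.g. the
client->server side of an EAP-TLS exchange.  Sample flights are constructed;
the "certificate" is a labelled stand-in, encrypted records are filler.
"""
import struct

CONTENT_CHANGE_CIPHER_SPEC = 0x14
CONTENT_HANDSHAKE = 0x16
CONTENT_APPLICATION_DATA = 0x17
HS_CERTIFICATE = 11
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}


def tls_records(stream: bytes):
    """Yield (content_type, fragment) for each record; raise on truncation."""
    off = 0
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + 5])
        frag = stream[off + 5:off + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated record body")
        yield ctype, frag
        off += 5 + length


def handshake_messages(fragment: bytes):
    """Split a plaintext handshake fragment into (type, body) messages."""
    off = 0
    while off < len(fragment):
        htype = fragment[off]
        length = int.from_bytes(fragment[off + 1:off + 4], "big")
        body = fragment[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake message")
        yield htype, body
        off += 4 + length


def certificate_entries(body: bytes):
    """TLS 1.2 Certificate body: 3-byte list length, then 3-byte-prefixed certs."""
    end = 3 + int.from_bytes(body[:3], "big")
    off, entries = 3, []
    while off < end:
        n = int.from_bytes(body[off:off + 3], "big")
        entries.append(body[off + 3:off + 3 + n])
        off += 3 + n
    return entries


def plaintext_handshake(stream: bytes):
    """Return (visible message names, raw certs from any plaintext Certificate).

    TLS 1.2: everything after ChangeCipherSpec is ciphertext, so handshake
    parsing stops there.  TLS 1.3: the client's Certificate travels in
    application_data records, which this parser treats as opaque.
    """
    visible, certs, encrypted = [], [], False
    for ctype, frag in tls_records(stream):
        if ctype == CONTENT_CHANGE_CIPHER_SPEC:
            encrypted = True
            continue
        if encrypted or ctype != CONTENT_HANDSHAKE:
            continue
        for htype, body in handshake_messages(frag):
            visible.append(HS_NAMES.get(htype, f"type{htype}"))
            if htype == HS_CERTIFICATE:
                certs.extend(certificate_entries(body))
    return visible, certs


# --- constructed sample data (not captured traffic) -------------------------
def _hs(htype: int, body: bytes) -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def _rec(ctype: int, frag: bytes, version: int = 0x0303) -> bytes:
    return struct.pack("!BHH", ctype, version, len(frag)) + frag


FAKE_CERT = b"DER-STANDIN:CN=alice@example.org"  # a real DER cert carries the subject just as readably
_cert_msg = (len(FAKE_CERT) + 3).to_bytes(3, "big") + len(FAKE_CERT).to_bytes(3, "big") + FAKE_CERT

# TLS 1.2 client second flight: Certificate, ClientKeyExchange and CertificateVerify
# in the clear, then ChangeCipherSpec and an encrypted Finished (filler bytes).
TLS12_CLIENT_FLIGHT = (
    _rec(CONTENT_HANDSHAKE, _hs(HS_CERTIFICATE, _cert_msg))
    + _rec(CONTENT_HANDSHAKE, _hs(16, b"\x00\x20" + b"\x11" * 32))
    + _rec(CONTENT_HANDSHAKE, _hs(15, b"\x04\x01\x00\x40" + b"\x22" * 64))
    + _rec(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")
    + _rec(CONTENT_HANDSHAKE, b"\x99" * 40)
)

# TLS 1.3 client: ClientHello in the clear (stand-in body), then Certificate,
# CertificateVerify and Finished all inside encrypted application_data records.
TLS13_CLIENT_FLIGHT = (
    _rec(CONTENT_HANDSHAKE, _hs(1, b"\x03\x03" + b"\x00" * 32 + b"\x00\x00\x02\x13\x01\x01\x00\x00\x00"), 0x0301)
    + _rec(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")  # middlebox-compatibility CCS
    + _rec(CONTENT_APPLICATION_DATA, b"\xaa" * 200)
    + _rec(CONTENT_APPLICATION_DATA, b"\xbb" * 60)
    + _rec(CONTENT_APPLICATION_DATA, b"\xcc" * 52)
)

if __name__ == "__main__":
    for name, flight in (("TLS 1.2", TLS12_CLIENT_FLIGHT), ("TLS 1.3", TLS13_CLIENT_FLIGHT)):
        msgs, certs = plaintext_handshake(flight)
        print(name, "visible:", msgs, "certs readable:", certs)
```

Run against a real capture, the TLS 1.2 flight yields the full client certificate (and with it the username in the subject) to anyone between the supplicant and the home server, which is exactly why a pseudonymous identifier is needed there; the TLS 1.3 flight yields only the ClientHello, so the outer identity is all that remains to be anonymised.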

  6. AOB1: off-campus deployments

    • Mary B asked about airport and train station deployments: what were the best ways to convince the site to set up eduroam, and were there any particular technical obstacles?
      • Most of the time it ends up being a money issue: the venue wants to be paid. It is also often the case that the venue has run out of SSIDs to provide (usually a maximum of 8).
      • From a technical perspective most issues are related to MTU and failing EAP-TLS authentication; the source is usually the venue's firewall.
      • A frequent argument is that organisations get better (more invasive) metrics from unsecured networks.
      • Having to run a RADIUS server is also a common objection; the solution is to run a ‘managed SP’.
      • Mary B offers https://docs.google.com/document/d/19GIaSR-3zwqIlKBlRPdSoCzWUx9Um1ssXIcpEHtsxRU/edit?usp=sharing as a document for prospective airports/transit points
        • please comment on it / provide feedback
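
The MTU remark under AOB1, as an added worked check (not code from any eduroam component): the Python below builds a RADIUS Access-Request around an EAP packet of a given size, splitting it across 253-byte EAP-Message attributes as RFC 3579 requires, and asks whether the resulting IPv4 datagram exceeds the path MTU. If it does, the request leaves the SP as IP fragments, which venue firewalls commonly drop, and the EAP-TLS exchange stalls partway through the certificate chain. The non-EAP attribute mix is an assumption about a typical NAS, so the exact threshold is illustrative; measure against a capture from the real SP.

```python
"""Will a RADIUS Access-Request carrying one EAP-TLS fragment be IP-fragmented?

Added example for these minutes, not code from any eduroam component.  Sizes
used: IPv4 header 20, UDP header 8, RADIUS header 20 (RFC 2865); an attribute
holds at most 253 value bytes, so EAP-Message (79) is repeated (RFC 3579);
Message-Authenticator (80) is an 18-byte attribute.  The non-EAP attribute mix
below is an assumption about what a typical NAS sends, not a capture; proxies
add Proxy-State on the way, which only tightens the bound.
"""
import struct

IPV4_HDR, UDP_HDR, RADIUS_HDR = 20, 8, 20
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_STATE, ATTR_CALLED, ATTR_CALLING = 1, 4, 24, 30, 31
ATTR_NAS_PORT_TYPE, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR, ATTR_OPERATOR_NAME = 61, 79, 80, 126
MAX_ATTR_VALUE = 253


def attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length (2..255), value."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value exceeds 253 bytes")
    return bytes([attr_type, 2 + len(value)]) + value


def eap_message_attrs(eap_packet: bytes) -> bytes:
    """One EAP packet spread over consecutive EAP-Message attributes."""
    return b"".join(attr(ATTR_EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE])
                    for i in range(0, len(eap_packet), MAX_ATTR_VALUE))


def access_request(eap_packet: bytes, other_attrs: bytes) -> bytes:
    """Access-Request with zeroed Authenticator and Message-Authenticator
    placeholder; only the on-wire length matters for the MTU question."""
    body = other_attrs + eap_message_attrs(eap_packet) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, 0, RADIUS_HDR + len(body)) + bytes(16) + body


def ipv4_datagram_size(radius_packet: bytes) -> int:
    """Size of the IPv4 datagram carrying the packet, before any fragmentation."""
    return IPV4_HDR + UDP_HDR + len(radius_packet)


def will_fragment(eap_packet_len: int, other_attrs: bytes, mtu: int = 1500) -> bool:
    """True when an EAP packet of this size pushes the datagram over the MTU."""
    return ipv4_datagram_size(access_request(bytes(eap_packet_len), other_attrs)) > mtu


def max_eap_packet(other_attrs: bytes, mtu: int = 1500) -> int:
    """Largest EAP packet that still fits in one datagram (size is monotonic in n)."""
    n = 0
    while not will_fragment(n + 1, other_attrs, mtu):
        n += 1
    return n


# Constructed attribute set for an eduroam SP (assumed, not captured).
TYPICAL_ATTRS = (
    attr(ATTR_USER_NAME, b"anonymous@example.org")
    + attr(ATTR_NAS_IP, bytes([192, 0, 2, 10]))
    + attr(ATTR_NAS_PORT_TYPE, (19).to_bytes(4, "big"))  # 19 = Wireless-802.11
    + attr(ATTR_CALLING, b"02-00-00-00-00-01")
    + attr(ATTR_CALLED, b"00-11-22-33-44-55:eduroam")
    + attr(ATTR_STATE, bytes(16))
    + attr(ATTR_OPERATOR_NAME, b"1example.org")  # '1' = REALM namespace, RFC 5580
)

if __name__ == "__main__":
    for size in (1024, 1400):
        print(f"EAP packet {size} B -> IP fragmentation: {will_fragment(size, TYPICAL_ATTRS)}")
    print("largest EAP packet without fragmentation at MTU 1500:", max_eap_packet(TYPICAL_ATTRS))
```

Keeping the home server's EAP-TLS fragment size under that bound (or having the NAS send a Framed-MTU that makes the server do so, as RFC 3579 allows) sidesteps a fragment-dropping firewall without asking the venue to change anything.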
  7. AOB2: spectrum

  8. Next call 13 Jan 2026 1530 CET
