eduroam Development VC Minutes 2026-02-10

Attendance

Attendees

  • Stefan Winter (RESTENA)
  • Stefan Paetow (Jisc)
  • Derek Eiler (NSHE)
  • Tomasz Wolniewicz (PCSS)
  • Chris Rohrer (Switch)
  • Janfred Rieckers (DFN)
  • Fabian Mauchle (Switch)
  • Zbigniew Ołtuszyk (PCSS)
  • Maja Górecka-Wolniewicz (PCSS)
  • Frederic Gerber (Switch)
  • Louis Twomey (Asiera (formerly HEAnet))
  • Anders Nilsson (SUNET)
  • Guy Halse (TENET)
  • Mike Zawacki (Internet2)
  • Mary Bull (Internet2)
  • Alan DeKok (InkBridge)
  • Ed Wincott (Jisc)

Regrets

  • Janos Mohacsi (Pro-M)
  • Zenon Mousmoulas (GRNET)
  • Ed Kingscote (CANARIE)

Agenda / Proceedings

  1. Welcome / Agenda Bashing

  2. CAT

    • wired support: approx. 800 institutions have this option set
    • macOS 26: “funny” behaviour
      • macOS 15: installation with “FirstActiveEthernet” works, usage works
      • macOS 26: installation with “FirstActiveEthernet” only works if an Ethernet connection is actually active at time of install; keeps asking for credentials and cert ACKs (appears not to consult the config) if no Ethernet is active
      • macOS 26: instalaltion with “GlobalEthernet” installs and works fine
      • iOS however does not accept the “GlobalEthernet” setting at all!
      • i.e. would need two different mobileconfig formats (again)
    • wired for Linux: in development
    • Reminder: INST admin levels
      • directly appointed by FED admin: can invite further admins
      • appointed by an existing admin: can NOT invite further admins
    • this is inconvenient for some NROs; development underway to allow flattening this to “every admin can invite further admins” (can be activated as NRO-level setting)
    • we are ready to propose the MSP service running as a part of the standard CAT portal; if there is interest we could run an on-line presentation; the service would give the FED admins powers to enable/disable the service globally or for individual institutions.

  3. geteduroam

    • OpenRoaming support on Android?
      • working with PEAP
      • maybe the issue is specific to cert-based pseudo-credentials
      • probably rather because geteduroam has an RSA and EcDSA root; and Android can’t cope with that in the OpenRoaming configuration context.
    • EAP-TLS support (not pseudo-credentials, but with an actual certificate in .eap-config)
      • apparently file rejected for iOS (syntax error? or bug in geteduroam?)
      • best to raise this as an issue on the GitHub repo for the iOS app

  4. IETF

    • RadSec draft is now in IETF Last Call
    • Interim-Meeting planned for end of February (25th-27th)
    • Soon-to-be-published after TLSbis:
      • Deprecating insecure practices (Don’t do RADIUS/UDP any more)
      • history “how we got here”
      • Proxy BCP
    • Some new work, especially on fixing broken RADIUS behavior
      • Potentially Client / Server BCP documents. Content TBD.

  5. WFA / WBA

    • Report back from WGC Tokyo
    • Anders Nilsson can’t make it to WFA meeting in Kuala Lumpur 23th of February (Clash with WLPC US)

  6. AOB

    • eduroam rate limiting in FreeRADIUS implemented - troubleshooting (Mary)
      • FreeRADIUS has added a module for rate limiting, but we’re still seeing spikes and we’re not quite sure of the sources.
      • This would be interesting for others
      • What does it do? Does it work only on previously rejected requests? Mary confirms that it does that, tries to limit storms, but may lead to possibility of spamming yourself with logging.
      • IP rate limits implemented in the past, but not quite ideal because no rate limiting on GEANT traffic (but still causes issues that proxy_rate_limit module can potentially mitigate)
    • any history of anycast adoption for eduroam RADIUS? (Mary)
      • Use anycast to ‘advertise’ for resiliency, mostly so that orgs can stick to two IPs but end up with a lot higher number of servers
      • Fabian: Use normal BGP config (not ECMP), if you use true anycast. We use some addresses on our standard network
      • How does TCP like this? TCP just resets session, retries on a different server (reroutes)
      • Guy: Consider unicast with multiple announcements on normal BGP but with different preferences, works very reliably, much easier than getting anycast address.
        • If you use two announcements, and withdraw one, convergence happens very quickly because an existing BGP announcement exist.
      • Can this be documented somewhere? eduroam Wiki maybe :-)
    • TNC June + RADIUS conference, Monday afternoon. Agenda / details TBD

  7. Next call 24 Feb 2026 1530 CET

  • No labels