eduroam Development VC Minutes 2026-03-10

Attendance

Attendees

  • Stefan Winter (RESTENA)
  • Stefan Paetow, esq (Jisc)
  • Guy Halse (TENET)
  • Ed Kingscote (CANARIE)
  • Fabian Mauchle (Switch)
  • Janfred Rieckers (DFN)
  • Zbigniew Ołtuszyk (PSNC)
  • Frederic Gerber (Switch)
  • Tomasz Wolniewicz (PSNC)
  • Maja Gorecka-Wolniewicz (PSNC)
  • Mohit Sharma (CANARIE)
  • Herr (Anders) Nilsson (SUNET)
  • Alan DeKok (InkBridge)
  • Chris Rohrer (Switch)
  • Mary Bull (Internet2)
  • Louis Twomey (Asiera - formerly HEAnet)
  • Paul Dekkers (SURF)
  • Janos Mohacsi (Pro-M)
  • Ingimar Jonsson (RHnet)
  • Ed Wincott (Jisc)

Regrets

  • Zenon Mousmoulas (GRNET)

Agenda / Proceedings

  1. Welcome / Agenda Bashing

  2. CAT

    • work on extending admin API
    • possibility to put all admins on same privilege level (at choice of NRO operator)
    • now recording last-login-timestamp
    • please log into cat.eduroam.org (changes to monitor.eduroam.org proxy coming up; logging in now associates old and new IDs) -> this should be announced to cat-users mailing list
  3. geteduroam

    • new developers for Windows client
    • new Android Beta solving the Deep Sleep problem in newer API levels
    • surge in auth attempts with expired certs (probably because deep-sleeping Apps don’t warn user about expiry?)
    • Side discussion: should users with expired certs be pushed into a provisioning network instead?
      • this may work on the home network (IdP == SP => no roaming)
      • when users are roaming, this won’t work
      • geteduroam being an “always roaming” IdP-only: no prov network
      • OS/supplicant vendors should improve their implementation to NOT hammer IdPs with expired certs. If it was rejected once, stop trying (or do exponential backoff).
    • new versions of geteduroam server-side software? None; the rewrite in Go did not happen. One can self-host rather easily.
    • Note: on Android, geteduroam forces TTLS for OpenRoaming (and other RCOIs) despite PEAP support and preference in IdP-supplied settings. Android appears to enforce the assumption that the five EAP methods in the Passpoint spec are definitive (and the only ones allowed on Passpoint) - but might want to anticipate a change since Wi-Fi Alliance has confirmed any EAP methods are allowed. Geteduroam should at least try PEAP first, if configured and only fall back to TTLS. This affects particularly NPS as home IdP for OpenRoaming. There is a GitHub issue about this. https://github.com/geteduroam/android-app/issues/161
    • Android is a BEEPING BEEP of BEEP regarding its Passpoint/OpenRoaming support. Unfortunately individuals’ reports of imperfections via various channels may not have reached the team in charge (but no-one knows because Google’s a big black hole these days).
      • only one root CA (multiple root CAs in WPA-Enterprise)
      • trying PEAP led to hard unrecoverable crashes at the time the ‘force EAP-TTLS’ change was made, we might need to run a test version.
  4. IETF

    • charter in process of being updated
    • read and comment on the rechartering if possible
  5. WFA / WBA

    • some progress in the WBA on a “RADIUS Compliance” program.
      • Currently making some progress on what the group wants to achieve.
      • There’s a project already vibe-coded but this is putting cart before the horse because the group wants to proceed carefully.
  6. AOB

    • providing a window to eduroam logs on central RADIUS - does anyone do it? (Mary)
      • some do (UK, Managed SP, …)
      • one use case is to help IdP/SP visibility because their own RADIUS implementation is bad at logging (NPS, ISE mentioned in particular)
      • can help identifying problems or the absence thereof
      • Managed SP has this feature in an unreleased version:
    • ditto for hosted idp / get.eduroam.org
    • monitor.eduroam.org SimpleSAMLphp version
      • seems to be a 1.19.x still?
      • security fixes backported
      • deployment will change soon (see above, re-login to maintain sync)
  7. Next call 24 Mar 2026 1530 CET