Summary of proposed changes in eduroam AU National Policy

The following are the main changes proposed for the eduroam AU Policy

Consistency with eduroam Compliance Statement

The current eduroam AU policy pre-dates the eduroam Compliance Statement (eCS). The proposed revised eduroam AU policy will adopt the terminology of the eCS, and make reference the eCS in terms of basic administrative and technical requirements for institutions.

Eligibility Clarification

eduroam AU institutional eligibility requirements will be described clearly, in particular eligibility restrictions for Identity Provider participation.

Service Provider participation is open to any institution that has an identified and reasonably compelling business case for making the “eduroam” network available.

Identity Provider participation is currently open only to AARNet customers. In line with other national eduroam jurisdictions (e.g. Internet2 in the US, JISC in the UK), AARNet will consider expanding eligibility to non-AARNet customers, however there is expected to be a cost-recovery based subscription fee applicable to non-AARNet-customer Identity Provider participants.

Participation Roles

The current previous policy only recognizes IdP+SP participants and SP-only participants, due to the ‘give-and-take’ nature of eduroam (those institutions with users able to access eduroam networks at visited institutions should reciprocate i.e. provide eduroam network connectivity on their campus).

AARNet will expand roles to include IdP-only in exceptional cases, where accessing an “eduroam” network on the IdP site would deliver negligible value to the global R&E user community.

Support AARNet eduroam Operational Objectives

Maintaining Up-to-date Deployment Data for Global Sharing

AARNet will require institutions to commit to keeping their eduroam deployment data up-to-date in the eduroam AU AdminTool, in order that AARNet can meet its obligation of providing up-to-date data to the Global Database. Accurate information sharing is an important contributor to global trust in the eduroam service.

Use of eduroam Configuration Assistant Tool

AARNet will emphasize the importance of enabling access of institutional end-users to their device configuration scripts. Use of CAT scripts provides a consistent, security best-practices device configuration, hence assists troubleshooting and promotes secure use of eduroam.

Institutions that provide their own automated device configuration should ensure that the security policies implemented in the CAT scripts are implemented by the institutional scripts.

Troubleshooting

AARNet will emphasize the important role of the eduroam AU Test & Monitoring Server, and require institutions configure trust for that server in each of their eduroam RADIUS servers.

Provision of institutional test accounts is on a voluntary basis under the current eduroam AU policy. The revised policy will mandate provision of test accounts to enable cross-the-board troubleshooting.

AARNet plans to develop eduroam AU troubleshooting tools which will make use of test accounts provided by institutions for each of their supported realms.