hi,
And I am being questioned by several authorities about security, what would be the best security? For this reason I decided to consult our experts here in the list.
depends on what the institution is capable and willing to do. the best would be a local root CA with EAP-TLS, so there are no passwords being used - a MitM attack would just fail - they wouldnt have relevant server cert or root. if the site can work on good documentation/communication and ensure users are using provisioning client, then EAP-TTLS or EAP-PEAP with a local root CA (once again, to ensure that anyone attacking couldnt have a valid cert - as anyone can get a cert thats signed by public CA that a device just trusts). another option is to couple the deployment of eduroam with ANOTHER source of authentication - ie have a seperate/different password for eduroam so that even if the client was compromised or lost/stolen, those credentials dont give access to email/computing resources etc. - several sites in the UK do this method education is the main thing though - ensure users configure their device correctly, dont just click on 'okay/accept' whenever such a thing arises. it will never be perfect as these are end users...the same who do respond to phishing emails or use the same password on many 3rd party systems so when those get p0wned the user account gets abused globally :( if you search the mailing list archives you'll see this question and attack vector mentioned a couple of times a year alan