
allow IdP to force HTTP/HTTPS proxy settings #96

Open
restena-sw opened this issue Feb 1, 2018 · 14 comments

Comments

@restena-sw
Contributor

I'm opening this issue from a feature request we received both via email and during eduroam meetings, adding some background to explain the dangerousness/evilness of it :-)

As eduroam users roam around the planet, they get access to the local Service Provider's network. That network has its own characteristics; we suggest that the network should be just "open internet".

In some jurisdictions, this poses problems to some user groups. Particularly in countries where eduroam is also a service offered to school pupils, there is sometimes a regulatory requirement to not allow unfiltered access to the internet for underage pupils.

The solution is to send the user traffic through a web proxy and filter undesired content. The problem though is that a majority of Service Providers do not deploy content filtering proxies. However, as soon as a pupil has an eduroam account, all SPs world-wide are available for use.

A straightforward, if slightly naive, argument that is sometimes brought up is: "but that same pupil has a cell phone and gets unfiltered access anyway." That may be true or not, but it's also irrelevant: where a regulatory requirement exists, it needs to be satisfied. The cell phone provider has to do the same as the Wi-Fi provider. Maybe the cell provider does not, but then that's their own legal problem. As a Wi-Fi provider, the safe legal option is to keep the own infrastructure clean, irrespective of other channels.

So, if required to satisfy the filtering requirement, four options are available:

a) exclude pupils from eduroam altogether
b) force every SP to implement a content filter proxy, and put such users into a filtered VLAN [requires signalling IdP -> SP "this is a person requiring filtering"]
c) allow SPs to signal to IdP that pupil is about to log into an unfiltered internet access, so that IdP can fail authentication [usability issues, requires signalling SP -> IdP "I do not filter"]
d) configure pupil's device so that a pinned proxy server is used, regardless of Service Provider

b) and c) are not likely to work as they require upgrades to the authentication fabric at all leaves of the infrastructure.
a) is always an option, but is an effective DoS to a large population of potential users.

CAT 2.0 is going to implement d). It is not possible to do this perfectly: the following caveats apply

  1. The solution leads to long response times for web traffic because all traffic is first routed to an IdP-side proxy and then back
  2. Downtimes of the proxy mean a DoS to the user regardless of his actual location. You are adding a new point of possible failure.
  3. The proxy needs to be world-reachable on a port not typically filtered.
  4. This is just configuration: a savvy user can always remove the proxy server configuration by hand after installation
  5. If enough users are unhappy with the configuration as shipped, they might seek other ways of configuring the device; possibly in an insecure way by scrubbing all the vital security parameters contained in the configuration

As an IdP, you should think long and hard if you /really/ need this. Possibly a form signed by parents, waiving liability for you, could also do the trick? Solving this issue in a non-technical way is definitely the wiser option.

Only for cases where an IdP really thinks the only way to solve this problem is a forced HTTP/HTTPS proxy configuration, we are implementing this feature - this becomes a "Media" configuration option. We'll keep this issue updated to report which devices get the support and which are problematic.

@phanset

phanset commented Feb 1, 2018

Thank you for considering this feature request in CAT. ANYROAM is one of the federation operators who requested this feature. K-12 (pupils age 5 to 18) school districts around the US are considering joining eduroam, and some school districts are required by law to provide content filtering, even for their teachers!!! These districts would like to offer eduroam to all as their main Wireless system and have their pupils roam around the district while welcoming guests from around the world, but they have to comply with strict content filtering rules. They could create a statewide Wireless Roaming system instead of joining eduroam, but this defeats the whole idea of "roam" in "eduroam". Buying a Mobile Device Management for each K-12 student is unaffordable, and having parents sign a release does not satisfy the legal requirement for districts with strong filtering requirements. In most cases, a forced Proxy installed on pupils' devices through configuration profiles is considered a sufficient effort to protect pupils while using eduroam. Crafty users might defeat this technology, but at that point the responsibility lies on their lap. As a protection, I would suggest adding a paragraph under the Proxy feature in CAT warning administrators about the limits of that solution. (A sentence like: This Proxy feature can be configured to force devices to use a Proxy run by your institution. Be aware that Proxies can be defeated and devices can be reconfigured. Géant does not guarantee the effectiveness of this filtering method.)

restena-sw added a commit that referenced this issue Feb 2, 2018
… actually use the submitted info in actual installers)
@restena-sw
Contributor Author

For completeness' sake, there's also in principle an option e) install VPN app and send traffic to home IdP via the tunnel.
While this works when the VPN is on, it is difficult to force the VPN state on whenever a connection is established. OTOH, respecting proxy settings is more typically available in client OSes.

@phanset

phanset commented Feb 7, 2018

Many of these schools already operate a proxy, rarely a VPN. The Proxy option is more affordable. And also as Stefan mentioned, the proxy option is more easily enforceable via OSes.

@restena-sw
Contributor Author

When I implemented this admin-side, I boldly assumed that there can be two proxies, HTTP and HTTPS. Turns out that the Apple and Windows documentation bits I find on the internet only refer to one proxy server, and one port.
If somebody knows how this works (is it used only for HTTP? Or does it multiplex HTTP and HTTPS on the same port?) I'd appreciate comments to the issue here on GitHub.

@restena-sw
Contributor Author

[Screenshot, 2018-02-13 13:49:29: CAT admin UI showing the new proxy configuration option]

@restena-sw
Contributor Author

As you can see, this is now implemented for the Apple installers (iOS > 6 and mac OS X and macOS). Using the "http" settings, not "https".

@semik

semik commented Feb 13, 2018

Stefan,

here the IROP project is running to extend eduroam to some high schools. It is not limited to eduroam; it provides resources for enhancing IT infrastructure in a complex way. One of the requests is the ability to filter traffic on HTTP & HTTPS.

In the eduroam view this is only acceptable for local users of the respective institution. Visitors should receive "open" Internet. So, if a pupil leaves school and visits a university or any other school, they receive open Internet as any other visitor. Exactly the same Internet they would receive in McDonald's. I like this because of its simplicity.

Jan

@kruckenb

kruckenb commented Feb 15, 2018

@restena-sw

When you configure a proxy setting, the browser sends all requests (HTTP and HTTPS) to the proxy. The proxy makes the request to the Web server and sends the results back to the browser.

The most secure way to set this up is to use a proxy that supports HTTPS, and configure the proxy setting with an HTTPS URL. This will encrypt all traffic between the browser and the proxy, even for HTTP sites that aren't encrypted from the proxy to the Web site. (Note that if you use HTTP for the proxy setting, all traffic is unencrypted between the browser and proxy, even for HTTPS sites.)

To let your users access the proxy from Eduroam or other locations, you will need to open up access to the proxy in a secure fashion. Simplest way is to make it world-accessible and require authentication to restrict who can use it.
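The comment above describes the browser handing every request to the proxy. What the proxy can actually filter on differs between the two cases, which matters for the "filter HTTP & HTTPS" requirement raised earlier in the thread: a plain-HTTP request reaches a forward proxy in absolute form (`GET http://host/path`), so the full URL is visible; an HTTPS request arrives as `CONNECT host:443` and the proxy then only tunnels encrypted bytes, so it can decide on the hostname alone. The following is an added example, not code from the CAT project or from anyone in this thread. It assumes a conventional forward proxy as just described; the request lines, blocked hosts and blocked path prefixes are constructed for the example.

```python
"""Show what a forward proxy sees per request and how much it can filter.

Added example, not CAT project code. Assumes a conventional forward proxy:
plain HTTP arrives in absolute form, HTTPS arrives as CONNECT host:port.
"""
from urllib.parse import urlsplit

# Constructed sample of request lines as the proxy would receive them.
SAMPLE_REQUESTS = [
    "GET http://example.org/news/today.html HTTP/1.1",
    "CONNECT example.net:443 HTTP/1.1",
    "GET http://blocked.example/anything HTTP/1.1",
    "CONNECT blocked.example:443 HTTP/1.1",
    "GET http://example.org/unwanted/page.html HTTP/1.1",
    "CONNECT example.org:443 HTTP/1.1",
]

# Constructed policy: a host list and a path-prefix list.
BLOCKED_HOSTS = {"blocked.example"}
BLOCKED_PATH_PREFIXES = ("/unwanted/",)


def parse_request_line(line):
    """Return method, host, port, path and whether the proxy will only tunnel.

    For CONNECT the path is None: the proxy never sees the URL inside TLS.
    """
    parts = line.split()
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {line!r}")
    method, target, _version = parts
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"CONNECT target must be host:port: {target!r}")
        return {"method": method, "host": host, "port": int(port),
                "path": None, "tunnel": True}
    url = urlsplit(target)
    if not url.scheme or not url.hostname:
        raise ValueError(f"expected absolute-form URL for a proxy: {target!r}")
    return {"method": method, "host": url.hostname, "port": url.port or 80,
            "path": url.path or "/", "tunnel": False}


def decide(line, blocked_hosts=BLOCKED_HOSTS,
           blocked_paths=BLOCKED_PATH_PREFIXES):
    """Return 'deny', 'allow' (HTTP, URL inspected) or 'tunnel' (HTTPS).

    The hostname is available in both cases, so host-level blocking works for
    HTTP and HTTPS alike. Path-level rules can only apply to plain HTTP; for a
    CONNECT request the proxy must allow or deny the whole host.
    """
    req = parse_request_line(line)
    if req["host"] in blocked_hosts:
        return "deny"
    if req["tunnel"]:
        return "tunnel"
    if any(req["path"].startswith(p) for p in blocked_paths):
        return "deny"
    return "allow"


def filter_log(lines):
    """Apply decide() to each request line; returns [(line, decision), ...]."""
    return [(line, decide(line)) for line in lines]


if __name__ == "__main__":
    for line, decision in filter_log(SAMPLE_REQUESTS):
        print(f"{decision:6s}  {line}")
```

Note the last two sample lines: the same `/unwanted/` page is denied when fetched over HTTP but passes as an opaque tunnel over HTTPS, because the proxy only learns `example.org:443`. Whether the CONNECT line itself travels in cleartext between client and proxy depends on the point made above about an HTTP versus HTTPS proxy URL; the request parsing here is the same either way.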

@kruckenb

kruckenb commented Feb 15, 2018

Another option for filtering, if a proxy isn't the right solution:

A lot of our schools use a filtering agent on mobile devices that connects to a filtering appliance in the cloud or at their school. There is also stand-alone filtering software that doesn't need to connect to an appliance. In any case, the agent or filtering software automatically handles filtering no matter how the device is connected.

@restena-sw
Contributor Author

Okay, here's still one thing I don't know how to handle: when you write "a proxy that supports HTTPS" how do I signal that fact in the mobileconfig file? There are only two config items, ProxyServer and ProxyServerPort, but no "use HTTPS" flag or anything.
(There are such in mobileconfig, but exclusively available in the VPN OnDemand section)

Is there some magic based on ports going on? Or is it possible to prefix the ProxyServer item with https:// ? The examples I've seen so far only have a hostname or IP address, no protocol prefix.

And the documentation obviously doesn't go into this amount of detail as well :-(
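To make the two configuration items named above concrete, here is an added example, not CAT project code and not posted by anyone in this thread, that writes a minimal mobileconfig profile carrying a Wi-Fi payload with a manual proxy and then reads it back to verify what was provisioned. It assumes the documented key names `ProxyType`, `ProxyServer` and `ProxyServerPort` inside a `com.apple.wifi.managed` payload and a bare hostname for `ProxyServer`, as in the examples mentioned above; the question of an `https://` prefix is left open exactly as it is in the thread. The EAP settings a real eduroam profile carries are omitted, and the SSID, organisation identifier and proxy host/port are constructed values.

```python
"""Build and verify a mobileconfig that pins a manual HTTP proxy.

Added example, not CAT project code. Assumes the Wi-Fi payload keys
ProxyType / ProxyServer / ProxyServerPort; EAP configuration is omitted
and all identifiers and hostnames are constructed for the example.
"""
import plistlib
import uuid


def build_wifi_profile(ssid, proxy_host, proxy_port, org_id="org.example.cat"):
    """Return the profile as XML plist bytes (the on-disk mobileconfig format)."""
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",      # a real eduroam profile adds EAPClientConfiguration here
        "ProxyType": "Manual",         # the proxy keys the thread discusses
        "ProxyServer": proxy_host,     # bare hostname, as in the examples seen
        "ProxyServerPort": proxy_port,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Constructed example profile with pinned proxy",
        "PayloadContent": [wifi_payload],
    }
    return plistlib.dumps(profile)


def check_proxy_settings(profile_bytes):
    """Parse a profile and return [(ssid, proxy_host, proxy_port), ...].

    Wi-Fi payloads without a manual proxy are reported with (None, None) so an
    administrator can see at a glance which networks are actually pinned.
    Raises ValueError on a proxy block that would provision something other
    than a hostname and a valid port.
    """
    profile = plistlib.loads(profile_bytes)
    found = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = payload.get("SSID_STR")
        if payload.get("ProxyType") != "Manual":
            found.append((ssid, None, None))
            continue
        host = payload.get("ProxyServer")
        port = payload.get("ProxyServerPort")
        if not host or not isinstance(host, str):
            raise ValueError(f"{ssid}: ProxyServer missing or not a string")
        if "://" in host:
            # The examples cited in the thread carry no scheme; flag it rather
            # than guess how the client would interpret one.
            raise ValueError(f"{ssid}: ProxyServer carries a URL scheme: {host!r}")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError(f"{ssid}: ProxyServerPort out of range: {port!r}")
        found.append((ssid, host, port))
    return found


if __name__ == "__main__":
    data = build_wifi_profile("eduroam", "proxy.example.org", 3128)
    print(data.decode())
    print(check_proxy_settings(data))
```

The check function is the defender-side half: since the thread notes that the whole mechanism is "just configuration", being able to dump a profile and confirm which SSIDs carry a pinned proxy, and on which host and port, is the minimum an IdP administrator wants before shipping installers.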

@jmohacsi

Can you identify the user on the proxy? Do you pass username to proxy?

@restena-sw
Contributor Author

The implementation right now merely provisions a hostname and port for the proxy (and it is only implemented for macOS / iOS).
It is up to the proxy to authenticate the individual user if it so wants. A practical test I did ended up with an "HTTP Basic" style popup where I had to enter a username and password to the proxy.

On your concrete question, we as eduroam CAT do not identify the user, and since we don't ask, we can't tell.

However the proxy itself may want to identify the user, with its own means.

@jmohacsi

jmohacsi commented Jan 11, 2019 via email

@restena-sw
Contributor Author

How one operates their proxy is not exactly CAT's business. I could imagine either to have one proxy but login credentials for it which trigger separate filtering rules, or to set up multiple proxies and multiple CAT profiles for the different user groups, each pointing to one of those proxies.
