The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Tomasz Wolniewicz <twoln AT umk.pl>]

I think there are two issues here.

1. There may sites which require their own local users use a proxy. If 
such sites exist then they should set up a separate local VLAN for their 
users. Then a specific configuration option for these users would be 
required. This setting would have to be done for eduroam SSID, but it 
would be quite sufficient to have it on the IdP level.

2. There may be sites that require proxies for guests. This is 
essentially not  allowed by the policy with a SHOULD NOT. I am not too 
happy about setting up eduroam clients just in case one of the networks 
introduces a problem. WPAD is potentially a security problem. I do not 
feel well changing the default connection parameters of all clients in 
the world to less secure. I would rather live with problems at some sites.

So my vote on this would be - per IdP setting - fine with me as this 
would most likely be directed for the local VLAN only, and besides if an 
IdP admin wants to change the setting of his users, then I am fine with 
this.

Tomasz




W dniu 2013-11-18 10:00, Stefan Winter pisze:
> Hello,
>
> our Apple "mobileconfig" eduroam configurators currently do net set a flag
>
> "ProxyType = Auto" [1]
>
> which would make devices check automatically if the local hotspot needs
> you to go through a proxy. It would use the "WPAD" discovery process. [2]
>
> In eduroam, we don't like web proxies. Still, their use is in principle
> allowed under certain conditions as per policy. And if they *are* in
> use, enabling WPAD will make the browsing experience much easier /
> possible at all when roaming to a hotspot which requires it.
>
> When talking about the main eduroam SSID, any setting we put in there
> will either be set for *all* hotspots (IDP's own home hotspot *and*
> roaming ones) or none. Also, even IdPs which despise proxies have no way
> of knowing whether their own users will eventually roam to a hotspot
> which requires this setting.
>
> All this speaks against making WPAD proxy discovery a per-IdP option; it
> either should be there or not, eduroam-wide (so, no option bloat for you
> :-) ).
>
> We're currently considering to add this auto-discovery property to our
> Apple installers for version 1.1 of CAT. Having the setting on "Auto"
> should not have any detrimental effects on hotspots which don't
> implement it.
>
> So it seems like this is pretty much always a good thing. One possible
> exception being that there could be sites which do have a WPAD proxy,
> but make its use optional. In these cases, setting Auto would make us
> decide about a setting for the end use which he doesn't actually like.
> The same thing would be true for every user on the site though, being
> CAT-provisioned or not - because they would need to take manual action
> to move Operating Systems off of the default (e.g. Microsoft operating
> systems tend to have this on "Auto" by default).
>
> If you have an opinion on whether we should or should not set this flag
> in Apple mobileconfig in the future, please reply to this mail and let
> us know.
>
> Greetings,
>
> Stefan Winter
>
> [1]
> https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html
> (Wi-Fi Payload, last entry)
>
> [2] https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

--
Tomasz Wolniewicz
          
twoln AT umk.pl
        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576