
cat-users - RE: [[cat-users]] Installation of Eduroam for Windows Phone 8.1 and 10

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Nicolás Velázquez <nicolas.velazquez AT uam.es>
  • To: "'Jose Manuel Macias Luna'" <jmanuel.macias AT rediris.es>, "'Marcin Balcerzyk'" <mbalcerzyk AT us.es>, "'Stefan Winter'" <stefan.winter AT restena.lu>
  • Cc: 'Daniel Daza Muñoz' <daniel AT us.es>, "'Alan Buxey'" <A.L.M.Buxey AT lboro.ac.uk>, <cat-users AT lists.geant.org>, "'Gustavo A. Rodriguez'" <gusrodri AT us.es>, 'Carmen Lopez (Nené)' <carmen AT us.es>
  • Subject: RE: [[cat-users]] Installation of Eduroam for Windows Phone 8.1 and 10
  • Date: Tue, 26 Jan 2016 09:37:40 +0100
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass header.i= AT uam.es

Hello all,

As the wifi manager of our university, I read about this problem around
2014 so that I could answer our WP users, and I saw a blog post where a
Microsoft technician talked about the implementation of EAP-TTLS+PAP in WP8.1.

I've been trying to find this article now and I can't. I'm in a hurry with
some other questions today and tomorrow.
But I've found a post saying the same as the 2014 technician.

http://answers.microsoft.com/en-us/mobiledevices/forum/mdlumia-mdtips/eap-ttls-pap-authentication-supported-in-wp8/1cd0c26c-e2d7-4fc7-bf51-8bcf1c724407?auth=1

In summary, WP8.1 has EAP-TTLS+PAP but it has no user interface to select it.
It must be selected ONLY using MDM software. That is unfeasible for
a university.
After that, we marked WP8.1 as a "no connect device" for us.

But if MDM software can select TTLS/PAP, then maybe eduroam CAT could also
work to activate it.
Or maybe WP8.1 is too old now.

I don't know anything about W10M and TTLS/PAP.

Regards,

Nicolas

Nicolás Velázquez Campoy
Unidad Técnica de Comunicaciones / Tecnologías de la Información
Universidad Autónoma de Madrid • Ciudad Universitaria de Cantoblanco
Edificio B Escuela Politécnica Superior, despacho TI-205 • c/ Francisco Tomás
y Valiente nº 11. 28049 Madrid
Teléfono: 91 497 33 21 • Fax: 91 497 27 94
nicolas.velazquez AT uam.es


-----Original Message-----
From: Jose Manuel Macias Luna [mailto:jmanuel.macias AT rediris.es]
Sent: Monday, 25 January 2016 13:35
To: Marcin Balcerzyk; 'Stefan Winter'
CC: 'Daniel Daza Muñoz'; 'Alan Buxey'; cat-users AT lists.geant.org; 'Gustavo A. Rodriguez'; 'Carmen Lopez (Nené)'
Subject: Re: [[cat-users]] Installation of Eduroam for Windows Phone 8.1 and 10


Hi Marcin,

it is not clear to me whether you are using US credentials or not. US
implements EAP-TTLS+PAP only (unless Daniel or Gustavo –they are
administrators there– say a different thing).

As far as I know, in Windows Phone, only PEAP+MSCHAPv2 and TTLS+MSCHAPv2 are
available, but the second is different from TTLS+PAP, and requires the home
institution of the user to have the password stored in a certain format (I think
the response by Gustavo is along those lines).

On the other hand, apart from manually configuring the device in those cases
where that possibility exists (that's what UA did, I guess), in order for
eduroam CAT to support that platform, it's also necessary that the vendor
implements some way of configuring/provisioning the network in an unattended
way. That is available for certain Windows Desktop versions, but –again, I'm
not sure if that's the case– not for Windows Phone... maybe Stefan/Tomasz
could confirm this.

But maybe I'm wrong in some of the assertions in this message... :)

Jose.


On 25/01/16 at 10:29, Marcin Balcerzyk wrote:
> Dear Stefan
>
> I attach the original of the explanation of why I cannot authenticate
> to Eduroam via University of Seville. It is in Spanish, and I include
> the corrected automatic translation:
>
> "Although WP 10 says that it supports EAP-TTLS-PAP to authenticate,
> i.e. when the user enters their credentials so that the access point
> starts the authentication process, WP10 sends them in a format that is
> not understood by the server that has to do the verification, the RADIUS
> server, so it does not work. This has nothing to do with the
> certificate; therefore the problem is that your device sends a format
> that, in theory, should be EAP-TTLS-PAP but in reality is not. We
> have other devices that send the data correctly and with which there are
> no problems. What is the possible solution? Apparently it is enough to
> add PEAP as the authentication protocol, but this solution is neither
> immediate nor easy, because it implies, among other things, that the LDAP
> directory store keys in a different format from the one it uses now,
> and we do not know if that is possible. We will investigate it and try
> to implement it if it is possible."
>
> "Dear Sir, I am Gustavo Rodríguez, head of the Communications Area to
> which Daniel Daza belongs, with whom you have been in contact about the
> connection problems you have accessing eduroam from the device you
> mention in your e-mail. I will try to summarise briefly the reasons why
> this is not possible from our institution. Although WP 10 says that it
> supports EAP-TTLS-PAP for authentication, that is, when the user enters
> their credentials so that the access point starts the authentication
> process, it sends them in a format that the server that has to do the
> verification, the RADIUS server, does not understand, so it does not
> work. This has nothing to do with the certificate; the problem is
> therefore that your device sends a format that in theory should be
> EAP-TTLS-PAP but in reality is not. We have other devices that send it
> correctly and with which there are no problems. What is the possible
> solution? Apparently it would be enough to add PEAP as an authentication
> protocol, but this solution is neither immediate nor easy, because among
> other things it implies that the directory, LDAP, store the keys in a
> format different from the one it has now, and we do not know whether
> that is possible; we are going to investigate it and try to put it into
> operation if possible.
>
> Yours sincerely,
>
> Gustavo A. Rodríguez. Technical Director, Communications Area. Servicio de
> Informática y Comunicaciones. Universidad de Sevilla."
>
>
> Stefan, I hope the explanation is now much more clear. I am not sure
> if cat.eduroam.org can implement a WP10 solution for just several
> institutions, but I assure you that the University of Alicante in Spain did
> it somehow:
> http://si.ua.es/en/wifi/eduroam/peap/eduroam-installation-for-windows-phone-8.html.
>
>
> Waiting for your reply.
>
> Kind regards
>
> Marcin Balcerzyk, Ph.D. Unidad Ciclotron, Centro Nacional de
> Aceleradores, Universidad de Sevilla-CSIC-Junta de Andalucia, Parque
> Tecnólogico Cartuja 93, c/Thomas Alva Edison Nº 7, 41092 Sevilla
> (Spain), Tel.: (+34) 954 460 553 ext. 226, Fax: (+34) 954 460
> 145, mobile:(+34) 697 322 126 Skype: balcerzm
>
>
>
> -----Original Message-----
> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
> Sent: 22 January 2016 12:52
> To: Marcin Balcerzyk <mbalcerzyk AT us.es>; 'Alan Buxey' <A.L.M.Buxey AT lboro.ac.uk>; cat-users AT lists.geant.org
> Cc: 'Daniel Daza Muñoz' <daniel AT us.es>
> Subject: Re: [[cat-users]] Installation of Eduroam for Windows Phone 8.1 and 10
>
> Hello,
>
>> It did not work. This is my local university (University of Seville).
>> I asked an IT person and they said that the way the EAP certificate is
>> stored in the directory is incompatible with the Windows Phone 10 setting
>> and they do not want to do anything about it (I think that I
>> understood it well).
>
> Well... If they tell you they don't want to make this work for you,
> then I'm not sure how we can be of much help?
>
> I see that their server cert does not contain an Extension CA:FALSE
> (which some OSes seem to like). That would certainly be easy to fix,
> but only they can do that. IF that is the actual issue.
>
>> I also tried logging in with credentials of CSIC.ES and UCM.ES, where
>> I have accounts, hoping for slight differences in the authentication,
>> but none worked. The description of the eduroam settings is here
>>
>>
>>
>> UCM.ES: https://www.ucm.es/ssii/eduroam
>
> At least this one has a certificate which is very well-behaved and
> does not raise any warnings. If Windows Phone doesn't like that
> certificate, then all shame is on Windows 10 IMHO.
>
> Your earlier comment on the us.es IT staff seems to indicate that they
> actually know what exactly Windows Phone dislikes about the
> certificate. That's great - I don't :-) If you can get the admins to
> tell us what the issue is, we may be able to add checks for that
> condition in our tools...
>
>> CSIC.ES does not have a clear description of their authentication
>> method.
>
> I have browsed through some documentation on their website and they
> have TTLS-PAP as one supported method; they are using the TCS service
> for their server certificates (just like ucm.es)
>
>> I have found on Spanish Eduroam forum a link to Microsoft that states
>> that EAP-TTLS (PAP) is supported on WP8.1 but it seems it is
>> not: https://msdn.microsoft.com/en-us/library/dn643706.aspx.
>
> I don't understand. That article lists TTLS-PAP just fine? But then
> again, why are you talking about WP 8.1 now? Earlier you said that
> you have WP 10?
>
>> Any suggestion?
>
> More and clearer information would be nice.
>
> Greetings,
>
> Stefan Winter
>
>>
>> Kind regards
>>
>> Marcin Balcerzyk, Ph.D.
>> Unidad Ciclotron,
>> Centro Nacional de Aceleradores,
>> Universidad de Sevilla-CSIC-Junta de Andalucia,
>> Parque Tecnólogico Cartuja 93,
>> c/Thomas Alva Edison Nº 7,
>> 41092 Sevilla (Spain),
>> Tel.: (+34) 954 460 553 ext. 226,
>> Fax: (+34) 954 460 145,
>> mobile:(+34) 697 322 126
>> Skype: balcerzm
>>
>>
>>
>> *From:* Alan Buxey [mailto:A.L.M.Buxey AT lboro.ac.uk]
>> *Sent:* Saturday, 12 December 2015 18:06
>> *To:* Marcin Balcerzyk <mbalcerzyk AT us.es>; cat-users AT lists.geant.org
>> *Subject:* Re: [[cat-users]] Installation of Eduroam for Windows Phone 8.1 and 10
>>
>>
>>
>> Just install the CA as per your organisation's requirements and then
>> use your username/password as per requirements. It'll work, securely,
>> with no need for CAT App (which is a long long way away)
>>
>> alan
>>
>> To unsubscribe, send this message:
>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
>> Or use
>> the following link:
>> https://lists.geant.org/sympa/sigrequest/cat-users
>
>
> -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau
> Téléinformatique de l'Education Nationale et de la Recherche 2, avenue
> de l'Université L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1 Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>
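
Added example, not part of the thread: the storage constraint the messages above describe (TTLS+PAP works against the existing LDAP entries, while PEAP or TTLS with MSCHAPv2 needs the password held "in a certain format"). It assumes the directory holds salted `{SSHA}` values, which the thread does not state; the sample entry and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional, Set

PAP = "TTLS-PAP"
MSCHAPV2 = {"TTLS-MSCHAPv2", "PEAP-MSCHAPv2"}
ONE_WAY = {"SSHA", "SHA", "SMD5", "MD5", "CRYPT"}  # common LDAP userPassword schemes


def make_ssha(password: str, salt: bytes) -> str:
    """Build an LDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def pap_verify(stored: str, cleartext: str) -> bool:
    """TTLS+PAP: the server receives the cleartext inside the TLS tunnel,
    so it can re-hash it with the stored salt and compare."""
    m = re.fullmatch(r"\{SSHA\}(.+)", stored)
    if not m:
        raise ValueError("only {SSHA} is handled here")
    raw = base64.b64decode(m.group(1))
    digest, salt = raw[:20], raw[20:]  # SHA-1 output is 20 bytes
    candidate = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def inner_methods(user_password: str, nt_hash: Optional[str] = None) -> Set[str]:
    """Inner methods a RADIUS server can answer from what the directory holds.
    MSCHAPv2 is a challenge-response keyed on the NT hash (MD4 of the UTF-16LE
    password), so the server needs that hash or the cleartext; a salted
    one-way hash cannot be converted into either."""
    m = re.match(r"\{(\w+)\}", user_password)
    scheme = m.group(1).upper() if m else "CLEARTEXT"
    if scheme not in ONE_WAY and scheme != "CLEARTEXT":
        raise ValueError("unknown scheme " + scheme)
    methods = {PAP}  # PAP can be checked against every form above
    if scheme == "CLEARTEXT" or nt_hash is not None:
        methods |= MSCHAPV2
    return methods


# Constructed sample entry (not taken from the thread).
SAMPLE = make_ssha("correct horse", b"\x8a\x11\x5c\x02")

if __name__ == "__main__":
    print(pap_verify(SAMPLE, "correct horse"), sorted(inner_methods(SAMPLE)))
```

Adding an NT hash beside the existing value requires each user's cleartext once more (for example at the next password change), because it cannot be computed from the stored `{SSHA}` value.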




