Skip to Content.

cat-users - Re: [[cat-users]] bug with win 10 supplicant

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive


Re: [[cat-users]] bug with win 10 supplicant


Chronological Thread 
    < Chronological >      < Thread >
  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: Stefano Zanmarchi <zanmarchi AT gmail.com>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] bug with win 10 supplicant
  • Date: Fri, 5 Feb 2016 21:39:33 +0100
Hi Stefano,
   let me do a bit of self-advertising here. We have built EAPlab (https://eaplab.supplicants.net) exactly for that kind of testing. All you need is an access-point directed to the EAPlab RADIUS server and then with a click of a mouse you can change the RADIUS server behaviour, like issue a reject as if there was a password missmatch, change server certificate and a lot of other scenarios.

I have just run such rejection test that confirms your findings. I have tried a number of settings on the supplicant, like  turning fast reconnect off, played with prompting when server cert does not match, no change, indeed Windows will not prompt again. Looks like the only safe way is to run a CAT installer again.

Tomasz


W dniu 05.02.2016 o 17:38, Stefano Zanmarchi pisze:
Hello,
we are experiencing what seems to me a severe security bug with the windows 10 (for PC) supplicant.
None of you has faced this problem?
When people (we run PEAP - MSCHAP v2) change password the supplicant does not prompt users for new credentials anymore, like it did on win7 and win8, but keeps on trying with the old one (the radius logs show these attempts).
Sadly people tend to solve the problem cancelling the eduroam network profile and reconnecting to eduroam.
Windows then recreates the profile asking the user for the new credentials, that's fine, but silently accepts the certificate sent by the radius server, and this is not good at all!
Has anyone solved this or news about it?
Best,
Stefano
P.S. A very complicated workaround is typing in the CLI these two commands when the connection fails due to password change:
   netsh wlan set profileparameter name=eduroam cacheUserData=no
   netsh wlan set profileparameter name=eduroam cacheUserData=yes
Now win 10 will prompt the user for the new credentials.
 

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users 
-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne       Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika         Nicolaus Copernicus University,
pl. Rapackiego 1, Torun                pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576

Archive powered by MHonArc 2.6.19.

Top of Page