cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: Marcin Balcerzyk <mbalcerzyk AT us.es>, 'Jose Manuel Macias Luna' <jmanuel.macias AT rediris.es>
- Cc: 'Daniel Daza Muñoz' <daniel AT us.es>, 'Alan Buxey' <A.L.M.Buxey AT lboro.ac.uk>, cat-users AT lists.geant.org, "'Gustavo A. Rodriguez'" <gusrodri AT us.es>, 'Carmen Lopez (Nené)' <carmen AT us.es>
- Subject: Re: [[cat-users]] Installation of Eduroam for Windows Phone 8.1 and10
- Date: Thu, 1 Dec 2016 15:38:22 +0100
- Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Marcin,
when you blindly "accept a certificate", then this is a security
problem: you send the password to arbitrary third parties.
Please do not do that. Either the phone allows /proper/ configuration,
with pinning of CA certificate and server name, or better not use it.
Stefan Winter
On 01.12.2016 at 15:21, Marcin Balcerzyk wrote:
> Dear All.
>
> Recently Windows 10 Mobile got an update in WiFi section. I missed the
> actual moment possibly a month ago, but now I can connect to Eduroam in
> University of Seville with my Lumia 640 XL. Do not use WiFi (Legacy),
> but the new one WiFi in settings. I use version 1607 and a build for
> Insiders: 10.0.14965.1000. I connect as simple as from Windows 10 PC.
> You put only the ID with @us.es and a password accepting a certificate.
> I did not try to log in from other universities yet.
>
> I attach the screen of settings from my phone. Please diffuse the
> message among Windows 10 Mobile users. I cannot log in to
> foros.eduroam.es, I am not allowed with my UVUS account, although
> previously I could.
>
> Kind regards
>
> Marcin Balcerzyk, Ph.D.
> Unidad Ciclotron,
> Centro Nacional de Aceleradores,
> Universidad de Sevilla-CSIC-Junta de Andalucia,
> Parque Tecnólogico Cartuja 93,
> c/Thomas Alva Edison Nº 7,
> 41092 Sevilla (Spain),
> Tel.: (+34) 954 460 553 ext. 236,
> Fax: (+34) 954 460 145,
> mobile:(+34) 697 322 126
> Skype: balcerzm
>
> *From:* Marcin Balcerzyk [mailto:mbalcerzyk AT us.es]
> *Sent:* Tuesday, 26 January 2016 11:24
> *To:* Jose Manuel Macias Luna <jmanuel.macias AT rediris.es>; 'Stefan Winter' <stefan.winter AT restena.lu>
> *Cc:* 'Daniel Daza Muñoz' <daniel AT us.es>; 'Alan Buxey' <A.L.M.Buxey AT lboro.ac.uk>; cat-users AT lists.geant.org; 'Gustavo A. Rodriguez' <gusrodri AT us.es>; 'Carmen Lopez (Nené)' <carmen AT us.es>
> *Subject:* RE: [[cat-users]] Installation of Eduroam for Windows Phone 8.1 and10
>
> Hi
>
> First of all, thank you for all input. I hope that one day my WP10 will
> get connected to Eduroam and lots of people who have this system will
> finally get to Eduroam.
>
> You can manually configure WiFi in Windows 10 PC. Eduroam of US.ES just
> asked me for the password and ID with Windows 8.1 PC, so it seems it
> negotiated the configuration. WP10 has limited parameters to configure.
> Cat.eduroam.org has a profile for unknown systems, but WP10 doesn’t know
> what to do with this XML file.
>
> I used US.ES CSIC.ES and UCM.ES credentials and none worked.
>
> Regards
>
> Marcin Balcerzyk
>
> *From:* Jose Manuel Macias Luna <mailto:jmanuel.macias AT rediris.es>
> *Sent:* Monday, 25 January 2016 13:35
> *To:* Marcin Balcerzyk <mailto:mbalcerzyk AT us.es>; 'Stefan Winter' <mailto:stefan.winter AT restena.lu>
> *Cc:* 'Daniel Daza Muñoz' <mailto:daniel AT us.es>; 'Alan Buxey' <mailto:A.L.M.Buxey AT lboro.ac.uk>; cat-users AT lists.geant.org <mailto:cat-users AT lists.geant.org>; 'Gustavo A. Rodriguez' <mailto:gusrodri AT us.es>; 'Carmen Lopez (Nené)' <mailto:carmen AT us.es>
> *Subject:* Re: [[cat-users]] Installation of Eduroam for Windows Phone 8.1 and10
>
> Hi Marcin,
>
> it is not clear for me if you are using US credentials or not. US
> implements EAP-TTLS+PAP only (unless Daniel or Gustavo –they are
> administrators there– say a different thing).
>
> For what I know, in Windows Phone, only PEAP+MSCHAPv2 and TTLS+MSCHAPv2
> are available, but the second is different of TTLS+PAP, and requires the
> home institution of the user having the password stored in certain
> format (I think in that line is the response by Gustavo).
>
> On the other hand, apart from manually configuring the device in those
> cases where that possibility exists (that's what UA did, I guess), in
> order for eduroam CAT to support that platform, it's also necessary that
> the vendor implements some way of configuring/provisioning the network
> in an unattended way. That is available for certain Windows Desktop
> versions, but –again, I'm not sure if that's the case– not for Windows
> Phone... maybe Stefan/Tomasz could confirm this.
>
> But maybe I'm wrong in some of the assertions in this message... :)
>
> Jose.
>
> On 25/01/16 at 10:29, Marcin Balcerzyk wrote:
>
>> Dear Stefan
>>
>> I attach the original of the explanation of why I cannot authenticate
>> to Eduroam via University of Seville. It is in Spanish, and I include
>> the corrected automatic translation:
>>
>> " Although WP 10 says that it supports EAP-TTLS-PAP to authenticate,
>> i.e. when the user enters their credentials so that access point
>> starts the authentication process, WP10 send them in a format that is
>> not understood by the server that has to make the verification,
>> radius server, so it does not work, this has nothing to do with the
>> certificate, therefore the problem is that your device sends a format
>> that, in theory, should be EAP-TTLS-PAP but in reality it is not, we
>> have other devices that send the data correctly and that there are no
>> problems. What is the possible solution? Apparently it is enough to
>> add PEAP as the authentication protocol, but this solution neither is
>> immediate nor easy, because it implies among other things the LDAP
>> directory store keys in a different format to which it does it now,
>> what we do not know if it is possible; We will investigate it and try
>> if it is possible to implement it"
>>
>> " Dear Sir, I am Gustavo Rodríguez, head of the Communications Area,
>> which includes Daniel Daza, with whom you have been in contact about
>> the connection problems you have accessing eduroam from the device
>> you mention in your e-mail. I will try to summarize briefly the
>> reasons why this is not possible from our institution. Although
>> WP 10 says that it supports EAP-TTLS-PAP for authentication, that is,
>> when the user enters their credentials so that the access point
>> starts the authentication process, it sends them in a format that the
>> server that has to perform the verification, the radius server, does
>> not understand, so it does not work. This has nothing to do with the
>> certificate; the problem is therefore that your device sends a format
>> that in theory should be EAP-TTLS-PAP but in reality is not. We have
>> other devices that send it correctly and with which there are no
>> problems. What is the possible solution? Apparently it would be
>> enough to add PEAP as an authentication protocol, but this solution
>> is neither immediate nor easy, because it implies, among other
>> things, that the directory, LDAP, stores the keys in a format
>> different from the one it has now, which we do not know is possible;
>> we are going to investigate it and try to put it into operation if
>> possible.
>>
>> Yours sincerely.
>>
>> Gustavo A. Rodríguez. Technical Director, Communications Area.
>> Information Technology and Communications Service. Universidad de
>> Sevilla."
>>
>> Stefan, I hope the explanation is now much more clear. I am not sure
>> if cat.eduroam.org can implement WP10 solution for just several
>> institutions, but I assure you that University of Alicante in Spain
>> did it somehow:
>> http://si.ua.es/en/wifi/eduroam/peap/eduroam-installation-for-windows-phone-8.html.
>>
>> Waiting for your reply.
>>
>> Kind regards
>>
>> Marcin Balcerzyk, Ph.D. Unidad Ciclotron, Centro Nacional de
>> Aceleradores, Universidad de Sevilla-CSIC-Junta de Andalucia, Parque
>> Tecnólogico Cartuja 93, c/Thomas Alva Edison Nº 7, 41092 Sevilla
>> (Spain), Tel.: (+34) 954 460 553 ext. 226, Fax: (+34) 954 460
>> 145, mobile:(+34) 697 322 126 Skype: balcerzm
>>
>> -----Original Message-----
>> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
>> Sent: 22 January 2016 12:52
>> To: Marcin Balcerzyk <mbalcerzyk AT us.es <mailto:mbalcerzyk AT us.es>>; 'Alan Buxey' <A.L.M.Buxey AT lboro.ac.uk <mailto:A.L.M.Buxey AT lboro.ac.uk>>; cat-users AT lists.geant.org <mailto:cat-users AT lists.geant.org>
>> Cc: 'Daniel Daza Muñoz' <daniel AT us.es <mailto:daniel AT us.es>>
>> Subject: Re: [[cat-users]] Installation of Eduroam for Windows Phone 8.1 and 10
>>
>> Hello,
>>
>>> It did not work. This is my local university (University of
>>> Seville). I asked an IT person and they said that the way EAP
>>> certificate is stored in the directory is incompatible with Windows
>>> Phone 10 setting and they do not want to do anything about it (I
>>> think that I understood it well).
>>
>> Well... If they tell you they don't want to make this work for you,
>> then I'm not sure how we can be of much help?
>>
>> I see that their server cert does not contain an Extension CA:FALSE
>> (which some OSes seem to like). That would certainly be easy to fix,
>> but only they can do that. IF that is the actual issue.
>>
>>> I tried also logging in with credentials of CSIC.ES and UCM.ES,
>>> where I have accounts, hoping for the authentication slight
>>> differences, but none worked. The description of the eduroam
>>> settings are here
>>>
>>> UCM.ES: https://www.ucm.es/ssii/eduroam
>>
>> At least this one has a certificate which is very well-behaved and
>> does not raise any warnings. If Windows Phone doesn't like that
>> certificate, then all shame is on Windows 10 IMHO.
>>
>> Your earlier comment on the us.es IT staff seems to indicate that
>> they actually know what exactly Windows Phone dislikes about the
>> certificate. That's great - I don't :-) If you can get the admins to
>> tell us what the issue is, we may be able to add checks for that
>> condition in our tools...
>>
>>> CSIC.ES does not have a clear description of their authentication
>>> method.
>>
>> I have browsed through some documentation on their website and they
>> have TTLS-PAP as one supported method; they are using the TCS service
>> for their server certificates (just like ucm.es)
>>
>>> I have found on Spanish Eduroam forum a link to Microsoft that
>>> states that EAP-TTLS (PAP) is supported on WP8.1 but it seems it is
>>> not: https://msdn.microsoft.com/en-us/library/dn643706.aspx.
>>
>> I don't understand. That article lists TTLS-PAP just fine? But then
>> again, why are you now talking about WP 8.1 now? Earlier you say that
>> you have WP 10?
>>
>>> Any suggestion?
>>
>> More and clearer information would be nice.
>>
>> Greetings,
>>
>> Stefan Winter
>>
>>>
>>> Kind regards
>>>
>>> Marcin Balcerzyk, Ph.D.
>>> Unidad Ciclotron,
>>> Centro Nacional de Aceleradores,
>>> Universidad de Sevilla-CSIC-Junta de Andalucia,
>>> Parque Tecnólogico Cartuja 93,
>>> c/Thomas Alva Edison Nº 7,
>>> 41092 Sevilla (Spain),
>>> Tel.: (+34) 954 460 553 ext. 226,
>>> Fax: (+34) 954 460 145,
>>> mobile:(+34) 697 322 126
>>> Skype: balcerzm
>>>
>>> *From:* Alan Buxey [mailto:A.L.M.Buxey AT lboro.ac.uk]
>>> *Sent:* Saturday, 12 December 2015 18:06
>>> *To:* Marcin Balcerzyk <mbalcerzyk AT us.es <mailto:mbalcerzyk AT us.es>>; cat-users AT lists.geant.org <mailto:cat-users AT lists.geant.org>
>>> *Subject:* Re: [[cat-users]] Installation of Eduroam for Windows Phone 8.1 and 10
>>>
>>> Just install the CA as per your organisation's requirements and
>>> then use your username/password as per requirements. It'll work,
>>> securely, with no need for CAT App (which is a long long way away)
>>>
>>> alan
>>>
>>> To unsubscribe, send this message:
>>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
>>> Or use the following link:
>>> https://lists.geant.org/sympa/sigrequest/cat-users
>>
>> -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau
>> Téléinformatique de l'Education Nationale et de la Recherche 2,
>> avenue de l'Université L-4365 Esch-sur-Alzette
>>
>> Tel: +352 424409 1 Fax: +352 422473
>>
>> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
>> recipient's key is known to me
>>
>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>>
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66