The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Stefan Winter <stefan.winter AT restena.lu>]

Marcin,

wehn you blindly "accept a certificate", then this is a security
problem: you send to password to arbitrary third parties.

Please do not do that. Either the phone allows /proper/ configuration,
with pinning of CA certificate and server name, or better not use it.

Stefan Winter

Am 01.12.2016 um 15:21 schrieb Marcin Balcerzyk:
> Dear All.
> 
>  
> 
> Recently Windows 10 Mobile got an update in WiFi section. I missed the
> actual moment possibly a month ago, but now I can connect to Eduroam in
> University of Seville with my Lumia 640 XL. Do not use WiFi (Legacy),
> but the new one WiFi in settings. I use version 1607 and a built for
> Insiders: 10.0.14965.1000. I connect as simple as from Windows 10 PC.
> You put only the ID with @us.es and a password accepting a certificate.
> I did not try to log in from other universities yet.
> 
>  
> 
> I attach the screen of settings from my phone. Please diffuse the
> message among Windows 10 Mobile users. I cannot log in to
> foros.eduroam.es, I am not allowed with my UVUS account, although
> previously I could.
> 
>  
> 
> Kind regards
> 
>  
> 
> Marcin Balcerzyk, Ph.D.
> Unidad Ciclotron,
> Centro Nacional de Aceleradores,
> Universidad de Sevilla-CSIC-Junta de Andalucia,
> Parque Tecnólogico Cartuja 93,
> c/Thomas Alva Edison Nº 7,
> 41092 Sevilla (Spain),
> Tel.: (+34) 954 460 553 ext. 236,
> Fax: (+34) 954 460 145,
> mobile:(+34) 697 322 126
> Skype: balcerzm
> 
>  
> 
> *From:*Marcin Balcerzyk 
> [mailto:mbalcerzyk AT us.es]
> *Sent:* martes, 26 de enero de 2016 11:24
> *To:* Jose Manuel Macias Luna 
> <jmanuel.macias AT rediris.es>;
>  'Stefan
> Winter' 
> <stefan.winter AT restena.lu>
> *Cc:* 'Daniel Daza Muñoz' 
> <daniel AT us.es>;
>  'Alan Buxey'
> <A.L.M.Buxey AT lboro.ac.uk>;
>  
> cat-users AT lists.geant.org;
>  'Gustavo A.
> Rodriguez' 
> <gusrodri AT us.es>;
>  'Carmen Lopez (Nené)' 
> <carmen AT us.es>
> *Subject:* RE: [[cat-users]] Installation of Eduroam for Windows Phone
> 8.1 and10
> 
>  
> 
> Hi
> 
>  
> 
> First of All thank you for allinput. I hope that one day my WP10 will
> get connected to Eduroam and lots of people who have this system will
> finally get to Eduroam.
> 
>  
> 
> You can manually configure WiFi in Windows 10 PC. Eduroam of US.ES just
> asked me for the password and ID with Windows 8.1 PC, so it seems it
> negotiated the configuration. WP10 has limited parameters to configure.
> Cat.eduroam.org has a profile for unknown systems, but WP10 doesn’t know
> what to do with this XML file.
> 
>  
> 
> I used US.ES CSIC.ES and UCM.ES credentials and none worked.
> 
>  
> 
> Regards
> 
> Marcin Balcerzyk
> 
>  
> 
> 
> *From: *Jose Manuel Macias Luna 
> <mailto:jmanuel.macias AT rediris.es>
> *Sent: *lunes, 25 de enero de 2016 13:35
> *To: *Marcin Balcerzyk 
> <mailto:mbalcerzyk AT us.es>;
>  'Stefan Winter'
> <mailto:stefan.winter AT restena.lu>
> *Cc: *'Daniel Daza Muñoz' 
> <mailto:daniel AT us.es>;
>  'Alan Buxey'
> <mailto:A.L.M.Buxey AT lboro.ac.uk>;
>  
> cat-users AT lists.geant.org
> <mailto:cat-users AT lists.geant.org>;
>  'Gustavo A. Rodriguez'
> <mailto:gusrodri AT us.es>;
>  'Carmen Lopez (Nené)' 
> <mailto:carmen AT us.es>
> *Subject: *Re: [[cat-users]] Installation of Eduroam for Windows Phone
> 8.1 and10
> 
>  
> 
>  
> 
> Hi Marcin,
> 
>  
> 
>   it is not clear for me if you are using US credentials or not. US
> 
> implements EAP-TTLS+PAP only (unless Daniel or Gustavo –they are
> 
> administrators there– say a different thing).
> 
>  
> 
> For what I know, in Windows Phone, only PEAP+MSCHAPv2 and TTLS+MSCHAPv2
> 
> are available, but the second is different of TTLS+PAP, and requires the
> 
> home institution of the user having the password stored in certain
> 
> format (I think in that line is the response by Gustavo).
> 
>  
> 
> On the other hand, apart from manually configuring the device in those
> 
> cases where that possibility exists (that's what UA did, I guess), in
> 
> order for eduroam CAT to support that platform, it's also necessary that
> 
> the vendor implements some way of configuring/provisioning the network
> 
> in an unattended way. That is available for certain Windows Desktop
> 
> versions, but –again, I'm not sure if that's the case– not for Windows
> 
> Phone... maybe Stefan/Tomasz could confirm this.
> 
>  
> 
> But maybe I'm wrong in some of the assertions in this message... :)
> 
>  
> 
> Jose.
> 
>  
> 
>  
> 
> El 25/01/16 a las 10:29, Marcin Balcerzyk escribió:
> 
>> Dear Stefan
> 
>> 
> 
>> I attach the original of the explanation of why I cannot authenticate
> 
>> to Eduroam via University of Seville. It is in Spanish, and I include
> 
>> the corrected automatic translation:
> 
>> 
> 
>> " Although WP 10 says that it supports EAP-TTLS-PAP to authenticate,
> 
>> i.e. when the user enters their credentials so that access point
> 
>> starts the authentication process, WP10 send them in a format that is
> 
>> not understood by the server that has to make the verification,
> 
>> radius server, so it does not work, this has nothing to do with the
> 
>> certificate, therefore the problem is that your device sends a format
> 
>> that, in theory, should be EAP-TTLS-PAP but in reality it is not, we
> 
>> have other devices that send the data correctly and that there are no
> 
>> problems. What is the possible solution? Apparently it is enough to
> 
>> add PEAP as the authentication protocol, but this solution neither is
> 
>> immediate nor easy, because it implies among other things the LDAP
> 
>> directory store keys in a different format to which it does it now,
> 
>> what we do not know if it is possible; We will investigate it and try
> 
>> if it is possible to implement it"
> 
>> 
> 
>> " Estimado Sr., soy Gustavo Rodríguez, responsable del Área de
> 
>> Comunicaciones en la que está integrado Daniel Daza con el que ha
> 
>> estado en contacto por los problemas de conexión que tiene para
> 
>> acceder a eduroam desde el dispositivo que menciona en su correo, voy
> 
>> a intentar resumirle de manera breve las razones de esa imposibilidad
> 
>> desde nuestra institución. Aunque WP 10 dice que soporta EAP-TTLS-PAP
> 
>> para autenticarse, es decir cuando el usuario introduce sus
> 
>> credenciales para que el punto de acceso inicie el proceso de
> 
>> autenticación, las envía en un formato que no entiende el servidor
> 
>> que ha de hacer la verificación, servidor radius, por lo tanto no
> 
>> funciona, esto no tiene nada que ver con el certificado, por lo tanto
> 
>> el problema radica en que su dispositivo envía un formato que en
> 
>> teoría debería de ser EAP-TTLS-PAP pero que en realidad no lo es,
> 
>> tenemos otros dispositivos que lo envían correctamente y con los que
> 
>> no hay problemas. ¿Cuál es la posible solución? Aparentemente
> 
>> bastaría con añadir PEAP como protocolo de autenticación, pero esta
> 
>> solución ni es inmediata ni es fácil, porque implica entre otras
> 
>> cosas que el directorio, LDAP, almacene las claves en un formato
> 
>> distinto al que ahora tiene, lo que no sabemos si es posible; vamos a
> 
>> investigarlo e intentar si fuera posible su puesta en marcha.
> 
>> 
> 
>> Atentamente.
> 
>> 
> 
>> Gustavo A. Rodríguez. Dtor. Técnico Área de omunicaciones. Servicio
> 
>> de Informática y Comunicaciones. Universidad de Sevilla."
> 
>> 
> 
>> 
> 
>> Stefan, I hope the explanation is now much more clear. I am not sure
> 
>> if cat.eduroam.org can implement WP10 solution for just several
> 
>> institutions, but I assure you that Univesity of Alicante in Spain
> 
>> did it somehow:
> 
>> http://si.ua.es/en/wifi/eduroam/peap/eduroam-installation-for-windows-phone-8.html.
> 
>> 
> 
>> 
> 
>> Waiting for your reply.
> 
>> 
> 
>> Kind regards
> 
>> 
> 
>> Marcin Balcerzyk, Ph.D. Unidad Ciclotron, Centro Nacional de
> 
>> Aceleradores, Universidad de Sevilla-CSIC-Junta de Andalucia, Parque
> 
>> Tecnólogico Cartuja 93, c/Thomas Alva Edison Nº 7, 41092 Sevilla
> 
>> (Spain), Tel.:  (+34)  954 460 553 ext. 226, Fax:  (+34)   954 460
> 
>> 145, mobile:(+34) 697 322 126 Skype: balcerzm
> 
>> 
> 
>> 
> 
>> 
> 
>> -----Original Message----- From: Stefan Winter
> 
>> [mailto:stefan.winter AT restena.lu]
>>  Sent: 22 January 2016 12:52 To:
> 
>> Marcin Balcerzyk 
>> <mbalcerzyk AT us.es
>>  
>> <mailto:mbalcerzyk AT us.es>>;
>>  'Alan Buxey'
> 
>> <A.L.M.Buxey AT lboro.ac.uk
>>  
>> <mailto:A.L.M.Buxey AT lboro.ac.uk>>;
> cat-users AT lists.geant.org
>  
> <mailto:cat-users AT lists.geant.org>Cc:
>  'Daniel Daza
> 
>> Muñoz' 
>> <daniel AT us.es
>>  
>> <mailto:daniel AT us.es>>
>>  Subject: Re: [[cat-users]]
> Installation of
> 
>> Eduroam for Windows Phone 8.1 and 10
> 
>> 
> 
>> Hello,
> 
>> 
> 
>>> It did not work. This is my local university (University of
> 
>>> Seville). I ask IT an person and they said that the way EAP
> 
>>> certificate is stored in the directory is incompatible with Windows
> 
>>> Phone 10 setting and they do not want to do anything about it (I
> 
>>> think that I understood it well).
> 
>> 
> 
>> Well... If they tell you they don't want to make this work for you,
> 
>> then I'm not sure how we can be of much help?
> 
>> 
> 
>> I see that their server cert does not contain a Extension CA:FALSE
> 
>> (which some OSes seem to like). That would certainly be easy to fix,
> 
>> but only they can do that. IF that is the actual issue.
> 
>> 
> 
>>> I tried also logging in with credentials of CSIC.ES and UCM.ES,
> 
>>> where I have accounts, hoping for  the authentication slight
> 
>>> differences, but non worked. The description of the eduroam
> 
>>> settings are here
> 
>>> 
> 
>>> 
> 
>>> 
> 
>>> UCM.ES: https://www.ucm.es/ssii/eduroam
> 
>> 
> 
>> At least this one has a certificate which is very well-behaved and
> 
>> does not raise any warnings. If Windows Phone doesn't like that
> 
>> certificate, then all shame is on Windows 10 IMHO.
> 
>> 
> 
>> Your earlier comment on the us.es IT staff seems to indicate that
> 
>> they actually know what exactly Windows Phone dislikes about the
> 
>> certificate. That's great - I don't :-) If you can get the admins to
> 
>> tell us what the issue is, we may be able to add checks for that
> 
>> condition in our tools...
> 
>> 
> 
>>> CSIC.ES does not have a clear description of their authentication
> 
>>> method.
> 
>> 
> 
>> I have browsed through some documentation on their website and they
> 
>> have TTLS-PAP as one supported method; they are using the TCS service
> 
>> for their server certificates (just like ucm.es)
> 
>> 
> 
>>> I have found on Spanish Eduroam forum a link to Microsoft that
> 
>>> states that EAP-TTLS (PAP) is supported on WP8.1 but it seems it is
> 
>>> not: https://msdn.microsoft.com/en-us/library/dn643706.aspx.
> 
>> 
> 
>> I don't understand. That article lists TTLS-PAP just fine? But then
> 
>> again, why are you now talking about WP 8.1 now? Earlier you say that
> 
>> you have WP 10?
> 
>> 
> 
>>> Any suggestion?
> 
>> 
> 
>> More and clearer information would be nice.
> 
>> 
> 
>> Greetings,
> 
>> 
> 
>> Stefan Winter
> 
>> 
> 
>>> 
> 
>>> 
> 
>>> 
> 
>>> Kind regards
> 
>>> 
> 
>>> 
> 
>>> 
> 
>>> Marcin Balcerzyk, Ph.D.
> 
>>> 
> 
>>> Unidad Ciclotron,
> 
>>> 
> 
>>> Centro Nacional de Aceleradores,
> 
>>> 
> 
>>> Universidad de Sevilla-CSIC-Junta de Andalucia,
> 
>>> 
> 
>>> Parque Tecnólogico Cartuja 93,
> 
>>> 
> 
>>> c/Thomas Alva Edison Nº 7,
> 
>>> 
> 
>>> 41092 Sevilla (Spain),
> 
>>> 
> 
>>> Tel.:  (+34)  954 460 553 ext. 226,
> 
>>> 
> 
>>> Fax:  (+34)   954 460 145,
> 
>>> 
> 
>>> mobile:(+34) 697 322 126
> 
>>> 
> 
>>> Skype: balcerzm
> 
>>> 
> 
>>> 
> 
>>> 
> 
>>> *From:*Alan Buxey 
>>> [mailto:A.L.M.Buxey AT lboro.ac.uk]
>>>  *Sent:* sábado,
> 
>>> 12 de diciembre de 2015 18:06 *To:* Marcin Balcerzyk
> 
>>> <mbalcerzyk AT us.es
>>>  
>>> <mailto:mbalcerzyk AT us.es>>;
>>>  
>>> cat-users AT lists.geant.org
> <mailto:cat-users AT lists.geant.org>
>  *Subject:* Re:
> 
>>> [[cat-users]] Installation of Eduroam for Windows Phone 8.1 and 10
> 
>>> 
> 
>>> 
> 
>>> 
> 
>>> Just install the CA as per your organisation's requirements and
> 
>>> then use your username/password as per requirements. It'll work,
> 
>>> securely, with no need for CAT App (which is a long long way away)
> 
>>> 
> 
>>> alan
> 
>>> 
> 
>>> To unsubscribe, send this message: 
> 
>>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-usersOr
>>>  use
> 
>>> the following link: 
> 
>>> https://lists.geant.org/sympa/sigrequest/cat-users
> 
>> 
> 
>> 
> 
>> -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau
> 
>> Téléinformatique de l'Education Nationale et de la Recherche 2,
> 
>> avenue de l'Université L-4365 Esch-sur-Alzette
> 
>> 
> 
>> Tel: +352 424409 1 Fax: +352 422473
> 
>> 
> 
>> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> 
>> recipient's key is known to me
> 
>> 
> 
>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
> 
>> 
> 
>> To unsubscribe, send this message:
> 
>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-usersOr
>>  use
> 
>> the following link:
> 
>> https://lists.geant.org/sympa/sigrequest/cat-users
> 
>> 
> 
>  
> 
>  
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature