The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[David Andrus <david_andrus AT byu.edu>]

One of my biggest arguments for using the installer is that it helps fix a lot of issues with Windows. I’ve had quite a few users that were unable to connect to eduroam on Windows 7/8/10 for no discernable reason. It’s become our first troubleshooting step after ensuring that users are entering their credentials correctly. It’s been a very valuable time-saving tool for us in troubleshooting. One of the things it also does is install the security certificate thereby avoiding the warning messages from the O/S regarding certificate installation that come up during a manual connection.

 

With Apple devices I see less benefit. You still have to accept the certificate and enter admin credentials to connect. I find the benefit for Android questionable at best. On one hand manual connections with Android require users to manually select their EAP type, Phase 2 authentication, and a CA certificate (if not preinstalled you have to select “Do not validate” which gets a message in red text warning you that your connection won’t be private) as well as an additional entry for Anonymous identity. I’ve never understood why Android does this while every other desktop and mobile O/S just asks for username/password.

 

The thing with the Android installer, though, is that it requires the user to first install a third party app from the app store before the network profile can be installed. It’s slightly more user friendly, in my opinion, but comes with its own set of annoyances.

--

David Andrus

Network Product Manager

Brigham Young University

O: 801-422-0969

C: 385-312-7414

From: Philippe Hanset

Sent: Thursday, September 6, 7:41 PM

Subject: Re: [[cat-users]] CAT profile installer vs manual config

To: db AT alaska.edu

Cc: cat-users AT lists.geant.org

David,

If you have  tried CAT and if the networking group tried it too,

you will have noticed that there is only  an initial challenge for login/password and no need to choose the eduroam SSID, it is done automatically by the profile.

If you choose the anonymous option in CAT configuration (as an admin) your users will not need to enter a domain, they can enter their regular username. Another advantage of CAT: the profile is locked and does a good job preventing man in the middle attack.

Choosing the anymous AT alaska.edu

is also a great privacy protection method!

Let us know if this helps,

Philippe 

Philippe Hanset, CEO

ANYROAM LLC

www.anyroam.net

www.eduroam.us

+1 (865) 236-0770

On Sep 6, 2018, at 8:21 PM, IAM David Bantz <dabantz AT alaska.edu> wrote:

My institution (U Alaska) is transitioning RADIUS implementations, more comprehensive 802.1X and hoping to deprecate current home-grown eduroam profile installers using EAP-TLS.

CAT seemed a great fit but networking team is questioning the need or value of any profile installer, and proposes relying on built-in 802.1X supplicant support in common OS's (macOS, iOS, Windows, Android) for EAP-PEAP authentication. Please validate, challenge, or elaborate on this as a viable strategy.

As I understand their position, if a user initally chooses the eduroam SSID, they will be presented with a challenge for network authentication which is passed via RADIUS to either local AD (for alaska.edu identities) or on to the RADIUS federation for any other realm). The only wrinkle they forsee is the need for users to enter the domain-qualified identity username AT alaska.edu rather than the unqualified username they enter for most authentication.

Thank you,

David Bantz

UA IAM

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users

Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users

Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

Mark as Spam