Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] CAT profile installer vs manual config

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] CAT profile installer vs manual config


Chronological Thread 
  • From: Felix Windt <Felix.Windt AT dartmouth.edu>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] CAT profile installer vs manual config
  • Date: Fri, 7 Sep 2018 12:30:49 +0000
  • Accept-language: en-US
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=dartmouth.edu
  • Authentication-results: spf=none (sender IP is ) smtp.mailfrom=Felix.Windt AT dartmouth.edu;
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

Depending on how you do certificates for your authentication servers, there can be additional advantages using a configuration tool. When you use the built in supplicant for initial authentication, by default users will trust the very certificate that your authentication server presented them with. If you roll that certificate (either because it is about to expire, or because the private key has been exposed), the supplicant will fail to authenticate.

 

The CAT tool (and other similar tools) can be used to instead configure the supplicant to trust any certificates with a specific subject name signed by specific CA root certificates. That allows you to roll certificates whenever you like without clients being affected. Doing so manually is quite a lot more effort on Windows than the vast majority of users is comfortable with. If it's possible at all on OS X, there is no GUI driven way I'm aware of.

 

That matters a great deal if you're signing your server certificates with a commercial CA and have to rotate your certificates every 2 to 3 years. Arguably it's best practice to generate your own long-lived root certificate for signing your authentication servers, but even then it can be nice to be able to swap out your authentication server certificates without user impact - for example, when you'd like to step up key length. Who knows what's appopriate in 4 years.

 

Also, and this expresses my personal views, if you're on EAP-TLS now, I wouldn't step back to EAP-PEAP against AD. Just as a random example, the amount of users that lock their account out by rotating their AD passwords and forgetting about WiFi on their cell phone or some old Kindle lying in a drawer somewhere is not insignificant. Also, if you do certs per user and per device, it's great to be able to revoke a device specific certificate when, say, a laptop has been stolen without affecting everything else the user owns.

 

thx,

felix

 

From: David Andrus <david_andrus AT byu.edu>
Reply-To: David Andrus <david_andrus AT byu.edu>
Date: Thursday, September 6, 2018 at 10:13 PM
Cc: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
Subject: Re: [[cat-users]] CAT profile installer vs manual config

 

One of my biggest arguments for using the installer is that it helps fix a lot of issues with Windows. I’ve had quite a few users that were unable to connect to eduroam on Windows 7/8/10 for no discernable reason. It’s become our first troubleshooting step after ensuring that users are entering their credentials correctly. It’s been a very valuable time-saving tool for us in troubleshooting. One of the things it also does is install the security certificate thereby avoiding the warning messages from the O/S regarding certificate installation that come up during a manual connection.

 

 

 

With Apple devices I see less benefit. You still have to accept the certificate and enter admin credentials to connect. I find the benefit for Android questionable at best. On one hand manual connections with Android require users to manually select their EAP type, Phase 2 authentication, and a CA certificate (if not preinstalled you have to select “Do not validate” which gets a message in red text warning you that your connection won’t be private) as well as an additional entry for Anonymous identity. I’ve never understood why Android does this while every other desktop and mobile O/S just asks for username/password.

 

 

 

The thing with the Android installer, though, is that it requires the user to first install a third party app from the app store before the network profile can be installed. It’s slightly more user friendly, in my opinion, but comes with its own set of annoyances.

 

--

David Andrus

Network Product Manager

Brigham Young University

O: 801-422-0969

C: 385-312-7414



From: Philippe Hanset

Sent: Thursday, September 6, 7:41 PM

Subject: Re: [[cat-users]] CAT profile installer vs manual config

To: db AT alaska.edu

Cc: cat-users AT lists.geant.org

David,

If you have  tried CAT and if the networking group tried it too,

you will have noticed that there is only  an initial challenge for login/password and no need to choose the eduroam SSID, it is done automatically by the profile.

If you choose the anonymous option in CAT configuration (as an admin) your users will not need to enter a domain, they can enter their regular username. Another advantage of CAT: the profile is locked and does a good job preventing man in the middle attack.

Choosing the anymous AT alaska.edu

is also a great privacy protection method!

Let us know if this helps,

Philippe 

Philippe Hanset, CEO

ANYROAM LLC

+1 (865) 236-0770

On Sep 6, 2018, at 8:21 PM, IAM David Bantz <dabantz AT alaska.edu> wrote:

My institution (U Alaska) is transitioning RADIUS implementations, more comprehensive 802.1X and hoping to deprecate current home-grown eduroam profile installers using EAP-TLS.

CAT seemed a great fit but networking team is questioning the need or value of any profile installer, and proposes relying on built-in 802.1X supplicant support in common OS's (macOS, iOS, Windows, Android) for EAP-PEAP authentication. Please validate, challenge, or elaborate on this as a viable strategy.

As I understand their position, if a user initally chooses the eduroam SSID, they will be presented with a challenge for network authentication which is passed via RADIUS to either local AD (for alaska.edu identities) or on to the RADIUS federation for any other realm). The only wrinkle they forsee is the need for users to enter the domain-qualified identity username AT alaska.edu rather than the unqualified username they enter for most authentication.

Thank you,

David Bantz

UA IAM

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users

Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

Mark as Spam



To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users




Archive powered by MHonArc 2.6.19.

Top of Page