The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Alberto Martínez <alberto_martinez AT deusto.es>]

Hi,

El vie., 7 sept. 2018 a las 4:14, David Andrus (<david_andrus AT byu.edu>) escribió:

One of my biggest arguments for using the installer is that it helps fix a lot of issues with Windows. I’ve had quite a few users that were unable to connect to eduroam on Windows 7/8/10 for no discernable reason. It’s become our first troubleshooting step after ensuring that users are entering their credentials correctly. It’s been a very valuable time-saving tool for us in troubleshooting. One of the things it also does is install the security certificate thereby avoiding the warning messages from the O/S regarding certificate installation that come up during a manual connection.

Not to mention connection security enforcement provided by the installer and just not there if configured manually.

 

With Apple devices I see less benefit. You still have to accept the certificate and enter admin credentials to connect.

Well, Apple pins the first server certificate they see. No problem with that except:

• First server they see is a rogue one.
• Server certificate expires (2 years).
• User sees a rogue eduroam SSID, wonders why it's not connecting and tries to connect. Apple prompts to accept the new certificate. Good luck.
  

 

I find the benefit for Android questionable at best. On one hand manual connections with Android require users to manually select their EAP type, Phase 2 authentication, and a CA certificate (if not preinstalled you have to select “Do not validate” which gets a message in red text warning you that your connection won’t be private) as well as an additional entry for Anonymous identity. I’ve never understood why Android does this while every other desktop and mobile O/S just asks for username/password.

The Android profile is in fact the most important one, just for the fact that no one seems to care about the "Do not validate" thingie. Not even a "Network Product Manager".

As I understand their position, if a user initally chooses the eduroam SSID, they will be presented with a challenge for network authentication which is passed via RADIUS to either local AD (for alaska.edu identities) or on to the RADIUS federation for any other realm). The only wrinkle they forsee is the need for users to enter the domain-qualified identity username AT alaska.edu rather than the unqualified username they enter for most authentication.

You could let your users use unqualified usernames or no anonymous qualified usernames, but then their eduroam WiFi profile won't work outside your institution. How can other institutions know where to send the auth request? What is the point of using eduroam then?

Cheers,

Alberto