
cat-users - RE: [[cat-users]] CAT profile installer vs manual config

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



RE: [[cat-users]] CAT profile installer vs manual config


  • From: David Andrus <david_andrus AT byu.edu>
  • To: Alberto Martínez <alberto_martinez AT deusto.es>
  • Cc: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] CAT profile installer vs manual config
  • Date: Fri, 7 Sep 2018 16:53:16 +0000
  • Accept-language: en-US
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=byu.edu

“The Android profile is in fact the most important one, just for the fact that no one seems to care about the "Do not validate" thingie. Not even a "Network Product Manager".”

 

I never said I don’t care. Just that I find it annoying that a consumer-oriented mobile operating system makes this such a difficult process compared to every other O/S out there. This isn’t one rarely used Linux distro. It’s common to every Android device out there. Apple and Microsoft only present a username/password prompt – why does Android ask for EAP type, Phase 2 auth, etc? I’d actually really like to know the reason for this if anyone knows the answer.

 

I was also offering MY reasons why I like the installer and what I see as a problem. My primary role in our organization is improving network functionality and usability for nearly 40,000 daily users with over 100,000 devices – I look at things from the perspective of non-technical faculty, staff, students and visitors and that was the spirit of my response. Others have responded with deeper technical answers and I’ve found them to be quite informative.

 

--

David Andrus

Network Product Manager

Brigham Young University

O: (801)422-0969

C: (385)312-7414

 

From: Alberto Martínez <alberto_martinez AT deusto.es>
Sent: Friday, September 7, 2018 6:35 AM
To: David Andrus <david_andrus AT byu.edu>
Cc: cat-users AT lists.geant.org
Subject: Re: [[cat-users]] CAT profile installer vs manual config

 

Hi,

 

On Fri, 7 Sep 2018 at 4:14, David Andrus (<david_andrus AT byu.edu>) wrote:

One of my biggest arguments for using the installer is that it helps fix a lot of issues with Windows. I’ve had quite a few users that were unable to connect to eduroam on Windows 7/8/10 for no discernible reason. It’s become our first troubleshooting step after ensuring that users are entering their credentials correctly. It’s been a very valuable time-saving tool for us in troubleshooting. One of the things it also does is install the security certificate thereby avoiding the warning messages from the O/S regarding certificate installation that come up during a manual connection.

 

Not to mention connection security enforcement provided by the installer and just not there if configured manually.

 

With Apple devices I see less benefit. You still have to accept the certificate and enter admin credentials to connect.

 

Well, Apple pins the first server certificate they see. No problem with that except:

  • First server they see is a rogue one.
  • Server certificate expires (2 years).
  • User sees a rogue eduroam SSID, wonders why it's not connecting and tries to connect. Apple prompts to accept the new certificate. Good luck.

 

I find the benefit for Android questionable at best. On one hand manual connections with Android require users to manually select their EAP type, Phase 2 authentication, and a CA certificate (if not preinstalled you have to select “Do not validate” which gets a message in red text warning you that your connection won’t be private) as well as an additional entry for Anonymous identity. I’ve never understood why Android does this while every other desktop and mobile O/S just asks for username/password.

 

The Android profile is in fact the most important one, just for the fact that no one seems to care about the "Do not validate" thingie. Not even a "Network Product Manager".

 

 

As I understand their position, if a user initially chooses the eduroam SSID, they will be presented with a challenge for network authentication which is passed via RADIUS to either local AD (for alaska.edu identities) or on to the RADIUS federation for any other realm. The only wrinkle they foresee is the need for users to enter the domain-qualified identity username AT alaska.edu rather than the unqualified username they enter for most authentication.

 

You could let your users use unqualified usernames or no anonymous qualified usernames, but then their eduroam WiFi profile won't work outside your institution. How can other institutions know where to send the auth request? What is the point of using eduroam then?

 

Cheers,

Alberto
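As an added example (not code from this thread, from the CAT project, or from either poster), the following Python audits a wpa_supplicant-style eduroam network block for the two problems the exchange above turns on: a profile with no server-certificate validation (the supplicant equivalent of Android's "Do not validate", which lets any server that answers to the SSID collect the inner credentials) and an outer identity without a realm, which a visited institution's RADIUS proxy cannot forward into the federation. The profile texts, the CA file path, the `example.edu` realm and the finding names are all constructed for illustration.

```python
"""
Audit eduroam supplicant profiles for (1) missing server-certificate
validation and (2) an unqualified outer identity that cannot be routed.

Added example; the profiles below are constructed wpa_supplicant-style
network blocks, not files produced by CAT or posted in the thread.
"""
import re

# Constructed: what a hand-typed profile with "Do not validate" looks like.
WEAK_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jdoe"
    password="secret"
}
"""

# Constructed: what an installer-generated profile typically pins down.
HARDENED_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-university-ca.pem"
    domain_suffix_match="radius.example.edu"
    anonymous_identity="anonymous@example.edu"
    identity="jdoe@example.edu"
    password="secret"
}
"""

# key=value or key="value"; values never contain a double quote here.
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"]*)"?\s*$')


def parse_network_block(text):
    """Return the key/value pairs inside the first network={...} block."""
    block = re.search(r'network=\{(.*?)\}', text, re.S)
    if not block:
        raise ValueError("no network block found")
    settings = {}
    for line in block.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kv = KV_RE.match(line)
        if kv:
            settings[kv.group(1)] = kv.group(2)
    return settings


def realm_of(identity):
    """Part after the last '@' (lower-cased), or None if unqualified."""
    if identity and "@" in identity:
        return identity.rsplit("@", 1)[1].lower() or None
    return None


def outer_identity(settings):
    """What goes into RADIUS User-Name: anonymous_identity if set, else identity."""
    return settings.get("anonymous_identity") or settings.get("identity", "")


def audit_profile(settings):
    """Return a list of finding codes (constructed names) for the profile."""
    findings = []
    if settings.get("key_mgmt") == "WPA-EAP":
        if not settings.get("ca_cert"):
            # No trust anchor at all: the supplicant equivalent of "Do not validate".
            findings.append("NO_SERVER_VALIDATION")
        elif not (settings.get("domain_suffix_match") or settings.get("altsubject_match")):
            # A CA is trusted but any certificate it issued would be accepted.
            findings.append("NO_SERVER_NAME_CHECK")
    if realm_of(outer_identity(settings)) is None:
        # Nothing after '@' means no institution can decide where to proxy it.
        findings.append("UNROUTABLE_OUTER_IDENTITY")
    return findings


def route_request(outer_id, local_realms):
    """Model a visited institution's routing decision on the outer identity.

    Returns ('local' | 'federation' | 'reject', realm).
    """
    realm = realm_of(outer_id)
    if realm is None:
        return ("reject", None)
    if realm in local_realms:
        return ("local", realm)
    return ("federation", realm)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        s = parse_network_block(text)
        print(name, audit_profile(s), route_request(outer_identity(s), {"example.edu"}))
```

The routing model is deliberately simple: it only looks at the realm of the outer identity, which is exactly why an unqualified username works on campus (the local RADIUS treats it as its own) but fails everywhere else. The `domain_suffix_match` check is the piece Apple's first-seen-certificate pinning approximates and a manual Android profile lacks entirely.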





