cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Tony Skalski <ajs AT stolaf.edu>
- To: IAM David Bantz <db AT alaska.edu>
- Cc: cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] CAT profile installer vs manual config
- Date: Fri, 7 Sep 2018 14:22:42 -0500
- Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=stolaf.edu
As others have alluded to, if you only rely on the OS's built-in supplicant, you are relying on the user to evaluate the trustworthiness of an authentication server. With the CAT tool, as well as other on-boarding software, you are pre-configuring the client to *only* trust your authn servers, and to validate the certs they present. Suppose the local coffee shop stands up an SSID named "eduroam" that is not part of the anyroam infrastructure. A pre-configured client will not connect to it; however, a user that clicks "trust this server/cert" could expose institutional credentials.
With the availability of eduroam in public places like airports and museums, on-boarding is increasingly important.
On Thu, Sep 6, 2018 at 7:21 PM IAM David Bantz <dabantz AT alaska.edu> wrote:
My institution (U Alaska) is transitioning RADIUS implementations, more comprehensive 802.1X and hoping to deprecate current home-grown eduroam profile installers using EAP-TLS. CAT seemed a great fit but networking team is questioning the need or value of any profile installer, and proposes relying on built-in 802.1X supplicant support in common OS's (macOS, iOS, Windows, Android) for EAP-PEAP authentication. Please validate, challenge, or elaborate on this as a viable strategy.

As I understand their position, if a user initially chooses the eduroam SSID, they will be presented with a challenge for network authentication which is passed via RADIUS to either local AD (for alaska.edu identities) or on to the RADIUS federation for any other realm. The only wrinkle they foresee is the need for users to enter the domain-qualified identity username AT alaska.edu rather than the unqualified username they enter for most authentication.

Thank you,
David Bantz
UA IAM
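To make the difference between "trust this server?" and a pre-configured profile concrete, here is an added example (not from this thread, and not CAT's own output) of the EAP-PEAP network block a wpa_supplicant client ends up with in each case. The hostname, CA path, realm and credentials are placeholders.

```conf
# Added example (not from the thread or the CAT project): two wpa_supplicant
# network blocks for the same "eduroam" SSID, both using EAP-PEAP/MSCHAPv2.
# Hostnames, file paths, realm and credentials are placeholders.

# 1) What a hand-configured client often ends up with: no CA and no
#    server-name check. With ca_cert unset, wpa_supplicant does not verify
#    the server certificate at all, so any access point answering to
#    "eduroam" can terminate the TLS tunnel and receive the inner
#    MSCHAPv2 exchange. The trust decision is effectively left to the user.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"        # realm-qualified, as the thread notes
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    # no ca_cert, no domain_suffix_match
}

# 2) What an on-boarding profile installs: pin the institution's RADIUS CA,
#    require the server certificate name to match, and use an anonymous
#    outer identity so the real username stays inside the tunnel.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.edu"   # outer identity only
    identity="user@example.edu"
    password="placeholder-password"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"   # placeholder path
    domain_suffix_match="radius.example.edu"             # placeholder name
    # A server whose chain does not end at that CA, or whose certificate
    # name does not match, fails the TLS handshake: the client does not
    # connect and never shows a "trust this server?" prompt.
}
```

The second block is the policy an installer pushes to every device; the first is what each user has to get right on their own.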