
cat-users - Re: [[cat-users]] Windows 10 TTLS: a new choice

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Windows 10 TTLS: a new choice
  • Date: Mon, 15 Oct 2018 11:20:09 +0200
  • Openpgp: preference=signencrypt

One additional comment. Our additional aim would be to be able to return
to a single Windows8/10 installer.
Tomasz


On 15.10.2018 at 11:11, Stefan Winter wrote:
> Hello,
>
> (** questions ** inside)
>
> as you have possibly read in recent mailing list traffic, we have
> received word that the Windows 10 built-in supplicant for TTLS is again
> functional (it was functional in the original release, broke somewhere
> along the way in a feature upgrade, and has now apparently come back
> with the 1803 update; there are separate patch updates for 1703 and 1709
> apparently).
>
> Ever since Windows 10's breakage, we introduced GEANTlink for all TTLS
> configurations in Windows 10, which is a viable workaround.
>
> GEANTlink has the drawback of requiring admin rights during installation.
> It has the upside of having much better logging, and the distinctive
> feature that it actually works :-).
>
> We are in a situation where many of you have gotten used to GEANTlink.
> I'm sure some/many of you like the features of it; OTOH I'm almost as
> sure that there are some/many among you who don't like the fact of
> requiring admin rights during installation.
>
> The thing is: with a Windows 10 built-in supplicant actually working, we
> now have a choice of two things we can do: configure the built-in
> supplicant (forgetting about GEANTlink) or continued use of GEANTlink
> (forgetting about built-in).
>
> A subtlety in this is that a user might have an un-updated Windows 10
> version which still has the broken built-in supplicant. In those cases,
> there is no choice and we will keep using GEANTlink.
>
> ** Do you think we should care about non-updated machines? **
>
> Since both supplicants have their pros and cons, our current thinking is
> that we want to give the choice to you, the IdP admins.
>
> The plan is: by default, keep things as they are today (principle of
> least surprise) - Windows 10 TTLS installers set up and configure
> GEANTlink - but provide an option on the "Fine-Tuning" level for the EAP
> type TTLS: "Prefer Built-In Supplicant" (boolean, check-box). It's going
> to be labelled "Prefer" because the installer might have to use
> GEANTlink anyway depending on the release of Windows 10 it finds on the
> end-user's machine (unless you tell us that we can ignore un-updated
> systems, in which case the built-in will always be chosen).
>
> That way, admins who don't take action are not subject to a potentially
> nasty surprise and get unchanged behaviour, but those who do care can
> make an informed decision.
>
> There's a subtlety in that, too, though: so far on Windows 8 we did not
> use GEANTlink because the built-in supplicant works there. Once we have
> an option to prefer the built-in supplicant or not, we will also honour
> it there, meaning that unless an admin configures the "Prefer Built-In
> Supplicant" option, the behaviour WILL change towards GEANTlink. So much
> for least surprise there, but Windows 8 has a very small footprint these
> days, so I don't think there is much of an impact there.
>
> ** Please let us know by replying to this mail if you see issues with
> this course of action, and if you care much about non-updated Windows 10
> systems and/or the behaviour change in Windows 8 installers. **
>
> Greetings,
>
> Stefan Winter
>

--
Tomasz Wolniewicz
twoln AT umk.pl http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576


Attachment: smime.p7s
Description: S/MIME cryptographic signature



