The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Daniele Albrizio <daniele AT albrizio.it>]

Let me see if I understood properly.
I can figure this three deployment cases:

1. If an institution uses only PEAP-MSCHAPv2, since all the 
functionality is included in windows 8/10 should be preferable to use 
built-in wpa enterprise client.

2. If an institution uses TTLS and most people have administrator rights 
on their devices, should prefer GEANTLink to avoid helpdesk extra-work 
on users disoriented by the choice/windows 10 patch level (a number of 
our users has windows update hung by microsoft's bug).

3. If an institution uses TTLS and has a number of unprivileged device 
account/users, some in-windows-domain laptops and some personal devices 
using windows, this institution should offer both solutions letting the 
user decide which installer to use (or maybe using an helpesk driven 
decision).

Let me know whether I'm missing something (the full scenario is not that 
simple).

On 15/10/2018 11:11, Stefan Winter wrote:
> Hello,
>
> (** questions ** inside)
>
> as you have possibly read in recent mailing list traffic, we have
> received word that the Windows 10 built-in supplicant for TTLS is again
> functional (it was functional in the original release, broke somewhere
> along the way in a feature upgrade, and has now apparently come back
> with the 1803 update; there are separate patch updates for 1703 and 1709
> apparently).
>
> Ever since Windows 10's breakage, we introduced GEANTlink for all TTLS
> configurations in Windows 10, which is a viable workaround.
>
> GEANTlink has the drawback of requiring admin rights during installion.
> It has the upside of having much better logging, and the distinctive
> feature that it actually works :-).
>
> We are in a situation where many of you have gotten used to GEANTlink.
> I'm sure some/many of you like the features of it; OTOH I'm almost as
> sure that there are some/many among you who don't like the fact of
> requiring admin rights during installation.
>
> The thing is: with a Windows 10 built-in supplicant actually working, we
> now have a choice of two things we can do: configure the built-in
> supplicant (forgetting about GEANTlink) or continued use of GEANTlink
> (forgetting about built-in).
>
> A subtlety in this is that a user might have an un-updated Windows 10
> version which still has the broken built-in supplicant. In those cases,
> there is no choice and we will keep using GEANTlink.
>
> ** Do you think we should care about non-updated machines? **
>
> Since both supplicants have their pros and cons, our current thinking is
> that we want to give the choice to you, the IdP admins.
>
> The plan is: by default, keep things are they are today (principle of
> least surprise) - Windows 10 TTLS installers setup and configure
> GEANTlink - but provide an option on the "Fine-Tuning" level for the EAP
> type TTLS: "Prefer Built-In Supplicant" (boolean, check-box). It's going
> to be labelled "Prefer" because the installer might have to use
> GEANTlink anyway depending on the release of Windows 10 it finds on the
> end-user's machine (unless you tell us that we can ignore un-updated
> systems, in which case the built-in will always be chosen).
>
> That way, admins who don't take action are not subject to a potentially
> nasty surprise and get unchanged behaviour, but those who do care can
> make an informed decision.
>
> There's a subtlety in that, too, though: so far on Windows 8 we did not
> use GEANTlink because the built-in supplicant works there. Once we have
> an option to prefer the built-in supplicant or not, we will also honour
> it there, meaning that unless an admin configures the "Prefer Built-In
> Supplicant" option, the behaviour WILL change towards GEANTlink. So much
> for least surprise there, but Windows 8 has a very small footprint these
> days, so I don't think there is much of an impact there.
>
> ** Please let us know by replying to this mail if you see issues with
> this course of action, and if you care much about non-updated Windows 10
> systems and/or the behaviour change in Windows 8 installers. **
>
> Greetings,
>
> Stefan Winter


--
Daniele ALBRIZIO
ScoutTAG: Zona di Trieste (AGESCI) - Skype: bartuela
daniele AT albrizio.it
University of Trieste - Network Infrastructure & Security
albrizio AT units.it