The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Tomasz Wolniewicz <twoln AT umk.pl>]

Hi,

   one more general comment about using built-in TTLS. We do not know
how to install user credentials, therefore we have to leave it to the
system to ask the user at the first connection. Perhaps someone on this
list has a description of the Windows TTLS user credential profile, like
the ones for PEAP or TLS (see
https://docs.microsoft.com/pl-pl/previous-versions/windows/desktop/eaphost/user-profiles)?
I have searched the web with no success.


W dniu 15.10.2018 o 20:24, Daniele Albrizio pisze:
> Let me see if I understood properly.
> I can figure this three deployment cases:
>
> 1. If an institution uses only PEAP-MSCHAPv2, since all the
> functionality is included in windows 8/10 should be preferable to use
> built-in wpa enterprise client.
In the case of PEAP the only difference would be that we would just have
a single installer for W8 and W10. (actually this can be easily achieved
if people think that it would be nice).
>
> 2. If an institution uses TTLS and most people have administrator
> rights on their devices, should prefer GEANTLink to avoid helpdesk
> extra-work on users disoriented by the choice/windows 10 patch level
> (a number of our users has windows update hung by microsoft's bug).
The installer would figure out by itself if the system has required
patches, we would not be asking users. If the system is not ready the
installer would simply install GEANTlink as it does now.
>
> 3. If an institution uses TTLS and has a number of unprivileged device
> account/users, some in-windows-domain laptops and some personal
> devices using windows, this institution should offer both solutions
> letting the user decide which installer to use (or maybe using an
> helpesk driven decision).
This would be doable with the scheme we are suggesting - you could
define two TTLS profiles with different settings, however thos could be
incredibly confusing for users. What we could probably do in the case
when GEANTlink is preferred would be to try installing GEANTlink and if
this fails (due to missing privileges) check that the builtin Windows
TTLS can be used and then install the profile for it. This would require
quite some changes to the current code, but would seem doable.

Tomasz


>
> Let me know whether I'm missing something (the full scenario is not
> that simple).
>
> On 15/10/2018 11:11, Stefan Winter wrote:
>> Hello,
>>
>> (** questions ** inside)
>>
>> as you have possibly read in recent mailing list traffic, we have
>> received word that the Windows 10 built-in supplicant for TTLS is again
>> functional (it was functional in the original release, broke somewhere
>> along the way in a feature upgrade, and has now apparently come back
>> with the 1803 update; there are separate patch updates for 1703 and 1709
>> apparently).
>>
>> Ever since Windows 10's breakage, we introduced GEANTlink for all TTLS
>> configurations in Windows 10, which is a viable workaround.
>>
>> GEANTlink has the drawback of requiring admin rights during installion.
>> It has the upside of having much better logging, and the distinctive
>> feature that it actually works :-).
>>
>> We are in a situation where many of you have gotten used to GEANTlink.
>> I'm sure some/many of you like the features of it; OTOH I'm almost as
>> sure that there are some/many among you who don't like the fact of
>> requiring admin rights during installation.
>>
>> The thing is: with a Windows 10 built-in supplicant actually working, we
>> now have a choice of two things we can do: configure the built-in
>> supplicant (forgetting about GEANTlink) or continued use of GEANTlink
>> (forgetting about built-in).
>>
>> A subtlety in this is that a user might have an un-updated Windows 10
>> version which still has the broken built-in supplicant. In those cases,
>> there is no choice and we will keep using GEANTlink.
>>
>> ** Do you think we should care about non-updated machines? **
>>
>> Since both supplicants have their pros and cons, our current thinking is
>> that we want to give the choice to you, the IdP admins.
>>
>> The plan is: by default, keep things are they are today (principle of
>> least surprise) - Windows 10 TTLS installers setup and configure
>> GEANTlink - but provide an option on the "Fine-Tuning" level for the EAP
>> type TTLS: "Prefer Built-In Supplicant" (boolean, check-box). It's going
>> to be labelled "Prefer" because the installer might have to use
>> GEANTlink anyway depending on the release of Windows 10 it finds on the
>> end-user's machine (unless you tell us that we can ignore un-updated
>> systems, in which case the built-in will always be chosen).
>>
>> That way, admins who don't take action are not subject to a potentially
>> nasty surprise and get unchanged behaviour, but those who do care can
>> make an informed decision.
>>
>> There's a subtlety in that, too, though: so far on Windows 8 we did not
>> use GEANTlink because the built-in supplicant works there. Once we have
>> an option to prefer the built-in supplicant or not, we will also honour
>> it there, meaning that unless an admin configures the "Prefer Built-In
>> Supplicant" option, the behaviour WILL change towards GEANTlink. So much
>> for least surprise there, but Windows 8 has a very small footprint these
>> days, so I don't think there is much of an impact there.
>>
>> ** Please let us know by replying to this mail if you see issues with
>> this course of action, and if you care much about non-updated Windows 10
>> systems and/or the behaviour change in Windows 8 installers. **
>>
>> Greetings,
>>
>> Stefan Winter
>>
>
>

-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576