cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Tomasz Wolniewicz <twoln AT umk.pl>
- To: cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] Windows 10 TTLS: a new choice
- Date: Mon, 15 Oct 2018 21:05:13 +0200
Hi,
one more general comment about using built-in TTLS. We do not know
how to install user credentials, therefore we have to leave it to the
system to ask the user at the first connection. Perhaps someone on this
list has a description of the Windows TTLS user credential profile, like
the ones for PEAP or TLS (see
https://docs.microsoft.com/pl-pl/previous-versions/windows/desktop/eaphost/user-profiles)?
I have searched the web with no success.
On 15.10.2018 at 20:24, Daniele Albrizio wrote:
> Let me see if I understood properly.
> I can figure these three deployment cases:
>
> 1. If an institution uses only PEAP-MSCHAPv2, since all the
> functionality is included in Windows 8/10, it should be preferable to use
> the built-in WPA enterprise client.
In the case of PEAP the only difference would be that we would just have
a single installer for W8 and W10. (actually this can be easily achieved
if people think that it would be nice).
>
> 2. If an institution uses TTLS and most people have administrator
> rights on their devices, they should prefer GEANTLink to avoid helpdesk
> extra work on users disoriented by the choice/Windows 10 patch level
> (a number of our users have Windows Update hung by Microsoft's bug).
The installer would figure out by itself if the system has the required
patches; we would not be asking users. If the system is not ready, the
installer would simply install GEANTlink as it does now.
>
> 3. If an institution uses TTLS and has a number of unprivileged device
> accounts/users, some in-windows-domain laptops and some personal
> devices using Windows, this institution should offer both solutions,
> letting the user decide which installer to use (or maybe using a
> helpdesk-driven decision).
This would be doable with the scheme we are suggesting - you could
define two TTLS profiles with different settings, however those could be
incredibly confusing for users. What we could probably do in the case
when GEANTlink is preferred would be to try installing GEANTlink and, if
this fails (due to missing privileges), check that the built-in Windows
TTLS can be used and then install the profile for it. This would require
quite some changes to the current code, but would seem doable.
Tomasz
>
> Let me know whether I'm missing something (the full scenario is not
> that simple).
>
> On 15/10/2018 11:11, Stefan Winter wrote:
>> Hello,
>>
>> (** questions ** inside)
>>
>> as you have possibly read in recent mailing list traffic, we have
>> received word that the Windows 10 built-in supplicant for TTLS is again
>> functional (it was functional in the original release, broke somewhere
>> along the way in a feature upgrade, and has now apparently come back
>> with the 1803 update; there are separate patch updates for 1703 and 1709
>> apparently).
>>
>> Ever since Windows 10's breakage, we introduced GEANTlink for all TTLS
>> configurations in Windows 10, which is a viable workaround.
>>
>> GEANTlink has the drawback of requiring admin rights during installation.
>> It has the upside of having much better logging, and the distinctive
>> feature that it actually works :-).
>>
>> We are in a situation where many of you have gotten used to GEANTlink.
>> I'm sure some/many of you like the features of it; OTOH I'm almost as
>> sure that there are some/many among you who don't like the fact of
>> requiring admin rights during installation.
>>
>> The thing is: with a Windows 10 built-in supplicant actually working, we
>> now have a choice of two things we can do: configure the built-in
>> supplicant (forgetting about GEANTlink) or continued use of GEANTlink
>> (forgetting about built-in).
>>
>> A subtlety in this is that a user might have an un-updated Windows 10
>> version which still has the broken built-in supplicant. In those cases,
>> there is no choice and we will keep using GEANTlink.
>>
>> ** Do you think we should care about non-updated machines? **
>>
>> Since both supplicants have their pros and cons, our current thinking is
>> that we want to give the choice to you, the IdP admins.
>>
>> The plan is: by default, keep things as they are today (principle of
>> least surprise) - Windows 10 TTLS installers set up and configure
>> GEANTlink - but provide an option on the "Fine-Tuning" level for the EAP
>> type TTLS: "Prefer Built-In Supplicant" (boolean, check-box). It's going
>> to be labelled "Prefer" because the installer might have to use
>> GEANTlink anyway depending on the release of Windows 10 it finds on the
>> end-user's machine (unless you tell us that we can ignore un-updated
>> systems, in which case the built-in will always be chosen).
>>
>> That way, admins who don't take action are not subject to a potentially
>> nasty surprise and get unchanged behaviour, but those who do care can
>> make an informed decision.
>>
>> There's a subtlety in that, too, though: so far on Windows 8 we did not
>> use GEANTlink because the built-in supplicant works there. Once we have
>> an option to prefer the built-in supplicant or not, we will also honour
>> it there, meaning that unless an admin configures the "Prefer Built-In
>> Supplicant" option, the behaviour WILL change towards GEANTlink. So much
>> for least surprise there, but Windows 8 has a very small footprint these
>> days, so I don't think there is much of an impact there.
>>
>> ** Please let us know by replying to this mail if you see issues with
>> this course of action, and if you care much about non-updated Windows 10
>> systems and/or the behaviour change in Windows 8 installers. **
>>
>> Greetings,
>>
>> Stefan Winter
>>
>
>
--
Tomasz Wolniewicz
twoln AT umk.pl http://www.home.umk.pl/~twoln
Uczelniane Centrum Informatyczne Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576
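The supplicant-selection logic discussed above (Stefan's "Prefer Built-In Supplicant" flag, Tomasz's "detect the patch level, fall back to GEANTlink, and if GEANTlink cannot be installed without privileges use the built-in supplicant") as an added PowerShell sketch. This is an illustration written for this archive page, not code from the CAT installers or from the thread's authors. It assumes build numbers for the Windows releases named in the thread (1703 = 15063, 1709 = 16299, 1803 = 17134; Windows 8/8.1 = 9200/9600) and uses a placeholder for the 1703/1709 fix-up patch id, which the thread does not name.

```powershell
# Added example, not part of the eduroam CAT installer code.
# Assumptions (mine, not from the thread): release-to-build mapping below and
# a placeholder hotfix id for the 1703/1709 patches mentioned in the thread.

$Win10BuildFixed    = 17134             # 1803: built-in TTLS reported working again
$Win10PatchedBuilds = @(15063, 16299)   # 1703 / 1709: work only with a separate patch
$TtlsFixKb          = 'KB0000000'       # PLACEHOLDER: the real patch ids are not on the page

function Test-IsAdmin {
    # GEANTlink installation needs admin rights; check the current token
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-BuiltInTtlsUsable {
    param([int]$Build, [bool]$HasPatch)
    if ($Build -ge $Win10BuildFixed)          { return $true }   # 1803 and later
    if ($Win10PatchedBuilds -contains $Build) { return $HasPatch } # 1703/1709 need the patch
    if ($Build -lt 10000)                     { return $true }   # Windows 8/8.1 never broke
    return $false                                                # other Windows 10 releases: broken
}

function Select-TtlsSupplicant {
    param(
        [int]$Build,
        [bool]$HasPatch,
        [bool]$IsAdmin,
        [bool]$PreferBuiltIn   # the proposed "Fine-Tuning" check-box for EAP-TTLS
    )
    $builtInOk = Test-BuiltInTtlsUsable -Build $Build -HasPatch $HasPatch

    # Admin asked for the built-in supplicant and this system's one works
    if ($PreferBuiltIn -and $builtInOk) { return 'BuiltIn' }

    # Default (least surprise): GEANTlink, which needs admin rights to install
    if ($IsAdmin) { return 'GEANTlink' }

    # No admin rights: GEANTlink cannot be installed, so use the built-in
    # supplicant if it is functional on this release, otherwise give up
    if ($builtInOk) { return 'BuiltIn' }
    return 'None'
}

# Detection on the machine the installer runs on
$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$build    = [int]$os.BuildNumber
$hasPatch = [bool](Get-HotFix -Id $TtlsFixKb -ErrorAction SilentlyContinue)
$isAdmin  = Test-IsAdmin

# $true here stands for the IdP admin having ticked "Prefer Built-In Supplicant"
$choice = Select-TtlsSupplicant -Build $build -HasPatch $hasPatch -IsAdmin $isAdmin -PreferBuiltIn $true
Write-Output "Windows build $build, admin=$isAdmin: configure $choice"
```

The return value 'None' is the case Stefan's mail leaves implicit: an unprivileged user on an un-updated Windows 10 release, where neither supplicant can be set up by the installer. Whether that case matters is exactly the "should we care about non-updated machines" question put to the list.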