Re: [[cat-users]] installers for use on eduroam-test (local non-production SSID)
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: IAM David Bantz <db AT alaska.edu>
- Cc: cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] installers for use on eduroam-test (local non-production SSID)
- Date: Tue, 16 Oct 2018 08:35:13 +0200
- Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hello,
> To expand a bit on our need for testing CAT installers with multiple
> devices: in our case, testing is to demonstrate to networking and user
> support groups that CAT installers are a viable approach to client
> configuration. Our network and user support groups are skeptical of
> relying on CAT installers, while confident that the simplest manual
> configuration (providing scoped username and password to native
> supplicants) is adequate; downloading and installing CAT profile
> installers is regarded as unnecessarily more complex configuration that
> they fear will be less robust and require additional support.
First the pragmatic comment, then the one about glaring ignorance of
security best practice by those support teams.
In the scenario you describe, there is no need for a test SSID. You
simply create CAT installers for the production eduroam SSID. Since your
eduroam SSID is properly set up, it works regardless of whether it is
configured by hand or configured by CAT. IOW, you don't need a test
/network/. You just need to test /devices/ on the existing network. You
can prevent the installers from appearing at the main download site by
not setting the "Production-Ready" flag. As an admin, you can still
download them via the "Fine-Tuning" page.
And then, have you talked to your network and user support groups about
the very real-life risk of credential theft when not verifying that the
username and password are sent to the actual, authorised authentication
server? Maybe you could tell them in plain words: just typing the
username and password in this box means that the user will send his
password to *arbitrary third parties* who happen to set up a Wi-Fi with
the name "eduroam" in the user's vicinity. If your support groups fear
the extra complexity of a click-through installer, how do they think
about blocking end user accounts and resetting passwords over and over
again because the credentials leak in an uncontrolled manner?
Really, the best a supplicant could do if not properly configured with
trust anchors to connect to would be to NOT CONNECT AT ALL.
Unfortunately, most supplicants do not do that. Exploiting this weakness
for one's end users is not good service to the end users. It's laziness
and recklessness in the face of very real attack scenarios.
Greetings,
Stefan Winter
>
> David Bantz
> U Alaska
>
> On Mon, Oct 15, 2018 at 2:03 AM Stefan Winter <stefan.winter AT restena.lu
> <mailto:stefan.winter AT restena.lu>> wrote:
>
> Hello,
>
> > I've generated installers for a new RADIUS and local eduroam deployment,
> > currently broadcasting on eduroam-test so as not to interfere with
> > ongoing eduroam connections relying on legacy infrastructure.
> >
> > I configured eduroam-test as additional SSID. That requires user entry
> > of full credentials twice (once for eduroam, again for eduroam-test) and
> > disrupts device connection to the real eduroam network (which relies on
> > different RADIUS servers and different user authN method).
> >
> > Is it possible to configure installers ONLY for eduroam-test? I
> > understand the supplicants would not be functional for roaming, but
> > that's not an issue at this stage of testing.
>
> CAT is a tool to facilitate configuration of eduroam and its roaming
> use; and so we always include the SSID eduroam in all installers.
>
> However if you want to do local testing, you may not even need CAT - if
> you are testing on a small number of select devices, these can just as
> well be configured by hand?
>
> If the test device population is larger and/or diverse and you really
> want/need to include CAT installers in the testing phase, I'd suggest:
>
> - create a second deployment profile for your IdP
> - only in that profile add the additional SSID eduroam-test
> - if you want to enable download of these installers on the CAT UI: in
> the profile description, include text to say that this is for testing
> purposes and may disturb normal eduroam operations
> - if you do not want to enable public download: do not set the
> "Production-Ready" flag - then only you as an administrator can download
> the installers in the "Fine-Tuning" page and distribute to the testers
> via your own means.
>
> Greetings,
>
> Stefan Winter
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
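The trust-anchor point Stefan makes above can be checked mechanically on a Linux client. The following is an added example and not code from the CAT project or from the thread's authors: it parses wpa_supplicant `network={...}` blocks and flags 802.1X profiles that have no CA pinned (`ca_cert`/`ca_path`), no server-name check (`domain_match` and friends) or no anonymous outer identity, which is exactly the "just type username and password" profile that will hand credentials to any RADIUS server behind an access point called "eduroam". The directive names are wpa_supplicant's own; the SSID, identities, CA path and server name in the embedded sample configuration are constructed placeholders.

```python
# Added example (not CAT's code): audit wpa_supplicant EAP network blocks for
# profiles that would send the username and password to an unverified server.
import re

# Constructed sample configuration. The first block is the unverified
# "username and password only" profile; the second pins the IdP's CA, binds
# the RADIUS server name and hides the real username outside the TLS tunnel.
# Identities, the CA file path and the server name are placeholders.
SAMPLE_CONF = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@example.edu"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-edu-idp-ca.pem"
    domain_match="radius.example.edu"
}
'''

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$', re.M)

# Without a trust anchor, any server certificate is accepted.
ANCHOR_KEYS = ("ca_cert", "ca_path")
# With an anchor but no name check, any certificate from that CA is accepted.
NAME_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")
EAP_KEY_MGMT = {"WPA-EAP", "WPA-EAP-SHA256"}


def parse_networks(conf: str) -> list[dict[str, str]]:
    """Return one {directive: value} dict per network={...} block, in file order."""
    return [{k: v.strip() for k, v in KV_RE.findall(body)}
            for body in BLOCK_RE.findall(conf)]


def audit_network(net: dict[str, str]) -> list[str]:
    """Return problem codes for one block. An empty list means the profile pins
    a CA, checks the server name and uses an anonymous outer identity.
    Non-EAP blocks (PSK, open) yield no findings."""
    problems: list[str] = []
    if not set(net.get("key_mgmt", "").split()) & EAP_KEY_MGMT:
        return problems
    if not any(k in net for k in ANCHOR_KEYS):
        problems.append("no-trust-anchor")
    if not any(k in net for k in NAME_KEYS):
        problems.append("no-server-name-check")
    # For PEAP/TTLS the outer identity is sent before the TLS tunnel is up,
    # so the real username should only appear in the inner authentication.
    if net.get("eap") in ("PEAP", "TTLS") and "anonymous_identity" not in net:
        problems.append("no-anonymous-outer-identity")
    return problems


def audit_conf(conf: str) -> list[tuple[str, list[str]]]:
    """Audit every block of a configuration; returns (ssid, problems) pairs."""
    return [(net.get("ssid", "?"), audit_network(net)) for net in parse_networks(conf)]


if __name__ == "__main__":
    for ssid, problems in audit_conf(SAMPLE_CONF):
        print(f"{ssid}: " + ("OK" if not problems else "WEAK: " + ", ".join(problems)))
```

Run against a real `/etc/wpa_supplicant/wpa_supplicant.conf` by passing its contents to `audit_conf`; a profile written by a CAT installer should come back with an empty problem list, while a hand-typed one usually trips all three checks.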