
cat-users - Re: [[cat-users]] Auto web proxy setting in CAT tool for IOS

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Mark Blinman <mblinman AT brookes.ac.uk>
  • To: stefan.winter AT restena.lu
  • Cc: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Auto web proxy setting in CAT tool for IOS
  • Date: Tue, 13 Nov 2018 10:41:01 +0000
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=brookes.ac.uk

Hi Stefan,

Thanks for the explanation of the need for the proxy to be set to auto. Makes sense. 
And for that reason, we probably won't experiment with earlier installers that omit the auto-proxy setting.

The vendor's (F5) dev team is, I'm told, in touch with Apple over this issue - F5 are currently unsure whether it's their code at fault, or Apple's.

I'll check with our network team whether we have a dummy PAC file in place - sounds like we don't and that we probably need one to avoid a 'helpful' third party providing one as you say.
I'll let you know how we get on.

Regards,
Mark

Mark Blinman
Systems Analyst
IT Services
Oxford Brookes University
T: 00 44 (0) 1865 483320


On Tue, 13 Nov 2018 at 10:00, Stefan Winter <stefan.winter AT restena.lu> wrote:
Hello,

> We have an odd issue for IOS users (iphone, ipad, etc) who have upgraded
> to IOSv12. When they use our VPN (F5 BigIP SSL-VPN) over Eduroam they
> can no longer login unless they switch off Eduroam's WiFi web proxy. 
>
> The issue is undoubtedly the fault of the VPN vendor and/or Apple, and I
> am pursuing a case with the vendor. I attach no blame to Eduroam :) 
>
> However, I'm curious why the web proxy is set to Auto. Is it necessary? 
> Manually switching off the proxy seems to have no ill effects.

It is unfortunately not quite that easy.

You are not seeing any ill effects with the feature turned off /on your
own hotspot/.

That's very probably because you don't enforce a proxy at that hotspot.

However, eduroam policy allows for the deployment of a web proxy so long
as it can be auto-discovered and does not need any manual configuration.

Since we install eduroam settings for global use, we have to set this
setting to Automatic to ensure that your users can roam to other
hotspots that have a web proxy.

> I have identified that this non-default setting is set by the CAT tool
> that my Uni created (though the person who created it has long gone).
> And that many other universities in the UK do the same. 
>
> The setting doesn't matter to IOSv11 (and presumably earlier, though I
> cannot test this),

This is a bit strange. iOS knows about and honours this setting since iOS 7.

It doesn't cause any trouble because the auto-detection is supposed to,
well, auto-detect, that no proxy is present and then the connection just
carries on.

If everything worked until iOS 11 and now not under iOS 12 then indeed
Apple may have a regression in their own support for a feature they control.

> but if the vendor is unable to resolve the issue, I'm
> trying to find the least painful way forward for existing and new IOS12
> clients, and re-issuing our CAT tool with the web proxy set to Off is
> one possibility, providing it doesn't break something that I haven't
> come across yet.

Did the vendor confirm that this is an issue on their side? Is that F5,
or Apple?

You could try two things:

- do you already have a dummy PAC file in place? Independently of
eduroam, it is considered to have a Proxy Auto Config (PAC) file on your
network. There are some attacks if none is present (basically, a third
party can "helpfully" provision a web proxy to your users if you don't
claim the space yourself). Possibly, the presence of the dummy is enough
to change the code path in iOS 12.

- You can experiment with a download of our installers for "iOS 5 and
6". The single difference between those installers and the more recent
ones is that they do not contain any proxy setting configuration. Be
aware though that your end users may have issues connecting to hotspots
which do require a proxy auto-configuration as per above.

Please let us know how it goes...

Greetings,

Stefan Winter

>
> Regards,
> Mark Blinman
>
> Mark Blinman
> Systems Analyst
> IT Services
> Oxford Brookes University
> T: 00 44 (0) 1865 483320
>
> Connect with IT:
> IT Services website <https://www.brookes.ac.uk/obis/>  IT Service Desk
> <http://service.brookes.ac.uk/brookes>  IT intranet
> <http://intranet.brookes.ac.uk/it-services-intranet>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
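
The "dummy PAC file" discussed in this thread, as an added example that is not part of the original messages: a PAC file that answers `DIRECT` for everything, plus a small Node.js check that a given PAC text really behaves that way. The helper stand-ins, sample URLs, host names and the `auditPac`/`loadPac` names are constructed for illustration.

```javascript
// Constructed dummy PAC: claims the auto-config slot and sends everything direct.
const DUMMY_PAC = `
function FindProxyForURL(url, host) {
  return "DIRECT";
}`;

// Constructed counter-example: a PAC that sends some traffic through a proxy.
const PROXYING_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.org")) return "DIRECT";
  return "PROXY proxy.example.net:3128; DIRECT";
}`;

// Minimal stand-ins for the PAC helper functions the samples call.
const PAC_HELPERS = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
};

// Constructed sample URLs used to exercise the PAC logic.
const SAMPLE_URLS = [
  "http://intranet/",
  "http://www.example.org/",
  "https://vpn.example.com/login",
];

// Evaluate PAC text in-process (no sandbox): only feed it your own file.
function loadPac(source) {
  const names = Object.keys(PAC_HELPERS);
  const body = source + '\nreturn typeof FindProxyForURL === "function" ? FindProxyForURL : null;';
  return new Function(...names, body)(...names.map((n) => PAC_HELPERS[n]));
}

// Report every sample URL for which the PAC answers anything but DIRECT.
function auditPac(source, urls = SAMPLE_URLS) {
  const find = loadPac(source);
  if (!find) return { dummy: false, findings: ["no FindProxyForURL defined"] };
  const findings = [];
  for (const url of urls) {
    const answer = String(find(url, new URL(url).hostname)).trim();
    if (answer.toUpperCase() !== "DIRECT") findings.push(`${url} -> ${answer}`);
  }
  return { dummy: findings.length === 0, findings };
}

console.log(auditPac(DUMMY_PAC), auditPac(PROXYING_PAC));
```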


