The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[IAM David Bantz <dabantz AT alaska.edu>]

Our pre-deployment testing of expired password behavior of supplicants on most current release of iOS, Android, macOS, and Windows with CAT-installed profiles determined that it is not necessary to re-install the profile for a changed password in the authentication source. Of course the supplicants configured with invalid password will fail to connect; but if the user manually initiates connection to eduroam SSID, they are prompted for the correct password; once the correct new password is entered, automatic connection to eduroam is restored. YMMV

David Bantz

U Alaska

On Tue, Dec 11, 2018 at 6:47 AM Alan Buxey <alan.buxey AT gmail.com> wrote:

hi,

yes, unfortunately most mobile platforms have issues with stored profile passwords if the user has changed them - repeated failures to auth - usually remeied easily by just rejoining the

network after forgetting it (at that point, if not using a deployment tool such as eduroamCAT, the new connection will be without checking the RADIUS cert correctly).

so, use EAP-TLS certs instead (self-enroll using their current user/password to get a cert that is only for wireless) - Aruba clearpass etc etc

or maybe look at your password policy - why changing them every 3 months? the current security best practices is to ensure the password is strong and ONLY change it if

there is a reason to believe that its been compromised, use multi factor auth where possible etc.

https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry

alan

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users