The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

["Michael Davies (Infrastructure Mgr)" <Michael.Davies AT gowercollegeswansea.ac.uk>]

Hi David

 

We are seeing evidence to the contrary where by the user cannot enter their new password and carry on using eduroam, it just fails to connect until they remove the profile and enter their new password which is then stored in the new profile on the device.

 

Alan, I will investigate the use of using EAP-TLS certs & may review  our password policy as a last resort.

 

Thanks for your input all.

 

 

From: IAM David Bantz [mailto:dabantz AT alaska.edu]
Sent: 11 December 2018 18:55
To: Alan Buxey
Cc: Michael Davies (Infrastructure Mgr); cat-users AT lists.geant.org
Subject: Re: [[cat-users]] eduroam Issue

 

Our pre-deployment testing of expired password behavior of supplicants on most current release of iOS, Android, macOS, and Windows with CAT-installed profiles determined that it is not necessary to re-install the profile for a changed password in the authentication source. Of course the supplicants configured with invalid password will fail to connect; but if the user manually initiates connection to eduroam SSID, they are prompted for the correct password; once the correct new password is entered, automatic connection to eduroam is restored. YMMV

 

David Bantz

U Alaska

 

 

 

On Tue, Dec 11, 2018 at 6:47 AM Alan Buxey <alan.buxey AT gmail.com> wrote:

hi,

 

yes, unfortunately most mobile platforms have issues with stored profile passwords if the user has changed them - repeated failures to auth - usually remeied easily by just rejoining the

network after forgetting it (at that point, if not using a deployment tool such as eduroamCAT, the new connection will be without checking the RADIUS cert correctly).

 

so, use EAP-TLS certs instead (self-enroll using their current user/password to get a cert that is only for wireless) - Aruba clearpass etc etc

 

or maybe look at your password policy - why changing them every 3 months? the current security best practices is to ensure the password is strong and ONLY change it if

there is a reason to believe that its been compromised, use multi factor auth where possible etc.

 

https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry

 

 

alan

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

Ymwadiad - Mae'r e-bost hwn wedi'i fwriadu ar gyfer y derbynnydd(derbynyddion) yn unig.  Os ydych wedi derbyn yr e-bost ar gam, dylech ddileu pob copi ohono ac unrhyw atodiadau, a thrin y cynnwys fel cynnwys cyfrinachol.  Ymddiheurwn am unrhyw anghyfleustra y gall hyn ei achosi.  Mae'r barnau a safbwyntiau a fynegir yn y neges e-bost hon yn rhai'r awdur ac ni ddylid cymryd eu bod yn rhai'r coleg.  Mae'r e-bost hwn wedi cael ei wirio gan feddalwedd gwrthfeirysau.  Nid yw'r coleg yn cymryd unrhyw gyfrifoldeb am unrhyw niwed sy'n gysylltiedig â derbyn yr e-bost hwn, sut bynnag y'i hachosir.

Disclaimer - This email is intended for the addressee(s) only. If however you have received this email in error, please delete all copies of it and any attachments, and treat the contents as confidential. We apologise for any inconvenience this may cause. The views and opinions expressed in this email message are those of the author and must not be assumed to be those of the college. This email has been checked by anti-virus software. The college accepts no liability for any damages related to receipt of this email, howsoever caused.