
cat-users - Re: [[cat-users]] eduroam Issue

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [[cat-users]] eduroam Issue


  • From: IAM David Bantz <db AT alaska.edu>
  • To: Tomasz Wolniewicz <twoln AT umk.pl>
  • Cc: Michael.Davies AT gowercollegeswansea.ac.uk, Alan Buxey <alan.buxey AT gmail.com>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] eduroam Issue
  • Date: Thu, 13 Dec 2018 08:57:22 -0900
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (2048-bit key) header.d=alaska-edu.20150623.gappssmtp.com

To clarify the experiences I reported after password change in the authentication source:

1) the normal automatic connection to the wireless network silently fails to connect;

2) use the device's wireless network connectivity tool to manually select the wireless network and explicitly request connection to that wireless network;

3) now the user is prompted to enter a new password (the username pre-filled);

4) upon successful authentication with the new password, automatic connection is restored.

caveats:

we tested only a single instance of 4 platforms (Win10, macOS, iOS, Android) - maybe we somehow got lucky
testing was on the "secondary" SSID eduroam-test (our broadcast eduroam will cut over to new infrastructure 26 December)

David Bantz


On Thu, Dec 13, 2018 at 3:25 AM Tomasz Wolniewicz <twoln AT umk.pl> wrote:

Indeed, I have also observed that Windows 10 will not prompt the user for new credentials, it will just fail silently.

Tomasz


On 12.12.2018 at 10:22, Michael Davies (Infrastructure Mgr) wrote:

Hi David

 

We are seeing evidence to the contrary whereby the user cannot enter their new password and carry on using eduroam, it just fails to connect until they remove the profile and enter their new password which is then stored in the new profile on the device.

 

Alan, I will investigate the use of using EAP-TLS certs & may review our password policy as a last resort.

 

Thanks for your input all.

 


 

From: IAM David Bantz [mailto:dabantz AT alaska.edu]
Sent: 11 December 2018 18:55
To: Alan Buxey
Cc: Michael Davies (Infrastructure Mgr); cat-users AT lists.geant.org
Subject: Re: [[cat-users]] eduroam Issue

 

Our pre-deployment testing of expired password behavior of supplicants on the most current release of iOS, Android, macOS, and Windows with CAT-installed profiles determined that it is not necessary to re-install the profile for a changed password in the authentication source. Of course the supplicants configured with an invalid password will fail to connect; but if the user manually initiates connection to eduroam SSID, they are prompted for the correct password; once the correct new password is entered, automatic connection to eduroam is restored. YMMV

 

David Bantz

U Alaska

 

 

 

On Tue, Dec 11, 2018 at 6:47 AM Alan Buxey <alan.buxey AT gmail.com> wrote:

hi,

 

yes, unfortunately most mobile platforms have issues with stored profile passwords if the user has changed them - repeated failures to auth - usually remedied easily by just rejoining the network after forgetting it (at that point, if not using a deployment tool such as eduroamCAT, the new connection will be without checking the RADIUS cert correctly).

 

so, use EAP-TLS certs instead (self-enroll using their current user/password to get a cert that is only for wireless) - Aruba clearpass etc etc

 

or maybe look at your password policy - why changing them every 3 months? the current security best practice is to ensure the password is strong and ONLY change it if there is a reason to believe that it's been compromised, use multi factor auth where possible etc.

 

 

 

alan


-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576
