
cat-users - Re: [[cat-users]] FW: [eduroam-support] Checking in on your eduroam service

List: cat-users AT lists.geant.org (the mailing list for users of the eduroam Configuration Assistant Tool (CAT))


  • From: Martin Pauly <pauly AT hrz.uni-marburg.de>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] FW: [eduroam-support] Checking in on your eduroam service
  • Date: Mon, 18 Feb 2019 12:06:24 +0100

Hi Trenton (and list),

On 16.02.19 at 03:27, Hurt, Trenton W. wrote:
> Who can help me with getting the cat tool setup for our institutions config?

good, UL is joining cat.eduroam.org. This platform will hopefully soon help to get decent WiFi configuration on your users' devices. But as with many other institutions, an important part of your current WiFi docs tells people otherwise:

E.g. all Android instructions for manual setup tell users NOT to check the certificate presented by the network, e.g. point 6 of
http://louisville.edu/it/departments/communications/wireless/configuration-guides/android-4.0-samsung-galaxy-nexus-o-s-wireless-setup
states:
CA certificate: N/A

For a decade, Android has been THE problematic client platform in this respect, for two reasons:
1. Up to Android 6, the platform gives you a hard time checking a cert: the JAVA cert store is inaccessible for a non-root user, you have to import the CA root cert again.
2. If you leave the setting on default (N/A or "Do not validate"), Android will connect to an SSID it knows immediately, and happily deliver the user's credential to the SSID's RADIUS server -- whether it is the real one or a fraud.

In conjunction with the ubiquitous SSID eduroam, running the so-called Evil Twin attack is extremely easy. We did it a couple of times against ourselves and would have gathered dozens of user accounts per hour in a busy environment, had we stored the credentials. Using MS-CHAPv2 inside the tunnel only adds a thin layer of protection.

I'm not stressing this point to bash UL, but rather I have identified so many institutions getting this wrong that I believe that it is a structural problem (and CAT is part of the solution).

My personal top-of-the-list is no university but a well-known company selling all sorts of security products:
https://documentation.meraki.com/MR/Encryption_and_Authentication/WPA2_Enterprise_Profile_Setup_on_Android

In your case, you may simply remove the old docs once you are rolling out CAT.

Cheers, Martin

--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly AT HRZ.Uni-Marburg.DE
D-35032 Marburg

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
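The weakness Martin describes, a client profile that sets the CA certificate to "N/A" / "Do not validate" and therefore hands the user's credentials to whatever RADIUS server answers for the SSID, can be spotted mechanically in a supplicant configuration. The following audit script is an added illustration; it is not code from this list, from CAT, or from any of the institutions named above. It assumes a minimal subset of wpa_supplicant's network-block syntax (ca_cert, domain_suffix_match, domain_match and altsubject_match are real wpa_supplicant options; Android's supplicant is derived from it), and both sample profiles are constructed. The server-name check goes one step beyond the mail's point about the CA certificate: pinning only the CA still accepts any server certificate that CA issued.

```python
"""Audit EAP (802.1X) Wi-Fi profiles for missing RADIUS server validation.

Added illustration, not code from the cat-users list or from CAT.
Input format: a minimal subset of wpa_supplicant network={...} blocks.
"""
import re

# Constructed sample: mirrors "CA certificate: N/A" from the manual-setup
# guides quoted in the mail. Nothing here ties the credential to the real
# eduroam RADIUS server, so an Evil Twin AP receives the MS-CHAPv2 exchange.
WEAK_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="secret"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed sample of what a CAT-style profile pins: the issuing CA and the
# expected server name (CA file path and server name are placeholders).
VALIDATED_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="secret"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/eduroam-ca.pem"
    domain_suffix_match="radius.example.edu"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*([A-Za-z0-9_]+)=(.*?)\s*$", re.M)


def parse_networks(text):
    """Return one dict of key/value settings per network={...} block."""
    nets = []
    for body in BLOCK_RE.findall(text):
        settings = {}
        for key, val in KV_RE.findall(body):
            settings[key] = val.strip('"')
        nets.append(settings)
    return nets


def audit_network(net):
    """Return findings for one block; an empty list means the server is validated.

    Only WPA-EAP networks are judged: a PSK network has no RADIUS server.
    """
    findings = []
    if "EAP" not in net.get("key_mgmt", "").upper():
        return findings
    if not net.get("ca_cert") and not net.get("ca_path"):
        findings.append("no CA certificate: the server certificate is not "
                        "validated (the 'N/A' / 'Do not validate' setting)")
    name_checks = ("domain_suffix_match", "domain_match", "altsubject_match")
    if not any(net.get(k) for k in name_checks):
        findings.append("no server name check: any certificate from the "
                        "trusted CA is accepted")
    return findings


def audit(text):
    """Return [(ssid, findings), ...] for every network block in the text."""
    return [(net.get("ssid", "?"), audit_network(net)) for net in parse_networks(text)]


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("validated", VALIDATED_PROFILE)):
        for ssid, findings in audit(profile):
            print(f"[{label}] {ssid}: {findings or 'server validation present'}")
```

Run against the two constructed profiles, the weak one yields two findings (no CA certificate, no server name check) and the validated one yields none; pointing the script at a real wpa_supplicant.conf gives a quick inventory of which EAP profiles would follow the "N/A" guidance the mail warns about.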



