The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Tomasz Wolniewicz <twoln AT umk.pl>]

Hi

W dniu 12.09.2019 o 13:08, Toni Pérez pisze:

Hi,

With nonBroadcast=true the number of probe request with eduroam is increased in areas whrere there are no eduroam service. It affects security by making easier the fingerprinting of users devices (the profiles that are configured in one device). With fingerprinting the next step is a rouge/karma attack.

Is see you point. Changing this globally probably would not do any harm as eduroam is normally broadcasted anyway. We will definitely consider this.

It's true that the user is protected if the supplicant verifies root CA and CN in radius server certificate. But supplicants don't usually give the correct information to users with messages like "there are a problem" or "authentication error" instead "Warning! Malicious eduroam detected, don't try to reconfigure your configuration".

Just a comment on that. With our settings, such messages will only appear when the user tries to connect "manually". Automatic connections do not pop up any failure messages, which is probably the best approach.

Yours

Tomasz

With nonBroadcast=false may be fingerprinting is still possible but with nonBroadcast=true it's true thats is more easier the device fingerprinting.

Greetings,
Toni Pérez

El 11/09/2019 a las 20:38, Tomasz Wolniewicz escribió:

Hi,

   How would disabling this option make security better? A hidden eduroam SSID is stil covered by the security settings for the home RADIUS server, so th client will not connect to a rouge network. With eduroam connections mostly happen without thee user intervention anyway.

Cheers

Tomasz Wolniewicz

W dniu 11.09.2019 o 19:13, Toni Pérez pisze:

Hello!

We can see in Windows 10 profile that nonBroadcast optioin is enabled/true (the option to connect to networks which do not broadcast their network name or SSID).
I have not verified other operating systems.

For security reasons, would it be possible to disable (false) this option in eduroam CAT?

You can verify this option with cmd -->
    netsh wlan show profiles name="eduroam"
    or
    netsh wlan export name="eduroam"

Best regards,

Toni Pérez
Universitat de les Illes Balears

------------------------------------------------------------------------------------

<?xml version="1.0"?>
<WLANProfile xmlns=MailScanner ha detectat un possible intent de frau des de "www.microsoft.com" "http://www.microsoft.com/networking/WLAN/profile/v1">
    <name>eduroam</name>
    <SSIDConfig>
        <SSID>
            <hex>656475726F616D</hex>
            <name>eduroam</name>
        </SSID>
        <nonBroadcast>true</nonBroadcast>
    </SSIDConfig>
    <connectionType>ESS</connectionType>
    <connectionMode>auto</connectionMode>
    <autoSwitch>false</autoSwitch>

.....

------------------------------------------------------------------------------------

-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750                            tel kom.: +48-693-032-576

Attachment: smime.p7s
Description: Kryptograficzna sygnatura S/MIME