Skip to Content.

cat-users - [[cat-users]] How we deal with [unsecure] devices on eduroam

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive


[[cat-users]] How we deal with [unsecure] devices on eduroam


Chronological Thread 
    < Chronological >      < Thread >
  • From: Per Mejdal Rasmussen <pmr AT its.aau.dk>
  • To: <cat-users AT lists.geant.org>
  • Subject: [[cat-users]] How we deal with [unsecure] devices on eduroam
  • Date: Mon, 30 Sep 2019 13:06:01 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 130.225.198.192) smtp.rcpttodomain=lists.geant.org smtp.mailfrom=its.aau.dk; dmarc=pass (p=none sp=none pct=100) action=none header.from=its.aau.dk; dkim=none (message not signed); arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8CQDPbpzQvDdkqJvj8MyBLAKZiSRGon4MPyUnHKpyQs=; b=IRysXUu8yxI54IDUZxF1fV7uaxcfgv2hzXED5r4VOIh4yXzKtJstGjyiLRN5iMHfIH2IR4npnl8zk1WpKM+59aW/czy6Zpwygnwguc7X/rlCc03CGn8XxCN5hadW45gazRsoxz2PzYTOCpDw+u5Ub1RykdwM5mJgu6i19z9dBIWlzeiYg31/i+JYpZP1Raz0Nh170T+JGNuHGgU7WInHkWhMzgtq6N/DcT+qLDHPpAJn+rpjPO0pQHPCLM1uZ3uqY6ebTjWXbe1YAs3GrPv8oSrhgTVqWAU3Hvy9AfMXZ3/Ed6czWtP+EXHC0+zCT6qDVoQQ/Mh9scj5HWsOYuG5hw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ca2EtbPnMPliPFjJUhLqVOMhecQ7ImZzpuH0Np1bxLfHuKssGhUsUQoHNnDAAM6t3O9AqXMOwvmOpel7fNrM5bikbgqUpvYnfJg6RrLgPgTCawZDjT4omHE6+KAYFIm4whDb6+3TpCXqoVmBZOaIsNpNX4wq9cqjg+JI6GS2wbYxBeheSH1glhckg9QlLr5N6X2LKvJR2G9aEzGMZIAf6MiYshJbg5vvylzcBDapdNdHqxTCfXJ28gXrkezBmB/BmJca6k1QxGx6KNzpL7OHdaWzW8fuIs0gBWiOzujhCJ1HRdMRA8aToqbmGxQ0qcRtdV3LZPnkD0dVOvv400auvA==
  • Authentication-results: spf=pass (sender IP is 130.225.198.192) smtp.mailfrom=its.aau.dk; lists.geant.org; dkim=none (message not signed) header.d=none;lists.geant.org; dmarc=pass action=none header.from=its.aau.dk;
At our university many student devices are not configured to verify the radius server certificate, despite we for many years have told the students to use the CAT tool. This makes is possible to steal the credential and use them to login eduroam, email and filesystems. I suspect this is even greater problem at most institutions that uses 802.1X on BYOD.

To make it impossible to reuse stolen eduroam credentials for other systems, we have made system that generates unique credentials per device. Where each username/password pair is locked to the MAC address of the device. The MAC address lock is implemented to prevent account sharing and to make it harder to use stolen credentials on eduroam.

After eduroam-account creation, the user can download a personal installer with the username/password and server certificate included. During the first week of this semester start, 4000 users created 6000 new devices, that logged on to eduroam.

The user does not need to type in the MAC address of the devices. It is harvest upon the first login. This allows the device to randomize the MAC address per SSID. We had no issues with locking the credential to a MAC address.

It is also possible to make guest accounts that only works at our university. This is a much more secure solutions that an open network or shared PSK.

We are cleaning up the source code, and intent to release it on GitHub.

The reason we don't just use device certificates, is that it is not as widely supported as username/password in devices, and installation is more difficult. There is a project called GetEduroam that is working on device certificates for eduroam.

[unsecure] added to subject to allow sending to mail server that does not support TLS.

--
Per Mejdal Rasmussen
http://personprofil.aau.dk/109070

Archive powered by MHonArc 2.6.19.

Top of Page