
cat-users - Re: [[cat-users]] How we deal with [unsecure] devices on eduroam

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [[cat-users]] How we deal with [unsecure] devices on eduroam


  • From: Alex Sharaz <alex.sharaz AT york.ac.uk>
  • To: Per Mejdal Rasmussen <pmr AT its.aau.dk>
  • Cc: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] How we deal with [unsecure] devices on eduroam
  • Date: Mon, 30 Sep 2019 12:27:37 +0100

Any more details on GetEduroam?

Rgds
Alex

On Mon, 30 Sep 2019 at 12:06, Per Mejdal Rasmussen <pmr AT its.aau.dk> wrote:
At our university many student devices are not configured to verify the
RADIUS server certificate, despite us having told the students for many
years to use the CAT tool. This makes it possible to steal the
credentials and use them to log in to eduroam, email and filesystems. I
suspect this is an even greater problem at most institutions that use
802.1X on BYOD.

To make it impossible to reuse stolen eduroam credentials for other
systems, we have made a system that generates unique credentials per
device, where each username/password pair is locked to the MAC address
of the device. The MAC address lock is implemented to prevent account
sharing and to make it harder to use stolen credentials on eduroam.

After eduroam account creation, the user can download a personal
installer with the username/password and server certificate included.
During the first week of this semester, 4000 users created 6000
new devices that logged on to eduroam.

The user does not need to type in the MAC address of the device. It is
harvested upon the first login. This allows the device to randomize the
MAC address per SSID. We had no issues with locking the credential to a
MAC address.

It is also possible to make guest accounts that only work at our
university. This is a much more secure solution than an open network or
a shared PSK.

We are cleaning up the source code, and intend to release it on GitHub.

The reason we don't just use device certificates is that they are not as
widely supported as username/password on devices, and installation is
more difficult. There is a project called GetEduroam that is working on
device certificates for eduroam.

[unsecure] added to subject to allow sending to mail server that does
not support TLS.

--
Per Mejdal Rasmussen
http://personprofil.aau.dk/109070
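A small model of the per-device credential binding Per describes above, added here as an illustration; this is not the AAU system's code, and the class names, the PBKDF2 password hashing and the Calling-Station-Id normalisation are my assumptions about how such a RADIUS-side check could look:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model of the scheme in the thread: each device gets its own
# username/password, and the MAC address (the RADIUS Calling-Station-Id) is
# learned on the first successful login and enforced on every later one, so
# a credential lifted from one device is useless on another.  Hypothetical
# names; not the AAU implementation.

@dataclass
class DeviceCredential:
    owner: str                    # the eduroam user the device belongs to
    salt: bytes
    pw_hash: bytes
    mac: Optional[str] = None     # None until harvested on first login
    revoked: bool = False         # lets one device be cut off without the rest

class DeviceCredentialStore:
    def __init__(self) -> None:
        self.creds: Dict[str, DeviceCredential] = {}

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def create(self, owner: str) -> Tuple[str, str]:
        """Issue a fresh per-device username/password for `owner`."""
        username = f"{owner}-{secrets.token_hex(3)}"
        password = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self.creds[username] = DeviceCredential(owner, salt, self._hash(salt, password))
        return username, password

    def authorize(self, username: str, password: str, calling_station_id: str) -> str:
        """Return 'accept' or 'reject' for one request; binds the MAC on first use."""
        cred = self.creds.get(username)
        if cred is None or cred.revoked:
            return "reject"
        if not hmac.compare_digest(cred.pw_hash, self._hash(cred.salt, password)):
            return "reject"
        mac = calling_station_id.lower().replace("-", ":")   # AA-BB-.. -> aa:bb:..
        if cred.mac is None:
            cred.mac = mac                                    # harvest on first login
            return "accept"
        return "accept" if cred.mac == mac else "reject"     # reuse from another device
```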


