cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Per Mejdal Rasmussen <pmr AT its.aau.dk>
- To: eduroam CAT Feedback <cat-users AT lists.geant.org>
- Subject: Re: [[cat-users]] How we deal with [unsecure] devices on eduroam
- Date: Tue, 1 Oct 2019 09:59:58 +0200
Hi Alan
I will answer your questions and statements below.
On 2019-09-30 21:02, Alan Buxey wrote:
> good luck when the devices start randomising their MAC addresses when
> using the same SSID! :(

The MAC address lock is an extra layer of security that can be removed if it causes problems. For now it does not cause problems.

> (the MAC address is usually only randomised per SSID right now - but
> so many flaws already found for that
> in terms of being able to track - and if user turns off the randomise
> MAC option because of issues with e.g. some captive
> portal network then the device will now have the default MAC for the
> eduroam SSID now...)

With Windows this setting is configurable per SSID.

The risk of tracking of MAC addresses is a minor problem compared to the risk of getting your files and emails stolen, or being forced to run an installer that might include extra "security" stuff. Like the ability for the institution to intercept encrypted traffic or check which software you have installed (these are real wishes from some people at my institution).

> coupled to that, the many installations in eduroam where
> Calling-Station-ID is filtered out of the proxied request :(

About 3% of installations do not forward the MAC address. In this case the check is skipped.

> Why use username/password? Just move to using EAP-TLS instead - not
> sure why you don't think it's as widely supported - which devices
> did you find it not working on (as over time I've seen EAP-TLS and
> PEAP on almost all devices - it's EAP-TTLS/* and EAP-PWD or EAP-FAST
> that are rarely seen :( (as for installation being difficult - not
> if you are using a deployment tool/profile - the same tool that
> ensures the correct settings and certificate are added to the client,
> this can be documented so that the end user can easily configure
> eduroam when away from the home institution - I can't see how a user
> can get a working configuration when remote with your solution? )

I will answer this question later.
--
Per Mejdal Rasmussen
http://personprofil.aau.dk/109070