
cat-users - Re: [[cat-users]] How we deal with [unsecure] devices on eduroam

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Per Mejdal Rasmussen <pmr AT its.aau.dk>
  • To: <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] How we deal with [unsecure] devices on eduroam
  • Date: Tue, 1 Oct 2019 12:27:42 +0200

On 2019-10-01 09:59, Per Mejdal Rasmussen wrote:
On 2019-09-30 21:02, Alan Buxey wrote:
Why use username/password?  Just move to using EAP-TLS instead - not
sure why you don't think it's as widely supported - which devices
did you find it not working on (as over time I've seen EAP-TLS and
PEAP on almost all devices - it's EAP-TTLS/* and EAP-PWD or EAP-FAST
that are rarely seen :(   (as for installation being difficult - not
if you are using a deployment tool/profile - the same tool that
ensures the correct settings and certificate are added to the client,
this can be documented so that the end user can easily configure
eduroam when away from

The big advantage of my system is that it works...

Please see my presentation at:
https://events.nordu.net/pages/viewpage.action?pageId=69796070

Just click on the eduroam SSID, and type in the credentials. You can use an installer, if it is easier than typing in a password. But it is entirely optional.

You can use another device to generate the credentials for yourself or a guest.

You can send the credentials by email to a guest in advance, so they are prepared.

It works on special devices like Raspberry Pi and OpenWRT.

The bottom line is we don't care if device credentials are stolen, because they only grant access to eduroam - a network shared by millions, and the same MAC address must be used. There are much easier ways to get anonymous network access.


the home institution - I can't see how a user can get a working
configuration when remote with your solution? )

I don't understand why you think this is a problem with my system, just use any device with network access to generate credentials. You can even phone home to support, and they can do it.

This is where EAP-TTLS has a big problem. If you have a device without network access, how do you run the installer, which you cannot download, because there is no open network where you are?

--
Per Mejdal Rasmussen
http://personprofil.aau.dk/109070


