
cat-users - Re: [[cat-users]] How we deal with [unsecure] devices on eduroam

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [[cat-users]] How we deal with [unsecure] devices on eduroam


  • From: JÁKÓ András <jako.andras AT eik.bme.hu>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] How we deal with [unsecure] devices on eduroam
  • Date: Wed, 2 Oct 2019 11:39:42 +0200
  • Organization: Budapest University of Technology and Economics (BME)

Hello,

> That is why the eduroam policy is very explicit about server-side
> validation: you need to instruct your users to configure server-side
> validation, and need to supply them with the means to do so (i.e. tell
> them about CA and expected server name).

We tell them to use CAT, and also tell them all the parameters
(including the CA certificate, the server name, and that verification is
a must) so that they can set up their client devices without using CAT
if they need to. However, a lot of our users try to connect simply by
selecting eduroam from the available SSIDs, entering their credentials,
and tweaking the settings only as long as it is necessary to connect,
which usually does not include certificate verification.

I'm sure we can improve the way we are promoting CAT, but is there any
way to force them to verify the IdP's identity? (The least bad idea I
have is setting up a few honeypots, and disabling successfully
authenticating users' accounts, but that seems completely unacceptable
for more reasons.)

András


