cat-users - Re: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS


  • From: Stefan Paetow <Stefan.Paetow AT jisc.ac.uk>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS
  • Date: Tue, 18 May 2021 21:56:36 +0000
  • Accept-language: en-GB, en-US

Hi Martin,

> Conclusion: Forcing your clients to use an anonymous outer ID will
> protect you from this trivial attack almost completely!

Which requires you to use an MDM profile (à la the CAT profile) on Apple. You
cannot specify an anonymous outer in a manual setup on iOS. When you simply
tap to join 'eduroam' on iOS, you are only prompted for your username (or
NAI, rather) and password, and the NAI is not anonymised.

> NB: Most of this could be avoided by methods like EAP-TLS in the first
> place, but this is future work for most of us.

Yes and no. EAP-TLS requires you to visit your organisation's site again to
get the profile that includes a private key and the cert for it. I had this
with SecureW2, in that I attempted to use one profile on two devices. That
was not allowed. Each device had to visit the SecureW2 site separately to
obtain keys and certs. Maybe it was a configuration on the server side, but
there we are.

But Aruba and others are in agreement that the only way we'll get around
issues of credential leakage is... EAP-TLS. (

> Sorry, the focus shift and additional work introduced by Covid hampered
> us to the point
> that we were hardly able to conduct the research at all.

The research is nonetheless fascinating, and it would be great to read it.
We'll wait until it's ready (

(

Stefan Paetow
Federated Roaming Technical Specialist

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp AT jabber.dev.ja.net
skype: stefan.paetow.janet


On 17/05/2021, 10:55, "Martin Pauly" <cat-users-request AT lists.geant.org on
behalf of pauly AT hrz.uni-marburg.de> wrote:

Conclusion: Forcing your clients to use an anonymous outer ID will
protect you from this trivial attack almost completely!
NB: Most of this could be avoided by methods like EAP-TLS in the first
place, but this is future work for most of us.
The vulnerability has been present all the way from the start of eduroam
until _now_.
And: EAP-PWD won't help either as the users have to configure it, just as
cert checking.
I promise to give a sensible write-up of the results some time this year.
Sorry, the focus shift and additional work introduced by Covid hampered
us to the point
that we were hardly able to conduct the research at all.

The need to require an anonymous outer ID brings us back to that big
Korean manufacturer ...
>> in most Samsung devices (with the notable exception of the
>> Galaxy S21).
> Is it possible that the S21 has already received a fix for this issue?
> I have a Samsung device here that did display the problem
> when I upgraded to Android 11. I'll power it up and check whether it's
> getting any updates.
I should be more precise here: Our specimen of a Galaxy S21 which is the
German/Germany version of
this model, did not exhibit the "Samsung Bug". It just worked.

Regards, Martin

--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly AT HRZ.Uni-Marburg.DE
D-35032 Marburg
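An added illustration of the anonymous-outer-ID point discussed in this thread (example code, not from the list, the CAT project or either author): an identity provider can check its own RADIUS logs for EAP-TTLS/PEAP logins whose outer identity still carries the real username. It assumes FreeRADIUS-style "Login OK" lines and a home realm of example.edu; the log lines are constructed sample data.

```python
# Audit the outer (cleartext EAP-Identity) usernames seen in RADIUS login logs
# and flag those that reveal the real local part instead of an anonymous one.
import re
from dataclasses import dataclass

NAI_RE = re.compile(r"^(?P<user>[^@]*)@(?P<realm>[^@\s]+)$")
# FreeRADIUS-style "Login OK" line; the bracketed field is the outer User-Name.
LOGIN_RE = re.compile(r"Login OK: \[(?P<outer>[^\]/]+)")


@dataclass
class Finding:
    outer: str
    verdict: str   # "ok" | "leaks-username" | "no-realm" | "wrong-realm"
    reason: str


def audit_outer_identity(outer: str, home_realm: str) -> Finding:
    """Classify one outer identity as it is visible on the air and to RADIUS proxies."""
    m = NAI_RE.match(outer.strip())
    if not m:
        return Finding(outer, "no-realm", "no @realm suffix; cannot be routed when roaming")
    user, realm = m.group("user"), m.group("realm").lower()
    if realm != home_realm.lower():
        return Finding(outer, "wrong-realm", f"realm {realm!r} is not {home_realm!r}")
    if user in ("", "anonymous"):
        return Finding(outer, "ok", "outer identity exposes only the realm")
    return Finding(outer, "leaks-username", f"local part {user!r} is sent in cleartext")


def audit_log(lines, home_realm: str):
    """Return one Finding per login line; lines without a login are skipped."""
    findings = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            findings.append(audit_outer_identity(m.group("outer"), home_realm))
    return findings


# Constructed sample log lines in FreeRADIUS "Login OK" format (not real data).
SAMPLE_LOG = [
    "Auth: (3) Login OK: [anonymous@example.edu/<via Auth-Type = eap>] (from client ap1 port 0 cli 02-00-00-00-00-01)",
    "Auth: (4) Login OK: [jdoe@example.edu/<via Auth-Type = eap>] (from client ap2 port 0 cli 02-00-00-00-00-02)",
    "Auth: (5) Login OK: [@example.edu/<via Auth-Type = eap>] (from client ap1 port 0 cli 02-00-00-00-00-03)",
    "Auth: (6) Login OK: [asmith/<via Auth-Type = eap>] (from client ap3 port 0 cli 02-00-00-00-00-04)",
]

if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG, "example.edu"):
        print(f"{f.verdict:16} {f.outer:24} {f.reason}")
```

Only the outer identity is inspected, because it is the only part of the exchange visible outside the TLS tunnel; the inner username never appears in these lines.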
