cat-users - Re: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Martin Pauly <pauly AT hrz.uni-marburg.de>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS
  • Date: Wed, 19 May 2021 19:19:16 +0200

Hi Stefan,

On 18.05.21 23:56, Stefan Paetow wrote:
> Yes and no. EAP-TLS requires you to visit your organisation's site
> again to get the profile that includes a private key and the cert for
> it. I had this with SecureW2, in that I attempted to use one profile
> on two devices. That was not allowed. Each device had to visit the
> SecureW2 site separately to obtain keys and certs. Maybe it was a
> configuration on the server side, but there we are.

This must be an effect of the specific MDM. With Sophos MDM, we once applied
the same client cert to 120 iPads for a WiFi test with that many devices.
The EAP-TLS worked, the WiFi test failed at that time, and the project was
abandoned.

> But Aruba and others are in agreement that the only way we'll get
> around issues of credential leakage is... EAP-TLS. (

I am curious to see the concepts behind Let's Wifi of geteduroam.
But no matter how good they are, it will at least take 2 years
before we will be able to invest any significant effort there.
In the meantime we will continue to require an anonymous outer ID
from our users (and hope there will be no more things like the EAP-Success bug).

Just an academic question: If you had a mobile OS landscape all
capable of EAP-PWD and only allow this in the server, would you
be able to achieve the same level of security as with EAP-TLS?

Cheers, Martin

--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly AT HRZ.Uni-Marburg.DE
D-35032 Marburg

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature



