
cat-users - Re: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive


  • From: Martin Pauly <pauly AT hrz.uni-marburg.de>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS
  • Date: Fri, 21 May 2021 16:34:27 +0200

On 21.05.21 at 14:59, Stefan Winter wrote:
> The only way to prevent this from being a useful attack vector is by
> configuring the *client* to exclusively talk EAP-pwd with any server it
> encounters.
Yes, full ack in principle.
But the current problem largely arises from the fact that users do
configure their device by typing in their username and password,
but leave everything else on default. If only EAP-PWD worked in your
environment, most of them would naturally configure the EAP method, too.

Reality is this: Even with my much praised requirement of an anonymous
outer ID, _some_ guys do configure nonsense so the device won't work,
but nonetheless type in a password which can be harvested by an attacker.
We have seen these cases in the investigation, just as you can see people
passing their password to friends.
I guess a private key is much less error-prone here;
the "overhead" associated with its use is probably
a good thing.

Regards, Martin

--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly AT HRZ.Uni-Marburg.DE
D-35032 Marburg

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
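The failure mode Martin describes above, a profile where the user typed a username and password and left server validation at its defaults, can be spotted mechanically before a device ever associates. The script below is an added example, not code from CAT, from the list, or from either poster: it parses wpa_supplicant-style `network={...}` blocks and flags password-based methods (EAP-TTLS, PEAP) that lack a CA pin, a server name check, an anonymous outer identity, or a pinned inner method. The option names are wpa_supplicant's (`ca_cert`, `domain_suffix_match`, `subject_match`, `anonymous_identity`, `phase2`); the two sample profiles, the realm `example.edu` and the RADIUS server name are constructed for the demonstration.

```python
"""Audit wpa_supplicant-style eduroam profiles for password-based EAP
methods configured without server validation.  Added example; the
config text below is constructed, not a real institution's profile."""
import re

# Constructed sample: a hand-typed profile next to a CAT-style hardened one.
SAMPLE_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="student@example.edu"
    password="hunter2"
}

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="student@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="hunter2"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
"""

# Methods that carry a reusable password inside the TLS tunnel; these are the
# ones where a rogue server with an accepted certificate harvests credentials.
PASSWORD_METHODS = {"TTLS", "PEAP"}


def parse_networks(text):
    """Return one dict per network={...} block, with quotes stripped from values."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        blocks.append(entry)
    return blocks


def audit_network(net):
    """Return a list of findings for one block; an empty list means nothing flagged."""
    findings = []
    # 'eap' is a space-separated list of allowed methods in wpa_supplicant.
    methods = {m.upper() for m in net.get("eap", "").split()}
    if not methods & PASSWORD_METHODS:
        return findings  # EAP-TLS / EAP-pwd profiles are outside this check
    if "ca_cert" not in net:
        findings.append("no ca_cert: any server certificate is accepted")
    if "domain_suffix_match" not in net and "subject_match" not in net:
        findings.append("no server name check: any cert from the trusted CA is accepted")
    if "anonymous_identity" not in net:
        findings.append("no anonymous outer identity: real username is sent unprotected")
    if "phase2" not in net:
        findings.append("no pinned inner method: server chooses the phase-2 method")
    return findings


def audit_config(text):
    """Audit every network block in a config string; returns a list of finding lists."""
    return [audit_network(n) for n in parse_networks(text)]


if __name__ == "__main__":
    for i, findings in enumerate(audit_config(SAMPLE_CONF)):
        print(f"network {i}: {'ok' if not findings else 'flagged'}")
        for f in findings:
            print("  -", f)
```

The first block is what a user produces by typing only identity and password; it yields four findings. The second is the shape a CAT installer writes, and passes. Note that `anonymous_identity` only hides the real username from the outer exchange; it is `ca_cert` together with `domain_suffix_match` that stops the password from reaching a server the institution does not run.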



