cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] Apple Proxy Settings

From: Stefan Winter <stefan.winter AT restena.lu>
To: "Higgs, Russell" <Russell.Higgs AT city.ac.uk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
Subject: Re: [[cat-users]] Apple Proxy Settings
Date: Mon, 22 Nov 2021 11:26:05 +0100

Hello!

The configs that are pushed out to eduroam users need to work world-wide on all the hotspots out there. I.e. provisioning a profile with "Off" means the users are DoSed on every network that does deploy a transparent proxy (which is allowed per policy, and seen in the field). It is therefore not helpful to make this configurable.

The proper fix is to make the local network reply to auto-config requests with the reply "no proxy here" (using a DHCP option "WPAD"). (Any network should reply to such requests as a matter of security best practices anyway, if for no other reason than to prevent Microsoft client devices from asking at insecure places in the DNS hierarhcy where some third-party might "generously" implant them a proxy setting). Wikipedia is a good start: https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Protocol (read especially the Security section!)

Greetings,

Stefan Winter

Am 22.11.21 um 11:03 schrieb Higgs, Russell:

We have same issue, and we can’t find any setting to change this either. I downloaded the profile for another University during testing, which seems to have the same settings and indicate it’s possibly not configurable. For now, we’ve had to update our instructions to the users to tell them to turn this setting off which is still an inconvenience as not all users see this instruction.

Thanks

Russell Higgs

Senior Network Analyst, Information Technology

City, University of London

Northampton Square

London EC1V 0HB

T: +44 (0)20 7040 8199

M: +44 (0)7391 868225

www.city.ac.uk

From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org> On Behalf Of Perry, Matthew
Sent: 16 November 2021 13:51
To: cat-users AT lists.geant.org
Subject: [[cat-users]] Apple Proxy Settings

CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and believe the content to be safe.

We have recently noticed that the cat installer is setting the Proxy Settings on apple products both iOS and MacOS to Automatic. This seems to be suddenly breaking those devices from working until the user goes in can manually edits this setting to Off. Am I missing a setting in the ieduroam Configuration Tool? I don’t have any proxy setting set in there. I tried setting the “Mandatory Content Filtering Proxy” to off but it looks like that only accepts and IP address as a value.

Thanks,

Matthew Perry

Lesley University

Network Systems Engineer

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

[[cat-users]] Apple Proxy Settings, Perry, Matthew, 11/16/2021
- RE: [[cat-users]] Apple Proxy Settings, Higgs, Russell, 11/22/2021
  - Re: [[cat-users]] Apple Proxy Settings, Stefan Winter, 11/22/2021
  - RE: [[cat-users]] Apple Proxy Settings, Perry, Matthew, 11/22/2021
    - RE: [[cat-users]] Apple Proxy Settings, Daniel Sheppard, 11/22/2021
      - RE: [[cat-users]] Apple Proxy Settings, Daniel Sheppard, 11/24/2021