cat-users - Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Paul Dekkers <paul.dekkers AT surf.nl>
  • To: Timothée Peraldi <Timothee.Peraldi AT etu.univ-paris1.fr>
  • Cc: Tony Skalski <ajs AT stolaf.edu>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?
  • Date: Fri, 7 Oct 2022 08:55:06 +0200

Hi,

Thanks for making those screenshots and performing tests. Let's get to the bottom of this;

There are differences in Windows 11 Professional and Enterprise; and I believe it's only Enterprise that enables Credential Guard by default. You can see this in "System Information" (or msinfo32.exe) at the bottom of the list in "Virtualization-based security services configured" and "Virtualization-based security services running". It should list "Credential Guard" if it's enabled.

You can also run this in powershell:

(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning

and if the result is 0, you're not on CredentialGuard.

So what could be at play is that you're seeing the TLS 1.3 issue, because Microsoft changed 2 things at the same time for eduroam... I sent you a separate mail with a username/password and I hope you are so kind to test this account on this particular client. I'm sure this account works with TLS 1.3.

The TLS 1.3 issue means that some Identity Providers are not compatible with clients trying to do TLS 1.3 authentication: the authentication then fails, and it doesn't try to fall back to TLS 1.2. This is something that can be resolved by an upgrade at the IdP. With the proper configuration, clients do fall back to TLS 1.2.

Regards,
Paul


On 06/10/2022 18:10, Timothée Peraldi wrote:
Hi Tony and Paul,
Here are some screenshots of the issue:
 
The system configuration :
http://tim.othee.fr/temp/eduroam_system_config.png
Please note that I have the Professional edition of Windows 11, and not the Enterprise one (but I believe those mostly share the same security policies?).
 
When I try to connect to eduroam, it asks me for my username and password ("an action is required"), then it says "we couldn't connect to this network":
http://tim.othee.fr/temp/eduroam_trying_to_connect.png
If I try again, it will ask for my password again, and so on and so on.
 
I have also tried the geteduroam app, but it says "unable to connect to eduroam", then sends me back the same "couldn't connect to this network" error:
http://tim.othee.fr/temp/geteduroam_not_working.png
 
For reference, here is a screenshot of eduroam working normally on Android 12, with the same login and at the exact same place:
http://tim.othee.fr/temp/eduroam_working_android12.jpeg
 
Please let me know if you need any additional information.
 
Have a great day,
Timothée


Paul Dekkers <paul.dekkers AT surf.nl> a écrit :

Hi,

If someone has more experience with Credential Guard and/or this Windows update, I'd love to find out. If true, we may need to write up an advisory, but it will affect a lot of people.

So far, it looks like this affects Windows Enterprise edition users (maybe Timothée can confirm?) and it would be a rolling update: so some already get it, others may not yet.

There is word about some Cumulative Updates fixing some of the "save credentials" issues for users, but it's unclear to me if that resolves the PEAP-MSCHAPv2 authentication for users that entered the credentials manually, and did not get them via "AD user credentials".

If this truly affects all PEAP-MSCHAPv2 authentications on Windows, and the majority of our users has Enterprise editions for Windows, we need to investigate what options still work.

Timothée; could you in fact check if geteduroam for Windows would work? We have some reports of a strange error, maybe this is actually related. You could download from https://www.geteduroam.app/

Regards,
Paul

 

On 05/10/2022 18:20, Tony Skalski (via cat-users Mailing List) wrote:
Credential Guard is reportedly on by default in the latest W11 update (have not confirmed this myself). This will block the use of NTLM hashes and will prevent EAP-PEAP from working.

On Wed, Oct 5, 2022 at 10:29 AM Timothée Peraldi <cat-users AT lists.geant.org> wrote:
Hello,
I have updated my computer to the 22H2 update of Windows 11, that was 
released yesterday by Microsoft.
   
Since then, I cannot connect my computer to eduroam. My other devices 
(Android 12, ChromeOS) still work fine, and other WiFi networks still 
work on this computer.
   
I've tried uninstalling and reinstalling CAT but it still won't connect.
   
I just checked on Reddit and I'm seeing a few other similar threads, 
all posted in the last few days.
Is this a widespread issue?
   
Have a great day,
Timothée

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

 
--
Tony Skalski (he/him/his)
System Administrator | IT
Office: 507-786-3227
1510 St. Olaf Avenue Northfield, MN 55057

 
To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users
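
Added example, not part of any message in this thread: a PowerShell report built on the Win32_DeviceGuard query quoted above, decoding the numeric service codes and showing the Windows edition alongside them, so a help desk can tell a Credential Guard client from one that is more likely hitting the TLS 1.3 issue. The code-to-name mapping follows Microsoft's documented values for this class; the helper name ConvertTo-ServiceName is hypothetical.

```powershell
# Added example (not from the thread). Value meanings follow Microsoft's
# documentation for Win32_DeviceGuard; anything else is reported as unknown.
$serviceNames = @{
    0 = 'None'
    1 = 'Credential Guard'
    2 = 'Memory integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}
$vbsStates = @{
    0 = 'VBS not enabled'
    1 = 'VBS enabled but not running'
    2 = 'VBS enabled and running'
}

# Hypothetical helper: turn the array of service codes into readable names.
function ConvertTo-ServiceName {
    param([uint32[]]$Codes)
    if ($null -eq $Codes -or $Codes.Count -eq 0) { return 'None' }
    foreach ($c in $Codes) {
        if ($serviceNames.ContainsKey([int]$c)) { $serviceNames[[int]$c] }
        else { "Unknown ($c)" }
    }
}

$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace root\Microsoft\Windows\DeviceGuard
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# SecurityServicesRunning is an array: a machine can report 2 (HVCI) without 1,
# so test for the Credential Guard code explicitly rather than for "non-zero".
[pscustomobject]@{
    Edition            = $os.Caption
    Build              = $os.BuildNumber
    VbsStatus          = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured = (ConvertTo-ServiceName $dg.SecurityServicesConfigured) -join ', '
    ServicesRunning    = (ConvertTo-ServiceName $dg.SecurityServicesRunning) -join ', '
    CredentialGuardOn  = [bool]($dg.SecurityServicesRunning -contains 1)
} | Format-List
```

A client showing CredentialGuardOn = False that still fails PEAP-MSCHAPv2 on 22H2 is a candidate for the TLS 1.3 interoperability problem at the IdP instead.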




