cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Paul Dekkers <paul.dekkers AT surf.nl>
- To: Timothée Peraldi <Timothee.Peraldi AT etu.univ-paris1.fr>
- Cc: Tony Skalski <ajs AT stolaf.edu>, cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?
- Date: Fri, 7 Oct 2022 08:55:06 +0200
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=surf.nl; dmarc=pass action=none header.from=surf.nl; dkim=pass header.d=surf.nl; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=TFsT6TgUK2Ukuid9CzwEgNx5Y0FwydCcSiYRoGtQzUo=; b=C9riEQL3yHowQ0KUwvgOIlIYQgtoT5k/uDHrwa+vbL9QZeZT/J3MzWhkpRxa6ncpnMgWpsqjENiNHo6BwYsuYXl1OFtotoFheEb7KfWXo1MK9W7GBa/dc9yowD8scf57BVn6mpFfni5HIjW3Gxh8bw0CdJhobt74vSP7VKVHnOMzrYSKOE6PMXW+V7rq08GMqSSjzjj7uwXMCFyBLQctds/7SK8fHYs2+Sr9rTCWhw7M8xtjxS8rcMzu60M4j4vQrtoudwxNiVUnJaaNLdYC89MsP39mW9qGvhh+R4Hrokvj5KMf2s+bnQQnoGkNrtuphTLIEveOmo/aoHFMSxi2/A==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=lk9fGbcE+bzrbcSyjMZvOAH5i6VcQE5038BIDoRpnVlaTlxfUJTBogAGtQQE71lpqUx+dOMn2KydpIkfN0FTCXeV2xJ+GigrZe+KXl+CngjRisCzvfjsJ0bArnOxJtlasM7Wqvh/kzB9aI+9qnxmucS4lOlQUPrsE21rdcvv+6XRsBDuDxpAAJa+159Kowb1HPzj87hH0P5MAQdsRZbqH18F0soyV+NIVxWD3bnMn56tLqg5Mi8WAcjzhhHppVCnADCqkZRJ7zQu9JUG2+hdjOVqtAoPfziavrnXeCq2VNLuEzUfnU6QM/XS7n4XfO7stsAn75euY+gZgzIycztZmA==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=surf.nl;
Hi,
Thanks for making those screenshots and performing tests. Let's get to the bottom of this;
There are differences in Windowws 11 Professional and Enterprise; and I believe it's only Enterprise that enables Credential Guard by default. You can see this in "System Information" (or msinfo32.exe) at the bottom of the list in "Virtualization-based security services configured" and "Virtualization-based security services running". It should list "Credential Guard" if it's enabled.
You can also run this in powershell:
(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace
root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
and if the result is 0, you're not on CredentialGuard.
So what could be at play is that you're seeing the TLS 1.3 issue; Because Microsoft changed 2 things at the same time for eduroam... I sent you a separate mail with a username/password and I hope you are so kind to test this account on this particular client. I'm sure this account works with TLS 1.3
The TLS 1.3 issue means that some Identity Providers are not
compatible with clients trying to do TLS 1.3 authentication: and
the authentication then fails, it doesn't try to fallback to TLS
1.2. This is something that can be resolved by an upgrade at the
IdP. With the proper configuration, clients do fallback to TLS
1.2.
Regards,
Paul
20221006181048.Horde.GC3ROiatO9sEtl3J1Tjrg4a AT courrier-etu.univ-paris1.fr">Hi Tony and Paul,Here are some screenshots of the issue:The system configuration :Please note that I have the Professional edition of Windows 11, and not the Entreprise one (but I believe those mostly share the same security policies?).When I try to connect to eduroam, it asks me for my username and password ("an action is required"), then it says "we couldn't connect to this network":If I try again, it will ask for my password again, and so on and so on.I have also tried the geteduroam app, but it says "unable to connect to eduroam", then sends me back the same "couldn't connect to this network" error:For reference, here is a screenshot of eduroam working normally on Android 12, with the same login and at the exact same place:Please let me know if you need any additional information.Have a great day,Timothée
Paul Dekkers <paul.dekkers AT surf.nl> a écrit :Hi,
If someone has more experience with Credential Guard and/or this Windows update, I'd love to find out. If true, we may need to write up an advisory, but it will affect a lot of people.
So far, it looks like this affects Windows Enterprise edition users (maybe Timothée can confirm?) and it would be a rolling update: so some already get it, others may not yet.
There is word about some Cumulative Updates fixing some of the "save credentials" issues for users, but it's unclear to me if that resolves the PEAP-MSCHAPv2 authentication for users that entered the credentials manually, and did not get them via "AD user credentials".
If this truely affects all PEAP-MSCHAPv2 authentications on Windows, and the majority of our users has Enterprise editions for Windows, we need to investigate what options still work,
Timothée; could you in fact check if geteduroam for Windows would work? We have some reports of a strange error, maybe this is actually related. You could download from https://www.geteduroam.app/
Regards,
Paul
On 05/10/2022 18:20, Tony Skalski (via cat-users Mailing List) wrote:CAO7ix5keWHv1bqbKf-f0_oDZcUXJra1Wq3ftb2-QZF8kxh-spA AT mail.gmail.com">Credential Guard is reportedly on by default in the latest W11 update (have not confirmed this myself). This will block the use of NTLM hashes and will prevent EAP-PEAP from working.
On Wed, Oct 5, 2022 at 10:29 AM Timothée Peraldi <cat-users AT lists.geant.org> wrote:Hello,
I have updated my computer to the 22H2 update of Windows 11, that was
released yesterday by Microsoft.
Since then, I cannot connect my computer to eduroam. My other devices
(Android 12, ChromeOS) still work fine, and other WiFi networks still
work on this computer.
I've tried uninstalling and reinstalling CAT but it still won't connect.
I just checked on Reddit and I'm seeing a few other similar threads,
all posted in the last few days.
Is this a widespread issue?
Have a great day,
Timothée
To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users
--
To unsubscribe, send this message: MailScanner soupçonne le lien suivant d'être une tentative de fraude de la part de "lists.geant.org" MailScanner soupçonne le lien suivant d'être une tentative de fraude de la part de "lists.geant.org" mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-usersTony Skalski (he/him/his)System Administrator | ITOffice: 507-786-32271510 St. Olaf Avenue Northfield, MN 55057
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users
- [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Timothée Peraldi, 10/05/2022
- Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Tony Skalski, 10/05/2022
- Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Paul Dekkers, 10/05/2022
- Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Timothée Peraldi, 10/06/2022
- Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Paul Dekkers, 10/07/2022
- Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Timothée Peraldi, 10/07/2022
- Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Paul Dekkers, 10/07/2022
- Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Tomasz Wolniewicz, 10/07/2022
- Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Stefan Winter, 10/10/2022
- Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Vittorio Gambaletta, 10/10/2022
- Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Christina Klam, 10/11/2022
- Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Paul Dekkers, 10/07/2022
- Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Timothée Peraldi, 10/07/2022
- Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Paul Dekkers, 10/07/2022
- Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Timothée Peraldi, 10/06/2022
- Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Paul Dekkers, 10/05/2022
- Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Tony Skalski, 10/05/2022
- Message not available
- Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Daniel Dittrich, 10/06/2022
- Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Paul Dekkers, 10/06/2022
- Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?, Daniel Dittrich, 10/06/2022
Archive powered by MHonArc 2.6.19.