cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Paul Dekkers <paul.dekkers AT surf.nl>
- To: Timothée Peraldi <Timothee.Peraldi AT etu.univ-paris1.fr>
- Cc: Tony Skalski <ajs AT stolaf.edu>, cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?
- Date: Fri, 7 Oct 2022 12:44:06 +0200
Hi,
Glad we tested this; this indeed means you're not affected by
Credential Guard (may still apply to others) but since your
Windows update your client now tries to negotiate TLS 1.3 and the
RADIUS servers of your university don't handle that properly and
there is thus no fallback to TLS 1.2.
If you have contacts with your university IT desk, I guess it
makes sense to inform them: you can now exactly indicate what the
issue is.
Now I hope we can still find someone where Credential Guard is
indeed the issue, so we can get more clarity on that.
Regards,
Paul
Hi there!
I've run the tests you've asked me:
- This command line in PowerShell gives me 0 as an answer, so it seems like I'm not on CredentialGuard.
- I've installed eduroam again (with the CAT installer) with the login you've sent me, and it works! So I guess the issue is with my university's configuration.
Should I forward this conversation to my university's IT desk to get them to fix this? I've seen on Twitter that other people are having the same issue after updating Windows in other French universities.
Thank you for your help,
Timothée
Paul Dekkers <paul.dekkers AT surf.nl> wrote:
Hi,
Thanks for making those screenshots and performing tests. Let's get to the bottom of this;
There are differences in Windows 11 Professional and Enterprise; and I believe it's only Enterprise that enables Credential Guard by default. You can see this in "System Information" (or msinfo32.exe) at the bottom of the list in "Virtualization-based security services configured" and "Virtualization-based security services running". It should list "Credential Guard" if it's enabled.
You can also run this in PowerShell:
(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
and if the result is 0, you're not on CredentialGuard.
So what could be at play is that you're seeing the TLS 1.3 issue, because Microsoft changed 2 things at the same time for eduroam... I sent you a separate mail with a username/password and I hope you are so kind to test this account on this particular client. I'm sure this account works with TLS 1.3.
The TLS 1.3 issue means that some Identity Providers are not compatible with clients trying to do TLS 1.3 authentication: the authentication then fails, and it doesn't try to fall back to TLS 1.2. This is something that can be resolved by an upgrade at the IdP. With the proper configuration, clients do fall back to TLS 1.2.
Regards,
Paul
On 06/10/2022 18:10, Timothée Peraldi wrote:
Hi Tony and Paul,
Here are some screenshots of the issue:
The system configuration:
Please note that I have the Professional edition of Windows 11, and not the Enterprise one (but I believe those mostly share the same security policies?).
When I try to connect to eduroam, it asks me for my username and password ("an action is required"), then it says "we couldn't connect to this network":
If I try again, it will ask for my password again, and so on and so on.
I have also tried the geteduroam app, but it says "unable to connect to eduroam", then sends me back the same "couldn't connect to this network" error:
For reference, here is a screenshot of eduroam working normally on Android 12, with the same login and at the exact same place:
Please let me know if you need any additional information.
Have a great day,
Timothée
Paul Dekkers <paul.dekkers AT surf.nl> wrote:
Hi,
If someone has more experience with Credential Guard and/or this Windows update, I'd love to find out. If true, we may need to write up an advisory, but it will affect a lot of people.
So far, it looks like this affects Windows Enterprise edition users (maybe Timothée can confirm?) and it would be a rolling update: so some already get it, others may not yet.
There is word about some Cumulative Updates fixing some of the "save credentials" issues for users, but it's unclear to me if that resolves the PEAP-MSCHAPv2 authentication for users that entered the credentials manually, and did not get them via "AD user credentials".
If this truly affects all PEAP-MSCHAPv2 authentications on Windows, and the majority of our users have Enterprise editions for Windows, we need to investigate what options still work.
Timothée; could you in fact check if geteduroam for Windows would work? We have some reports of a strange error, maybe this is actually related. You could download from https://www.geteduroam.app/
Regards,
Paul
On 05/10/2022 18:20, Tony Skalski (via cat-users Mailing List) wrote:
Credential Guard is reportedly on by default in the latest W11 update (have not confirmed this myself). This will block the use of NTLM hashes and will prevent EAP-PEAP from working.
On Wed, Oct 5, 2022 at 10:29 AM Timothée Peraldi <cat-users AT lists.geant.org> wrote:
Hello,
I have updated my computer to the 22H2 update of Windows 11, that was
released yesterday by Microsoft.
Since then, I cannot connect my computer to eduroam. My other devices
(Android 12, ChromeOS) still work fine, and other WiFi networks still
work on this computer.
I've tried uninstalling and reinstalling CAT but it still won't connect.
I just checked on Reddit and I'm seeing a few other similar threads,
all posted in the last few days.
Is this a widespread issue?
Have a great day,
Timothée
--
Tony Skalski (he/him/his)
System Administrator | IT
Office: 507-786-3227
1510 St. Olaf Avenue Northfield, MN 55057
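Added example, not part of the thread: a PowerShell check built on the Win32_DeviceGuard query quoted above, decoding the "configured" and "running" service lists that msinfo32 shows so that Credential Guard can be ruled in or out before looking at the TLS 1.3 side. The function names are hypothetical; the numeric meanings are taken from Microsoft's documentation of the class, and the property is an array, so a machine running only memory integrity returns 2 and is equally not on Credential Guard.

```powershell
# Added example: decode Win32_DeviceGuard instead of reading raw numbers.
# Code meanings follow Microsoft's documentation for this WMI class.
$ServiceNames = @{
    0 = 'None'
    1 = 'Credential Guard'
    2 = 'Memory integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}

function ConvertTo-ServiceName {
    # Hypothetical helper: map numeric codes to readable names.
    param([int[]]$Codes)
    foreach ($c in $Codes) {
        if ($ServiceNames.ContainsKey($c)) { $ServiceNames[$c] }
        else { "Unknown ($c)" }
    }
}

function Get-CredentialGuardState {
    # Same class and namespace as the one-liner in the thread.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction Stop

    [pscustomobject]@{
        # Matches "Virtualization-based security services configured"
        Configured = (ConvertTo-ServiceName $dg.SecurityServicesConfigured) -join ', '
        # Matches "Virtualization-based security services running"
        Running = (ConvertTo-ServiceName $dg.SecurityServicesRunning) -join ', '
        # True only when code 1 is present in the running list
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
    }
}

try {
    $state = Get-CredentialGuardState
    $state | Format-List
    if (-not $state.CredentialGuardRunning) {
        Write-Output 'Credential Guard is not running on this client.'
    }
}
catch {
    # The class can be missing on editions without Device Guard support.
    Write-Warning "Win32_DeviceGuard query failed: $($_.Exception.Message)"
}
```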