cat-users - Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Windows 11 22H2 update breaks CAT eduroam?
  • Date: Mon, 10 Oct 2022 08:33:50 +0200

Hi all,


I have run connectivity tests from cat-test.eduroam.org for the realm univ-paris1.fr and I see that the negotiated TLS version is 1.2


Thanks for having run such extensive diagnostics so far, for ruling out Credential Guard, TLS 1.3 server-side and TLS 1.2 client-side as certainly being not the issue.


What remains is to figure out which TLS server-side in combination with TLS 1.3 client-side on Windows 11 22H2 is causing the trouble. I think what we can say with some certainty is that the newest FreeRADIUS servers (3.0.26 and 3.2.0+) handle TLS 1.3 correctly. I also recall seeing issues in TLS 1.3 server-side in earlier versions of FreeRADIUS but can't say which ones exactly, and which configurations are affected.


So, as more people find this particular issue, it would be very nice if you could share which RADIUS server product and version you deploy on your servers. Ideally, not only if you have issues with Win 22H2 and TLS 1.3, but also if things work fine on that OS: being able to exclude products, versions and configurations is also helping.


Finally, this looks like neither a CAT nor geteduroam specific problem then.


Greetings,


Stefan Winter


Tomasz


On 07.10.2022 at 12:44, Paul Dekkers (via cat-users Mailing List) wrote:

Hi,

Glad we tested this; this indeed means you're not affected by Credential Guard (may still apply to others), but since your Windows update your client now tries to negotiate TLS 1.3, and the RADIUS servers of your university don't handle that properly, and there is thus no fallback to TLS 1.2.

If you have contacts with your university IT desk, I guess it makes sense to inform them: you can now exactly indicate what the issue is.

Now I hope we can still find someone where Credential Guard is indeed the issue, so we can get more clarity on that.

Regards,
Paul


On 07/10/2022 12:39, Timothée Peraldi wrote:

Hi there!

I've run the tests you've asked me:
 
- This command line in PowerShell gives me 0 as an answer, so it seems like I'm not on Credential Guard.
 
- I've installed eduroam again (with the CAT installer) with the login you've sent me, and it works! So I guess the issue is with my university's configuration.
 
Should I forward this conversation to my university's IT desk to get them to fix this? I've seen on Twitter that other people are having the same issue after updating Windows in other French universities.
 
Thank you for your help,
Timothée

Paul Dekkers <paul.dekkers AT surf.nl> wrote:

Hi,

Thanks for making those screenshots and performing tests. Let's get to the bottom of this;

There are differences in Windows 11 Professional and Enterprise; and I believe it's only Enterprise that enables Credential Guard by default. You can see this in "System Information" (or msinfo32.exe) at the bottom of the list in "Virtualization-based security services configured" and "Virtualization-based security services running". It should list "Credential Guard" if it's enabled.

You can also run this in PowerShell:

(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning

and if the result is 0, you're not on Credential Guard.

So what could be at play is that you're seeing the TLS 1.3 issue, because Microsoft changed 2 things at the same time for eduroam... I sent you a separate mail with a username/password and I hope you are so kind to test this account on this particular client. I'm sure this account works with TLS 1.3.

The TLS 1.3 issue means that some Identity Providers are not compatible with clients trying to do TLS 1.3 authentication: and the authentication then fails, it doesn't try to fallback to TLS 1.2. This is something that can be resolved by an upgrade at the IdP. With the proper configuration, clients do fallback to TLS 1.2.

Regards,
Paul

 

On 06/10/2022 18:10, Timothée Peraldi wrote:
Hi Tony and Paul,
Here are some screenshots of the issue:
 
The system configuration :
http://tim.othee.fr/temp/eduroam_system_config.png
Please note that I have the Professional edition of Windows 11, and not the Enterprise one (but I believe those mostly share the same security policies?).
 
When I try to connect to eduroam, it asks me for my username and password ("an action is required"), then it says "we couldn't connect to this network":
http://tim.othee.fr/temp/eduroam_trying_to_connect.png
If I try again, it will ask for my password again, and so on and so on.
 
I have also tried the geteduroam app, but it says "unable to connect to eduroam", then sends me back the same "couldn't connect to this network" error:
http://tim.othee.fr/temp/geteduroam_not_working.png
 
For reference, here is a screenshot of eduroam working normally on Android 12, with the same login and at the exact same place:
http://tim.othee.fr/temp/eduroam_working_android12.jpeg
 
Please let me know if you need any additional information.
 
Have a great day,
Timothée


Paul Dekkers <paul.dekkers AT surf.nl> wrote:

Hi,

If someone has more experience with Credential Guard and/or this Windows update, I'd love to find out. If true, we may need to write up an advisory, but it will affect a lot of people.

So far, it looks like this affects Windows Enterprise edition users (maybe Timothée can confirm?) and it would be a rolling update: so some already get it, others may not yet.

There is word about some Cumulative Updates fixing some of the "save credentials" issues for users, but it's unclear to me if that resolves the PEAP-MSCHAPv2 authentication for users that entered the credentials manually, and did not get them via "AD user credentials".

If this truly affects all PEAP-MSCHAPv2 authentications on Windows, and the majority of our users have Enterprise editions of Windows, we need to investigate what options still work.

Timothée, could you in fact check if geteduroam for Windows would work? We have some reports of a strange error, maybe this is actually related. You could download from https://www.geteduroam.app/

Regards,
Paul

 

On 05/10/2022 18:20, Tony Skalski (via cat-users Mailing List) wrote:
Credential Guard is reportedly on by default in the latest W11 update (have not confirmed this myself). This will block the use of NTLM hashes and will prevent EAP-PEAP from working.

On Wed, Oct 5, 2022 at 10:29 AM Timothée Peraldi <cat-users AT lists.geant.org> wrote:
Hello,

I have updated my computer to the 22H2 update of Windows 11, that was released yesterday by Microsoft.

Since then, I cannot connect my computer to eduroam. My other devices (Android 12, ChromeOS) still work fine, and other WiFi networks still work on this computer.

I've tried uninstalling and reinstalling CAT but it still won't connect.

I just checked on Reddit and I'm seeing a few other similar threads, all posted in the last few days.
Is this a widespread issue?

Have a great day,
Timothée

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

 
--
Tony Skalski (he/him/his)
System Administrator | IT
Office: 507-786-3227
1510 St. Olaf Avenue Northfield, MN 55057
stolaf.edu


-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uniwersyteckie Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika         Nicolaus Copernicus University,
pl. Rapackiego 1, Torun                pl. Rapackiego 1, Torun, Poland
            tel: +48-56-611-2750; mobile: +48-693-032-576
-- 
This email may contain information for limited distribution only, please treat accordingly.

Fondation Restena, Stefan WINTER
Chief Technology Officer
2, avenue de l'Université
L-4365 Esch-sur-Alzette



Archive powered by MHonArc 2.6.19.