
cat-users - Re: [[cat-users]] Denying Eduroam access without using the CAT tool

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Martin Pauly <pauly AT hrz.uni-marburg.de>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Denying Eduroam access without using the CAT tool
  • Date: Tue, 18 Oct 2022 23:37:31 +0200

On 18.10.22 22:44, Tomasz Wolniewicz (via cat-users Mailing List) wrote:
> One way (not completely watertight) is to set some special (not
> obvious) outer identity and require that all authentications have it.
> Of course users can set the same manually, but this requires some
> knowledge and what you really want to exclude are users who just
> connect providing username and password.

... and most probably do not enable the all-essential certificate check.
This has been a huge security gap on thousands of (mainly Android) devices
for over a decade.
Happily, the BIG problem is going away because Google agreed to a standards
change and is removing the "CA: do not validate" option from all current
Android devices.
If you know how to get things straight manually, get the Android profile of
ocadu.ca from CAT, run xmltidy on it, extract the information and set up your
supplicant. Or let the app do the job, it's better at that than most humans.
Or ask their helpdesk. What manufacturer and Android version do you have?

Martin
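
An added example, not part of the original message: a small audit of a manually written supplicant configuration for the two points raised above, the server certificate check and the required outer identity. It assumes the supplicant is wpa_supplicant (the thread does not say which one is in use); the sample configuration, realm, file path and outer identity value are constructed.

```python
# Constructed sample in wpa_supplicant.conf syntax (not from the thread).
SAMPLE_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.org"
    password="constructed-password"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="bob@example.org"
    anonymous_identity="cat-7f3a@example.org"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=PAP"
}
"""
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    networks, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def audit(net, required_outer):
    """List the problems of one 802.1X network block; empty list means OK."""
    if "eap" not in net:
        return []  # not an EAP network, nothing to check here
    findings = []
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no CA set: server certificate is not validated")
    if not any(net.get(k) for k in NAME_CHECKS):
        findings.append("no server name check: any certificate from the CA passes")
    if net.get("anonymous_identity") != required_outer:
        findings.append("outer identity is not the required %r" % required_outer)
    return findings

if __name__ == "__main__":
    for n in parse_networks(SAMPLE_CONF):
        print(n["identity"], audit(n, "cat-7f3a@example.org") or "OK")
```

The first block is the "just username and password" case: it has no CA, no server name constraint and no outer identity, so all three findings are reported, while the second block passes.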


