cat-users - Re: [[cat-users]] Denying Eduroam access without using the CAT tool

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Chris Phillips <Chris.Phillips AT canarie.ca>
  • To: Paul Jackson <pjackson AT ocadu.ca>, Martin Pauly <pauly AT hrz.uni-marburg.de>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Denying Eduroam access without using the CAT tool
  • Date: Wed, 19 Oct 2022 16:08:35 +0000
  • Accept-language: en-US

Hi @Paul,

Sharing on the list, happy to discuss off-list as well, let us know at tickets AT canarie.ca.

For the question on how to deny poorly/insufficiently configured eduroam devices:


OCADU’s profile uses the specific outerid already and is well positioned to take advantage of Tomasz’ specific outerid recommendation.

As Canada’s eduroam roaming operator we have been working with all sites in Canada to have their CAT profile updated to this style for quite a while.

The next step is to set your RADIUS server to *ONLY* authenticate authN requests possessing the appropriate outerid and issuing access-rejects to all others.

NPS guidance is here BTW: https://www.canarie.ca/document/enabling-anonymous-outer-identity-with-eduroam-cat-and-nps/


As people have mentioned, hand crafting settings is possible but it’s tough and we do not recommend it. It’s too high maintenance, not sustainable, and tough to support well.

We recommend the tools like CAT.eduroam.org and geteduroam.app for the best UX. With the OCADU profile, these should work out of the box.

If there’s a specific gap in the tools like CAT or geteduroam.app, we’re eager to hear about it to better understand the challenges.

Thanks and hope this helps!

Chris.

From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org> on behalf of Paul Jackson <cat-users AT lists.geant.org>
Date: Wednesday, October 19, 2022 at 10:52 AM
To: Martin Pauly <pauly AT hrz.uni-marburg.de>, cat-users AT lists.geant.org <cat-users AT lists.geant.org>
Subject: RE: [[cat-users]] Denying Eduroam access without using the CAT tool

Thanks Tomasz - I'll look into that.

Martin, I'm the Eduroam admin for OCADU. We don't currently push the CAT tool due to issues with the user experience of the app. We may merge our main campus SSID with Eduroam and require users use the app.

Paul

-----Original Message-----
From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org> On Behalf Of Martin Pauly
Sent: Tuesday, October 18, 2022 5:38 PM
To: cat-users AT lists.geant.org
Subject: Re: [[cat-users]] Denying Eduroam access without using the CAT tool

On 18.10.22 22:44, Tomasz Wolniewicz (via cat-users Mailing List) wrote:
> One way (not completely watertight) is to set some special (not
> obvious) outer identity and require that all authentications have it.
> Of course users can set the same manually, but this requires some
> knowledge and what you really want to exclude are users who just
> connect providing username and password.

... and most probably do not enable the all-essential certificate check.
This has been a huge security gap on thousands of (mainly Android) devices for over a decade.
Happily, the BIG problem is going away because Google agreed to a standards change and is removing the "CA: do not validate" option from all current Android devices.
If you know how to get things straight manually, get the Android profile of ocadu.ca from CAT, run xmltidy on it, extract the information and set up your supplicant. Or let the app do the job, it's better at that than most humans. Or ask their helpdesk. What manufacturer and Android version do you have?

Martin

Attachment: smime.p7s
Description: S/MIME cryptographic signature
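The thread's approach, accept only the CAT-provisioned outer identity and reject everything else, as an added example that is not code from CANARIE, GEANT or any RADIUS product: it dry-runs the policy over constructed RADIUS-style log lines so an operator can see how many devices would be rejected before switching the server to enforce it. The realm, the outer-identity value and the log line format are assumptions.

```python
"""Dry-run of the 'accept only the CAT-provisioned outer identity' policy
described in the thread. Added example, not code from CANARIE, GEANT or any
RADIUS server; the realm, outer-identity value and log lines are constructed."""
import re
from collections import Counter

HOME_REALM = "example.edu"             # constructed; stands in for the home realm
REQUIRED_OUTER_USER = "cat-anon-7f3k"  # constructed non-obvious outer id (user part)

def split_nai(identity: str):
    """Split an NAI 'user@realm' (RFC 7542); realm is '' when absent."""
    user, sep, realm = identity.strip().rpartition("@")
    return (identity.strip(), "") if not sep else (user, realm.lower())

def check_outer_identity(outer_identity: str) -> tuple[bool, str]:
    """Return (accept, reason) for the outer User-Name of an Access-Request."""
    user, realm = split_nai(outer_identity)
    if realm != HOME_REALM:
        return False, "foreign-or-missing-realm"
    if user != REQUIRED_OUTER_USER:
        # A real username here means a hand-configured supplicant, which is
        # exactly the class of device (often without CA validation) to exclude.
        return False, "non-cat-outer-id"
    return True, "ok"

# Constructed RADIUS-style log lines: one Access-Request per line.
SAMPLE_LOG = """\
Access-Request User-Name="cat-anon-7f3k@example.edu" Calling-Station-Id="AA-BB-CC-00-00-01"
Access-Request User-Name="alice@example.edu" Calling-Station-Id="AA-BB-CC-00-00-02"
Access-Request User-Name="cat-anon-7f3k@EXAMPLE.EDU" Calling-Station-Id="AA-BB-CC-00-00-03"
Access-Request User-Name="bob" Calling-Station-Id="AA-BB-CC-00-00-04"
Access-Request User-Name="cat-anon-7f3k@other.edu" Calling-Station-Id="AA-BB-CC-00-00-05"
"""
LINE_RE = re.compile(r'User-Name="([^"]*)" Calling-Station-Id="([^"]*)"')

def dry_run(log_text: str) -> dict:
    """Count, per reason, the requests enforcement would reject, and list the
    affected devices, so the impact is known before the server is set to reject."""
    outcome = Counter()
    rejected_devices = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        accept, reason = check_outer_identity(m.group(1))
        outcome[reason] += 1
        if not accept:
            rejected_devices.append((m.group(2), reason))
    return {"counts": dict(outcome), "rejected": rejected_devices}

if __name__ == "__main__":
    print(dry_run(SAMPLE_LOG))
```

Realm comparison is case-insensitive, as NAI realms are; the user part is compared exactly, since that is the value the CAT profile provisions.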
