Skip to Content.

cat-users - Re: [[cat-users]] Eduroam : Password Update

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive


Re: [[cat-users]] Eduroam : Password Update


Chronological Thread 
    < Chronological >      < Thread >
  • From: ALBRIZIO DANIELE <albrizio AT units.it>
  • To: "Philippe.Taurines AT crous-toulouse.fr" <Philippe.Taurines AT crous-toulouse.fr>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Eduroam : Password Update
  • Date: Wed, 24 Jan 2024 11:00:21 +0000
  • Accept-language: it-IT, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=units.it; dmarc=pass action=none header.from=units.it; dkim=pass header.d=units.it; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=uN9LHG66GwayNGZvvmI9YLXSFPWYLSsFD9WLrdw3kEk=; b=mSp6jbeCvK2TRdl50/769caISKpn40AnQaM0oTiUREKvkWFpACvWAzY8Hiet1QEpKciJAMX4zQTgIJIOEG1CkyS8CoU6TX0Z2GWKUyN2/ke98EcY/a/N6PWuASKrnmxa2eDLsWt6Q6hoVkH/S+S7fw5Dbb2NmyDYG2NA5lHbAztdNtoOmnt7MG7XHpXnzKRsicFC31ZmAy1wqMBPPzBFAvqWg6FN5SS0ilPlLJkMJjE5iBsz9sfLke+KZ1dQMAp8ScM2JUgBfHDhYz3o4LIYXKNCpgxpxHByTJeeYzhgd35CJY/Cawvvx6MpeJSNSo5XRIWY1RzhuypxrX3p3CYeaA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=B4vn+6rsg0rCMAETglqL2ulPiMqdAgZHiA9bIotqx5FIKLMdaU2unurfufQqxwRWf2ff/BvwoOtNPAw00xPOBChK2PMZzjAMLC252LkfSkPCaneWOUvPWSlct6okANCLK1j0985oLih4elJDznJPrkrFyzmCpp3VOxeg64KyRxyYslgcS5oW9GYcTDq2FTTRGtLWsAfRtbL6lZIFEtmdKST31ReOeazcviMiy9CFlkxXU9kXzNFHzM+xC7FDLbil8j6JzjJMYHLVJ042Gbe7nvvl3BBR5Mq9afaZi69KCaxjKb/J9/dyl71Nhvn8Xu48nJLuf7cBRuALHAil3fOOOA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=units.it;

Normally, in the chain of directories, password repositories, authentication middleware, etc. you lose the information about the reason the authentication fails.
This results in a 0 or 1 condition of authentication success or authenticatio fail. There are some radius attributes you can use out-of-standards to report about reasons, but since is an out of standardization use, this will not be grabbed by clients (supplicants).

This scenario is typically a lot different from a simple WPA passphrase authentication.

What I assume as an oversemplification (that means complication) of the scenario is also the operating system behaviour of re-requesting for secrets when something goes wrong such as:

- Temporary Timeouts (backends, radius hierarchy, ...)
- Errors in wifi (low signal and subsequents retransmission and timeouts)
- Wrong/unsupported authentication mechanisms
- TLS version mismatch and implementation issues
- ...

All those reasons should not lead to re-asking the user for password (default behaviour on windows and other os).

Users forget and unknowingly mistype their passwords. This leads to a worse user experience perception (think about retyping password due to a home server temporary unreachability).

The profile re-installation is a safer and better solution for what I understand.



On Wed, 2024-01-24 at 08:17 +0000, Philippe Taurines wrote:

Why would this be specific to the operation of Windows and not eduroam?

 

Because when connecting to an access point with a simple SSID such as “WPA2 PSK”, Window asks you to re-enter the password security key.

 

Which would suggest that in WPA2-Enterprise / AES / PEAP mode it behaves differently?

 

This could not be due to the fact that the Freeradius server does not indicate to the Windows client that the password is invalid?

 

Good day

 

De : Tomasz Wolniewicz <twoln AT umk.pl>
Envoyé : mardi 23 janvier 2024 16:43
À : Philippe Taurines <Philippe.Taurines AT crous-toulouse.fr>; cat-users AT lists.geant.org
Objet : Re: [[cat-users]] Eduroam : Password Update

 

Unfortunately this is how Windows works now, if you run the installer again it will remove the profile and install everything again. You could also "forget" the eduroam network, but this would result in the same thing - the need to run the installer again.

Yours

Tomasz Wolniewicz

 

W dniu 23.01.2024 o 16:07, Philippe Taurines (via cat-users Mailing List) pisze:

Good morning,

 

After eduroam configuration of the Windows machine (10/11) via “eduroamCAT” or “geteduroam”, the connection works.

 

On the other hand, when our users change the password in our directory, they are refused the connection.

 

But the Windows client never offers to enter the new password, so there are two questions belows:

 

• Why this behavior?

• How to force Windows clients to ask for the new password?

 

Sincerely,

 

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

--

Daniele Albrizio
Ufficio Reti e telefonia | ICT - Phone and Network Management
Università degli Studi di Trieste | University of Trieste
Via Alfonso Valerio 12 - 34127 Trieste (Italy)
daniele.albrizio AT units.it
Tel. | Ph. +39 040 558 3319
Ufficio Reti e telefonia | ICT - Phone and Network Management
Tel. | Ph. +39 040 558 3331

Archive powered by MHonArc 2.6.24.

Top of Page