cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

RE: [[cat-users]] Eduroam : Password Update

From: Philippe Taurines <Philippe.Taurines AT crous-toulouse.fr>
To: ALBRIZIO DANIELE <albrizio AT units.it>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
Subject: RE: [[cat-users]] Eduroam : Password Update
Date: Wed, 24 Jan 2024 13:06:19 +0000
Accept-language: fr-FR, en-US
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=crous-toulouse.fr; dmarc=pass action=none header.from=crous-toulouse.fr; dkim=pass header.d=crous-toulouse.fr; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ojyZxVGX5CxAi/nkBywoGKXqlD5F6nOwmlQ0DnsYZ4A=; b=ivi/qE+KcwTnS5dtefe7qu8e4P3OKLBcJYhYHZMinYaS8VcQDqffPqAry1Fq7HYqoYvCv1JWT3Lndka5F751OGl2nmEVR0Im7/iKSaTsayUxdTQEyTKyb/CxvDh9LZR8iZP/szF0W19xjREbYVQ03Hq0TlDPWty2vV18tKKRiMFzoGABCxyy00aNE3fQbOuOqvzoHxZJZJO+035G/HaITa2YhzvDFAmG9wfV8xN1gGH5rRZ+q67qg4OvpGO5QlWswWsy1WOLAVHj7Q/71UCtt+U7VPxFlHZhVHFLl21lDEmgTCqMUMy3rt7eiuoKHvdGXlj8f2bjtNBvj0nkPWJKoA==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PBF8D5rrqL3yMuVXokeeeCUB2aBFBtvhu2MkjT0S62tqYZOw/ZCK39dbslSwv7TcydaKxFf/RGR+XR/TfxG+XdWBUzKMqQ43vnrY8Bc7iBSj/ea7OSSoiQd1S26vRuTsIeaOO7j9R6kuyXVaAWr9yZ7Acn2gbLcCalE5PI6EsR+TRVM24IXKBF1zZjLtFadOyIgCMxk+gF24CWdP6QGot64bpL/hMo4oHe1K/H5i+yegZPMEYl+aYMyQHtyu4ZBAzNtvZFjO3XkagqXwMFG/2o+d8OLaNz8MFCFYBQrkf6a9rrtk9McTQbPPIhE5NRW01kUIPKRt4SQCC31YOWijGg==
Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=crous-toulouse.fr;

Thank you for this explanation.

Our problem is that with this operation, when a user changes their password, it locks the accounts in our directory, because it does not systematically restart "eduroamcat".

However, we do not have an aggressive policy regarding account locking (account locking after 10 attempts within 15 minutes). What we see in the logs of our freeradius servers by the following messages:

Auth: (1664815252) Incorrect login (mschap: Program returned code (1) and output 'The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested. (0xc0000234)'

We are therefore looking for a method (server configuration, clients, etc.) which would allow us to maintain our locking policy and which would not block access to other services, because the account is locked in the directory.

Hence the question of how to force the Windows client to re-request the user's password. If you have any ideas?

De : ALBRIZIO DANIELE <albrizio AT units.it>
Envoyé : mercredi 24 janvier 2024 12:00
À : Philippe Taurines <Philippe.Taurines AT crous-toulouse.fr>; cat-users AT lists.geant.org
Objet : Re: [[cat-users]] Eduroam : Password Update

Vous ne recevez pas souvent de courriers de la part de albrizio AT units.it. Découvrez pourquoi cela est important

Normally, in the chain of directories, password repositories, authentication middleware, etc. you lose the information about the reason the authentication fails.

This results in a 0 or 1 condition of authentication success or authenticatio fail. There are some radius attributes you can use out-of-standards to report about reasons, but since is an out of standardization use, this will not be grabbed by clients (supplicants).

This scenario is typically a lot different from a simple WPA passphrase authentication.

What I assume as an oversemplification (that means complication) of the scenario is also the operating system behaviour of re-requesting for secrets when something goes wrong such as:

- Temporary Timeouts (backends, radius hierarchy, ...)

- Errors in wifi (low signal and subsequents retransmission and timeouts)

- Wrong/unsupported authentication mechanisms

- TLS version mismatch and implementation issues

- ...

All those reasons should not lead to re-asking the user for password (default behaviour on windows and other os).

Users forget and unknowingly mistype their passwords. This leads to a worse user experience perception (think about retyping password due to a home server temporary unreachability).

The profile re-installation is a safer and better solution for what I understand.

On Wed, 2024-01-24 at 08:17 +0000, Philippe Taurines wrote:

Why would this be specific to the operation of Windows and not eduroam?

Because when connecting to an access point with a simple SSID such as “WPA2 PSK”, Window asks you to re-enter the password security key.

Which would suggest that in WPA2-Enterprise / AES / PEAP mode it behaves differently?

This could not be due to the fact that the Freeradius server does not indicate to the Windows client that the password is invalid?

Good day

De : Tomasz Wolniewicz <twoln AT umk.pl>
Envoyé : mardi 23 janvier 2024 16:43
À : Philippe Taurines <Philippe.Taurines AT crous-toulouse.fr>; cat-users AT lists.geant.org
Objet : Re: [[cat-users]] Eduroam : Password Update

Unfortunately this is how Windows works now, if you run the installer again it will remove the profile and install everything again. You could also "forget" the eduroam network, but this would result in the same thing - the need to run the installer again.

Yours

Tomasz Wolniewicz

W dniu 23.01.2024 o 16:07, Philippe Taurines (via cat-users Mailing List) pisze:

Good morning,

After eduroam configuration of the Windows machine (10/11) via “eduroamCAT” or “geteduroam”, the connection works.

On the other hand, when our users change the password in our directory, they are refused the connection.

But the Windows client never offers to enter the new password, so there are two questions belows:

• Why this behavior?

• How to force Windows clients to ask for the new password?

Sincerely,

To unsubscribe, send this message:mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

--

Daniele Albrizio

Ufficio Reti e telefonia | ICT - Phone and Network Management
Università degli Studi di Trieste | University of Trieste
Via Alfonso Valerio 12 - 34127 Trieste (Italy)
daniele.albrizio AT units.it
Tel. | Ph. +39 040 558 3319

Ufficio Reti e telefonia | ICT - Phone and Network Management
Tel. | Ph. +39 040 558 3331

[[cat-users]] Eduroam : Password Update, Philippe Taurines, 01/23/2024
- Re: [[cat-users]] Eduroam : Password Update, Tomasz Wolniewicz, 01/23/2024
  - RE: [[cat-users]] Eduroam : Password Update, Philippe Taurines, 01/24/2024
    - Re: [[cat-users]] Eduroam : Password Update, Tomasz Wolniewicz, 01/24/2024
    - Re: [[cat-users]] Eduroam : Password Update, ALBRIZIO DANIELE, 01/24/2024
      - RE: [[cat-users]] Eduroam : Password Update, Philippe Taurines, 01/24/2024
        
        Re: [[cat-users]] Eduroam : Password Update, Paul Dekkers, 01/24/2024
        
        RE: [[cat-users]] Eduroam : Password Update, Philippe Taurines, 01/24/2024
  - Re: [[cat-users]] Eduroam : Password Update, Lukas Wringer, 01/24/2024
    - Re: [[cat-users]] Eduroam : Password Update, Tomasz Wolniewicz, 01/24/2024