The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Philippe Taurines <Philippe.Taurines AT crous-toulouse.fr>]

For my part,

 

The idea of integrating a lifespan for accounts with login and password could be a start. But this will not fully satisfy the need because a user can install the eduroam profile via “eduroamCat” well after updating their password. And we will still end up with locked accounts, in my opinion, the most effective solution would be for the radius server to detect the event below:

 

• Auth: (1664815252)   Incorrect login (mschap: Program returned code (1) and output 'The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested. (0xc0000234)'

 

And requires password renewal on the Windows client, so that it no longer makes incorrect connection attempts leading to account locking.

 

PS : Regarding the NIST recommendations on password renewal policy, I share your opinion. But on condition that you have implemented MFA because otherwise the risks of brute force or dictionary attack are too great.

 

 

 

De : Paul Dekkers <paul.dekkers AT surf.nl>
Envoyé : mercredi 24 janvier 2024 16:18
À : Philippe Taurines <Philippe.Taurines AT crous-toulouse.fr>; ALBRIZIO DANIELE <albrizio AT units.it>; cat-users AT lists.geant.org
Objet : Re: [[cat-users]] Eduroam : Password Update

 

Vous ne recevez pas souvent de courriers de la part de paul.dekkers AT surf.nl. Découvrez pourquoi cela est important

Hi,

In principle the geteduroam clients support the concept of "credential expiration". We use this in the pseudo-accounts, because the certificates have a limited lifespan. We know exactly what their lifespan is though. So after this time, we can remove the profile, and in advance we can ask the client to reconfigure.

For username/passwords we don't know how long the credentials are (still) valid. Also, the feature isn't built into CAT: but we could consider it. Assuming the credentials are "at most" valid for 6 months, you could use the timer.

Regards,
Paul

P.S. Personally I like the new NIST advise to no longer work with password expiration I must say. I don't think it adds a lot to the security to change a password periodically, unless you're certain there was a compromise.

 

On 24/01/2024 14:06, Philippe Taurines (via cat-users Mailing List) wrote:

Thank you for this explanation.

 

Our problem is that with this operation, when a user changes their password, it locks the accounts in our directory, because it does not systematically restart "eduroamcat".

 

However, we do not have an aggressive policy regarding account locking (account locking after 10 attempts within 15 minutes). What we see in the logs of our freeradius servers by the following messages:

 

1. Auth: (1664815252)   Incorrect login (mschap: Program returned code (1) and output 'The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested. (0xc0000234)'

 

We are therefore looking for a method (server configuration, clients, etc.) which would allow us to maintain our locking policy and which would not block access to other services, because the account is locked in the directory.

 

Hence the question of how to force the Windows client to re-request the user's password. If you have any ideas?

 

 

De : ALBRIZIO DANIELE <albrizio AT units.it>
Envoyé : mercredi 24 janvier 2024 12:00
À : Philippe Taurines <Philippe.Taurines AT crous-toulouse.fr>; cat-users AT lists.geant.org
Objet : Re: [[cat-users]] Eduroam : Password Update

 

Vous ne recevez pas souvent de courriers de la part de albrizio AT units.it. Découvrez pourquoi cela est important

 

Normally, in the chain of directories, password repositories, authentication middleware, etc. you lose the information about the reason the authentication fails.

This results in a 0 or 1 condition of authentication success or authenticatio fail. There are some radius attributes you can use out-of-standards to report about reasons, but since is an out of standardization use, this will not be grabbed by clients (supplicants).

 

This scenario is typically a lot different from a simple WPA passphrase authentication.

 

What I assume as an oversemplification (that means complication) of the scenario is also the operating system behaviour of re-requesting for secrets when something goes wrong such as:

 

- Temporary Timeouts (backends, radius hierarchy, ...)

- Errors in wifi (low signal and subsequents retransmission and timeouts)

- Wrong/unsupported authentication mechanisms

- TLS version mismatch and implementation issues

- ...

 

All those reasons should not lead to re-asking the user for password (default behaviour on windows and other os).

 

Users forget and unknowingly mistype their passwords. This leads to a worse user experience perception (think about retyping password due to a home server temporary unreachability).

 

The profile re-installation is a safer and better solution for what I understand.

 

 

 

On Wed, 2024-01-24 at 08:17 +0000, Philippe Taurines wrote:

Why would this be specific to the operation of Windows and not eduroam?

 

Because when connecting to an access point with a simple SSID such as “WPA2 PSK”, Window asks you to re-enter the password security key.

 

Which would suggest that in WPA2-Enterprise / AES / PEAP mode it behaves differently?

 

This could not be due to the fact that the Freeradius server does not indicate to the Windows client that the password is invalid?

 

Good day

 

De : Tomasz Wolniewicz <twoln AT umk.pl>
Envoyé : mardi 23 janvier 2024 16:43
À : Philippe Taurines <Philippe.Taurines AT crous-toulouse.fr>; cat-users AT lists.geant.org
Objet : Re: [[cat-users]] Eduroam : Password Update

 

Unfortunately this is how Windows works now, if you run the installer again it will remove the profile and install everything again. You could also "forget" the eduroam network, but this would result in the same thing - the need to run the installer again.

Yours

Tomasz Wolniewicz

 

W dniu 23.01.2024 o 16:07, Philippe Taurines (via cat-users Mailing List) pisze:

Good morning,

 

After eduroam configuration of the Windows machine (10/11) via “eduroamCAT” or “geteduroam”, the connection works.

 

On the other hand, when our users change the password in our directory, they are refused the connection.

 

But the Windows client never offers to enter the new password, so there are two questions belows:

 

• Why this behavior?

• How to force Windows clients to ask for the new password?

 

Sincerely,

To unsubscribe, send this message:mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

 

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

 

-- 

 

---

Daniele Albrizio

Ufficio Reti e telefonia | ICT - Phone and Network Management
Università degli Studi di Trieste | University of Trieste
Via Alfonso Valerio 12 - 34127 Trieste (Italy)
daniele.albrizio AT units.it
Tel. | Ph. +39 040 558 3319

Ufficio Reti e telefonia | ICT - Phone and Network Management
Tel. | Ph. +39 040 558 3331

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users