cat-users - Re: [[cat-users]] Question / SSID eduroam w/ and w/o CAT eduroam installer on Windows 11

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Martin Pauly <address@concealed>
  • To: address@concealed
  • Subject: Re: [[cat-users]] Question / SSID eduroam w/ and w/o CAT eduroam installer on Windows 11
  • Date: Mon, 26 Jan 2026 12:45:52 +0100

Hi Dominic,

On 24.01.26 at 12:50, dominic.stalder (via cat-users Mailing List) wrote:
> But to be honest, I was also a little surprised that the anonymous identity
> is set to «anonymous» and not «address@concealed». But as written above, it
> somehow seems to work...

This is one more quirk of the Windows supplicant; surprisingly, this adheres
to some old PEAP variety.
Windows will NOT allow you to pre-set a realm. You can only provide the
username part of the outer identity. If the user is required to enter their
username, the realm part will ALWAYS be what the user types after the '@'.

OTOH, you do want to make your anonymous outer ID mandatory in the freeradius
config, as this prevents clueless Android users/devices from naively typing in
just the short, realm-less username (both inner and outer ID), along with
specifying the weakest of certificate checks. This would be "Accept all CAs
present in system store" in most cases.
I am afraid that even with this setting (as compared to no check at all),
it would not be too hard to stage another Evil Twin attack and steal
your users' passwords.

A mandatory outer ID can be quite tedious for your Windows users though,
as the USER must ALWAYS type in their realm correctly.
The least of evils currently seems to be:
- require a correct (= well-defined anonymous) outer ID from everyone and
- enable password saving on the Windows client, even in system context
  before user login (do this only with Bitlocker/HD encryption enabled)

This is pretty much our current setup.
But there seems to be another bug in the Windows supplicant:
Even with these settings, the supplicant randomly ignores them when trying
to connect before user logon. Rather, we see some username like host/pcxyz
on the WLAN controller, at least with machines that are AD domain members.

Mit freundlichen Grüßen/Kind regards
Martin Pauly

--
Dr. Martin Pauly
Abt. Kommunikation
Hochschulrechenzentrum (HRZ)

Philipps-Universität Marburg
35032 Marburg

T +49 6421 28-23527
E address@concealed

https://www.uni-marburg.de/de/hrz

Attachment: smime.p7s
Description: Cryptographic S/MIME signature
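An added example, not from the original post or the eduroam/CAT project, of the "mandatory anonymous outer ID" check Martin describes, written as a FreeRADIUS 3 unlang fragment for the outer virtual server's authorize section. `example.org` is a placeholder for the home realm and is assumed to be defined as a local realm in proxy.conf so that the `suffix` realm module populates `Realm` and `Stripped-User-Name`.

```unlang
# sites-enabled/default -- the OUTER virtual server, which sees the
# outer (anonymous) identity. Do NOT put this in inner-tunnel: there
# User-Name is the real inner identity.
# Placeholder realm: example.org (assumed to be a local realm in proxy.conf).
authorize {
    filter_username

    # The suffix realm module splits "user@realm" into Stripped-User-Name
    # and Realm; foreign realms get Proxy-To-Realm and are forwarded.
    suffix

    # A bare, realm-less username is exactly what a naively configured
    # client sends as both inner and outer ID; refuse it instead of
    # treating it as a local user.
    if (&User-Name !~ /@/) {
        update reply {
            &Reply-Message := "Outer identity must be anonymous@example.org"
        }
        reject
    }

    # Only police identities that belong to our realm; roaming visitors
    # from other realms are proxied to their home IdP untouched.
    if (&Realm == "example.org") {
        # Anything other than anonymous@example.org as the outer identity
        # is rejected: a real username here would travel in cleartext
        # across the eduroam proxy chain.
        if (&Stripped-User-Name != "anonymous") {
            update reply {
                &Reply-Message := "Outer identity must be anonymous@example.org"
            }
            reject
        }
    }

    eap
}
```

As the post points out, with this check in place a Windows user who has to type their username must also type the realm correctly, since the supplicant takes the outer realm from whatever follows the '@'.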