Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Philippe Hanset
At least with carriers you will know for sure that you have no expectation of privacy.
> http://clark.com/technology/how-opt-out-verizons-super-cookie-tracking/
> Apr 28, 2017, at 8:12 PM, Jeffrey D. Sessler wrote:
>
> Philippe,
>
> This statement, “each user that uses eduroam has a

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Jeffrey D. Sessler
Philippe, This statement, “each user that uses eduroam has a verified affiliation with a University/College somewhere in the world” while sort of true, is also meaningless. There are numerous universities out there that grant identities to anyone in their local community for the sake of services

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Philippe Hanset
Curtis et al., You can mitigate the PEAP/EAP-TTLS password issue by using an installer. In the case of CAT (cat.eduroam.org , free to eduroam connectors), a profile will be created that will lock the infrastructure certificate. If a user is presented with a fake eduroam

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Philippe Hanset
> On Apr 28, 2017, at 3:49 PM, Jeffrey D. Sessler wrote:
>
> Philippe,
>
> I’m not arguing the “convenience factor” or OTA encryption, which eduroam certainly provides, just that users (and universities advocating for it) shouldn’t blindly trust it any more, or less, than any other gu

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Curtis K. Larsen
It matters to your PEAP user that might lose his credentials while connecting to our network on our property even though he was told it was a "secure" connection. I'm talking about preventing the attack to the degree possible by not providing a service that incorporates the vulnerable component

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Jeffrey D. Sessler
Philippe, I’m not arguing the “convenience factor” or OTA encryption, which eduroam certainly provides, just that users (and universities advocating for it) shouldn’t blindly trust it any more, or less, than any other guest network. You touch on my concern with this statement, “Most Schools ten

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Hunter Fuller
Curtis, That makes sense. But, if a user set up an evil twin on your campus, it would not matter, because you are using EAP-TLS, right? So you're not vulnerable to the attack where a user's credentials might be exposed. If they wanted to exploit some other flaw that can be exploited via evil twin

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Philippe Hanset
Jeff,
>
> Why do I say this?
> · Organization - A university can’t assume and/or guarantee that “eduroam” is administered at another campus in the same way that it is at home. There is no guarantee of privacy, be it the data collected during authentication/authorization, or inf

RE: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Turner, Ryan H
I thought about ways to respond to this, but figure simple is better… Most of those concerns are either easily mitigated with user education, or are issues we haven’t experienced. Since we’ve had eduroam as primary for 2 years with hundreds of thousands of devices onboarded and a lot of traveli

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Jeffrey D. Sessler
No matter what direction I come at it, “eduroam” is fundamentally a guest network with very little intrinsic value, but with many downsides. As such, I would be reluctant to make it our default SSID, and I caution those that use it as such to explore its shortcomings. Why do I say this? ·

RE: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Turner, Ryan H
Me, too. You can absolutely require your local users to require EAP-TLS while supporting other institutions' ability to support whatever EAP type they like. And when your users are abroad, those requirements are still in force. We only run eduroam as our 802.1x using EAP-TLS and force non suppo

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Dennis Xu
I think there is one problem with just using the eduroam SSID: your users could have problems connecting to eduroam at other institutions, depending on your username policy. If you can force all your users to use u...@yourdomain.xxx as username, you don't have this issue. But if you allow a variet

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Curtis K. Larsen
I guess it boils down to an attacker being less likely to set up a fake AP/evil twin on the property of an institution that does not support PEAP vs. one that does. -Curtis From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Hunte

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Hunter Fuller
I'm still not sure I follow. It sounds like, in your current config, you have your constituents use EAP-TLS, and cannot use PEAP. Meanwhile your visitors use whatever their home institution offers. If you ran with only the eduroam ESSID, you could run with the same config. Your constituents are u

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Curtis K. Larsen
My point is not that eduroam mandates a given EAP type. My point is that if a given EAP type presents a vulnerability to users that will come into my institution's property but I allow it anyway so that another institution's configuration will be compatible - then I have surrendered a better se

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Matthew Newton
On Fri, Apr 28, 2017 at 09:54:55AM +, Cappalli, Tim (Aruba Security) wrote:
> Can you elaborate on this comment?
>
> “whereas with eduroam we were kind of locked-in to the PEAP model.”
>
> Eduroam is EAP agnostic.
Quite - I was thinking the same thing. There's no reason why you can't use EA

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Cappalli, Tim (Aruba Security)
Can you elaborate on this comment? “whereas with eduroam we were kind of locked-in to the PEAP model.” Eduroam is EAP agnostic. On 4/27/17, 10:57 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Curtis K. Larsen" wrote: We also use eduroam and a university SSI