Hello,

> Here, at University of Minho, we are struggling with an issue related to
> re-authentication on wi-fi network eduroam

> We would prefer not to use the configuration profiles due to the burden
> it carries itself – we want our infrastructure to allow users to connect
> just by inserting their credentials, what we achieved long time ago and
> want to keep going this way.

You "achieved" subjecting your users to evil twin attacks, which make them send their password to arbitrary third parties. Congratulations on that.

You are violating the eduroam policy with that: it is specifically noted that Identity Providers MUST supply their users with all the information needed to verify the server identity, which includes the server name and CA. This can be done using profiles (easiest) or even with manual instructions on a support web page.

Instructing users NOT to do any of that and just type their username password, and clicking "Continue" without verifying the server certificate such as you do on http://www.scom.uminho.pt/Default.aspx?tabid=8&pageid=368&lang=pt-PT is unacceptable.

BTW, using a profile would pinpoint the inner method and likely solve the operational problem at hand. But that's only a collateral of achieving security.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
_______________________________________________
radiator mailing list
[email protected]
http://lists.open.com.au/mailman/listinfo/radiator
