Hello,

> Here, at University of Minho, we are struggling with an issue related to
> re-authentication on wi-fi network eduroam

> We would prefer not to use the configuration profiles due to the burden
> they carry – we want our infrastructure to allow users to connect
> just by entering their credentials, which we achieved a long time ago and
> want to keep going this way.
You "achieved" subjecting your users to evil twin attacks, which make
them send their password to arbitrary third parties. Congratulations on
that.

You are violating the eduroam policy with that: it is specifically noted
that Identity Providers MUST supply their users with all the information
needed to verify the server identity, which includes the server name and
CA. This can be done using profiles (easiest) or even with manual
instructions on a support web page. Instructing users NOT to do any of
that and just type their username and password and click "Continue"
without verifying the server certificate, as you do on
http://www.scom.uminho.pt/Default.aspx?tabid=8&pageid=368&lang=pt-PT
is unacceptable.

BTW, using a profile would pinpoint the inner method and likely solve
the operational problem at hand. But that's only a collateral of
achieving security.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096-bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66


_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
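As an added illustration (not part of the message above, and not a configuration published by RESTENA, the University of Minho or the Radiator project), the two wpa_supplicant network blocks below show what the "just type your credentials" instruction amounts to on a client, next to the configuration an eduroam Identity Provider is supposed to hand its users. The hostname radius.idp.example, the realm idp.example and the CA file path are placeholders, not values taken from the page. In the first block nothing ties the TLS tunnel to a particular server, so a rogue access point running its own RADIUS server terminates the tunnel and receives the inner authentication: with PEAP/MSCHAPv2 that is an offline-crackable challenge/response, with TTLS/PAP the plaintext password. The second block pins the issuing CA, the server name and the inner method, which is exactly the information a profile (or a support page) must carry.

```conf
# INSECURE: the client has no way to tell the real IdP server from an
# attacker's. Any AP called "eduroam" whose RADIUS server presents some
# certificate gets the tunnel and the inner credentials.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@idp.example"      # placeholder realm
    password="correct horse battery staple"
    # no ca_cert, no domain match, inner method left to negotiation
}

# HARDENED: what the eduroam policy requires the IdP to tell its users.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP                          # outer method fixed, not negotiated
    identity="user@idp.example"      # placeholder realm
    password="correct horse battery staple"

    # 1. Trust anchor: ONLY the CA that issued the IdP's RADIUS server
    #    certificate (placeholder path). Do not point this at the full
    #    system CA bundle; any public CA could then issue a usable cert.
    ca_cert="/etc/eduroam/idp-ca.pem"

    # 2. Server name: the certificate's subject/SAN must match this name,
    #    otherwise the EAP-TLS handshake is aborted before any inner
    #    authentication is sent. Placeholder hostname.
    domain_suffix_match="radius.idp.example"

    # 3. Inner method pinned. This is the "pinpointing the inner method"
    #    a profile does, and it also removes the negotiation step that
    #    can go wrong on re-authentication.
    phase2="auth=MSCHAPV2"
}
```

The three settings map one-to-one onto the policy text quoted in the reply: CA (ca_cert), server name (domain_suffix_match), and a fixed method (eap plus phase2). A profile delivers the same three values to platforms that do not use wpa_supplicant; a support page that only says "enter your username and password and continue" delivers none of them.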
