Hi,
We in the academic/EDUROAM community have had CAT in the web format for quite a while. The problem is the service provides executables in the form of installers for the Windows plataforms, and even run-time additions to your client/SO software.
Nonetheless, this service provided by Dante, and somewhat, that in itself is a seal of guarantee and peace of mind.
Just to get the (unrelated) record straight; the service is run by the GEANT project. While DANTE is one of the GEANT consortium partners, there is no involvement of DANTE in the operation of eduroam CAT. The one thing which qualifies as a seal of authenticity is the *digital code signing signature* you get from the eduroam CAT, and that signature is one from TERENA (which is the global governing body of eduroam).
The interface of this service seems similar, maybe the codebase is the same too.
*ahem* look at the footer *ahem*
What guarantee I would have on this situation about installing foreign binaries in our workstations?
Even if I am not making myself the question, I know for sure, someone will ask me.
You should ask yourself the same question for every other configuration tool; e.g. if you use Apple's iPhone Configuration Tool, its XML output will either be unsigned, or signed by a self-signed (i.e. meaningless) certificate. If you handicraft a NSIS installer, the .exe will have no assurance whatsoever. 802.1x-config.org also provides "proper" digitally signed installers in one of the paid upgrade packages, and getting these requires a manual out-of-band identity vetting process; so there is definitely some assurance in that - plus the implicit liability of the admin who wanted to have them generated; he paid for upgrade and is thus identifiable with the payment he made. This is a lot better than the *nothing* you get when downloading random .exe's. Greetings, Stefan Winter
Regards, Rui Ribeiro
http://www.linkedin.com/pub/rui-ribeiro/16/ab8/434
Message: 4 Date: Tue, 29 Apr 2014 07:04:21 +0200 From: 1x-config Info <info@1x-config.org <mailto:info@1x-config.org>> To: freeradius-users@lists.freeradius.org <mailto:freeradius-users@lists.freeradius.org> Subject: IEEE 802.1X EAP configuration simple AND secure - https://802.1x-config.org Message-ID: <535F32D5.8050208@1x-config.org <mailto:535F32D5.8050208@1x-config.org>> Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Hello list,
on this list, people somewhat regularly lament that they can't get their WPA2-Enterprise WiFi RADIUS server setup deployed to clients easily.
That is understandable. Especially in a BYOD context, getting all of your users to "do the right thing" usually involves an error-prone process in lengthy PDF instructions: click through a madness of options here, import CA there, don't disable cert validation, etc.
Earlier this month, a new web service was launched which is called "Enterprise Network Configuration Assistant Tool (CAT)" which allows RADIUS / network admins to make deployment of IEEE 802.1X simple and easy.
Visit:
(and especially take the tour at https://802.1x-config.org/tour1.php )
As a network admin, you upload the characteristics of your network (issuing CA, expected server name in server cert, supported EAP types, SSIDs to configure...) and in return get a mostly automatic installer for that network, which you can hand out to your users. None of the information you need to upload is a secret.
And the best is: the base functionality is *free*. Only if you are a business or enterprise that cares about branding, helpdesk hints, or digital signatures for the generated installers, then you'll need to purchase one of the paid upgrades.
I hope I can do something good to the community of IEEE 802.1X / EAP users out there by making sure that a secure deployment can be achieved with ease, and for free. Especially now that some/many people need to replace their EAP deployment profiles due to a possible Heartbleed compromise.
Thanks for tolerating this ad ;-)
The good folks of https://802.1x-config.org
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66