IEEE 802.1X EAP configuration simple AND secure - https://802.1x-config.org

Stefan Winter stefan.winter at restena.lu
Tue Apr 29 16:27:54 CEST 2014


Hi,

> We in the academic/EDUROAM community have had CAT in the web format for
> quite a while. The problem is the service provides executables in the
> form of installers for the Windows platforms, and even run-time
> additions to your client/SO software. 
> 
> Nonetheless, this service is provided by Dante, and somewhat, that in
> itself is a seal of guarantee and peace of mind.

Just to get the (unrelated) record straight; the service is run by the
GEANT project. While DANTE is one of the GEANT consortium partners,
there is no involvement of DANTE in the operation of eduroam CAT.

The one thing which qualifies as a seal of authenticity is the *digital
code signing signature* you get from the eduroam CAT, and that signature
is one from TERENA (which is the global governing body of eduroam).

> The interface of this
> service seems similar, maybe the codebase is the same too.

*ahem* look at the footer *ahem*

> What
> guarantee I would have on this situation about installing foreign
> binaries in our workstations? 
> 
> Even if I am not making myself the question, I know for sure, someone
> will ask me.

You should ask yourself the same question for every other configuration
tool; e.g. if you use Apple's iPhone Configuration Tool, its XML output
will either be unsigned, or signed by a self-signed (i.e. meaningless)
certificate. If you handicraft an NSIS installer, the .exe will have no
assurance whatsoever.

802.1x-config.org also provides "proper" digitally signed installers in
one of the paid upgrade packages, and getting these requires a manual
out-of-band identity vetting process; so there is definitely some
assurance in that - plus the implicit liability of the admin who wanted
to have them generated; he paid for the upgrade and is thus identifiable
with the payment he made.

This is a lot better than the *nothing* you get when downloading random
.exe's.

Greetings,

Stefan Winter

> Regards,
> Rui Ribeiro
> 
> http://www.linkedin.com/pub/rui-ribeiro/16/ab8/434
> 
> 
> 
>     Message: 4
>     Date: Tue, 29 Apr 2014 07:04:21 +0200
>     From: 1x-config Info <info at 1x-config.org>
>     To: freeradius-users at lists.freeradius.org
>     Subject: IEEE 802.1X EAP configuration simple AND secure -
>             https://802.1x-config.org
>     Message-ID: <535F32D5.8050208 at 1x-config.org>
>     Content-Type: text/plain; charset=ISO-8859-15; format=flowed
> 
>     Hello list,
> 
>     on this list, people somewhat regularly lament that they can't get their
>     WPA2-Enterprise WiFi RADIUS server setup deployed to clients easily.
> 
>     That is understandable. Especially in a BYOD context, getting all of
>     your users to "do the right thing" usually involves an error-prone
>     process in lengthy PDF instructions: click through a madness of options
>     here, import CA there, don't disable cert validation, etc.
> 
>     Earlier this month, a new web service was launched which is called
>     "Enterprise Network Configuration Assistant Tool (CAT)" which allows
>     RADIUS / network admins to make deployment of IEEE 802.1X simple and
>     easy.
> 
>     Visit:
> 
>     https://802.1x-config.org
> 
>     (and especially take the tour at https://802.1x-config.org/tour1.php )
> 
>     As a network admin, you upload the characteristics of your network
>     (issuing CA, expected server name in server cert, supported EAP types,
>     SSIDs to configure...) and in return get a mostly automatic installer
>     for that network, which you can hand out to your users. None of the
>     information you need to upload is a secret.
> 
>     And the best is: the base functionality is *free*. Only if you are a
>     business or enterprise that cares about branding, helpdesk hints, or
>     digital signatures for the generated installers, then you'll need to
>     purchase one of the paid upgrades.
> 
>     I hope I can do something good to the community of IEEE 802.1X / EAP
>     users out there by making sure that a secure deployment can be achieved
>     with ease, and for free. Especially now that some/many people need to
>     replace their EAP deployment profiles due to a possible Heartbleed
>     compromise.
> 
>     Thanks for tolerating this ad ;-)
> 
>     The good folks of https://802.1x-config.org
> 
> 
> 
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66