GEANT / CAT-Android

Android application for CAT
Apache License 2.0

EAP-PWD support possible? #7

Closed lonoak closed 7 years ago

lonoak commented 7 years ago

Hello Gareth,

I have been discussing with a colleague the possibility of configuring EAP-PWD programmatically in CAT-Android... do you think this is feasible, or not possible with the Android API for configuring enterprise WiFi?

Cheers,

Jose.

restena-sw commented 7 years ago

The API certainly allows for it: https://developer.android.com/reference/android/net/wifi/WifiEnterpriseConfig.html#setEapMethod(int) PWD is one of the enums.

We don't ship XML files with PWD in it right now. Still searching why; my guess is that PWD was a recent addition. I'm checking.

restena-sw commented 7 years ago

Hm, no, it was in since API level 18. It's trivial to flip a few bits in the web-service side of CAT to produce PWD installers.

Gareth, is the app prepared to do the right thing when it sees EAP type "PWD"?

lonoak commented 7 years ago

Hi Stefan,

thanks for looking into it!

Looking at a 6.0 device, it now seems to support: PEAP, TLS, TTLS, PWD, SIM, AKA and AKA'. I think the other methods listed (apart from PEAP and TTLS) are useless...

In any case this, and proper support in FR (is available in 3.0? [*]) could maybe help in mitigating the Android mess...

[*] http://networkradius.com/doc/3.0.10/raddb/mods-available/eap/pwd.html

restena-sw commented 7 years ago

Hi,

well the biggest hurdle for PWD is that it's not supported on Mac OS.

So you will always have to run say PEAP and PWD simultaneously.

Still, getting PWD support out to as many platforms as possible is a GoodThing.

edelahozuah commented 7 years ago

I am the colleague @lonoak was referring to.

In our institution, we estimate that roughly 10% of all users are using a properly configured eduroam on Android (approx. 300 downloads from eduroam CAT for 3000+ connected devices). This constitutes an important security risk, as we are using the same credentials for both eduroam and our corporate applications. That is why we are highly interested in promoting support for EAP-PWD.

restena-sw commented 7 years ago

Here's a little catch which renders EAP-PWD less useful than you probably think it is:

a totally unconfigured device (only username and password input by user) will allow any EAP type. So once the user connects to a rogue server, the rogue server can and will suggest the EAP type PEAP or TTLS, and the device will not complain about this.

The fact that your server promotes security isn't exactly important if it never gets asked for its opinion...

edelahozuah commented 7 years ago

Well, you are right. My first idea was not allowing other methods, but that is not feasible, as it is not supported in other platforms currently. It seems like we will have to wait, as we cannot rule out the use of TTLS/PEAP.

We are also considering other alternatives for securing eduroam clients: alternative password for eduroam, OTPs...

lonoak commented 7 years ago

I forgot about this important catch, Stefan, you are right.

But still, along the lines of what Enrique says, I wonder if we can do anything, server-side (or home organisation-side), to detect users with misconfigured clients, or to try to reduce problems in the case of Android devices (well, there's also the educating-users path to solve the problem, but it is difficult to reach the entire user base).

Apart from the figures mentioned by Enrique, Android accounts for more than 50% of devices connected in some organizations... it's cheap, and users do not think in terms of security when they buy a device, nor care about configuring it properly... I know this is only trying to patch the Android mess, but doing nothing, 'because it's Android's fault', is probably not the way...

Should we better move this conversation to mobility ml? :)

Cheers.

restena-sw commented 7 years ago

The feature request for EAP-pwd support belongs here. All philosophical questions beyond that indeed should go to mobility.

GarethAyres commented 7 years ago

Hello,

Just an update. I added support for EAP-PWD : https://github.com/GEANT/CAT-Android/commit/9e11284ee4cc354bb6681a5dbec4a20f17625260

I don't think the .eapconfig files on cat.eduroam.org support it yet, so I can't test it. So I haven't pushed this to the Play Store yet.

Stefan, is there a way to test this with a manually edited .eapconfig file? I can commit a compiled APK with PWD support to github if someone can.

Gareth

twoln commented 7 years ago

Hi Gareth,

Actually the EAP config module does support EAP_PWD so you should be able to download a working configuration from cat.eduroam.org.

Tomasz

restena-sw commented 7 years ago

Well he needs to browse to an IdP which has EAP-pwd as most prioritised EAP type. To avoid long searching, I've created such a profile on cat-test/branch:

https://cat-test.eduroam.org/branch/?idp=2&profile=340

The download button "EAP Config" at the end will produce an EAP-pwd installer for you.

GarethAyres commented 7 years ago

OK great, I've got an EAP-Config now.

I'll test that the app swallows it correctly.

twoln commented 7 years ago

You should use the blue EAP-config button.

Tomasz

W dniu 03.07.2017 o 10:08, GarethAyres pisze:

Hi,

I am getting this:

image https://user-images.githubusercontent.com/329527/27783686-1e4b0c22-5fcf-11e7-90c8-1f954d4e7686.png

Gareth

GarethAyres commented 7 years ago

OK, I have fixed two bugs that occurred with EAP-PWD.

It now parses the profile fine, and installs it fine.

But: image

These are only UI warnings, but I'm guessing they may confuse users unnecessarily?

Gareth

restena-sw commented 7 years ago

Hi,

ah, yes... EAP-pwd is /so/ different that many of those items do not make sense.

1) EAP-pwd does not support anon IDs. It may make sense to keep alerting users about that fact, but the wording needs to be different: "Anon ID not supported". But it's not even a warning, it's more like an FYI.

2) there is no phase 2, so that warning should just not be displayed

3) there is no CA certificate, so that warning should just not be displayed

But for "Server Subject Match missing" I wonder: the EAP-pwd spec does have a server name. And I've set one in the profile I linked to.

I see it does not show up in the .eapconfig though -> something to be added in CAT.

But the more interesting question is: what can you actually do with that info once it's in the file?

The halfway pertinent methods setDomainSuffixMatch, setAltSubjectMatch and setSubjectMatch are "usually" attributed to certificate-based methods.

Since the serverID in EAP-pwd is not cryptographically secured and is trivially forgeable, it doesn't really add to security, and even if it were supported, it wouldn't add anything to signal that it's set.

So in the end, I think (please comment if you disagree) that it's safe not to warn about this at all.

At the same time, we should add ServerID to the .eapconfig file if the server name is set in the admin UI - maybe other implementations consuming the file do want to do something with that info.

Greetings,

Stefan Winter

twoln commented 7 years ago

It looks like I will need to check the implementation; perhaps we have missed something.

Tomasz

twoln commented 7 years ago

I have fixed this now.

Tomasz

GarethAyres commented 7 years ago

Hi,

OK, I have fixed the UI for EAP-PWD currently to: image

Android appears to accept an enterpriseConfig with setSubjectMatch and EAP-PWD outer. I can't test what it does when it connects to an actual EAP-PWD IdP, though.

setSubjectMatch has been deprecated in API 23. setAltSubjectMatch has a description which specifically mentions a server-side certificate: "Set alternate subject match. This is the substring to be matched against the alternate subject of the authentication server certificate."

I don't understand EAP-PWD enough to say whether we should even be setting this at all then?

Gareth

restena-sw commented 7 years ago

Hi,

OK, I have fixed the UI for EAP-PWD currently to: image https://user-images.githubusercontent.com/329527/27841986-85ec1c98-60fd-11e7-9e32-48fe1ab504bd.png

I'd avoid the word "unrequired". It's not like it's optional - it is impossible to have that feature in this protocol.

"Anon ID not possible" better captures the underlying issue. It is then admittedly strange to accompany this with a green checkmark though. It's also not something to warn about with a yellow exclamation mark because there's nothing the user nor admin can do about it.

If you have something else UI-wise to express "Remark" besides the text then that would be perfect...

Android appears to accept an enterpriseConfig with setSubjectMatch and EAP-PWD outer. I can't test what it does when it connects to an actual EAP-PWD IdP, though.

setSubjectMatch has been deprecated in API 23. setAltSubjectMatch has a description which specifically mentions a server-side certificate: "Set alternate subject match. This is the substring to be matched against the alternate subject of the authentication server certificate."

I don't understand EAP-PWD enough to say whether we should even be setting this at all then?

Let's ignore it entirely. It serves no security purpose. When I talked to the spec author, he said it can help you uncover accidental misconfigs (e.g. typed wrong realm, ended up at unexpected server) but it's not for anything serious as it is not cryptographically secured at all.

Greetings,

Stefan

-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette

Tel: +352 424409 1 Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

lonoak commented 7 years ago

Hi, thanks Gareth and Stefan for looking into this.

I have a question (surely for Stefan)... does «not having AnonId» mean that for routing purposes (I mean by this, discovery of the home organization), the inner (Username?) field must contain the home organization realm? Or is it configured somewhere else (without the user noticing the realm being used), regardless of whether the user enters her realm or not?

Greetings.

restena-sw commented 7 years ago

That's right: there is only one username. It has to contain the routing and the actual auth info. So there's no way around using usernames with the realm suffix. I never thought that was a big issue. Is it?

lonoak commented 7 years ago

Well, not if the user is instructed to provide the realm... is that the way it's done for other methods?

I mean, for other methods, my belief was that routing comes from outer identity, which somewhat either takes into account the realm provided by the institution (realm field in profile configuration), or alternatively use the anonymous outer identity provided by the admin, without the user needing to add the realm part.

restena-sw commented 7 years ago

Yes, the user needs to be told to use the full id including realm.

It is slightly different from other methods where it was /possible/ (but AFAICT not very popular) to define a routing/outer ID with realm, and tell users to use the (inner) username without realm. I.e.

Outer: anon@realm.tld
Inner: john.doe

That kind of combination becomes impossible with EAP-pwd. The user has to be told to use the username

john.doe@realm.tld

and has to accept the fact that that string will be world-visible.
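The two profile shapes discussed in this thread, side by side, as an added illustration written for this page (it is not code from CAT-Android or from the CAT web service): an EAP-PWD entry, which carries a single world-visible user@realm identity and has no phase 2, no CA certificate and no anonymous identity to configure, next to a PEAP/MSCHAPv2 entry, which does use all three. The SSID "eduroam", the realm "realm.tld", the user "john.doe" and the way the CA certificate is obtained are assumptions chosen for the example; the Android API calls are the public WifiEnterpriseConfig and WifiConfiguration methods (setDomainSuffixMatch needs API level 23).

```java
import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiEnterpriseConfig;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Added example, not CAT-Android code: builds an EAP-PWD profile and, for
 * comparison, a PEAP/MSCHAPv2 profile with Android's WifiEnterpriseConfig API.
 * SSID, realm, user name and the CA certificate source are assumptions.
 */
public final class EapProfiles {

    /**
     * EAP-PWD: one identity carries both the routing realm and the user name.
     * The protocol has no phase 2 method, no server certificate and no
     * anonymous (outer) identity, so none of those setters are called.
     */
    public static WifiEnterpriseConfig eapPwd(String user, String realm, String password) {
        WifiEnterpriseConfig cfg = new WifiEnterpriseConfig();
        cfg.setEapMethod(WifiEnterpriseConfig.Eap.PWD);
        // Sent in the clear in the EAP-Response/Identity; the user must be told
        // to type the full user@realm string, there is no hidden inner identity.
        cfg.setIdentity(user + "@" + realm);
        cfg.setPassword(password);
        return cfg;
    }

    /**
     * PEAP/MSCHAPv2 for comparison: the outer identity can be anonymous, the
     * real user name travels inside the TLS tunnel, and the server is
     * authenticated by CA certificate plus a suffix match on its certificate.
     */
    public static WifiEnterpriseConfig peapMschapv2(String user, String realm, String password,
                                                   X509Certificate ca, String serverName) {
        WifiEnterpriseConfig cfg = new WifiEnterpriseConfig();
        cfg.setEapMethod(WifiEnterpriseConfig.Eap.PEAP);
        cfg.setPhase2Method(WifiEnterpriseConfig.Phase2.MSCHAPV2);
        cfg.setAnonymousIdentity("anonymous@" + realm); // routing only, world-visible
        cfg.setIdentity(user);                          // protected by the TLS tunnel
        cfg.setPassword(password);
        cfg.setCaCertificate(ca);                       // trust anchor for the server cert
        cfg.setDomainSuffixMatch(serverName);           // API 23+; pins the server name
        return cfg;
    }

    /** Wraps an enterprise config into a WPA2-Enterprise network entry for the SSID. */
    public static WifiConfiguration network(String ssid, WifiEnterpriseConfig enterprise) {
        WifiConfiguration net = new WifiConfiguration();
        net.SSID = "\"" + ssid + "\"";
        net.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.WPA_EAP);
        net.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.IEEE8021X);
        net.enterpriseConfig = enterprise;
        return net;
    }

    /** Parses a DER or PEM encoded CA certificate, e.g. one bundled as an app asset. */
    public static X509Certificate loadCa(InputStream pemOrDer) throws Exception {
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(pemOrDer);
    }
}
```

Either WifiConfiguration would then be handed to WifiManager.addNetwork (deprecated from API 29, where network suggestions replace it). The security-relevant difference is in what the device will refuse: because setEapMethod pins the outer method, a supplicant provisioned this way answers a rogue server's PEAP or TTLS proposal with a Nak, whereas a device that only ever had a username and password typed into it accepts whatever method the server proposes, which is the catch Stefan describes earlier in the thread. The ServerID that CAT now writes into the .eapconfig for EAP-pwd is deliberately not applied here, since, as discussed above, it is not cryptographically bound and only helps spot misrouted realms.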

GarethAyres commented 7 years ago

Hi,

OK, in the latest commit I have just removed the anon ID feedback for PWD profiles, as it serves no meaningful purpose to mention it. image

I haven't removed the SubjectMatch, as it comes down in the eap-config and can be set by IdP admins. So I imagine they may want/expect feedback on this even if it serves no functional purpose. Or if you like I can just remove it also.

Gareth

restena-sw commented 7 years ago

Hm, the green checkmark implies that we've actually checked it and found it to be okay. But since it doesn't actually transpire to device config, that's not correct.

I'd say either remove it, or do not put any icon in front. And maybe put the whole string in parentheses.

GarethAyres commented 7 years ago

OK, I have removed the Subject Match feedback line, as it serves no purpose. image

PWD support should now be complete. Are we happy to now close this issue?

Gareth

restena-sw commented 7 years ago

Hi,

yes, happy to close this as "done".

Stefan

GarethAyres commented 7 years ago

closing issue