<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Well, whether they are less secure is subjective.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">WPA-PSK does not require a username or password. It just requires you to enter the key and get access. That’s handled by the WPA2 process.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Any captive portal requiring a username and password will be managed by either the hotspot that displays the captive portal (and as such one would hope the security certificate for said
portal will be one signed by a commercial CA that is trusted by the device OS, because the captive portal pages are browser-based), or it will be sent (hopefully securely) to a third party. Under *<b>NO</b>* circumstances should *<b>any</b>* student/staff
member *<b>ever</b>* enter their university/organisation usernames and passwords into a captive portal system *<b>unless</b>* they are categorically sure that it is run by their university/organisation. The risk to the university/organisation and its systems
is much too great. In the day and age of ransomware attacks, all it takes is *<b>one</b>* username with access to a system, which can be used to break into others, to inflict untold damage to the university/organisation and its students/employees/both.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">However, since universities and other organisations (including large enterprises) tend to be paranoid (which is a good thing), they would very much not like to have usernames and passwords
used on *<b>their</b>* systems handed over to anyone. This is why WPA-Enterprise works the way it does. It provides a level of trust in the sense that devices will be either manually configured or set up through a mobile device management (MDM) solution (like
Apple Configurator or Microsoft’s Intune) which in turn will ensure that only the right certificate is trusted (usually that involves a CA certificate and a set of CN and/or subjectAltName entries), or, in the most basic case, a certificate is pinned. The
latter becomes a problem when a certificate is renewed as the new certificate will no longer match the pinned fingerprint, and the trust breaks (and no authentication takes place). In the user’s eyes that’s extremely suboptimal, although from the security
officer of the user’s organisation’s perspective, it’s exactly what’s expected.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">By ensuring the CA certificate is either one of your own (and you’ve put it on the device with your MDM (or something like geteduroam, the eduroam CAT website or, on Android, the now
virtually obsolete eduroam CAT app)), you ensure that any server claiming to be your home server better be signed by your CA, or, just like a browser would (in strict mode), be rejected for being a liar and a fraud. You can use a commercial certificate, sure,
but by doing that you trust that the commercial CA who signed that certificate doesn’t make a mess (like several have in the last 12-18 months).
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">I hope that explains things a little more from the security/tech aspect.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">With Kind Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:black;background:white">Stefan Paetow</span><span lang="EN-US" style="color:black"><br>
<span style="background:white">Federated Roaming Technical Specialist<o:p></o:p></span></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-US" style="color:black"><br>
<span style="background:white">t: +44 (0)1235 822 125</span><br>
<span style="background:white">gpg: 0x3FCE5142</span><br>
<span style="background:white">xmpp: stefanp@jabber.dev.ja.net</span><br>
<span style="background:white">skype: stefan.paetow.janet</span><o:p></o:p></span></p>
<p class="MsoNormal">In line with government advice, at Jisc we’re now working from home and our offices are currently closed. Read our
<a href="https://www.jisc.ac.uk/about/corporate/coronavirus-statement"><span style="color:#0563C1">statement on coronavirus</span></a>.<span lang="EN-US" style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black"><br>
<span style="background:white">jisc.ac.uk</span><br>
<br>
<span style="background:white">Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol,
BS2 0JA. T 0203 697 5800.<o:p></o:p></span></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
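<p class="MsoNormal">The two trust models in the reply above (a private CA plus a CN/subjectAltName match, versus pinning one certificate's fingerprint) can be acted out with nothing more than the openssl CLI. The script below is an added example and is not code from this thread, from Radiator or from Jisc; it assumes openssl 1.1.1 or newer is installed, and every CA name, host name and file in it is constructed for the demonstration. It issues a server certificate, "renews" it a year later with a new key, and shows that the CA-plus-name check still accepts the renewed certificate while the pinned fingerprint rejects it, and that a self-signed certificate merely claiming the right name is rejected by the CA check.</p>

```shell
#!/bin/sh
# Added example, not code from this thread, from Radiator or from Jisc. It uses the
# openssl CLI (assumed installed, 1.1.1 or newer) to act out the two trust models in
# Stefan's reply: trusting a private CA plus a CN/SAN name match survives a certificate
# renewal, while a pinned fingerprint does not. Every name and file here is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RADIUS_NAME="radius.example.edu"   # constructed: the name the supplicant profile expects

# Step 1: the organisation's private CA, i.e. the CA certificate an MDM or CAT profile installs.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Example University RADIUS CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# issue_server_cert NAME OUTFILE: a server certificate for NAME with a DNS subjectAltName,
# signed by the private CA. Each call generates a fresh key, as a real renewal usually does.
issue_server_cert() {
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/san.ext"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORK/san.ext" -out "$2" >/dev/null 2>&1
}

# fingerprint CERT: the SHA-256 fingerprint a "pin this certificate" profile would store.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# trusted_by_ca_and_name CERT NAME: the CA-plus-name check. Succeeds only when CERT chains
# to our CA AND NAME is one of its DNS SANs or its subject CN.
trusted_by_ca_and_name() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2"'(,| |$)' && return 0
  openssl x509 -in "$1" -noout -subject | grep -Eq "CN *= *$2"'( |,|/|$)'
}

# pinned_ok CERT PIN: the pinning model, which accepts exactly one fingerprint.
pinned_ok() {
  [ "$(fingerprint "$1")" = "$2" ]
}

# Year 1: the server certificate is issued and the user's profile records its fingerprint.
issue_server_cert "$RADIUS_NAME" "$WORK/server-y1.pem"
PIN=$(fingerprint "$WORK/server-y1.pem")

# Year 2: the certificate is renewed: same name, same CA, new key, new fingerprint.
issue_server_cert "$RADIUS_NAME" "$WORK/server-y2.pem"

# A self-signed certificate that merely claims the right name, without our CA behind it.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$RADIUS_NAME" \
  -keyout "$WORK/claimant.key" -out "$WORK/claimant.pem" >/dev/null 2>&1

# verdict LABEL CERT: print what each trust model decides for CERT.
verdict() {
  if trusted_by_ca_and_name "$2" "$RADIUS_NAME"; then ca="accept"; else ca="REJECT"; fi
  if pinned_ok "$2" "$PIN"; then pin="accept"; else pin="REJECT"; fi
  printf '%-28s CA+name: %s   pinned: %s\n' "$1" "$ca" "$pin"
}

verdict "year-1 certificate" "$WORK/server-y1.pem"
verdict "year-2 renewed certificate" "$WORK/server-y2.pem"
verdict "self-signed, right name" "$WORK/claimant.pem"
```

<p class="MsoNormal">The name check matters even with a private CA: as soon as the same CA signs certificates for more than one server (and always with a commercial CA), a certificate that chains correctly but carries the wrong name must still be rejected, which is why supplicant profiles carry both the CA certificate and the expected CN/subjectAltName.</p>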
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-left:36.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">radiator <radiator-bounces@lists.open.com.au> on behalf of "Ullfig, Roberto Alfredo" <rullfig@uic.edu><br>
<b>Date: </b>Thursday, 9 September 2021 at 17:41<br>
<b>To: </b>Heikki Vatiainen <hvn@open.com.au>, "radiator@lists.open.com.au" <radiator@lists.open.com.au><br>
<b>Subject: </b>Re: [RADIATOR] Certificate Not Trusted - InCommon?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:12.0pt;color:black">You're right - there is no username. Just an SSID and credentials. So why do these services not require trusting a certificate? Are those services less secure? Is the
shared password going over in clear text?<o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
</div>
<div id="Signature">
<div>
<div id="divtagdefaultwrapper">
<div>
<p class="MsoNormal" style="margin-left:36.0pt;background:white"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black">---
<o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="margin-left:36.0pt;background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Roberto Ullfig - rullfig@uic.edu<br>
Systems Administrator<br>
Enterprise Applications & Services | Technology Solutions<br>
University of Illinois - Chicago</span><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black">
<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="MsoNormal" align="center" style="margin-left:36.0pt;text-align:center">
<hr size="0" width="100%" align="center">
</div>
<div id="divRplyFwdMsg">
<p class="MsoNormal" style="margin-left:36.0pt"><b><span style="color:black">From:</span></b><span style="color:black"> radiator <radiator-bounces@lists.open.com.au> on behalf of Heikki Vatiainen <hvn@open.com.au><br>
<b>Sent:</b> Thursday, September 9, 2021 10:59 AM<br>
<b>To:</b> radiator@lists.open.com.au <radiator@lists.open.com.au><br>
<b>Subject:</b> Re: [RADIATOR] Certificate Not Trusted - InCommon?</span> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-left:36.0pt"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">On 9.9.2021 18.11, Ullfig, Roberto Alfredo wrote:<br>
<br>
> No, I'm referring to WiFi offered at airports, coffee shops, bars, or at <br>
> someone's home etc... You are given a username and password and the <br>
> phone shows the SSID, you just enter the username and password and are <br>
> connected. There is never a window asking you to trust a certificate.<br>
<br>
Could be WPA-Personal, also known as WPA-PSK, where a shared secret (Pre-<br>
Shared Key) is needed, or Wi-Fi Protected Setup? But I think these don't <br>
require a username. One option is a built-in client that launches a <br>
customised browser to help with captive portal login.<br>
<br>
The problem with the above is that Wi-Fi client software in your device <br>
does not know how to authenticate the network. The network demands that <br>
credentials are used but the Wi-Fi client software has nothing to demand <br>
from the network.<br>
<br>
Thanks,<br>
Heikki<br>
<br>
-- <br>
Heikki Vatiainen<br>
OSC, makers of Radiator<br>
Visit radiatorsoftware.com for Radiator AAA server software<br>
_______________________________________________<br>
radiator mailing list<br>
radiator@lists.open.com.au<br>
<a href="https://lists.open.com.au/mailman/listinfo/radiator">https://lists.open.com.au/mailman/listinfo/radiator</a><o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>