Taskforce Mobility Mailarchive


Subject Re: Eduroam and Microsoft
From Louis Twomey <louis.twomey@xxxxxxxxx>
Date Wed, 27 Jan 2010 11:49:10 +0000

Hi,
When I was documenting the steps of configuring a Windows 7 wireless client for
eduroam recently, I encountered the following problems:

* I could find no way to make the client support both WPA2 and WPA1 within a
profile. So, if you configure a profile for WPA2, then it will not connect to
the same SSID via WPA1 if you roam to a site where only WPA1 is offered. I
guess that you could argue that this is a reasonable restriction to apply, in
some circumstances, but I think the option of supporting both should be
available to the end user.

* Also, because the profiles are named according to the SSID, you can't create
more than one profile for the same SSID (so, for example, you can't add a WPA1
eduroam profile as less preferred than a WPA2 eduroam profile).

I could not find a workaround to either of the above issues and from a quick
check I think the same issues apply to the Windows Vista client. Both are
significant problems, I believe.

Regards,
Louis.

"Paul Dekkers" wrote the following on 20/10/09 09:57:
> Hi,
> 
> On Tue, 20 Oct 2009, James Sankar wrote:
> 
>> I met with Microsoft representatives in Australia today, I mentioned eduroam
>> and was unsure whether we still have issues with Windows operating systems
>> requiring a supplicant such as SecureW2, I agree to check where that all got
>> to, hence this email.  What is the current position, is it resolved, if not
>> what exactly needs to be done so that I can push this along within
>> Microsoft.
> 
> I think we still need things like SecureW2 in order to use TTLS-PAP, for
> IdPs that are unable to deploy the (Microsoft PEAP-way) MSCHAPv2
> authentication. This is still the case for a fairly large number of
> Dutch institutions, at least. PAP works against every backend, a regular
> LDAP password, or even unix passwords or yp, while MSCHAPv2 really
> requires either an AD or reversible-crypto entries in your directory.
> 
> There are also users that prefer to have a little more control, during
> installation (for certificate installation) or afterwards, which is
> something that the Microsoft PEAP-implementation does not provide yet,
> I'm afraid.
> 
> The other issue with Microsoft's zero configuration is I think not
> EAP-based, but the roaming between eduroam networks with different
> encryption settings. We still have a mix in the Netherlands, as I just
> reported here during the TF meeting in Rome ;-) and it's moving towards
> the right direction - but in particular on Windows platforms it's hard
> to roam from a WEP-8021x to WPA1 or WPA2 network. The Windows supplicant
> tends to forget the network-settings, or at least doesn't share this
> information between the networks - so that there are still quite some
> instructions involved for setting up networks (especially while using
> PEAP, because people need to toggle some bits, disabling the
> domain-authentication, and so forth).
> 
> I'm afraid that Windows does not have the most user-friendly Wireless
> stuff around, where our use-case is concerned. But maybe others have
> different experiences :-)
> 
> Regards,
> Paul
> 

-- 
HEAnet Limited                               louis.twomey@xxxxxxxxx
5 George's Dock, IFSC, Dublin 1              Tel: +353-1-6609040
Web: http://www.heanet.ie                    Fax: +353-1-6603666
Registered in Ireland, no 275301             PGP key: C77D9256
