
cat-users - Re: [cat-users] Impossible to download Windows client

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Michele de Varda <michele.devarda AT unimi.it>, cat-users AT geant.net
  • Cc: "eduroam AT unimi.it" <eduroam AT unimi.it>
  • Subject: Re: [cat-users] Impossible to download Windows client
  • Date: Tue, 11 Aug 2015 11:46:41 +0200
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

> thank you for your help, this configuration seems to work :-)

Great!

> I have a question: during the installation of a CAT profile on an
> Android KitKat device the installer didn't complete the installation and
> a warning message like this appeared: "You have to set a pin code for the
> password manager..."
> Is this normal behavior?

Yes, a user can't install a new CA certificate unless he protects the
device with a screen lock (a "swipe gesture" should be enough though,
doesn't have to be a PIN).

(Sure, this does not serve any useful purpose, but it's how the Android
overlords want it to be. Complain in a bug report and observe how it is
dumped into their /dev/null :-( )

Greetings,

Stefan Winter

>
> Thanks again,
>
> Michele
>
>
> On 08/07/2015 04:03 PM, Stefan Winter wrote:
>> Hi,
>>
>>>> EITHER: define the G5 root variant as the root, and *don't* send the
>>>> intermediate variant during EAP. This is utterly confusing to the
>>>> client.
>>> In this case do I have to modify the RADIUS certificate, putting only
>>> server cert + intermediate with only Symantec Class 3 Secure Server
>>> CA - G4?
>>>
>>> On the CAT side do I have to put only the G5 root?
>> That root, and for Android to work you also need to upload the Symantec
>> Class 3 Secure Server CA - G4.
>>
>> That should be it. Please check if the warnings are then going away :-)
>>
>> Stefan
>>
>>>> OR: define the "Primary CA" as the root, and include the G5
>>>> intermediate
>>>> variant in CAT config and EAP. Do not send the G5 root variant in the
>>>> EAP conversation then.
>>> I put the "Class 3 Public Primary Certification Authority" root
>>> certificate on cat configuration (see attached file
>>> CAT_certificate_not_working.jpg).
>>> Android seems to work but in the Wi-Fi config I see "certificate not
>>> specified", Windows 7 doesn't work and when I run cat conf tool I see a
>>> message that I have never seen with the old confs (see
>>> CAT_message.jpg).
>>> In this case I didn't touch the RADIUS server certificate.
>>>
>>>> (in both cases, of course continue to send the G4 intermediate)
>>>>
>>>> This is mostly a mess on VeriSign's side - but you need to be cautious,
>>>> too. "More helps more" does not apply to PKI certificates. You need to
>>>> send a consistent message. Superfluous items are okay (for most client
>>>> devices), but *conflicting ones* are not.
>>> You are right, I hope to not have conflicting items :-)
>>>
>>>> Greetings,
>>>>
>>>> Stefan Winter
>>>>
>>> Thanks a lot,
>>>
>>> Michele
>>>
>>
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
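
The consistency rule from the quoted advice (superfluous items are tolerated, conflicting ones are not), as an added example that is not part of the original thread or of CAT. Certificates are modeled as constructed subject/issuer name pairs (real clients also compare keys), "G5" is the thread's short label, and the server name is hypothetical.

```python
from collections import defaultdict
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str  # equals subject for a self-signed root

def find_conflicts(cat_config, eap_chain):
    """Subjects seen with more than one issuer across the CAT profile and EAP."""
    issuers = defaultdict(set)
    for cert in [*cat_config, *eap_chain]:
        issuers[cert.subject].add(cert.issuer)
    return {s: sorted(i) for s, i in issuers.items() if len(i) > 1}

def anchored(server, cat_config, eap_chain):
    """Follow issuer names up from the server cert to a root configured in CAT."""
    roots = {c.subject for c in cat_config if c.subject == c.issuer}
    by_subject = {c.subject: c for c in [*eap_chain, *cat_config]}
    name, seen = server.issuer, set()
    while name not in seen:
        if name in roots:
            return True
        if name not in by_subject:
            return False
        seen.add(name)
        name = by_subject[name].issuer
    return False

# Constructed sample data; "G5" is the short label used in the thread.
PRIMARY = "Class 3 Public Primary Certification Authority"
G4_NAME = "Symantec Class 3 Secure Server CA - G4"
G5_ROOT, G5_CROSS = Cert("G5", "G5"), Cert("G5", PRIMARY)
PRIMARY_ROOT = Cert(PRIMARY, PRIMARY)
G4 = Cert(G4_NAME, "G5")
SERVER = Cert("radius.example.org", G4_NAME)  # hypothetical server name

# (CAT profile, EAP chain) for the EITHER option, the OR option, and a mix.
OPTION_EITHER = ([G5_ROOT, G4], [SERVER, G4])
OPTION_OR = ([PRIMARY_ROOT, G5_CROSS], [SERVER, G4, G5_CROSS])
OPTION_MIXED = ([G5_ROOT, G4], [SERVER, G4, G5_CROSS])

if __name__ == "__main__":
    for label, (cat, eap) in [("EITHER", OPTION_EITHER), ("OR", OPTION_OR),
                              ("MIXED", OPTION_MIXED)]:
        print(label, find_conflicts(cat, eap), anchored(SERVER, cat, eap))
```

Only the mixed setup is flagged: it presents G5 both as a self-signed root and as an intermediate issued by the Primary CA.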



