The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Stefan Winter <stefan.winter AT restena.lu>]

Hello,

> we got a few complaints from Android users that they couldn’t connect to 
> our eduroam network after installing the profile by using the eduroamCAT 
> App. I tried myself and even with all «green» flags in the app, it doesn’t 
> seem to work. After checking log entries with our AAI guys, the problem 
> appears to be the missing QuoVadis root certificate in Android. 

one of the apps' primary purposes of existence *is* the installation of
the trusted root certificate.
Unless something very strange has happened, your AAI colleagues have
misinterpreted the situation.

In fact, having all ticks green demonstrates that the CA is being checked.

I can imagine two reasons here:

* Maybe you have two or more root certificates in the CAT configuration?
The Android app can only configure exactly one root CA certificate (this
is a Android API limitating we cannot do anything about).

* Maybe your RADIUS server does not send the chain of intermediate CA
certificates along with the server certificate? With the app only having
the root, it requires the intermediates to be sent along with the server
certificate - otherwise it cannot build the full chain which is required
for certificate verification.

Regarding the latter case: this is something we actively test for during
our RADIUS checks. Did you run the RADIUS checks recently? Did they
yield one or more warnings?

> What do you propose to fix this issue?

Since it works for very many users, my proposal is to check for
administrative errors on the server side first. If you can confirm that
the above two are not relevant, you can also send me your realm and the
root CA you have in CAT and I can do some more in-depth investigations
on the command-line.

> In it’s current incarnation, the App is useless for University of Bern 
> members and causes confusion.
> In iOS, root certificates can be embedded in configuration profiles. Is 
> this not possible for Android?

It is definitely possible.

Greetings,

Stefan Winter

> 
> Cheers
> Philipp
> ________________________________________________
> Universität Bern
> Abt. Informatikdienste
> Gruppe Infrastruktur
> 
> Philipp Tobler
> 
> Gesellschaftsstrasse 6
> 3012 Bern
> Raum -104
> Tel. +41 (0)31 631 32 84
> mailto:philipp.tobler AT id.unibe.ch
> http://www.id.unibe.ch
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature