cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Michele de Varda <michele.devarda AT unimi.it>
- To: Stefan Winter <stefan.winter AT restena.lu>
- Cc: Daniele Albrizio <daniele AT albrizio.it>, Claudio Lori <claudio.lori AT unimi.it>, cat-users AT geant.net
- Subject: Re: [[cat-users]] Problems with Android Client after certificate update
- Date: Tue, 14 Feb 2017 12:14:12 +0100
Dear Stefan,

On 14/02/2017 09:02, Stefan Winter wrote:
> Hello,
>
>> Android without CAT connects to Eduroam no matter what certificates
>> Radius server presented them and this is very insecure.
>
> That's correct. "It works if I turn off all security" only demonstrates
> flawed thinking, not proper operation.
>
>> What about clients using eduroam CAT? Did you insert the server
>> certificate too, in old eduroam CAT configuration for your institution?
>> If yes, this may be the problem: clients may not trust the new
>> certificate because they are clamped to the old. Suggestion for the
>> future is trying to use only the trust anchor needed. That is the
>> intermediate CA certificate.
>
> Here Daniele is slightly wrong: the trust anchor is always the /root/
> certificate.
>
> The screenshot of the OP shows that all is correct in that regard - the
> CA certificate "CN=VeriSign Class 3 Public Primary Certification
> Authority - G5"
> is indeed a self-signed root and the correct trust anchor to use.
>
> I believe I may know the source of your problem: maybe the root and
> intermediate did not /change/ - but does your RADIUS server actually
> *send* the intermediate cert during the EAP authentication exchange still?
>
> Take a look at the old server cert PEM file vs. the new one (in your
> RADIUS server). If you are not sending the intermediate (any more),
> Android connection attempts will fail: Android does not allow the app to
> install the intermediate together with the root and relies on getting
> the intermediate during authentication time.
>
> For all other operating systems, we install the intermediate together
> with the root if you (optionally) upload that intermediate to CAT.

I've forgotten this "little detail" for Android System; I've inserted the intermediate CA into the server cert and all works fine.

If I'm not mistaken, in addition Android doesn't support a double CA in the CAT configuration, so it is more difficult to migrate to another Certification Authority.

Have you any idea if in the future this feature will be added on Android Systems?

Thanks a lot for your support,

> However, there is a "Check realm reachability" check which would warn
> you about missing intermediates during the EAP exchange. Do you see any
> such warning when running the check?
>
> Greetings,
>
> Stefan Winter

Michele de Varda
--
Università degli Studi di Milano
Divisione Telecomunicazioni
tel. 02 503-15306
via Giuseppe Colombo 46
20133 Milano
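
The comparison of the old and new server PEM files suggested in the quoted reply can be scripted. The following is an added example, not part of the original thread or of CAT: it checks whether a server certificate file contains the intermediate(s) needed to link the server certificate to a given root. The function names, `fake_cert` and the sample names are assumptions made for illustration; only issuer and subject names are matched, signatures are not verified.

```python
import base64, re

def tlv(buf):
    """Split one DER element off buf: (tag, value, whole element, rest)."""
    n, i = buf[1], 2
    if n & 0x80:                                  # long-form length
        i = 2 + (n & 0x7F)
        n = int.from_bytes(buf[2:i], "big")
    return buf[0], buf[i:i + n], buf[:i + n], buf[i + n:]

def names(der):
    """(issuer, subject) of one certificate as raw DER Name bytes."""
    tbs, fields = tlv(tlv(der)[1])[1], []         # Certificate -> tbsCertificate
    while tbs:
        tag, _, raw, tbs = tlv(tbs)
        if tag != 0xA0:                           # skip optional [0] version
            fields.append(raw)
    return fields[2], fields[4]   # serial, sigAlg, ISSUER, validity, SUBJECT

def pem_certs(text):
    """Every CERTIFICATE block of a PEM file, DER-decoded, in file order."""
    pat = r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----"
    return [base64.b64decode(b) for b in re.findall(pat, text, re.S)]

def sends_chain_to(server_pem, root_pem):
    """True if names link the first cert in server_pem to the root (no signature check)."""
    certs = [names(c) for c in pem_certs(server_pem)]
    root = names(pem_certs(root_pem)[0])[1]       # subject of the trust anchor
    parent = {s: i for i, s in certs if i != s}   # subject -> issuer, no self-signed
    issuer = certs[0][0]                          # issuer of the server certificate
    for _ in certs:                               # bounded walk up the file's chain
        if issuer != root:
            issuer = parent.get(issuer, issuer)
    return issuer == root

# Constructed sample data: name-only skeletons, not real certificates.
def _der(tag, body):
    return bytes([tag, len(body)]) + body         # short bodies only (< 128 bytes)

def fake_cert(issuer, subject):
    iss, sub = (_der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03")
                + _der(0x0C, cn.encode())))) for cn in (issuer, subject))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + iss + _der(0x30, b"") + sub)
    b64 = base64.encodebytes(_der(0x30, _der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"

ROOT = fake_cert("Example Root CA", "Example Root CA")
INTERMEDIATE = fake_cert("Example Root CA", "Example Intermediate CA")
SERVER = fake_cert("Example Intermediate CA", "radius.example.org")
```

On a real deployment, pass the contents of the certificate file the RADIUS server is configured to send and the root CA file uploaded to CAT; a `False` result for the new file where the old one gave `True` points to a dropped intermediate.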