
cat-users - [[cat-users]] wildcard certificates supported?

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Jose Manuel Macias Luna <jmanuel.macias AT rediris.es>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: [[cat-users]] wildcard certificates supported?
  • Date: Thu, 16 Feb 2017 12:43:28 +0100


Hi,

I'm not sure about this, but surely Tomasz, Alan or Stefan can give an
appropriate answer.

One of our institutions is using a wildcard certificate for their RADIUS
server (with CN *.someidp.tld), and that's what they have configured in
the eduroam CAT admin interface. This institution in particular is having
problems with installers for win8 and win10, and the only suspicious
thing I see in their profile is the wildcard certificate.

I have been having a look at the admin guide and it says nothing about this
particular case:

«The name of your server as specified in the Common Name (CN) of your
EAP server certificate»

https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+institution+administrators#AguidetoeduroamCATforinstitutionadministrators-Institution-wideSettings

I did find some text (I think from Stefan?) in the "EAP Server
Certificate Considerations" article:

server name not a wildcard name (e.g "*.someidp.tld")
Some supplicants exhibit undefined/buggy behaviour when attempting to
parse incoming certificates with a wildcard. Windows 8 and 8.1 are known
to choke on wildcard certificates.

https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations

So my question is... is this accepted by all the clients configured by
CAT, or would some of them only admit somename.someidp.tld?

If so, I think we should maybe issue a warning in the CAT web interface
for admins, and/or update the admin guide to reflect this.


Thanks in advance,

Jose Manuel.
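
The kind of admin-side warning suggested in the message above, as an added example that is not part of the original message and not eduroam CAT's own code: it parses the text printed by `openssl x509 -noout -subject -ext subjectAltName` and flags wildcard names and a profile server name that differs from the certificate CN. The sample certificate text and the function names are constructed for illustration, and checking subjectAltName entries as well as the CN goes beyond what the message discusses.

```python
import re

# Constructed sample (placeholder names), shaped like the output of:
#   openssl x509 -in server.pem -noout -subject -ext subjectAltName
WILDCARD_CERT = """\
subject=C = ES, O = Some IdP, CN = *.someidp.tld
X509v3 Subject Alternative Name: 
    DNS:*.someidp.tld, DNS:someidp.tld
"""
SPECIFIC_CERT = """\
subject=C = ES, O = Some IdP, CN = radius.someidp.tld
X509v3 Subject Alternative Name: 
    DNS:radius.someidp.tld
"""


def cert_names(openssl_text):
    """Return (common_names, dns_sans) parsed from the openssl text output."""
    cns, sans = [], []
    for line in openssl_text.splitlines():
        line = line.strip()
        if line.startswith("subject"):
            # Accepts "CN = x" (OpenSSL 1.1+) and "/CN=x" (older) layouts.
            cns += [m.strip() for m in re.findall(r"\bCN\s*=\s*([^,/]+)", line)]
        else:
            sans += re.findall(r"DNS:([^,\s]+)", line)
    return cns, sans


def check_profile(server_name, openssl_text):
    """Return warnings for a profile server name and its server certificate."""
    cns, sans = cert_names(openssl_text)
    warnings = []
    if "*" in server_name:
        warnings.append(f"profile server name is a wildcard: {server_name}")
    for name in sorted({n for n in cns + sans if "*" in n}):
        warnings.append(f"certificate contains wildcard name: {name}")
    if server_name.lower() not in {cn.lower() for cn in cns}:
        warnings.append(f"profile server name {server_name} is not the certificate CN")
    return warnings


if __name__ == "__main__":
    for label, text, name in (("wildcard", WILDCARD_CERT, "*.someidp.tld"),
                              ("specific", SPECIFIC_CERT, "radius.someidp.tld")):
        print(label, check_profile(name, text) or "no warnings")
```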


