cat-users - RE: [[cat-users]] FW: eduroam CAT tool Chromebook issue

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: "Fergusson, David" <D.J.Fergusson AT ljmu.ac.uk>
  • To: "'Visser,Ramon R.D.'" <r.visser AT fontys.nl>, Stefan Winter <stefan.winter AT restena.lu>, "'cat-users AT lists.geant.org'" <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] FW: eduroam CAT tool Chromebook issue
  • Date: Wed, 7 Feb 2018 16:10:28 +0000
  • Accept-language: en-GB, en-US

Hi,
I work on the network team @ Liverpool John Moores University. One of our
staff has this issue with their personal Chromebook. As we don't have any
Chromebooks in the office to play with, we have ordered one. We should have
that in a few days.

Regards

Dave

-----Original Message-----
From: Visser,Ramon R.D. [mailto:r.visser AT fontys.nl]
Sent: 07 February 2018 14:53
To: Stefan Winter <stefan.winter AT restena.lu>; Fergusson, David <D.J.Fergusson AT ljmu.ac.uk>; 'cat-users AT lists.geant.org' <cat-users AT lists.geant.org>
Subject: RE: [[cat-users]] FW: eduroam CAT tool Chromebook issue

Hi Stefan,

Thanks for the mail.

I will ask my colleagues from operations if this issue is ongoing and if
it's possible to get a non-EV certificate tested.

Kind regards,

Ramon


Ramon Visser * Virtueel Security Cluster Coördinator, Dienst IT * Fontys
Hogescholen Het Eeuwsel 2, 5612 AS * Gebouw S1, kamer /flex * Postbus 347,
5600 AH Eindhoven
r.visser AT fontys.nl
+31618390398


-----Original Message-----
From: Stefan Winter [mailto:stefan.winter AT restena.lu]
Sent: Friday 26 January 2018 15:41
To: Fergusson, David <D.J.Fergusson AT ljmu.ac.uk>; 'cat-users AT lists.geant.org' <cat-users AT lists.geant.org>; Visser,Ramon R.D. <r.visser AT fontys.nl>
Subject: Re: [[cat-users]] FW: eduroam CAT tool Chromebook issue

Hello,

this is now the second time in three months that someone reported an issue
with Chromebook CAT installers. Since we weren't able to conclude what the
exact problem was back in the day, and both of you share common setup
specialities, I'm cc'ing Ramon Visser in this thread again; maybe there's
something in it for both of you.

Both Ramon and David are using proper CA-signed certificates with a correct
intermediate chain, so one might think this should work :-)

However, both have Extended Validation certificates, one coming from DigiCert
and one from QuoVadis. Both do not work.

The counter-test was our own RESTENA certificates which are self-signed and
(obviously) not EV, and they did work. There are also thousands of downloads
for Chromebook, so the corresponding CAT modules are in frequent use, and I
haven't heard of massive problems. So this can't be a programmatic mistake
affecting everybody. There's a mix of commercial CA roots and self-signed
throughout the user base, so I don't think the discriminating property is
self-signedness.

This makes me believe that ChromeOS somehow does not trust EV certificates in
the context of Wi-Fi.

Which is rather stupid, as those are typically considered even /more/ valid
than normal certs - but they are only defined as such for Web Browser use
cases, so an implementer might construct a strange argument that they aren't
valid/meant for Wi-Fi.

So - if any of you two could get hold of a non-EV certificate to test this
hypothesis, I would be most grateful.

Greetings,

Stefan Winter

On 25.01.2018 at 17:30, Fergusson, David wrote:
> Hi, we have recently updated our eduroam certificate. All our Windows
> and Mac clients have been able to use the eduroam CAT tool to update
> their settings with no issue, which is great.
>
> However, we have recently had an issue reported to us for Google
> Chromebooks. Unfortunately the CAT tool does not seem to be working on
> these devices (or importing the correct settings) onto the device.
> Also if you go through manually we cannot see the new root CA
> (QuoVadis Root VA 2 G3). Is this something Jisc or eduroam is aware of?
> Is there a fix for this?
>
> Any help would be much appreciated.
>
> Kind Regards
>
> Dave Fergusson
> Client Networks Lead
> Information and Technology Services
> 2nd Floor, Exchange Station, Tithebarn St, Liverpool, L3 2QP
> t: 0151 904 6503 m:07826 893 427
> d.j.fergusson AT ljmu.ac.uk


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la
Recherche 2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's
key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66