cat-users - Re: [[cat-users]] Android Connectivity using CAT

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: cat-users AT lists.geant.org, Jeremy Plumley <jmplumley AT gtcc.edu>
  • Subject: Re: [[cat-users]] Android Connectivity using CAT
  • Date: Fri, 23 Feb 2018 08:26:29 +0100
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

okay, next up in the list of things Android doesn't like: does your CAT
profile have more than one root CA listed? Up until the most recent
versions of Android, only one root CA could be installed. So if there is
more than one to choose from, you might have gotten the unlucky pick.

The realm check feature is available from the IdP overview page: once
you have a profile which is fully configured, the button "Check realm
reachability" becomes clickable. It is directly below the "Installer
Fine-Tuning ..." button inside the profile box.

Note that you have to enter the actual realm in the profile properties
- the realm is not strictly necessary to enable installer generation,
but it is needed if we are supposed to run checks against the realm,
obviously.

Greetings,

Stefan Winter

Am 22.02.2018 um 19:22 schrieb Jeremy Plumley:
> Yes, I have uploaded the root CA and the intermediate CA on our CAT
> profile. I'm in the process now of seeing if I can combine the server and
> intermediate together before applying it to my radius. How do I use the
> realm check feature to see if that is my issue?
>
> Jeremy Plumley
> ITS Network Administrator
> Ext 50024
>
>
> -----Original Message-----
> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
> Sent: Thursday, February 22, 2018 4:28 AM
> To: Jeremy Plumley <jmplumley AT gtcc.edu>; cat-users AT lists.geant.org
> Subject: Re: [[cat-users]] Android Connectivity using CAT
>
> Hello,
>
> Android has an ample selection of shortcomings to choose from :-)
>
> Do you by any chance have a setup with an intermediate CA in addition to
> the root CA?
>
> And you have uploaded that intermediate CA into the CAT profile?
>
> That's great and makes all the operating systems you listed above work.
>
> Except for Android: it is not possible to install the intermediate CA
> together with the root there.
>
> For Android, you have to make sure that your RADIUS server sends the
> intermediate CA together with the server cert during the EAP conversation;
> otherwise Android cannot create the chain up to the root CA.
>
> There should be a warning in the realm check feature about intermediate CAs
> only being in configuration, but not in the EAP conversation if that is the
> cause of the problem. Do you see that warning?
>
> Greetings,
>
> Stefan Winter
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
> E-Mail correspondence to and from this address may be subject to the North
> Carolina Public Records Law and shall be disclosed to third parties when
> required by the statutes (G.S. 132-1.)
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
