The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Stefan Winter <stefan.winter AT restena.lu>]

Hi,

> Just a quick question in relation to the CAT install process. Is it
> expected that users receive a warning about our CA certificate being
> untrusted and to verify identity (Android app) or that the connection
> may involve traffic being inspected by HTTPS proxy (iOS)?

No, this is not expected.

> We’re using a self-signed certificate as per the Jisc UK eduroam
> configuration guide so on a technical level you might expect the warning
> but it is very prominent to the user given we’ve had to manually upload
> certificates as part of the CAT profile and the interception message
> seems a bit surprising.

Yes, this is a bit surprising.

I see from your installers that you don't really have a self-signed
certificate; it's more like a private CA (i.e. server certificate is
issued by your CA, but not identical to it).

The issuer would be

Issuer: DC = uk, DC = ac, DC = havering-college, DC = campus, CN =
Havering College eduroam service

Since your RADIUS server refuses to even engage in an EAP conversation
with me, I can't actually see the /server/ certificate and chain that
would be presented during the actual authentication.

Can you double-check that your server certificate has a CN and
subjectAltName:DNS of "edurad1.havering-college.ac.uk", is signed by the
CA above, has a 2048 bit key, is signed with SHA-2 etc.?

If you don't want to verify all this yourself, sending me the server
cert would also do, I can take a quick look.

> Also on the Android app is there any reason why Havering College doesn’t
> always appear if we try to search for a profile within the app “Nearby
> Configs” (rather than going back out to the CAT website and obtaining it
> there?) Sometimes it loads via the manual search and other times not
> (oddly at one point I had Anglia Ruskin but with the Havering College
> logo appear?)

We get very occasional reports on the sort order sometimes being
incorrect. It would be great if you could find a reproducible case; we
haven't had much luck reproducing such an issue so far.

> Finally on the list of institutions what is the initial method of
> Geolocation if the user doesn’t select HTML5? It seems to be defaulting
> to somewhere in London on my 4G connection, is this because the CAT site
> sees the location of my ISP rather than device?

We use a geolocation database from MaxMind to guess from IP address to
physical location. Naturally, this gives a result dependent on the ISP.
Accuracy varies in the km order of magnitude.

That isn't usually a big deal - unless you are in a city like London
where one km makes a huge difference of hundreds of IdPs being
re-ordered wrongly. There is unfortunately little we can do about this.

Greetings,

Stefan Winter


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0xC0DE6A358A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature