Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] CAT \ Google Play domains

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] CAT \ Google Play domains


Chronological Thread 
  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Gerrard Shaw <GShaw AT havering-college.ac.uk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] CAT \ Google Play domains
  • Date: Wed, 23 May 2018 14:48:28 +0200
  • Autocrypt: addr=stefan.winter AT restena.lu; prefer-encrypt=mutual; keydata= xsFNBFIplEwBEADTSz+DS8nio+RSvfSLLfaOnCGi1nqpn8Pb1laVUyEvnAAzZ5jemiS88Gxf iDH6hUGlWzcaW0hCfUHGiohr485adbjxRksPngWgAt/1bRxpifsW3zObFjgog01WWQV5Sihl wc4zr8zvYbFA5BJZ6YdkR9C5J015riv5OS30WTjA65SSXgYrb7zJWPwmegTFwE093uBFvC39 waz3xYpVu5j87nO6w2MVQt/8sY2/2BFPEq+xfOajl18UEwc7w8SCgnZdlVNcmEK4UBvJuwS/ 1lsR2JeQa8Gu1EDxC7PRgMgNXsDSWnnBe9aVmfG54+6ILe1QH2dwk9sPBQT5w2+vjijrb3Dv 9ur+1kN+TNU2XE436jVpnnY/3OsLdix30STQn4Q/XOm7YoVMeDwwviefilRxzK0dXA+wKj92 T68Od82CFxuZqPAgBCVmWfQM91iK9piqFK+QP+R3vF6+NGDBdwbe68iVKs0v5L8XmbxBQndj pmo+lo2asmBR2TAIfZHaKdgtBw13u3GPVVKlg/Mpko8ki9JOSem2aFyi3kQEVKptWgXT3POl 97DWJzsR5VyKz6GOx9kJAEISRyLZwm0wqh8+9LCza5oeIKW381lzq1b9x30vOh8CBSQQJ+cG 9ko0yPHAj7Suw2TmPXx1qMctmE6Ahq82ZW30SljdZby8WQuR2wARAQABzTxTdGVmYW4gV2lu dGVyIChSRVNURU5BIGtleSAyMDEzKykgPHN0ZWZhbi53aW50ZXJAcmVzdGVuYS5sdT7CwXkE EwECACMFAlIplEwCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRDA3mo1ijncZj7/ D/99hVS+mJr8dSPCaDaUFFxBiT2eI1LoR8VKEerTCRw5BsdL6pN2eRJZ9NmsqWo1ynWVHEzO 91bNZ+oZGgyoNohcBAI7p+r0qUTzkyqwdZO4kMm0pqKoM9xkP3tf2mjGujKjOz4Y7S7wnz2Z FokeUsecoRVJF/++/qHnmeWLn44J1HUKLHYCjMu+QXGOgGXgz024jQ5eUrnPwzNp0Z90AFVH lWC+bymty/ToIUUCQqS5Ff0jzdWLd8U695OG9iGvjBQT1LdEjsfbAwuKV5UcnpxNqUpUwKa5 9hdX5/2cMZP07FI1UXwnBlxa8rJfdb13FLjSKX4vUUHedYUZMjMPgcwl1a+zGE22lHiSQWgP 8QLA/W3BLsi22ERCEPZBfexOeOtaWIItDIz18fIaQoMDoRPshzar0JI2CzLYsyeKySAtYJEH FVoLmMvhkwzBmgqA/BEswUA67CfCr1jFHRXdpmWM7YkyAmMa9q6LwquWKS5+MXlUXe/3oZUc gpw/T9Uuy3Jo3RdS7B3jFcWaVr6KsO/A9u1gr/aYn5M+iJTQSj4vzqtkQaJTpSspRZoKa66H Zt3IwSYiDiYZqtM83ynuj9kjnZzGfnuTaNIi996q6Mptr33mOzIE1wmMqnJYwTr3EcNtf483 q/qrJwh5ES8Q9xY7aat/ZcSl8fKubW4TlfVr8c7BTQRSKZRMARAAvBPpn7FQq7LQ5glohtbL 6XIEo1U4X67S0TzUYieENSWSVYuWYIhCBldmWdmH8Bpj/qHeqdon7v+SLtR4WngzMR9toupK cFfHnbP9kpazTSB2ySHxXWGX1gJOpPXdCcg9iveKBHEsDn00ThTcPsvtXpnnzET16pXIvOXO 0bxTmVZ4INIF1SWgvYma/g8kBbgXLpkj8tOywBqFiiYPEZlDeCxDHiMgUDh6olda9K/0TZFT dMPUgjKuubfAeaDNCOrVt4RjmFOaRLikcZocmgJhm3z/j25x7/mnNu+0di1H/S67YGQJ+pqC FInzIXDx7aRW2+JCiqsY2X3xOPWZZzjyis5SNnfOcPH3gt2hYz1fy+thsBGf4NgCN01JRqIJ 2/MOQCgUdwh+9l8xqaJvCkUHM4hVh4W62MAe1u7UEqQbvvNEqxM5034vcvlE+/LRkrDCspw+ 2YJ9QyroLerVRwW5DVleP8Ifi8VB3yD80nqXYs9aqRy0BkDNIQ43ERhESMt8dJqrNkxgC6pe mZrhNwyDh+hy2kPNGQh/iBpdKuH1o3E24TIZoV2v3YHvzob7aAYHddE/PofAXhJW7I9mAs+H dWDmnI8ckuPDFpFH+Y/BFGvEXgcnJAJ1wEvf+4LuiIi0MHjR4EWFn9vvoFDAIqD10h3FSd3D 59HGtdSsNn4XaCsAEQEAAcLBXwQYAQIACQUCUimUTAIbDAAKCRDA3mo1ijncZhBtEACL036d djc5pFoYIdoUY1vT8SMXJNquewCnL1quDADzqDZFU5GNlQEy10krSfBwlTb9ahTtE0JFrOdZ wUZtoa1Pgfr8nU6KOgrXPHbNjS/9dyc5CwGVVIpOavIm2CsMVDJ9LCF/NT+u/t1k6eGfHhPV l3dUQyDa/lzc1chKUIVQYQkFmr0A/iXP+29lFCaI+IeyU0bSdZhezDwUROn5vEx+fiPZyHDS hCb+BxJv/o2LQp9JHenCiSbO+ioRZdxgbWfoKBuXOfmSStqMWXas/gZ5vS3xq72LNtKPRxgp jX3P8Zml1XDqpcBau7eK75VKE0Yd06YxnUIsbcEzInUc3uzW/u0DFpXYkMJb0XIvJyUt5yYP KfV13N8kSkPi5pLxm8yuftXMzfgeFMR7nafY3glTVj/TxElzg6xeZNqfC2ZjIbBtZg9ylHU8 u8wwB+dX282crs0R3N9A064C71/cXlBqcjzjlKH2NUIWGxr+od3TXFIFjszSU3NgMPKrWNhF LLwS81MpbkOe73s6aDhS8RDyNucoxtKXriLR+4Xiu4+pyj5ukYP1JqpB3ZobY/XZgCnJMye+ 7xeTpIDJ1LPORxM3NNAElyb26lxAK2P+km+EpI0Zzz6rNSCfg5jYQ474+e/GBgaSG4MlaPoZ +XAfN46u1Xjjv1/AkkA4IA6m5zP5og==
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

> Just a quick question in relation to the CAT install process. Is it
> expected that users receive a warning about our CA certificate being
> untrusted and to verify identity (Android app) or that the connection
> may involve traffic being inspected by HTTPS proxy (iOS)?

No, this is not expected.

> We’re using a self-signed certificate as per the Jisc UK eduroam
> configuration guide so on a technical level you might expect the warning
> but it is very prominent to the user given we’ve had to manually upload
> certificates as part of the CAT profile and the interception message
> seems a bit surprising.

Yes, this is a bit surprising.

I see from your installers that you don't really have a self-signed
certificate; it's more like a private CA (i.e. server certificate is
issued by your CA, but not identical to it).

The issuer would be

Issuer: DC = uk, DC = ac, DC = havering-college, DC = campus, CN =
Havering College eduroam service

Since your RADIUS server refuses to even engage in an EAP conversation
with me, I can't actually see the /server/ certificate and chain that
would be presented during the actual authentication.

Can you double-check that your server certificate has a CN and
subjectAltName:DNS of "edurad1.havering-college.ac.uk", is signed by the
CA above, has a 2048 bit key, is signed with SHA-2 etc.?

If you don't want to verify all this yourself, sending me the server
cert would also do, I can take a quick look.

> Also on the Android app is there any reason why Havering College doesn’t
> always appear if we try to search for a profile within the app “Nearby
> Configs” (rather than going back out to the CAT website and obtaining it
> there?) Sometimes it loads via the manual search and other times not
> (oddly at one point I had Anglia Ruskin but with the Havering College
> logo appear?)

We get very occasional reports on the sort order sometimes being
incorrect. It would be great if you could find a reproducible case; we
haven't had much luck reproducing such an issue so far.

> Finally on the list of institutions what is the initial method of
> Geolocation if the user doesn’t select HTML5? It seems to be defaulting
> to somewhere in London on my 4G connection, is this because the CAT site
> sees the location of my ISP rather than device?

We use a geolocation database from MaxMind to guess from IP address to
physical location. Naturally, this gives a result dependent on the ISP.
Accuracy varies in the km order of magnitude.

That isn't usually a big deal - unless you are in a city like London
where one km makes a huge difference of hundreds of IdPs being
re-ordered wrongly. There is unfortunately little we can do about this.

Greetings,

Stefan Winter


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0xC0DE6A358A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature




Archive powered by MHonArc 2.6.19.

Top of Page