The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[IAM David Bantz <db AT alaska.edu>]

Thanks for thoughtful response. Comments interspersed below.

David Bantz

On Wed, Oct 17, 2018 at 5:12 AM Stefan Winter <stefan.winter AT restena.lu> wrote:

In essence, you are testing two things at the same time: whether CAT
works, and whether your new Wi-FI / auth backend setup works.

That's usually a bad idea - if authentication fails you don't have an
easy way to distinguish whether the failure was because CAT did
something wrong or if it's due to your new operational setup.

Arguably we're changing more than two things at once, alas. However the WiFi / authN backend is independently tested independent of device-specific installers; (1) the CAT tools simulating login from remote sites were enormously helpful in verifying and tuning set-up for receiving and processing eduroam requests from the eduroam federation (using a secondary domain we also control so as not to disrupt production); (2) simple manual configuration of supplicants verify on-site connections.

 

I'd suggest to first test CAT on the production SSID. If that works, you
can be rather confident that the only changes you'll have to do CAT-side
are the adaptation to the new server certificate and server name; after
all these are the only two properties of your auth backend which are
visible to the outside world, and thus the only thing CAT cares about.

I don't think that's true; as user authentication is changing from EAP-TLS to EAP-PEAP, there's a fundamental difference in the configurations for current and new 802.1X configuration. Unless I am badly mistaken, the CAT installers have in themselves no way to fully configure our existing eduroam requiring on-demand creation and insertion of a user certificate from our current unsupported certificate factory. But even supposing such near-magic, installers that create and install user certificates consumed by freeRADIUS hardly provide confidence in a different set of installers for password authentication brokered by Cisco ISE.

Independently of that, you can test your new equipment using manual
configuration.

check; done 

In fact, for almost all operating systems CAT installers support more
than one CA and more than one server name. So in theory, *one* installer
could indeed support both the prod and test setup.

Such an installer would have to generate a user certificate on the fly for the current production on-site eduroam configuration for use with EAP-TLS as well as supporting EAP-PEAP for new infrastructure. Perhaps all that can be crammed into one installer, but then what's the flow? - how does the wireless controller determine which RADIUS server to query? if determined by the supplicant, what triggers one or the other request? And once a RADIUS server is selected, how does the supplicant know whether to use TLS or PEAP for the inner identity?