cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: IAM David Bantz <dabantz AT alaska.edu>
- To: cat-users AT lists.geant.org
- Subject: [[cat-users]] progress toward deployment with CAT
- Date: Wed, 21 Nov 2018 12:25:09 -0900
- Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (2048-bit key) header.d=alaska-edu.20150623.gappssmtp.com
Thanks to consistently helpful support in this forum and especially from Stefan Winter, we are getting close to eduroam deployment on new infrastructure relying on the CAT installers at U Alaska. I'm documenting the changes we needed here "for the record."
Our new (RADIUS) authentication server was initially sending a certificate chain starting with the InCommon (Comodo) server cert, terminating in a root CA that expires May 2020, and an intermediate cert that was a variant of a root CA. Two variants (the well-known root CA and the intermediate variant in the InCommon-provisioned chain) of the same certificate flummoxed Windows supplicants, preventing them from establishing trust. Other supplicants established trust but would be invalidated in just 18 months with the expiration of the root CA cert.
We confirmed that an alternative shorter trust chain from the server cert can be verified in all tested cases and persuaded an initially skeptical server admin to manually re-configure to use that shorter chain (InCommon server CA intermediate and USERTrust root CA good to 2038).
A revised CAT profile using the new longer-lived root CA tested successfully on current Android, iOS, Linux, MacOS and Windows clients. [Android installation seems significantly more cumbersome than the others, and will probably create more help requests than all the others combined, but that is apparently well known.]
GÉANT CAT and this community represent a shining example of collaboration and building trust.
David Bantz
U Alaska