The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

["Blair T. Sawler" <blair.sawler AT unb.ca>]

Hi

Thanks for the replies, I've passed it on to the network and systems teams, 
I'll let you know.

-Blair

-----Original Message-----
From: Stefan Winter <stefan.winter AT restena.lu> 
Sent: January 18, 2019 10:39 AM
To: Blair T. Sawler <blair.sawler AT unb.ca>; cat-users AT lists.geant.org
Subject: Re: [[cat-users]] Android CAT Issues

Hello,

my bad for giving you a canned answer without getting to the bottom of things 
first, sorry.

The issue is a different one.

In CAT, you configured the following two CAs:

1) root CA

Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert 
Global Root G2

2) intermediate CA (irrelevant for Android installers, but anyway)

Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS 
RSA CA G1

However, looking at your actual EAP conversation, I see that the RADIUS 
server is sending the following server cert and intermediate:

Server:

Issuer: C = US, O = DigiCert Inc,OU = www.digicert.com, CN = RapidSSL RSA CA 
2018
Subject: wireless.unb.ca

Intermediate:
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global 
Root CA
Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA 
CA 2018

As you can see, the server cert's chain is NOT ending in the root CA you 
configured in CAT (... Global Root *CA* vs.. Global Root *G2*).

It is not surprising and actually intentional that Android refuses to 
authenticate against this (unknown, and from its POV possibly rogue) server.

To be honest, the bigger question which startles me somewhat is: why is this 
NOT an issue in all the other operating systems?

Would you happen to be aware of any special CA cross-signing going on in 
those CAs, which fixes this for operating systems knowing about the 
cross-signed variants?

Greetings,

Stefan Winter

Am 18.01.19 um 14:12 schrieb Stefan Winter:
> Hello,
> 
>> We’ve migrated our Wi-Fi at the University of New Brunswick (Canada) 
>> to eduroam only. We’re trying to streamline connectivity for our 
>> faculty/staff and students and have been promoting the eduroam CAT.
>> We’re having issues with the app on Android.
>>
>> If you set it up on the device, it just continually tries to connect.
>> Once you stop, and then go in to the wireless settings on the device, 
>> you can connect, if you do not validate the certificate.
>>
>> It works for all other operating systems. Has anyone else had this 
>> issue, and if so, were you able to resolve it?
>>
>> We are using PEAP with Pase2:MSCHAPv2.
>>
>> I’m asking on behalf of my team, so if you get too technical, I’ll 
>> pass on the question 😊
> 
> Your server certificate is issued by an intermediate CA, which in turn 
> ends in a root CA.
> 
> For Android, it is only possible to load root CAs onto the device, not 
> intermediates.
> 
> The intermediate is however /required/ for certificate validation to work.
> 
> The only way to make this happen is by making sure the RADIUS server 
> sends that intermediate certificate during the EAP exchange. If it is
> *only* sending the server certificate, the behaviour you describe occurs.
> 
> If that's the issue, then you should have a corresponding warning in 
> the admin area of CAT when running the realm reachability tests. Is that so?
> 
> Greetings,
> 
> Stefan Winter
> 


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche 2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's 
key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66