The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Martin Hierling <martin.hierling AT hs-owl.de>]

Hi Stefan, 
works now, thanks a lot for the fast response.

What i noticed, the password Input for the p12 shows the password in clear
on the screen? 
Can i change that?

Regards Martin

Hochschule Ostwestfalen-Lippe
  S(kim) Service - Kommunikation - Information - Medien
   Dipl. Ing. Martin Hierling
   Liebigstr. 87 - 32657 Lemgo
   Tel: +49 5261 702 5896
----------------------------------------------------------------
  Press any key... no, no, no, NOT THAT ONE!
----------------------------------------------------------------


-----Ursprüngliche Nachricht-----
Von: Stefan Winter [mailto:stefan.winter AT restena.lu] 
Gesendet: Dienstag, 5. Februar 2019 08:32
An: Martin Hierling; 'cat-users AT lists.geant.org'
Betreff: Re: example for client side p12 file inside android config

Hello,

below is a full file with a client certificate. This is what eduroam managed
IdP produces and what the eduroam CAT Android app is fully prepared to
consume. Actual certificate content is redacted.

Greetings,

Stefan Winter

<?xml version="1.0" encoding="utf-8"?>
<EAPIdentityProviderList
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:noNamespaceSchemaLocation="eap-metadata.xsd">
  <EAPIdentityProvider ID="14-12.lu.hosted.eduroam.org"
  namespace="urn:RFC4282:realm" lang="en" version="1">
    <AuthenticationMethods>
      <AuthenticationMethod>
        <EAPMethod>
          <Type>13</Type>
        </EAPMethod>
        <ServerSideCredential>
          <CA format="X.509" encoding="base64"> MII...XA==</CA>
          <ServerID>auth.lu.hosted.eduroam.org</ServerID>
        </ServerSideCredential>
        <ClientSideCredential>
          <ClientCertificate format="PKCS12" encoding="base64">
MII...nbc=</ClientCertificate>
        </ClientSideCredential>
        <InnerAuthenticationMethod>
          <EAPMethod>
            <Type>999</Type>
          </EAPMethod>
        </InnerAuthenticationMethod>
      </AuthenticationMethod>
    </AuthenticationMethods>
    <CredentialApplicability>
      <IEEE80211>
        <SSID>eduroam</SSID>
        <MinRSNProto>CCMP</MinRSNProto>
      </IEEE80211>
      <IEEE80211>
        <ConsortiumOID>001bc50460</ConsortiumOID>
      </IEEE80211>
    </CredentialApplicability>
    <ProviderInfo>
      <DisplayName>eduroam Luxembourg - Test Accounts</DisplayName>
      <ProviderLocation>
        <Longitude>5.948345661163329</Longitude>
        <Latitude>49.50425451619779</Latitude>
      </ProviderLocation>
      <Helpdesk>
        <EmailAddress>stefan.winter AT restena.lu</EmailAddress>
      </Helpdesk>
    </ProviderInfo>
  </EAPIdentityProvider>
</EAPIdentityProviderList>

Am 05.02.19 um 08:06 schrieb Martin Hierling:
> Hi,
> 
> i am trying to generate a android eap xml config with a p12 File 
> inside for client authentication.
> What i have so far ist he cat tool generated config without the cert 
> data, i also have a link to the metadata file:
> https://github.com/GEANT/CAT/blob/master/devices/xml/eap-metadata.xsd
> Also i bane some base64 encoded p12/pfx file with key/cert in it.
> 
> But i am not a xml/programmer guy so i didnt get this together.
> 
> Our config looks like this:
> 
> <?xml version="1.0" encoding="utf-8"?> <EAPIdentityProviderList 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
> xsi:noNamespaceSchemaLocation="eap-metadata.xsd">
>   <EAPIdentityProvider ID="th-owl.de" namespace="urn:RFC4282:realm"
> lang="de" version="1">
>     <AuthenticationMethods>
>       <AuthenticationMethod>
>         <EAPMethod>
>           <Type>13</Type>
>         </EAPMethod>
>         <ServerSideCredential>
>           <CA format="X.509" encoding="base64">MII...wg==</CA>
>           <CA format="X.509" encoding="base64">MII...chk5</CA>
>           <CA format="X.509" encoding="base64">MII...Bg==</CA>
>           <ServerID>radsec.skim.th-owl.de</ServerID>
>         </ServerSideCredential>
>         <ClientSideCredential/>
>       </AuthenticationMethod>
>     </AuthenticationMethods>
>     <CredentialApplicability>
>       <IEEE80211>
>         <SSID>eduroam</SSID>
>         <MinRSNProto>CCMP</MinRSNProto>
>       </IEEE80211>
>     </CredentialApplicability>
>     <ProviderInfo>
>       <DisplayName>Technische Hochschule Owstwestfalen-Lippe</DisplayName>
>       <Description>Eduroam Profil fuer die TH-OWL</Description>
>       <ProviderLocation>
>         <Longitude>8.905039999999985</Longitude>
>         <Latitude>52.01665</Latitude>
>       </ProviderLocation>
>       <Helpdesk>
>         <EmailAddress>support AT hs-owl.de</EmailAddress>
>         <WebAddress>https://www.hs-owl.de/skim/</WebAddress>
>         <Phone>+495261 702-2222</Phone>
>       </Helpdesk>
>     </ProviderInfo>
>   </EAPIdentityProvider>
> </EAPIdentityProviderList>
> 
> I can guess that i have to add something to ClientSideCredential with 
> some of ClientCertificate data.
> Can anybody provide a example where i can copy / paste the relevant 
> parts ...
> 
> Regards Martin
> 
> Hochschule Ostwestfalen-Lippe
>   S(kim) Service - Kommunikation - Information - Medien
>    Dipl. Ing. Martin Hierling
>    Liebigstr. 87 - 32657 Lemgo
>    Tel: +49 5261 702 5896
> ----------------------------------------------------------------
>   Press any key... no, no, no, NOT THAT ONE!
> ----------------------------------------------------------------
> 
> 


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche 2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: smime.p7s
Description: S/MIME cryptographic signature