The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Guy Halse <guy AT tenet.ac.za>]

Hi

Sorry for the late response. I was travelling and then forgot to add this reply.

On 2019/06/11 6:39 PM, Jenny Jordan wrote:

A number of Android users have reported being unable to connect to Eduroam having downloaded and installed the Eduroam CAT.  It appears that when you enter your username and password that part of the app doesn’t work as expected.  If you ignore it and at the end of the routine ‘forget’ the network, then join Eduroam in the usual way through the Android device wireless settings, then connection is successful.

We recently encountered a problem with Android Pie devices that turned out to be certificate related. The symptom was that, after installing the CAT profile and correctly entering usernames and passwords, Android reports authentication failed. Like you, manually adding a profile worked just fine -- even if I added the right CA certificate.

After a lot of digging we discovered the problem was related to SubjectAlternativeName entries in the final server certificate. Our certificate has multiple SANs in it because it is used for some other purposes, but we had only entered the subject CN into CAT's "Name (CN) of Authentication Server" field for the subject name match.

It turns out that this causes Android Pie (and maybe other versions, I didn't test) to fail certificate validation; it only works if we list all possible SANs as multiple "Name (CN) of Authentication Server" fields in CAT.

There's a small chance this could be the cause of your problem, and we happened to encounter it just when I first say your mail, so I thought to mention it.

- Guy

--
Guy Halse
Director Trust & Identity Tertiary Education & Research Network of South Africa NPC Fault Reporting: +27(21)763-7147 or support AT tenet.ac.za
Office: +27(21)763-7102
http://www.tenet.ac.za/contact
https://orcid.org/0000-0002-9388-8592

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature