
cat-users - RE: [[cat-users]] Multiple CA - Android

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Patrick Oberli <patrick.oberli AT ost.ch>
  • To: Andrea Delise <delise AT sissa.it>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] Multiple CA - Android
  • Date: Mon, 7 Dec 2020 07:52:19 +0000

Hello Andrea

For Android > 9 we no longer use the CAT installer in our university,
because Android finally accepts a domain name to validate for the
certificates. Thanks to this you no longer have to install the
certificate or select "don't validate certificate".
This is of course only a workaround for the issue you are seeing.
In your case, do you have the certificate installed on all RADIUS servers
(for that SSID) and also set as the active certificate? I have seen such
behavior if different certificates are being used, but not issued by the same
CA.

Kind regards

ICT - IT-Infrastructure
Network and Multimedia Team
Patrick Oberli

Direct phone: +41 58 257 4958
Email: patrick.oberli AT ost.ch

OST – Ostschweizer Fachhochschule
ICT Information & Communication Technology | Oberseestrasse 10 | 8640
Rapperswil | Switzerland | https://www.ost.ch

OST – Ostschweizer Fachhochschule is the merger of HSR Rapperswil,
FHS St.Gallen and NTB Buchs.


-----Original Message-----
From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org>
On Behalf Of Andrea Delise
Sent: Monday, 7 December 2020 08:35
To: cat-users AT lists.geant.org
Subject: [[cat-users]] Multiple CA - Android

Hi everybody,

I'm Andrea Delise, one of the CAT (and eduroam) administrators for SISSA, an
Italian university. Since Terena has changed the certificate provider, we are
working on the rollout of the new CA. We are on a fairly tight schedule; we
didn't plan ahead to get the last certificate from the previous CA.

According to the documentation:

https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+IdP+administrators#AguidetoeduroamCATforIdPadministrators-Note3-CArolloversupport

for Android greater or equal to 7.1 everything should go fine. For all the
other OS (or at least the ones I tested) it went fine.

However, from my quick tests, a device with a rather vanilla Android 9.0 (my
own device, an Asus Zenfone Max Pro M1) was unable to authenticate with the
new CA, accepting certificates only from the old CA. Due to the COVID
restrictions and the lack of colleagues with testing devices, I wasn't able
to perform more extensive tests (but a Xiaomi with Android 10 worked ok,
while a Samsung with Android 10 showed the failed screen lock
detection bug discussed in another conversation).

What's your experience? Did I get an "unlucky" device or is the Android
version threshold different (7.1 or 10)?

Thank you and best regards,

Andrea Delise


______________________________________________
Andrea Delise
tel: +39-040-3787537  e-mail: delise AT sissa.it
SISSA Information Technology and Computing Services
http://www.itcs.sissa.it
via Bonomea 265 - I 34136 Trieste - Italy

