cat-users - Re: [[cat-users]] Multiple CA - Android

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Paul Dekkers <paul.dekkers AT surf.nl>
  • To: Andrea Delise <delise AT sissa.it>
  • Cc: <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Multiple CA - Android
  • Date: Mon, 7 Dec 2020 09:04:06 +0100

Hi Andrea,

> On 7 Dec 2020, at 08:35, Andrea Delise <delise AT sissa.it> wrote:
>
> Hi everybody,
>
> I'm Andrea Delise, one of the cat (and eduroam) administrators for SISSA,
> an Italian university. Since Terena has changed the certificate provider,
> we are working on the rollout of the new CA. We are on a fairly tight
> schedule, we didn't plan ahead to get the last certificate from the
> previous CA.
>
> According to the documentation:
>
> https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+IdP+administrators#AguidetoeduroamCATforIdPadministrators-Note3-CArolloversupport
>
> for Android greater or equal to 7.1 everything should go fine. For all the
> other OS (or at least the ones I tested) it went fine.
>
> However, from my quick tests, a device with a rather vanilla Android 9.0
> (my own device, an Asus Zenfone Max Pro M1) was unable to authenticate with
> the new CA, accepting certificates only from the old CA. Due to the COVID
> restrictions and the lack of colleagues with testing devices, I wasn't able
> to perform more extensive tests (but a Xiaomi with Android 10 worked ok,
> while a Samsung with Android 10 showed the failed screen lock detection bug
> discussed in another conversation).
>
> What's your experience? Did I get an "unlucky" device or is the Android
> version threshold different (7.1 or 10)?

I’m at risk of repeating myself: I was unable to get this lock screen issue
on a Samsung S10. If I can reproduce the issues you see, that may help us.

I had a hypothesis that the error showed up because of installing a private
CA; I see your current CA is from DigiCert: what are you planning to replace
it with? If that’s a self-signed CA, my hypothesis could still stand. If it’s
Sectigo instead of DigiCert, it could still be that my unlock pattern is
perceived as stronger by Android than a pin-code (with a particular length:
related to the requirement for Exchange servers too).

I’m also very curious if on this particular device and profile the
“geteduroam” App works for you. (The plan is to suggest geteduroam for
Android 8+ instead of the existing eduroam CAT app, and it may or may not
solve the problem: but that’s important to know.) We paid attention to, and
did test, multiple CAs. And it consumes the eduroam CAT profiles just fine.

Regards,
Paul



