
cat-users - Re: [[cat-users]] Multiple CA - Android

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



Re: [[cat-users]] Multiple CA - Android


  • From: Paul Dekkers <paul.dekkers AT surf.nl>
  • To: Andrea Delise <delise AT sissa.it>
  • Cc: <patrick.oberli AT ost.ch>, <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Multiple CA - Android
  • Date: Mon, 7 Dec 2020 13:07:38 +0100

Hi Andrea,

> On 7 Dec 2020, at 12:03, Andrea Delise <delise AT sissa.it> wrote:
>
> Hi Paul and Patrick, thanks for your replies.
>
> On 07/12/20 09:04, Paul Dekkers wrote:
>
>> I had a hypothesis that the error showed up because of installing a
>> private CA; I see your current CA is from DigiCert: what are you planning
>> to replace it with? If that’s a self-signed CA, my hypothesis could still
>> stand. If it’s Sectigo instead of DigiCert, it could still be that my
>> unlock pattern is perceived stronger by Android than a pin-code (with a
>> particular length: related to the requirement for Exchange servers too).
>
> I have managed to get a test wifi with the new certificate. The CA I was
> adding to Digicert was Sectigo. But the testing device was kindly provided
> by a colleague, so I couldn't perform many tests. And I couldn't play much
> with its security configuration, sorry... The device (a Samsung A40) was
> using a pattern lock, I tried to switch it to pin lock (I do not remember
> the pin length).
>
> I could get my hands on another Samsung Android device in a couple of days,
> in case I'll let you know.

Ok. It was mostly about reproducing things; I may just have a different
Android build on my S10, but I was unable to see the issues the last two
reports stumbled upon!

>
>> I’m also very curious if on this particular device and profile the
>> “geteduroam” App works for you. (The plan is to suggest geteduroam for
>> Android 8+ instead of the existing eduroam CAT app, and it may or may not
>> solve the problem: but that’s important to know.) We paid attention to,
>> and did test, multiple CAs. And it consumes the eduroam CAT profiles just
>> fine.
>
> Do you refer to the Samsung lock problem, or to the multiple CA
> installation? Is the geteduroam app available for all eduroam institutions?

It is! It reads all institutions and profiles from eduroam CAT (it caches
this, so there is a bit of a delay). So any profile in CAT should be usable
in geteduroam.

We thought there should not be an(other) eduroam App in the stores if it’s
not generic and for everyone to use. (There are already too many that target
just a few users or a single organization.) So you can just try geteduroam
and see how it works for you.

We test geteduroam with a few scenarios and devices, and one of those
scenarios is multiple CAs. FWIW; there is also a scenario where geteduroam
creates an eduroam-specific (pseudo) account for you, but that’s not the way
the majority of the users will (currently) use it.

> For the multiple CA, that is my main concern now, my fear is that CAT
> installs the correct CA file with both CA, but some Android devices refuse
> to look further than the first CA in the file. My main question remains: what
> are the community statistics about installation and usage of multiple CA on
> android < 10? Am I the unlucky guy?

I can’t answer that myself, but from what I’ve seen many do a “hard
rollover”, or tell their Android users about possible issues. Or say “from
day X the profiles from CAT use the new certificates”.

> I read the documentation more carefully, and it says:
>
> Android 7.1 finally got its support for multiple trust roots; the
> eduroamCAT app will support that in a future update.

Oh. I did not check, I assumed by what people wrote here. In that case, it
may not be in eduroam CAT - but it for sure is in geteduroam.

> What is the current state of the app? Is it supported? To my tests it looks
> working, but only for Android >=10...

Which is funny, because the eduroam CAT app uses APIs that are officially
deprecated from >=10 ;-)

The current plan is to suggest from the eduroam CAT pages to use the
geteduroam App on Android 8+, since geteduroam doesn’t do anything below. The
geteduroam Apps do receive more development and updates, so in case we see
problems we may be able to fix that in the future. (In particular on Android
11 up, we need an entirely new way of configuring networks via the API/SDK
than what is done in the current eduroam CAT App.)

Paul



