The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Jethro Binks <jethro.binks AT strath.ac.uk>]

I second Eleanor's question about whether there are other sites to whitelist; we will be in a similar position as we do the same, we have a captive portal setup SSID that limits to certain URLs for patching, app stores and the like.

It seems geteduroam pulls from CAT, so presumably the current whitelisting of "cat.eduroam.org" is sufficient?  Oh, now that I look I see we actually have 

"*.eduroam.org" too.

Jethro.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 

Jethro R Binks, Network Manager, 

Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.

---

From: cat-users-request AT lists.geant.org on behalf of Stefan Winter
Sent: Wednesday, March 17, 2021 12:12
To: Eleanor Coultish; cat-users AT lists.geant.org
Subject: Re: [[cat-users]] Android 11 Samsung Galaxy Note 20

Hello Eleanor,

thanks for getting in touch.

Looking at your University of York CAT profile, I see that you are using QuoVadis roots with the "QuoVadis Global SSL ICA G3" intermediate. You are probably aware of the revocation of an intermediate with that name by QuoVadis and their re-issue of an intermediate with the identical name but different fingerprint. https://community.jisc.ac.uk/groups/certificate-service/article/quovadis-intermediate-revoke-update

The reason why I think you're aware is because you have uploaded the new, correct variant of the intermediate with SHA1 fingerprint D4:66:18:CA:00:5D:4F:F3:7F:3B:14:00:93:D5:81:E0:63:CA:5A:E4 to CAT. Good!

Your RADIUS server also sends exclusively the new variant of the intermediate in its chain. Even better!

The only possible reason why cert validation might fail would be if something on those specific devices is interfering. Maybe the devices ship with the old variant of the intermediate still included in their trust store? The device might then get confused when seeing two "identical" certificates, both successfully leading to a root, but one revoked and one not.

TBH, that's about the only thing I can imagine going wrong. Especially when this happens only on one particular brand/version combination.

I'd be very interested in hearing from you if there is anything to be found in the device trust stores regarding this...

Greetings,

Stefan Winter

Am 16.03.21 um 15:17 schrieb Eleanor Coultish:

Hi,

When using either the geteduroam app or Ruckus Cloudpath to configure a Samsung Galaxy Note 20 the device is unable to connect to eduroam when the certificate is set to be validated. The particular Android build on this phone (11 with Feb security patch) still has the option for 'do not validate certificate' and it will connect to eduroam when it's set to this but obviously we'd prefer it to be validated. We've had a handful of these over the last few weeks, all Samsungs and mostly different flavours of the Note. I know it's not particular to the cat tool but I just wondered if anyone else has come across this issue and if there is a workaround?

One thing with the app though is that we have a restricted ssid that allows access to the Playstore to enable users to download the geteduroam app. When running the app though we get an error message to say we need a network connection to load the list of institutions. Is there something else we need to whitelist so that the app will work properly?

Thanks,

Eleanor Coultish
Network Operations Manager

IT Services
Information Services
University of York
Heslington, York YO10 5DD
+44 (0)1904 328467

EMAIL DISCLAIMER http://www.york.ac.uk/docs/disclaimer/email.htm

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users