
cat-users - Re: [[cat-users]] Android 11 Samsung Galaxy Note 20

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Robert Franklin <rcf34 AT cam.ac.uk>
  • To: Eleanor Coultish <eleanor.coultish AT york.ac.uk>
  • Cc: eduroam CAT Users list <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Android 11 Samsung Galaxy Note 20
  • Date: Wed, 17 Mar 2021 12:44:12 +0000

Hello,


> On 16 Mar 2021, at 14:17, Eleanor Coultish <eleanor.coultish AT YORK.AC.UK>
> wrote:
>
> When using either the geteduroam app or Ruckus Cloudpath to configure a
> Samsung Galaxy Note 20 the device is unable to connect to eduroam when the
> certificate is set to be validated. The particular Android build on this
> phone (11 with Feb security patch) still has the option for 'do not
> validate certificate' and it will connect to eduroam when it's set to this
> but obviously we'd prefer it to be validated. We've had a handful of these
> over the last few weeks, all Samsungs and mostly different flavours of the
> Note. I know it's not particular to the cat tool but I just wondered if
> anyone else has come across this issue and if there is a workaround?
>
> One thing with the app though is that we have a restricted ssid that allows
> access to the Playstore to enable users to download the geteduroam app.
> When running the app though we get an error message to say we need a
> network connection to load the list of institutions. Is there something
> else we need to whitelist so that the app will work properly?

Our wireless team have spent some time over the past few days looking at
problems with Samsung Note 20s, S10s and S20s running Android 11.

There appears to be a problem with PEAP authentication where the inner
identity is not being used but the outer identity is being resent as the
inner (which breaks using anonymous outer IDs). After some more digging, they
found a university in Germany (gwdg.de) which had a special profile for
Android 11 on Samsung:

https://info.gwdg.de/dokuwiki/doku.php?id=en:services:network_services:eduroam:android

... after contacting them, they confirmed that they'd also spent some time
investigating this and found the same bug. After speaking to Samsung, they
confirmed that the issue was that, if the outer ID was anything other than
'anonymous' (the literal string, not a blank username, or something else) or
'samsung-test' (!) the outer ID was re-used as the user. Apparently this
only affects EAP-PEAP and not EAP-TTLS, so the GWDG special profile uses that
instead. Samsung said this would be fixed with an update in 2021 Q2.

In our case, we use the outer ID to select the certificate we send back to
the supplicant (allowing them to choose between a local CA one and a public
CA one) and this broke the use of the local CA one as that requires that the
outer ID is '_token AT cam.ac.uk'.

We're working on a solution, probably to switch to EAP-TTLS for these
devices, but it does make the workflow a bit messy for the user.


I don't know if this is the same problem you're getting but, if it is, you'll
see it in your RADIUS server logs.

Interestingly, this doesn't affect Samsung Galaxy A51s (nor Google Pixel 4s)
running Android 11.

- Bob


--
Robert Franklin <rcf34 AT cam.ac.uk> / (+44 1223 7) 48479
Network Systems, University Information Services, University of Cambridge
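
The message above says the symptom shows up in the RADIUS server logs. The following is an added example, not part of the original message or of any RADIUS server: it flags PEAP attempts whose inner identity is the site's provisioned outer placeholder. The key=value log format, the placeholder identities and all sample lines are constructed assumptions; adapt the parser to your server's real log layout.

```python
import re
from collections import Counter

# Assumption: outer identities that this site's profiles provision. No real
# account has these names, so seeing one as an inner identity is a symptom.
PLACEHOLDER_OUTER_IDS = {"_token@example.org", "anon-wifi@example.org"}

# Constructed sample lines in a hypothetical key=value log format.
SAMPLE_LOG = """\
2021-03-16T09:01:12 eap=PEAP mac=02:00:00:00:00:01 outer=_token@example.org inner=abc123@example.org result=accept
2021-03-16T09:02:40 eap=PEAP mac=02:00:00:00:00:02 outer=_token@example.org inner=_token@example.org result=reject
2021-03-16T09:02:55 eap=PEAP mac=02:00:00:00:00:02 outer=_token@example.org inner=_token@example.org result=reject
2021-03-16T09:03:10 eap=TTLS mac=02:00:00:00:00:03 outer=anon-wifi@example.org inner=def456@example.org result=accept
2021-03-16T09:04:31 eap=PEAP mac=02:00:00:00:00:04 outer=xyz789@example.org inner=xyz789@example.org result=accept
2021-03-16T09:05:02 eap=PEAP mac=02:00:00:00:00:05 outer=Anon-WiFi@Example.org inner=anon-wifi@example.org result=reject
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return dict(FIELD.findall(line))

def is_reused_outer(rec):
    """True when a PEAP inner identity is the provisioned outer placeholder."""
    outer = rec.get("outer", "").lower()
    inner = rec.get("inner", "").lower()
    return (rec.get("eap", "").upper() == "PEAP"
            and inner == outer
            and outer in PLACEHOLDER_OUTER_IDS)

def affected_clients(log_text):
    """Count symptomatic authentications per client MAC address."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_reused_outer(rec):
            hits[rec.get("mac", "unknown")] += 1
    return dict(hits)

if __name__ == "__main__":
    for mac, count in sorted(affected_clients(SAMPLE_LOG).items()):
        print(f"{mac}: {count} PEAP attempt(s) with outer identity reused as inner")
```

A user who deliberately sets the outer identity to their real username also produces matching inner and outer values, which is why the check only fires on the provisioned placeholders.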



