Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] Android 11 Samsung Galaxy Note 20

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] Android 11 Samsung Galaxy Note 20


Chronological Thread 
  • From: Robert Franklin <rcf34 AT cam.ac.uk>
  • To: Eleanor Coultish <eleanor.coultish AT york.ac.uk>
  • Cc: eduroam CAT Users list <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Android 11 Samsung Galaxy Note 20
  • Date: Wed, 17 Mar 2021 12:44:12 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cam.ac.uk; dmarc=pass action=none header.from=cam.ac.uk; dkim=pass header.d=cam.ac.uk; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PP40K/XqPgqJswV/i0Z/zxeZ2ZEIIqqrkvyLFoVQwf4=; b=nspPEOX5051TBy8mp8ngk4UipChjbswGso0tpxHIDBaTPu6xTh5GvIwrhGf0V2kAHyeMbEbFpza6UC9eLSUCoYOW+LZj7rze+yZ9QSjagPLd5JHbsDmTTF46uHFuoYw11bp6cWZapT2q5TSNijSA+BgNBnuiWXy+DcUzSBcqpGMaxRNTqPnGJHXrJK1Ut5Gxr9vpbsZLHftf1qCYgDhGSuIY/YDYU0HvEdX8HfKAKqaUbpkLDifKcWHHHsZG4fBASlZySXHIj31ivbqcULMf95uO6lFhGbEpTl9OCz7G3f1MSqIRDXzf58blEabwOjgWEVfeS++gmCjOUC2eVANthQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KoqY3owQiOHGsq3c5F65R2YGrXLH34TH5aIqz+0SIObpzwdDPUUUEe3UZfHh1P9usvSYYVOL8Y86aCbKcWCUhYvgMwpQTKi8I043voBfC/PP5yUQeXsJ7HPOHqNked2P+YXWcujHqfkvi4jqN2oGyMDFktX3cOLnzh2hS8JnejayGrUJv/MsyX3iyUR6sfM0qK1QrQjvTt3ASG+JFdFoCiZ9MoZnenMGqN2AqeOaimfJ3sBIOJOQSi+JTfx5kWe2jfqdJ4u6mROKz4JmXhA4XDk5ETizvSVOYZBf98HbinVx6ka3XLaJZ7Z+DE+hYlVw+bQkC3LwDQbSU+BqxJBPMg==
  • Authentication-results: york.ac.uk; dkim=none (message not signed) header.d=none;york.ac.uk; dmarc=none action=none header.from=cam.ac.uk;

Hello,


> On 16 Mar 2021, at 14:17, Eleanor Coultish <eleanor.coultish AT YORK.AC.UK>
> wrote:
>
> When using either the geteduroam app or Ruckus Cloudpath to configure a
> Samsung Galaxy Note 20 the device is unable to connect to eduroam when the
> certificate is set to be validated. The particular Android build on this
> phone (11 with Feb security patch) still has the option for 'do not
> validate certificate' and it will connect to eduroam when it's set to this
> but obviously we'd prefer it to be validated. We've had a handful of these
> over the last few weeks, all Samsungs and mostly different flavours of the
> Note. I know it's not particular to the cat tool but I just wondered if
> anyone else has come across this issue and if there is a workaround?
>
> One thing with the app though is that we have a restricted ssid that allows
> access to the Playstore to enable users to download the geteduroam app.
> When running the app though we get an error message to say we need a
> network connection to load the list of institutions. Is there something
> else we need to whitelist so that the app will work properly?

Our wireless team have spent some time over the past few days looking at
problems with Samsung Note 20s, S10s and S20s running Android 11.

There appears to be a problem with PEAP authentication where the inner
identity is not being used but the outer identity is being resent as the
inner (which breaks using anonymous outer IDs). After some more digging, the
found a university in Germany (gwdg.de) which had a special profile for
Android 11 on Samsung:

https://info.gwdg.de/dokuwiki/doku.php?id=en:services:network_services:eduroam:android

... after contacting them, they confirmed that they'd also spent some time
investigating this and found the same bug. After speaking to Samsung, they
confirmed that the issue was that, if the outer ID was anything other than
'anonymous' (the literal string, not a blank username, or something else) or
'samsung-test' (!) the outer ID was re-used as the user. Apparently this
only affects EAP-PEAP and not EAP-TTLS, so the GWDG special profile uses that
instead. Samsung said this would be fixed with an update in 2021 Q2.

In our case, we use the outer ID to select the certificate we send back to
the supplicant (allowing them to choose between a local CA one and a public
CA one) and this broke the use of the local CA one as that requires that the
outer ID is '_token AT cam.ac.uk'.

We're working on a solution, probably to switch to EAP-TTLS for these
devices, but it does make the workflow a bit messy for the user.


I don't know if this is the same problem you're getting but, if it is, you'll
see it in your RADIUS server logs.

Interestingly, this doesn't Samsung Galaxy A51s (not Google Pixel 4s) running
Android 11.

- Bob


--
Robert Franklin <rcf34 AT cam.ac.uk> / (+44 1223 7) 48479
Network Systems, University Information Services, University of Cambridge




Archive powered by MHonArc 2.6.19.

Top of Page