The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Eleanor Coultish <eleanor.coultish AT york.ac.uk>]

Thanks all for the replies.

Yes we are seeing the same issue as Bob. I did further testing yesterday and the radius logs show the username being sent is the outer identity rather than the inner. I tried different variations on the device including removing the outer id, but I didn't try anonymous AT york.ac.uk. I'll arrange to get the device back in for further testing and also try with TTLS.

Another thing that I spotted on Android 11 with both the cat tool and Cloudpath is that it populates the domain with radius.york.ac.uk which is the CN of our certificate rather than york.ac.uk. Is this expected? On the Pixel it works with either option but I don't want to change anything in case it breaks other OS's.

Glad we've managed to sort out the certs with the correct intermediate at either end. It did cause a bit of pain as our authentication specialist retired just before Christmas and we are still in the process of recruiting their replacement.

Finally, we already whitelisted cat.eduroam.org so I will try adding discovery.eduroam.app to the list.

Thanks again,

Eleanor Coultish
Network Operations Manager

IT Services
Information Services
University of York
Heslington, York YO10 5DD
+44 (0)1904 328467

EMAIL DISCLAIMER http://www.york.ac.uk/docs/disclaimer/email.htm

On Wed, 17 Mar 2021 at 13:45, Jethro Binks <jethro.binks AT strath.ac.uk> wrote:

Thanks Paul, sounds like this answers my question:

> We host our discovery data on a CDN; for the App to work, you'd
> basically need to whitelist both cat.eduroam.org addresses as well as
> discovery.eduroam.app - and that being rather dynamic, I'm not sure this
> works well.

Jethro.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 

Jethro R Binks, Network Manager, 

Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.

---

From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org> on behalf of Paul Dekkers <paul.dekkers AT surf.nl>
Sent: 17 March 2021 12:46
To: Eleanor Coultish <eleanor.coultish AT york.ac.uk>; cat-users AT lists.geant.org <cat-users AT lists.geant.org>
Subject: Re: [[cat-users]] Android 11 Samsung Galaxy Note 20

 

Hi,

On 16/03/2021 15:17, Eleanor Coultish wrote:
> When using either the geteduroam app or Ruckus Cloudpath to configure
> a Samsung Galaxy Note 20 the device is unable to connect to eduroam
> when the certificate is set to be validated. The particular Android
> build on this phone (11 with Feb security patch) still has the option
> for 'do not validate certificate' and it will connect to eduroam when
> it's set to this but obviously we'd prefer it to be validated. We've
> had a handful of these over the last few weeks, all Samsungs and
> mostly different flavours of the Note. I know it's not particular to
> the cat tool but I just wondered if anyone else has come across this
> issue and if there is a workaround?

I see you have your anonymous outer identity to "@york.ac.uk" in CAT;
can you try to either remove the outer identity enforcement alltogether?
(Or making that "anonymous AT york.ac.uk", but removing the requirement is
more certain.)

> One thing with the app though is that we have a restricted ssid that
> allows access to the Playstore to enable users to download the
> geteduroam app. When running the app though we get an error message to
> say we need a network connection to load the list of institutions. Is
> there something else we need to whitelist so that the app will work
> properly?

We host our discovery data on a CDN; for the App to work, you'd
basically need to whitelist both cat.eduroam.org addresses as well as
discovery.eduroam.app - and that being rather dynamic, I'm not sure this
works well.

Paul


To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users