
cat-users - Re: [[cat-users]] Android 11 Samsung Galaxy Note 20

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive


Re: [[cat-users]] Android 11 Samsung Galaxy Note 20


Chronological Thread 
  • From: Paul Dekkers <paul.dekkers AT surf.nl>
  • To: Eleanor Coultish <eleanor.coultish AT york.ac.uk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Android 11 Samsung Galaxy Note 20
  • Date: Thu, 18 Mar 2021 09:48:44 +0100

Hi,

On 17/03/2021 21:58, Eleanor Coultish wrote:
> Thanks all for the replies.
>
> Yes we are seeing the same issue as Bob. I did further testing yesterday and the radius logs show the username being sent is the outer identity rather than the inner. I tried different variations on the device including removing the outer id, but I didn't try anonymous AT york.ac.uk. I'll arrange to get the device back in for further testing and also try with TTLS.

That's indeed the issue we're looking at with the outer IDs. So far I can't confirm it happens with TTLS.

> Another thing that I spotted on Android 11 with both the cat tool and Cloudpath is that it populates the domain with radius.york.ac.uk which is the CN of our certificate rather than york.ac.uk. Is this expected? On the Pixel it works with either option but I don't want to change anything in case it breaks other OS's.

Both should work; as soon as you enter multiple hostnames we may need to take a part of the fqdn: the geteduroam Apps take that into account. If you have radius1.york.ac.uk and radius2.york.ac.uk we configure york.ac.uk. I myself think it's still preferable to configure the same certificate on all of your RADIUS servers so this is not a part of the hostname. (But the feature can be important for a transition, like we take multiple CAs into account.)

The geteduroam Apps pin not only the domain that is visible in the UI, but also the subjectAltName DNS (only available via the Android API), according to the TLS and TTLS specs, the deprecation notes of the normal Subject matching, the eduroam Wiki and the CAT compatibility checks.

> Glad we've managed to sort out the certs with the correct intermediate at either end. It did cause a bit of pain as our authentication specialist retired just before Christmas and we are still in the process of recruiting their replacement.
>
> Finally, we already whitelisted cat.eduroam.org so I will try adding discovery.eduroam.app to the list.

Can you whitelist on domain basis and not on IP? If that's the case I think this should work.

Regards,
Paul


Thanks again,
Eleanor Coultish
Network Operations Manager

IT Services
Information Services
University of York
Heslington, York YO10 5DD
+44 (0)1904 328467


EMAIL DISCLAIMER http://www.york.ac.uk/docs/disclaimer/email.htm



On Wed, 17 Mar 2021 at 13:45, Jethro Binks <jethro.binks AT strath.ac.uk> wrote:
Thanks Paul, sounds like this answers my question:

> We host our discovery data on a CDN; for the App to work, you'd
> basically need to whitelist both cat.eduroam.org addresses as well as
> discovery.eduroam.app - and that being rather dynamic, I'm not sure this
> works well.

Jethro.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 

Jethro R Binks, Network Manager, 

Information Services Directorate, University Of Strathclyde, Glasgow, UK


The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.



From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org> on behalf of Paul Dekkers <paul.dekkers AT surf.nl>
Sent: 17 March 2021 12:46
To: Eleanor Coultish <eleanor.coultish AT york.ac.uk>; cat-users AT lists.geant.org <cat-users AT lists.geant.org>
Subject: Re: [[cat-users]] Android 11 Samsung Galaxy Note 20
 
Hi,

On 16/03/2021 15:17, Eleanor Coultish wrote:
> When using either the geteduroam app or Ruckus Cloudpath to configure
> a Samsung Galaxy Note 20 the device is unable to connect to eduroam
> when the certificate is set to be validated. The particular Android
> build on this phone (11 with Feb security patch) still has the option
> for 'do not validate certificate' and it will connect to eduroam when
> it's set to this but obviously we'd prefer it to be validated. We've
> had a handful of these over the last few weeks, all Samsungs and
> mostly different flavours of the Note. I know it's not particular to
> the cat tool but I just wondered if anyone else has come across this
> issue and if there is a workaround?

I see you have your anonymous outer identity to "@york.ac.uk" in CAT;
can you try to either remove the outer identity enforcement altogether?
(Or making that "anonymous AT york.ac.uk", but removing the requirement is
more certain.)

> One thing with the app though is that we have a restricted ssid that
> allows access to the Playstore to enable users to download the
> geteduroam app. When running the app though we get an error message to
> say we need a network connection to load the list of institutions. Is
> there something else we need to whitelist so that the app will work
> properly?

We host our discovery data on a CDN; for the App to work, you'd
basically need to whitelist both cat.eduroam.org addresses as well as
discovery.eduroam.app - and that being rather dynamic, I'm not sure this
works well.

Paul


To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users
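
Added example, not part of the thread and not geteduroam or Android code: a sketch of the two checks discussed above, deriving the domain to pin from several RADIUS server names and matching it against a certificate's subjectAltName DNS entries. The function names are hypothetical, and the matching rule is assumed to follow wpa_supplicant's documented `domain_suffix_match` behaviour (whole-label suffix match on dNSName, falling back to the subject CN only when the certificate has no dNSName at all).

```python
def _labels(name):
    # Normalise: lower-case, drop a trailing root dot, split into DNS labels.
    return name.strip().lower().rstrip(".").split(".")


def common_domain_suffix(hostnames, min_labels=2):
    """Longest label-wise suffix shared by all configured server names.

    A single name is returned unchanged. min_labels refuses to pin to a
    bare TLD; it is not a public-suffix check (that is out of scope here).
    """
    if not hostnames:
        raise ValueError("no server names given")
    reversed_names = [_labels(h)[::-1] for h in hostnames]
    shared = []
    for column in zip(*reversed_names):
        if len(set(column)) != 1:
            break
        shared.append(column[0])
    if len(shared) < min_labels:
        raise ValueError("server names share no usable domain")
    return ".".join(reversed(shared))


def suffix_matches(dns_name, suffix):
    # Compare whole labels, so "notyork.ac.uk" does not match "york.ac.uk".
    name, want = _labels(dns_name), _labels(suffix)
    return len(name) >= len(want) and name[-len(want):] == want


def server_name_accepted(san_dns_names, subject_cn, suffix):
    # dNSName entries take precedence; the CN is consulted only if none exist.
    if san_dns_names:
        return any(suffix_matches(n, suffix) for n in san_dns_names)
    return bool(subject_cn) and suffix_matches(subject_cn, suffix)


if __name__ == "__main__":
    # Constructed sample values based on the names mentioned in the thread.
    pin = common_domain_suffix(["radius1.york.ac.uk", "radius2.york.ac.uk"])
    print(pin, server_name_accepted(["radius1.york.ac.uk"], None, pin))
```

With a single configured server name the pin is the full host name, which is why a certificate reused on all RADIUS servers keeps the pin as tight as possible.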

