
cat-users - Re: [[cat-users]] Android versions. CN vs entire certificate

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



Re: [[cat-users]] Android versions. CN vs entire certificate


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: nicolas.velazquez AT uam.es, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Android versions. CN vs entire certificate
  • Date: Tue, 4 May 2021 17:00:18 +0200

Hello,


you are asking an Android archaeology question. I can only give you a partial answer.


We started supporting Android with eduroam CAT only by the time Android 4.3 was released. The reason is that only that version's API level allowed configuring the tuple of (CA; expected server name) and thus was the first version that could do EAP server validation "properly".


I don't know how things were before that. We only started caring about Android with 4.3, and the eduroamCAT app is not even installable on older versions.


But then, Android 4.3 is way older than 4 years (something like 2013, 9 years ago!).


Maybe this other way you are talking about lived side-by-side for a while, and was finally obsoleted an unknown time ago. But then you were not using anything CAT offers to achieve onboarding with that other way of certificate pinning?


IMHO, the more interesting question is: why do you ask? CA+server name is much more flexible and "proper PKI" compared to pinning a single certificate. Do you need to support Android versions <4.3? If you don't, and care only about 4.3+, the advice would be to instruct users to use the "eduroamCAT" Android app and use that for configuring eduroam. The app will then install the root CA and expected server name, and things should work.


Greetings,


Stefan Winter


On 04.05.21 at 12:14, nicolas.velazquez AT uam.es wrote:

Hello all,

 

We have changed our eduroamCAT profiles due to the expiration of the machine certificate of our radius recently.

 

The last time before we carried out this process, four years ago, on Android, it was necessary for the mobile phones to incorporate the machine certificate.

 

Now, it is enough that the devices that want to connect contain only the certificate of the root authority and the name expected in the CN and SAN fields.

 

The question is the following: in which Android version did this change occur?

 

We have problems with old Android phones.

We suspect that the new profile I described above, only the CN and not the machine certificate itself, does not work well for them.

Is that right?

We want to know the Android version that started this new conf.

 

Thank you very much in advance,

 

Nicolás Velázquez Campoy

Unidad Técnica de Comunicaciones
Tecnologías de la Información
Universidad Autónoma de Madrid • Campus de Cantoblanco
c/ Fco Tomás y Valiente nº 11. Edificio B EPS, despacho TI-205 - 28049, Madrid
Tel.: 914973321 – nicolas.velazquez AT uam.es – www.uam.es
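The two validation models this thread contrasts, the (CA; expected server name) tuple Stefan describes and the older "install the machine certificate itself" pinning from the original question, side by side as an added example that is not part of this thread or of the CAT project. Go's standard library stands in for the Android supplicant; the CA name, the RADIUS hostname and every certificate are constructed in memory and are not the eduroam, UAM or RESTENA PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// Constructed names for a toy PKI; not the eduroam, UAM or RESTENA CA or RADIUS names.
const (
	CAName     = "Example University Root CA"
	ServerName = "radius.example.edu"
)

// certTemplate builds a CA or server template. The server name goes in both CN and
// SAN, as the original post describes; modern validators (Go included) use only the SAN.
func certTemplate(name string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if ca {
		t.IsCA = true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCert signs template with parentKey, or self-signs it when parent is nil,
// and returns the parsed certificate with its freshly generated P-256 key.
func newCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// TestPKI is the constructed certificate set the demonstration runs against.
type TestPKI struct {
	Root    *x509.Certificate // institution root CA: what CAT installs on the phone
	Server  *x509.Certificate // the RADIUS server certificate currently deployed
	Renewed *x509.Certificate // its replacement after expiry: same CA and name, new key
	Rogue   *x509.Certificate // same name, but issued by an unrelated CA
}

// BuildTestPKI generates everything in memory; nothing touches disk or the network.
func BuildTestPKI() (*TestPKI, error) {
	var firstErr error
	mk := func(t, parent *x509.Certificate, k *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		c, key, err := newCert(t, parent, k)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return c, key
	}
	root, rootKey := mk(certTemplate(CAName, 1, true), nil, nil)
	server, _ := mk(certTemplate(ServerName, 2, false), root, rootKey)
	renewed, _ := mk(certTemplate(ServerName, 3, false), root, rootKey)
	otherRoot, otherKey := mk(certTemplate("Unrelated CA", 4, true), nil, nil)
	rogue, _ := mk(certTemplate(ServerName, 5, false), otherRoot, otherKey)
	return &TestPKI{Root: root, Server: server, Renewed: renewed, Rogue: rogue}, firstErr
}

// ValidateCAAndName is the (CA; expected server name) check: the presented
// certificate must chain to the configured root AND carry the expected name.
func ValidateCAAndName(root, leaf *x509.Certificate, expected string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: expected})
	return err
}

// Fingerprint is the SHA-256 of the DER encoding: the value a single-certificate
// pin stores, so a routine renewal of the RADIUS certificate changes it.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}
```

Run against the constructed PKI, the deployed certificate passes both checks; the renewed certificate still passes the CA+name check but its fingerprint no longer matches the old pin, which is exactly the client breakage a pinning profile produces at every renewal; the rogue certificate with the right name but the wrong issuer fails the CA+name check. Go's verifier matches `DNSName` against the SAN only, so keep the SAN populated even when the CN also carries the name.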

 

