
cat-users - Re: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Paetow <Stefan.Paetow AT jisc.ac.uk>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS
  • Date: Tue, 11 May 2021 17:15:30 +0000

> > After googling around I found that in December 2020, the Android 11
> > QPR1 security disabled the ability to select “Do not validate” for the “CA
> > Certificate” dropdown in network settings for a given SSID and changed the
> > supplicant behaviour.
> ... and Samsung re-enabled (or still has) it, at least in a Student's
> Galaxy A51 with Android 11 we set up last week.

Yes, Samsung shoehorned it into the certificate validation option (i.e. 'use
system certs', 'use specific cert', or 'do not validate'). I can only surmise
that this must've come from somewhere for them to include it.

> IMO, the "Do not validate" setting has proven THE most dangerous
> thing in eduroam.

Undoubtedly. As is technically the server cert pinning that iOS uses if you
do not use geteduroam or an MDM profile (as issued by eduroam CAT).

> I do not miss it, but you may need to set up MDM, an onboarding
> network or local means of config transfer such as USB-OTG, which may
> mean a lot of work.

Yes, many of our universities use an onboarding network, although many of our
colleges and schools don't.

> in most Samsung devices (with the notable exception of the Galaxy
> S21).

Is it possible that the S21 has already received a fix for this issue? I have
a Samsung device here that did display the problem when I upgraded to Android
11. I'll power it up and check whether it's getting any updates.

Stefan Paetow
Federated Roaming Technical Specialist

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp AT jabber.dev.ja.net
skype: stefan.paetow.janet






