cat-users - RE: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Patrick Oberli <patrick.oberli AT ost.ch>
  • To: Stefan Paetow <Stefan.Paetow AT jisc.ac.uk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS
  • Date: Wed, 12 May 2021 06:41:53 +0000

Hi All

This is a very interesting discussion.
Yesterday I had a Samsung A52 in my hands, whose owner told me he
received a system update yesterday morning and since then his eduroam
(manual) configuration stopped working. We use PEAP MSCHAPv2 here with publicly
signed certificates. In his case, it was no longer possible to add the
eduroam profile manually and then authenticate. The Windows RADIUS always
complained about wrong username/password.
Once we used geteduroam to install the profile, it instantly worked.

Kind regards

ICT - IT-Infrastructure
Network and Multimedia Team
Patrick Oberli

Direct tel: +41 58 257 4958
Email: patrick.oberli AT ost.ch

OST – Ostschweizer Fachhochschule
ICT Information & Communication Technology | Oberseestrasse 10 | 8640
Rapperswil | Switzerland | https://www.ost.ch

OST – Ostschweizer Fachhochschule is the merger of HSR Rapperswil,
FHS St.Gallen and NTB Buchs.

-----Original Message-----
From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org>
On Behalf Of Stefan Paetow
Sent: Tuesday, 11 May 2021 19:16
To: cat-users AT lists.geant.org
Subject: Re: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS

> > After googling around I found that in December 2020, the Android 11
> QPR1 security disabled the ability to select “Do not validate” for the “CA
> Certificate” dropdown in network settings for a given SSID and changed the
> supplicant behaviour.
> ... and Samsung re-enabled (or still has) it, at least in a Student's
> Galaxy A51 with Android 11 we set up last week.

Yes, Samsung shoehorned it into the certificate validation option (i.e. 'use
system certs', 'use specific cert', or 'do not validate'). I can only surmise
that this must've come from somewhere for them to include it.

> IMO, the "Do not validate" setting has proven THE most dangerous
> thing in eduroam.

Undoubtedly. As is technically the server cert pinning that iOS uses if you
do not use geteduroam or an MDM profile (as issued by eduroam CAT).

> I do not miss it, but you may need to set up MDM, an onboarding
> network or local means of config transfer such as USB-OTG, which may
> mean a lot of work.

Yes, many of our universities use an onboarding network, although many of our
colleges and schools don't.

> in most Samsung devices (with the notable exception of the Galaxy
> S21).

Is it possible that the S21 has already received a fix for this issue? I have
a Samsung device here that did display the problem when I upgraded to Android
11. I'll power it up and check whether it's getting any updates.

Stefan Paetow
Federated Roaming Technical Specialist

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp AT jabber.dev.ja.net
skype: stefan.paetow.janet

