
cat-users - RE: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


RE: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS


  • From: Thorsten Fritsch <thorsten.fritsch AT unibas.ch>
  • To: Patrick Oberli <patrick.oberli AT ost.ch>, Stefan Paetow <Stefan.Paetow AT jisc.ac.uk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Cc: Beate Deiss <beate.deiss AT unibas.ch>, Philipp Petermann <philipp.petermann AT unibas.ch>
  • Subject: RE: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS
  • Date: Mon, 17 May 2021 05:41:52 +0000
  • Accept-language: en-US

Hi All,

Thanks for your appreciated feedback. In my case I still had the same issue
with the geteduroam app (on Android 11), which, based on our CAT profile,
still deployed the PEAP config to the client.
Unfortunately, it would work only after manually changing from PEAP to
EAP-TTLS with MSCHAPv2.

As I haven't heard of the geteduroam app before, I'm wondering if it's
trustworthy and safe to use. Is this app commonly used by the
Swiss/European EDU community?

Thanks and best,
Thorsten





-----Original Message-----
From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org>
On Behalf Of Patrick Oberli
Sent: Wednesday, 12 May 2021 08:42
To: Stefan Paetow <Stefan.Paetow AT jisc.ac.uk>; cat-users AT lists.geant.org
Subject: RE: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS

Hi All

This is a very interesting discussion.
Yesterday I had a Samsung A52 in hand, where the owner told me he
received a system update yesterday morning and since then his eduroam
(manual) configuration stopped working. We use PEAP MSCHAPv2 here with public
signed certificates. In his case, it was no longer possible to add the
eduroam profile manually and then authenticate. The Windows Radius always
complained about wrong username/password.
Once we used geteduroam to install the profile, it instantly worked.

Kind regards

ICT - IT-Infrastructure
Netzwerk- und Multimediateam
Patrick Oberli

Direct tel.: +41 58 257 4958
Email: patrick.oberli AT ost.ch

OST – Ostschweizer Fachhochschule
ICT Information & Communication Technology | Oberseestrasse 10 | 8640
Rapperswil | Switzerland | https://www.ost.ch

OST – Ostschweizer Fachhochschule is the merger of HSR Rapperswil,
FHS St.Gallen and NTB Buchs.

-----Original Message-----
From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org>
On Behalf Of Stefan Paetow
Sent: Tuesday, 11 May 2021 19:16
To: cat-users AT lists.geant.org
Subject: Re: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS

> > After googling around I found that in December 2020, the Android 11
> > QPR1 security disabled the ability to select “Do not validate” for the “CA
> > Certificate” dropdown in network settings for a given SSID and changed the
> > supplicant behaviour.
> ... and Samsung re-enabled (or still has) it, at least in a Student's
> Galaxy A51 with Android 11 we set up last week.

Yes, Samsung shoehorned it into the certificate validation option (i.e. 'use
system certs', 'use specific cert', or 'do not validate'). I can only surmise
that this must've come from somewhere for them to include it.

> IMO, the "Do not validate" setting has proven THE most dangerous
> thing in eduroam.

Undoubtedly. As is technically the server cert pinning that iOS uses if you
do not use geteduroam or an MDM profile (as issued by eduroam CAT).

> I do not miss it, but you may need to set up MDM, an onboarding
> network or local means of config transfer such as USB-OTG, which
> may mean a lot of work.

Yes, many of our universities use an onboarding network, although many of our
colleges and schools don't.

> in most Samsung devices (with the notable exception of the Galaxy
> S21).

Is it possible that the S21 has already received a fix for this issue? I have
a Samsung device here that did display the problem when I upgraded to Android
11. I'll power it up and check whether it's getting any updates.

Stefan Paetow
Federated Roaming Technical Specialist

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp AT jabber.dev.ja.net
skype: stefan.paetow.janet




To unsubscribe, send this message:
mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users


