cat-users - Re: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Paetow <Stefan.Paetow AT jisc.ac.uk>
  • To: Thorsten Fritsch <thorsten.fritsch AT unibas.ch>, Patrick Oberli <patrick.oberli AT ost.ch>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Cc: Beate Deiss <beate.deiss AT unibas.ch>, Philipp Petermann <philipp.petermann AT unibas.ch>
  • Subject: Re: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS
  • Date: Tue, 18 May 2021 21:49:48 +0000

Hi Thorsten,

Yes, geteduroam is now the preferred app on Android, because a) Swansea
University built the 'eduroam CAT' app and no longer actively develops it,
and b) 'eduroam CAT' on Android uses old API calls that are no longer
permitted on Android 11, so even if Swansea still supported 'eduroam CAT' on
Android, it wouldn't be allowed in the Google Play store anymore.

Also, geteduroam supports EAP-TLS if I remember correctly (through eduGAIN).

If there are any issues with geteduroam, get in touch with the team!

Stefan Paetow
Federated Roaming Technical Specialist

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp AT jabber.dev.ja.net
skype: stefan.paetow.janet


In line with government advice, at Jisc we’re now working from home and our
offices are currently closed. Read our statement on coronavirus
<https://www.jisc.ac.uk/about/corporate/coronavirus-statement>.

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT No.
GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
Bristol, BS2 0JA. T 0203 697 5800.


On 17/05/2021, 06:41, "Thorsten Fritsch" <thorsten.fritsch AT unibas.ch> wrote:

Hi All,

thanks for your appreciated feedback. In my case I still had the same
issue with the geteduroam app (on Android 11) which
based on our CAT profile still deployed the PEAP config to the client.
Unfortunately, it would work only after manually changing from PEAP to
EAP-TTLS with MSCHAPv2.

As I haven't heard of the geteduroam app before I'm wondering if it's
trustworthy and safe to use it. Is this app commonly used by the
Swiss/European EDU community?

Thanks and best,
Thorsten





-----Original Message-----
From: cat-users-request AT lists.geant.org
<cat-users-request AT lists.geant.org> On Behalf Of Patrick Oberli
Sent: Wednesday, 12 May 2021 08:42
To: Stefan Paetow <Stefan.Paetow AT jisc.ac.uk>; cat-users AT lists.geant.org
Subject: RE: [[cat-users]] Specific CatInstaller for Android11 with
EAP-TTLS

Hi All

This is a very interesting discussion.
Yesterday I had a Samsung A52 in my hands; the owner told me he received a
system update yesterday morning and since then his eduroam (manual)
configuration had stopped working. We use PEAP MSCHAPv2 here with publicly
signed certificates. In his case, it was no longer possible to add the
eduroam profile manually and then authenticate. The Windows Radius always
complained about wrong username/password.
Once we used geteduroam to install the profile, it instantly worked.

Kind regards

ICT - IT-Infrastructure
Network and Multimedia Team
Patrick Oberli

Direct phone: +41 58 257 4958
Email: patrick.oberli AT ost.ch

OST – Ostschweizer Fachhochschule
ICT Information & Communication Technology | Oberseestrasse 10 | 8640
Rapperswil | Switzerland | https://www.ost.ch

OST – Ostschweizer Fachhochschule is the merger of HSR Rapperswil,
FHS St.Gallen and NTB Buchs.

-----Original Message-----
From: cat-users-request AT lists.geant.org
<cat-users-request AT lists.geant.org> On Behalf Of Stefan Paetow
Sent: Tuesday, 11 May 2021 19:16
To: cat-users AT lists.geant.org
Subject: Re: [[cat-users]] Specific CatInstaller for Android11 with
EAP-TTLS

> > After googling around I found that in December 2020, the Android 11 QPR1
> > security disabled the ability to select “Do not validate” for the “CA
> > Certificate” dropdown in network settings for a given SSID and changed the
> > supplicant behaviour.
> ... and Samsung re-enabled (or still has) it, at least in a student's
> Galaxy A51 with Android 11 we set up last week.

Yes, Samsung shoehorned it into the certificate validation option (i.e.
'use system certs', 'use specific cert', or 'do not validate'). I can only
surmise that this must've come from somewhere for them to include it.

> IMO, the "Do not validate" setting has proven THE most dangerous
> thing in eduroam.

Undoubtedly. As is technically the server cert pinning that iOS uses if
you do not use geteduroam or an MDM profile (as issued by eduroam CAT).

> I do not miss it, but you may need to set up MDM, an onboarding
> network or local means of
> config transfer such as USB-OTG, which may mean a lot of work.

Yes, many of our universities use an onboarding network, although many of
our colleges and schools don't.

> in most Samsung devices (with the notable exception of the
> Galaxy S21).

Is it possible that the S21 has already received a fix for this issue? I
have a Samsung device here that did display the problem when I upgraded to
Android 11. I'll power it up and check whether it's getting any updates.

Stefan Paetow
Federated Roaming Technical Specialist

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp AT jabber.dev.ja.net
skype: stefan.paetow.janet



To unsubscribe, send this message:
mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link:
https://lists.geant.org/sympa/sigrequest/cat-users