
cat-users - [[cat-users]] eduroam and certificates

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Patrick Oberli <patrick.oberli AT ost.ch>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: [[cat-users]] eduroam and certificates
  • Date: Fri, 13 Aug 2021 13:29:03 +0000

Hello all

 

I’m currently wondering something about eduroam, PEAP and several RADIUS servers. Our CA really doesn’t like to provide one certificate with multiple hostnames, destined for several RADIUS servers.

I think I once tested this in the past, but I’m not sure. Assuming each RADIUS server has a separate certificate with only its own hostname in the CN and Subj-Alt-Name, will the clients need to accept each single certificate, depending on which RADIUS server the request is sent to by the Wi-Fi controller?

This is assuming the user connected by selecting the right SSID on his device, entering his username/password and then accepting the shown certificate. My assumption is yes, but I’m no longer entirely sure. Or does the operating system only check the domain and root CA (I think Android does that) if it’s the same today? So various certificates with the same domain from the same CA would not cause a certificate accept pop-up?

 

Kind regards

 

ICT - IT-Infrastructure

Network and Multimedia Team

Patrick Oberli

 

Direct phone: +41 58 257 4958

Email: patrick.oberli AT ost.ch

 

OST – Ostschweizer Fachhochschule

ICT Information & Communication Technology | Oberseestrasse 10 | 8640 Rapperswil | Switzerland | https://www.ost.ch

 

OST – Ostschweizer Fachhochschule is the merger of HSR Rapperswil, FHS St.Gallen and NTB Buchs.
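An added example, not part of the original message: a Python sketch of the two server-name checks the question contrasts, following the label-wise suffix rule that wpa_supplicant documents for `domain_suffix_match`. The host names and certificate fields are constructed, and validation of the chain up to the root CA is assumed to happen separately.

```python
# Added example: name checks a supplicant can apply to a RADIUS server
# certificate. All certificate data is constructed. Chain validation up to the
# trusted root CA is assumed to have succeeded before these checks run.

def labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def suffix_match(cert_name, suffix):
    """Label-wise suffix match: all labels of `suffix` must end `cert_name`."""
    c, s = labels(cert_name), labels(suffix)
    return len(c) >= len(s) and c[-len(s):] == s

def cert_names(cert):
    """Use dNSName SAN entries if present, otherwise fall back to the CN."""
    return cert["san_dns"] or [cert["cn"]]

def accept_by_suffix(cert, suffix):
    """One domain constraint covers every server certificate under it."""
    return any(suffix_match(n, suffix) for n in cert_names(cert))

def accept_by_exact_name(cert, pinned):
    """A single pinned host name only matches that one server."""
    return any(labels(n) == labels(pinned) for n in cert_names(cert))

# Constructed sample certificates (hypothetical names under example.org).
CERTS = [
    {"cn": "radius1.example.org", "san_dns": ["radius1.example.org"]},
    {"cn": "radius2.example.org", "san_dns": ["radius2.example.org"]},
    # Ends with the string "example.org" but is a different domain:
    # a plain string suffix test would wrongly accept it.
    {"cn": "radius.badexample.org", "san_dns": ["radius.badexample.org"]},
]

def evaluate(certs=CERTS, suffix="example.org", pinned="radius1.example.org"):
    """Return {cn: (accepted_by_suffix, accepted_by_exact_name)}."""
    return {c["cn"]: (accept_by_suffix(c, suffix),
                      accept_by_exact_name(c, pinned)) for c in certs}

if __name__ == "__main__":
    for cn, (by_suffix, by_exact) in evaluate().items():
        print(f"{cn:24} suffix={by_suffix!s:5} exact={by_exact}")
```

With a domain suffix constraint both per-server certificates pass the name check, while a profile pinned to one host name accepts only that server.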

 



