cat-users - RE: [[cat-users]] eduroam and certificates

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Patrick Oberli <patrick.oberli AT ost.ch>
  • To: Martin Pauly <pauly AT hrz.uni-marburg.de>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] eduroam and certificates
  • Date: Tue, 17 Aug 2021 12:46:57 +0000

Thanks for all your answers. I just did some additional testing, as I was
curious what will happen.

Test client is Windows 10 build 20H2 with an Intel adapter. I created a new
SSID with a brand-new radius server. Onto that server I installed the
certificate which I use on other servers. The contents of the certificate do
not match anything of the new server. So neither the CN nor the
subject-alternative-names match the new server in any way (besides the general
domain). When clicking on this new SSID on Windows and entering
username+password, I was presented, as usual, with the thumbprint of the
certificate, which I (as every user probably would) accepted, and clicked on
connect. Windows connected and Wi-Fi is working.
So it seems that Windows doesn't validate anything (for a correctly signed
and not outdated certificate) on the first connect, as long as the end-user
clicks on the connect button. I assume this is different if the profile has
been pre-provisioned in any way through an MDM or similar.

In the case of Android 11, which was already connected to this SSID with the
previous valid certificate, my phone didn't complain at all about the new
"valid" certificate (although even the Root CA switched). Probably because
the new one was still signed for the same domain (CN = radius.ost.ch) and I
entered ost.ch in the Wi-Fi profile properties.

I wonder now why I made all the fuss about a certificate for all servers in
the past, as long as all servers have the same certificate, regardless of the
CN and Subj-Alt-Names.
I haven't tested if Windows would complain if the thumbprint of the
certificate would now change, but I hope it does.

I hope this information helps somebody :)

Regards
Patrick

ICT - IT Infrastructure
Network and Multimedia Team
Patrick Oberli

Direct tel: +41 58 257 4958
Email: patrick.oberli AT ost.ch

OST - Ostschweizer Fachhochschule
ICT Information & Communication Technology | Oberseestrasse 10 | 8640
Rapperswil | Switzerland | https://www.ost.ch

OST - Ostschweizer Fachhochschule is the merger of HSR Rapperswil,
FHS St.Gallen and NTB Buchs.
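An added example, not from this thread: a small Python model of the supplicant-side checks Patrick's test touches on (CA trust, a server-name suffix match against the string configured in the profile rather than any DNS lookup, and the trust-on-first-use thumbprint prompt), run over constructed certificates that mirror his scenario. The suffix-match rule and the issuer-set CA check are assumptions of this model, not a description of any specific OS implementation.

```python
# Added example (not from the thread): a supplicant-side model of the checks that
# decide whether an EAP (PEAP/TTLS) server certificate is accepted. Certificates
# are constructed dicts, not parsed X.509; the CA check is an issuer-name lookup
# in the profile's trust set rather than a full chain build (assumption).
from dataclasses import dataclass

@dataclass
class ServerCert:
    cn: str
    san_dns: tuple           # dNSName SAN entries, may be empty
    issuer: str              # name of the signing CA
    thumbprint: str
    expired: bool = False

@dataclass
class WifiProfile:
    trusted_cas: frozenset       # empty = nothing pinned (manual first connect)
    server_domain: str = ""      # e.g. "ost.ch"; empty = no name check at all
    pinned_thumbprint: str = ""  # remembered after a trust-on-first-use accept

def name_matches(name, domain):
    """Suffix match (assumed to mirror the Android 'domain' field): the SAN/CN
    must equal the domain or end with '.<domain>'. No DNS lookup is involved;
    the comparison is against the string configured in the profile."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def evaluate(cert, profile, user_clicks_connect=False):
    """Return (accepted, reason) for one EAP server certificate."""
    if cert.expired:
        return False, "certificate expired"
    if not profile.trusted_cas:
        # Unprovisioned profile: the only check is the user accepting the thumbprint.
        if not profile.pinned_thumbprint:
            return user_clicks_connect, "trust-on-first-use prompt"
        return cert.thumbprint == profile.pinned_thumbprint, "pinned thumbprint"
    if cert.issuer not in profile.trusted_cas:
        return False, "issuer is not a trusted CA for this profile"
    if not profile.server_domain:
        return True, "CA ok, but no server name configured"
    names = cert.san_dns or (cert.cn,)
    if any(name_matches(n, profile.server_domain) for n in names):
        return True, "CA ok, server name matches"
    return False, "CA ok, but no SAN/CN matches the configured domain"

# Constructed certs mirroring the thread: same CN, different root CAs.
OLD_CERT = ServerCert("radius.ost.ch", ("radius.ost.ch",), "OldRoot", "aa11")
NEW_CERT = ServerCert("radius.ost.ch", ("radius.ost.ch",), "NewRoot", "bb22")
MANUAL = WifiProfile(frozenset())                          # Windows, manual first connect
SYSTEM_ROOTS = WifiProfile(frozenset({"OldRoot", "NewRoot"}), "ost.ch")  # Android, system CAs
PROVISIONED = WifiProfile(frozenset({"OldRoot"}), "ost.ch")  # CAT-style pinned profile
```

With the manual profile any validly signed certificate passes once the user clicks connect, the system-roots profile accepts the root switch because the name still matches, and only the provisioned profile with a single pinned CA rejects the new certificate.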

-----Original Message-----
From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org>
On Behalf Of Martin Pauly
Sent: Monday, 16 August 2021 17:40
To: cat-users AT lists.geant.org
Subject: Re: [[cat-users]] eduroam and certificates

Hi,

On 14.08.21 at 16:07, Jan-Frederik Rieckers wrote:
> I don't really know what the problem of the CA is.
> (I am not that familiar with current CA policies, but it seems like a
> perfectly valid use case to me)
>
> One possible solution would be to issue Certificates with different
> CNs, but a shared SubjectAltName (SAN).

I wrote:
>> BTW: Not all commenters have seen that we are _only_ talking about layer 2
>> auth, no DNS involved in the process, and no radsec.
Sorry, I think Janfred did see very well what we are talking about.
But no workaround should be necessary. One cert from the CA should suffice
for all layer 2 auth servers sharing the same logical identity.

Regards, Martin

--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly AT HRZ.Uni-Marburg.DE
D-35032 Marburg