cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Patrick Oberli <patrick.oberli AT ost.ch>
- To: Martin Pauly <pauly AT hrz.uni-marburg.de>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
- Subject: RE: [[cat-users]] eduroam and certificates
- Date: Tue, 17 Aug 2021 12:46:57 +0000
- Accept-language: en-CH, de-CH, en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ost.ch; dmarc=pass action=none header.from=ost.ch; dkim=pass header.d=ost.ch; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nPFuC1N4BPbKxfzTKIEm4Zyqvoa0Ne+mWGnmwPF4Suk=; b=oUq7X4RUvDXFrK3IvyOcwtT7hL4VFZODb3CzdlXYZV522PAjCqM4C6WSLsd6xfS/rb83cdjdY33EpkcRHrDNGDSLjkoRMxe7faS7TPz0Slt4hoiOhp2igqNTLq5CrURSxZAcNiVxoM/41fQj16JLM1uA5OQdp5pc94U9vHTFyJs5sLWDQAEhDMokeyEOjyNF32qxGx/1S/Z8MCsg+ihvl7q8u5UlZ0AHgcru1mTqgY3TGreOzlP7O0cdJbOkQZp68evVAGQpAHcO6PlKs7t90TpmZpPMR9mnhIIFnHeT9PXeeERemv/IdNQGW43rtypWHGbzlLcSD4WvucUQnmHB/Q==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=livAu/dvbEqmqCprnd9JdaMgFaJLTnxFfDSZyzfRwpoUMBNVrcNLG/7hGMu43CPZ+LDrwcfZbYcJWVXP5xj9sHnGiPmToL8ePgh5i7gnuh6QPGiGT1e3cRQ4ivrehgEEWM8mXZywI4e82wkF8ZG2UE8f+0C/JC4ItZvd8RFh4Qnx2ZtkD9jfdJ2WO5sKV0DQIuR7fTaVWhd+lK2FDCamoDfyxCmAfCQggFgksz1vfXemTWxsNvHXZ21QlIcfhDgfZ1oZ3XmD1eox9U0CmaCPPcHBpmzKu5MDylzowrLja3pBoBlpP6ijfWgW2u96CtLJGatIaPVgtg0rQdd7NRdM4w==
- Authentication-results: hrz.uni-marburg.de; dkim=none (message not signed) header.d=none;hrz.uni-marburg.de; dmarc=none action=none header.from=ost.ch;
Thanks for all your answer. I just did some additional testing, as I was
curious what will happen.
Test client is Windows 10 build 20H2 with an Intel adapter. I created a new
SSID with a brand-new radius server. Onto that server I installed the
certificate which I use on other servers. The contents of the certificate do
not match anything of the new server. So neither matches the CN nor the
subject-alternative-names in any way with the new server (besides the general
domain). When clicking on this new SSID on Windows, entering
username+password I was presented, as usual, with the thumbprint of the
certificate, which I (as every user probably would) accepted and clicked on
connect. Windows connected and Wi-Fi is working.
So it seems that Windows doesn't validate anything (for a correctly signed
and not outdated certificate) on the first connect, as long as the end-user
clicks on the connect button. I assume this is different if the profile has
been pre-provisioned in any way through an MDM or similar.
In the case of Android 11, which was already connected to this SSID with the
previous valid certificate, my phone didn't complain at all about the new
"valid" certificate (although even the Root CA switched). Probably because
the new one was still signed for the same domain (CN = radius.ost.ch) and I
entered ost.ch in the Wi-Fi profile properties.
I wonder now why I did all the fuss about a certificate for all servers in
the past, as long as all servers have the same certificate, regardless of the
CN and Subj-Alt-Names.
I haven't tested if Windows would complain if the thumbprint of the
certificate now would change, but I hope it does.
I hope this information helps somebody :)
Regards
Patrick
ICT - IT-Infrastructure
Netzwerk- und Multimediateam
Patrick Oberli
Tel direkt: +41 58 257 4958
Email: patrick.oberli AT ost.ch
OST - Ostschweizer Fachhochschule
ICT Information & Communication Technology | Oberseestrasse 10 | 8640
Rapperswil | Switzerland | https://www.ost.ch
OST - Ostschweizer Fachhochschule ist der Zusammenschluss aus HSR Rapperswil,
FHS St.Gallen und NTB Buchs.
-----Original Message-----
From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org>
On Behalf Of Martin Pauly
Sent: Montag, 16. August 2021 17:40
To: cat-users AT lists.geant.org
Subject: Re: [[cat-users]] eduroam and certificates
Hi,
Am 14.08.21 um 16:07 schrieb Jan-Frederik Rieckers:
> I don't really know what the problem of the CA is.
> (I am not that familiar with current CA policies, but it seems like a
> perfectly valid use case to me)
>
> One possible solution would be to issue Certificates with different
> CNs, but a shared SubjectAltName (SAN).
I wrote:
>> BTW: Not all commenters have seen that we are _only_ talking about layer 2
>> auth, no DNS involved in the process, and no radsec.
Sorry, I think Janfred did see very well what were are talking about.
But no workaround should be necessary. One cert from the CA should suffice
for all layer 2 auth servers sharing the same logical identity.
Regards, Martin
--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly AT HRZ.Uni-Marburg.DE
D-35032 Marburg
To unsubscribe, send this message:
mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users
- [[cat-users]] eduroam and certificates, Patrick Oberli, 08/13/2021
- Re: [[cat-users]] eduroam and certificates, Lukas Wringer, 08/13/2021
- Re: [[cat-users]] eduroam and certificates, Martin Pauly, 08/13/2021
- Re: [[cat-users]] eduroam and certificates, Alan Buxey, 08/13/2021
- RE: [[cat-users]] eduroam and certificates, Patrick Oberli, 08/13/2021
- Re: [[cat-users]] eduroam and certificates, Jan-Frederik Rieckers, 08/14/2021
- Re: [[cat-users]] eduroam and certificates, Martin Pauly, 08/16/2021
- RE: [[cat-users]] eduroam and certificates, Patrick Oberli, 08/17/2021
- Re: [[cat-users]] eduroam and certificates, Martin Pauly, 08/17/2021
- Re: [[cat-users]] eduroam and certificates, Vlad Mencl, 08/18/2021
- RE: [[cat-users]] eduroam and certificates, Patrick Oberli, 08/18/2021
- Re: [[cat-users]] eduroam and certificates, Martin Pauly, 08/18/2021
- Re: [[cat-users]] eduroam and certificates, Martin Pauly, 08/17/2021
- RE: [[cat-users]] eduroam and certificates, Patrick Oberli, 08/17/2021
- Re: [[cat-users]] eduroam and certificates, Martin Pauly, 08/16/2021
- Re: [[cat-users]] eduroam and certificates, Jan-Frederik Rieckers, 08/14/2021
- Re: [[cat-users]] eduroam and certificates, Martin Pauly, 08/16/2021
Archive powered by MHonArc 2.6.19.