cat-users - Re: [[cat-users]] "Internal error" while connecting via "geteduroam" on Android 11

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Paul Dekkers <paul.dekkers AT surf.nl>
  • To: Arthur Petrosyan <arthur AT sci.am>
  • Cc: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] "Internal error" while connecting via "geteduroam" on Android 11
  • Date: Fri, 1 Oct 2021 15:16:20 +0200

Hi,

Op 01-10-2021 om 13:27 schreef Arthur Petrosyan:
> Hi all,
>
> On my "Poco X3" smartphone with "Android 11RKQ1.200826.002"
> I can connect to eduroam by downloading the profile for "Fundamental
> Scientific Library NAS RA" from "cat.eduroam.org"
> and installing it using "eduroam CAT" app from Google Play Store.
> But when I try to connect using "geteduroam" app, it doesn't work, and the
> freeradius logs show the following:
>
> Fri Oct  1 14:49:54 2021 : ERROR: (6750) eap_ttls: ERROR: TLS Alert
> read:fatal:internal error
> Fri Oct  1 14:49:54 2021 : Auth: (6750) Login incorrect (eap_ttls: TLS
> Alert read:fatal:internal error): [***@flib.sci.am] (from client ***
> port 0 cli 10-3F-44-FA-80-D7)
>
> I tried to connect with the same account using "geteduroam" on Windows
> and it worked without problem, so I guess the issue is specific for
> Android.
> I remember several discussions here in the list regarding Android issues
> with "geteduroam", but not sure if it's related to this.
>
> Can it be related specifically to our CAT profile (we use only TTLS/PAP
> there)?
> Is there a fix for it?
>
> I would be very thankful for help!

You seem to be using a private CA (in fact, there is no CA; the entire
certificate is self-signed). One issue is likely that you have no
subjectAltName DNS: entry with your hostname, and the geteduroam
installer expects that.

By the looks of it, it also doesn't have the server auth purpose, and is
a CA by the constraints flag - that may not be a problem.

You probably noticed the warning about the certificate on Windows when
installing a private CA? Keep in mind your CA needs proper protection.
That's a bit more challenging if this is also your server certificate,
in that you cannot store it offline but it's always online.

A private CA is risky in the sense that it can be abused to sign
certificates for other purposes, other websites too. For instance for
google.com, and thus IF your CA is abused, it can be used for a
man-in-the-middle on any traffic normally protected by SSL.
Using a certificate from a public CA is a bit more on the safer side in
this case, and they tick all the boxes from what is expected in a
certificate.

Regards,
Paul
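
The certificate properties named in the reply above (subjectAltName DNS: entry, server auth purpose, CA constraints flag, self-signed), checked with the openssl CLI. This is an added example, not part of the original messages; the hostname radius.example.org, the function names and the generated sample certificate are assumptions constructed for illustration. Following the reply, only the missing DNS: entry is treated as a failure.

```shell
#!/bin/sh
# Added example. Prints one finding per line for a PEM certificate ($1) and
# the RADIUS server hostname ($2); returns 1 if the DNS: entry is missing.
check_eap_server_cert() {
    cert=$1 host=$2 fails=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 99

    # subjectAltName must carry a DNS: entry equal to the hostname (exact match).
    san=$(printf '%s\n' "$text" |
        awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' | tr -d ' ')
    case ",$san," in
        *",DNS:$host,"*) echo "ok:   subjectAltName has DNS:$host" ;;
        *) echo "FAIL: no subjectAltName DNS:$host entry"; fails=1 ;;
    esac

    # Server auth purpose (extendedKeyUsage serverAuth).
    if printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        echo "ok:   extendedKeyUsage includes serverAuth"
    else
        echo "warn: extendedKeyUsage lacks serverAuth"
    fi

    # CA flag set on a certificate that is presented as the server certificate.
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "note: basicConstraints CA:TRUE, this key can sign other certificates"
    fi

    # subject == issuer: self-signed, no separate CA above the server key.
    subj=$(openssl x509 -in "$cert" -noout -subject)
    issr=$(openssl x509 -in "$cert" -noout -issuer)
    if [ "${subj#*=}" = "${issr#*=}" ]; then echo "note: self-signed"; fi
    return "$fails"
}

# Constructed sample (not the poster's certificate): self-signed, CA:TRUE,
# no subjectAltName, no extendedKeyUsage. Written to directory $1.
make_sample_cert() {
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = ext' '[dn]' 'CN = radius.example.org' \
        '[ext]' 'basicConstraints = CA:TRUE' > "$1/sample.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/sample.cnf" \
        -keyout "$1/sample.key" -out "$1/sample.pem" 2>/dev/null
}

# Usage: sh check.sh server.pem radius.example.org
if [ "$#" -eq 2 ]; then check_eap_server_cert "$1" "$2"; fi
```
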


