The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Arthur Petrosyan <arthur AT sci.am>]

Hi All !

We use the freeradius-provided "cert" folder to generate self-signed cert.
And it worked/works with "eduroam CAT".

The page we took into consideration when making a decision was:
https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations

Here we read:
"certificates from a commercial CA are as valid for EAP authentications as are self-made certificates or certificates from a small, special-purpose CA."
So we found self-made ones more fitting our situation for now.
I thought many are using them. Am I wrong?
If yes I would be happy to get more info to maybe improve our approach.

Regarding "subjectAltName DNS:" entry I didn't find any example in freeradius "cert" folder to confugure that.

Can anyone using freeradius's "cert" self-signed certificates share example of configuring "subjectAltName DNS:" entry there?

Is it possible to add that entry to the existing certificate ?
What will such change mean to current users of realm and their end-user device configuration?

Thanks in advance for all, who might assist us.
Arthur Petrosyan

2021-10-01 17:16, Paul Dekkers пишет:

Hi,

Op 01-10-2021 om 13:27 schreef Arthur Petrosyan:
> Hi all,
>
> On my "Poco X3" smartphone with "Android 11RKQ1.200826.002"
> I can connect to eduroam by downloading the profile for "Fundamental
> Scientific Library NAS RA" from "cat.eduroam.org"
> and installing it using "eduroam CAT" app from Google playstore.
> But when I try to connect using "geteduroam" app, it don't work, and the
> freeradius logs show the following:
>
> Fri Oct  1 14:49:54 2021 : ERROR: (6750) eap_ttls: ERROR: TLS Alert
> read:fatal:internal error
> Fri Oct  1 14:49:54 2021 : Auth: (6750) Login incorrect (eap_ttls: TLS
> Alert read:fatal:internal error): [***@flib.sci.am] (from client ***
> port 0 cli 10-3F-44-FA-80-D7)
>
> I tried to connect with the same account using "geteduroam" on Windows
> and it worked without problem, so I guess the issue is specific for
> Android.
> I remember several discussions here in the list regarding Android issues
> with "geteduroam", but not sure if it's related to this.
>
> Can it be related specifically to our CAT profile (we use only TTLS/PAP
> there)?
> Is there a fix for it ?
>
> I would be very thankful for help !
>       
You seem to be using a private CA (in fact, there is no CA the entire
certificate is self signed). One issue is likely that you have no
subjectAltName DNS: entry with your hostname, and the geteduroam
installer expects that.

By the looks of it, it also doesn't have the server auth purpose, and is
a CA by the constraints flag - that may not be a problem.

You probably noticed the warning about the certificate on Windows when
installing a private CA? Keep in mind your CA needs proper protection.
That's a bit more challenging if this is also your server certificate,
in that you cannot store it offline but it's always online.

A private CA is risky in the sense that it can be abused to sign
certificates for other purposes, other websites too. For instance for
google.com, and thus IF your CA is abused, it can be used for a
man-in-the-middle for any normally by SSL protected traffic.
Using a certificate from a public CA is a bit more on the safer side in
this case, and they tick all the boxes from what is expected in a
certificate.

Regards,
Paul
To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users