
cat-users - Re: [[cat-users]] Correct method for certificate rollover in CAT?

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Tony Skalski <ajs AT stolaf.edu>
  • To: Paul Dekkers <paul.dekkers AT surf.nl>
  • Cc: Guy Halse <guy AT tenet.ac.za>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Correct method for certificate rollover in CAT?
  • Date: Fri, 15 Oct 2021 10:02:56 -0500

We just completed a similar project, migrating to new RADIUS servers with a new private PKI and certs (from NPS with public certs). I cannot comment directly on your questions, but I did read

https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+IdP+administrators#AguidetoeduroamCATforIdPadministrators-ReplacingtheRADIUSserverrootCAcertificate

a few times. Because we had a small window to make the change (~2 months) we used another method. I took the opportunity to add the anonymous outer identity to our new config and used the absence of said identity to proxy the requests (from clients with the old config) to our old RADIUS servers. This worked well for us, updating about 2,000 college-owned devices (via our management tools) and 5,000 or so personally-owned devices (via downloadable .mobileconfigs and geteduroam).

On Fri, Oct 15, 2021 at 4:56 AM Paul Dekkers <paul.dekkers AT surf.nl> wrote:

Hi,

On 15/10/2021 10:40, Guy Halse wrote:
Hi

We have an IdP that wants to roll over the certification authority it uses and deploy on a new RADIUS instance. In this process, both the CA certificate and the CN used for validation will necessarily change.

The CAT web application supports adding both multiple root certs and multiple subject CNs into a profile, which means it's possible to generate a profile that theoretically covers both the old and new infrastructure. This looks to be the way to minimise the end-user impact of rolling over, since users can be asked to re-install from CAT prior to the migration with the assurance that they'll work in both scenarios without interruption.

However, I seem to remember there were platform-specific limitations on how that works in practice. The platforms they're most interested in are Windows 10, Android, and iPhone -- and for some reason I seem to remember this being broken on Android?

That is true for the old eduroam CAT App I believe, but geteduroam supports multiple CAs just fine. So I can myself actually only speak for geteduroam; but there I don't see this as an issue. (Also the Windows geteduroam App installs multiple CAs, and I believe the CAT installer does as well.)

The proof of the pudding, ... ;-) if you have older devices that need the old CAT app, that may be an issue.

Does it help to issue a cert with a SubjectAlternativeName matching the old CN used for validation? (I'm not sure that's actually possible in this case, but it was a thought I had.)

I don't think this is necessary per se, but it's better not to change it too much, for some platforms will fall back to a "matching substring". But that's also the more legacy Android types,

Does anyone have experience with this sort of roll-over who can offer advice on what does and doesn't work? Or better yet, point me at documentation?

I do like Jan-Frederik's comments/experiences too. The part I described is only ... well, part of the story. The rest is getting people to migrate. (Of course the trick with anonymous usernames may trigger the anonymous username bugs; it may be safer if you prefix with anon also, so anon2021 may be better, I forgot the entire logic that worked or didn't work.)

Regards,
Paul






--
Tony Skalski (he/him/his)
System Administrator | IT
Office: 507-786-3227
1510 St. Olaf Avenue Northfield, MN 55057
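The proxying rule Tony describes above (route to the old RADIUS servers unless the outer identity is the anonymous identity that only the new profile sends), written out as an added Python example. This is not code from the thread, from CAT or from geteduroam; in a real deployment the same decision would live in the RADIUS server's proxy policy. The realm `example.edu`, the anonymous identity `anon2021@example.edu` (using the "anon" prefix Paul suggests) and all sample usernames are constructed values.

```python
# Added example (not code from the thread, CAT or geteduroam): the routing rule for a
# RADIUS migration, where a proxy forwards requests to the OLD servers unless the outer
# identity is the anonymous identity shipped in the NEW profile.
# Every realm, identity and username below is constructed for illustration.
from collections import Counter
from dataclasses import dataclass

OUR_REALMS = {"example.edu"}                  # constructed: realms this IdP is authoritative for
ANON_OUTER_IDENTITY = "anon2021@example.edu"  # constructed; "anon" prefix as suggested in the thread


@dataclass(frozen=True)
class Decision:
    pool: str     # "new", "old" or "reject"
    reason: str


def split_nai(identity: str) -> tuple[str, str]:
    """Split an NAI (user@realm, RFC 7542) into (user, realm); realm is '' when absent."""
    user, sep, realm = identity.rpartition("@")
    if not sep:
        return identity, ""
    return user, realm.lower()


def route_outer_identity(outer_identity: str,
                         anon_identity: str = ANON_OUTER_IDENTITY,
                         our_realms: set[str] = OUR_REALMS) -> Decision:
    """Decide which RADIUS pool should handle an Access-Request, based on its outer identity."""
    identity = outer_identity.strip()
    user, realm = split_nai(identity)
    if realm not in our_realms:
        # Not our realm (or no realm at all): leave it to normal eduroam realm routing
        # rather than sending it to either local pool.
        return Decision("reject", f"realm {realm!r} is not handled by this IdP")
    if identity.lower() == anon_identity.lower():
        # Only the new profile sends this identity, so the client already trusts the new CA/CN.
        return Decision("new", "anonymous outer identity from the new profile")
    # Anything else (real username, realm-only identity, odd capitalisation) is treated as
    # the old profile, so the request is proxied to the old servers with the old certificate.
    return Decision("old", "outer identity does not match the new profile's anonymous identity")


def migration_summary(outer_identities) -> dict[str, int]:
    """Count decisions per pool; the 'old' count shows how many clients still need to migrate."""
    counts = Counter(route_outer_identity(i).pool for i in outer_identities)
    return {pool: counts.get(pool, 0) for pool in ("new", "old", "reject")}


if __name__ == "__main__":
    # Constructed sample of outer identities as seen in Access-Request User-Name attributes.
    sample = [
        "anon2021@example.edu",   # new profile
        "jdoe@example.edu",       # old profile: real username exposed as outer identity
        "ANON2021@Example.EDU",   # new profile, case differences from some supplicants
        "@example.edu",           # realm-only outer identity: not the new profile, so old pool
        "visitor@other.org",      # roaming visitor, not our realm
        "jdoe",                   # no realm at all
    ]
    for ident in sample:
        d = route_outer_identity(ident)
        print(f"{ident:25} -> {d.pool:6} ({d.reason})")
    print(migration_summary(sample))
```

Running the block prints one decision per sample identity and a summary of `{'new': 2, 'old': 2, 'reject': 2}`; logging that summary over time is a simple way to see how many clients are still on the old profile. The comparison is case-insensitive because supplicants do not all preserve the case of the configured identity, and a realm-only identity is deliberately sent to the old pool rather than guessed to be the new one, matching the "absence of the anonymous identity" rule in the message.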
