
cat-users - Re: [[cat-users]] Correct method for certificate rollover in CAT?

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive


Re: [[cat-users]] Correct method for certificate rollover in CAT?


Chronological Thread 
  • From: Louis Twomey <louis.twomey AT heanet.ie>
  • To: Guy Halse <guy AT tenet.ac.za>
  • Cc: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>, Paul Dekkers <paul.dekkers AT surf.nl>
  • Subject: Re: [[cat-users]] Correct method for certificate rollover in CAT?
  • Date: Fri, 15 Oct 2021 16:34:10 +0000
  • Accept-language: en-IE, en-US
  • Authentication-results: tenet.ac.za; dkim=none (message not signed) header.d=none;tenet.ac.za; dmarc=none action=none header.from=heanet.ie;

Hi Guy,
Apologies, my mail was far too simplistic, and therefore misleading/wrong.

As already mentioned by others, you can do creative things on the Radius
server to continue to authenticate Android < 7.1 users against the old
certificate, giving you the means of migrating those users over time rather
than cutting them all off immediately.

Regards,
Louis
-------
Louis Twomey
Technical Architect
PGP key: C77D9256
HEAnet CLG, Ireland’s National Education and Research Network
1st Floor, 5 George’s Dock, IFSC, Dublin D01 X8N7, Ireland
+353 (0)1 6609040 louis.twomey AT heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270

> On 15 Oct 2021, at 11:04, Louis Twomey <louis.twomey AT heanet.ie> wrote:
>
> Hi Guy,
> Android < 7.1 does not allow more than one CA to be installed with a
> profile, so with those devices you have no way to cleanly migrate and you
> basically cut them off when you switch to the new server cert.
>
> Regards,
> Louis
> -------
> Louis Twomey
> Technical Architect
> PGP key: C77D9256
> HEAnet CLG, Ireland’s National Education and Research Network
> 1st Floor, 5 George’s Dock, IFSC, Dublin D01 X8N7, Ireland
> +353 (0)1 6609040 louis.twomey AT heanet.ie www.heanet.ie
> Registered in Ireland, No. 275301. CRA No. 20036270
>
>> On 15 Oct 2021, at 10:55, Paul Dekkers <paul.dekkers AT surf.nl> wrote:
>>
>>
>> CAUTION[External]: This email originated from outside of the organisation.
>> Do not click on links or open the attachments unless you recognise the
>> sender and know the content is safe.
>>
>>
>> Hi,
>>
>> On 15/10/2021 10:40, Guy Halse wrote:
>>> Hi
>>>
>>> We have an IdP that wants to roll over the certification authority it
>>> uses and deploy on a new RADIUS instance. In this process, both the CA
>>> certificate and the CN used for validation will necessarily change.
>>>
>>> The CAT web application supports adding both multiple root certs and
>>> multiple subject CNs into a profile, which means it's possible to
>>> generate a profile that theoretically covers both the old and new
>>> infrastructure. This looks to be the way to minimise the end-user impact of
>>> rolling over, since users can be asked to re-install from CAT prior to
>>> the migration with the assurance that they'll work in both scenarios
>>> without interruption.
>>>
>>> However, I seem to remember there were platform-specific limitations on
>>> how that works in practice. The platforms they're most interested in are
>>> Windows 10, Android, and iPhone -- and for some reason I seem to remember
>>> this being broken on Android?
>> That is true for the old eduroam CAT App I believe, but geteduroam
>> supports multiple CAs just fine. So I can myself actually only speak for
>> geteduroam; but there I don't see this as an issue. (Also the Windows
>> geteduroam App installs multiple CAs, and I believe the CAT installer does
>> as well.)
>>
>> The proof of the pudding, ... ;-) if you have older devices that need the
>> old CAT app, that may be an issue.
>>
>>> Does it help to issue a cert with a SubjectAlternativeName matching the
>>> old CN used for validation? (I'm not sure that's actually possible in
>>> this case, but it was a thought I had.)
>> I don't think this is necessary per se, but it's better not to change it
>> too much, for some platforms will fall back to a "matching substring". But
>> that's also the more legacy Android types,
>>> Does anyone have experience with this sort of roll-over who can offer
>>> advice on what does and doesn't work? Or better yet, point me at
>>> documentation?
>> I do like Jan-Frederik's comments/experiences too. The part I described is
>> only ... well, part of the story. The rest is getting people to migrate.
>> (Of course the trick with anonymous usernames may trigger the anonymous
>> username bugs; it may be safer if you prefix with anon also, so anon2021
>> may be better, I forgot the entire logic that worked or didn't work.)
>>
>> Regards,
>> Paul
>>
>>
>>>
>>>
>> To unsubscribe, send this message:
>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
>> Or use the following link:
>> https://lists.geant.org/sympa/sigrequest/cat-users
>
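The thread describes the rollover problem in prose: a CAT profile carries a list of trusted CA certificates and a list of server names, some clients keep only one CA from the profile (Android < 7.1, per Louis), and some legacy clients fall back to a substring match on the server name (per Paul). The following model, added here as an illustration and not code from the CAT project, geteduroam or any poster, lets you tabulate which client class still validates the old and the new RADIUS server before the cutover. All certificates are constructed dicts rather than parsed files, the CA labels and hostnames are made up, the platform behaviours (which CA a limited client keeps, which name policy each platform uses) are assumptions, and `Profile`, `Platform`, `accepts` and `rollover_report` are hypothetical names.

```python
"""Rollover readiness model for an eduroam CAT profile (added example).

Models the two checks a supplicant performs on the RADIUS server cert:
  1. the chain ends in a CA the installed profile trusts, and
  2. the presented name (CN or SAN dNSName) matches an accepted server name.
Nothing here parses real X.509; identities are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ServerCert:
    """Identity a RADIUS server presents (constructed sample, not a real cert)."""
    issuer_ca: str          # label of the CA that signed the server cert
    cn: str                 # Subject CN
    sans: tuple = ()        # dNSName entries in SubjectAlternativeName


@dataclass(frozen=True)
class Profile:
    """What a CAT profile ships: CA list plus the server names used for validation."""
    trusted_cas: tuple
    server_names: tuple


@dataclass(frozen=True)
class Platform:
    """Assumed behaviour of one client type; max_cas=None means every CA is installed."""
    name: str
    max_cas: Optional[int]
    name_match: str         # "exact", "suffix" or "substring"


def installed_cas(profile, platform):
    """Assumption: a client with a CA limit keeps the first N CAs listed in the profile."""
    if platform.max_cas is None:
        return set(profile.trusted_cas)
    return set(profile.trusted_cas[:platform.max_cas])


def name_matches(policy, accepted, cert):
    """Does `accepted` (one name from the profile) match what the cert presents?"""
    presented = (cert.cn,) + tuple(cert.sans)
    if policy == "exact":
        return any(n == accepted for n in presented)
    if policy == "suffix":      # label-boundary suffix, like wpa_supplicant domain_suffix_match
        return any(n == accepted or n.endswith("." + accepted) for n in presented)
    if policy == "substring":   # legacy fallback: substring of the subject DN (CN only here)
        return accepted in "CN=" + cert.cn
    raise ValueError(f"unknown name policy {policy!r}")


def accepts(profile, platform, cert):
    """Return (ok, reason) for one client type validating one server certificate."""
    if cert.issuer_ca not in installed_cas(profile, platform):
        return False, f"CA {cert.issuer_ca!r} is not installed on {platform.name}"
    if not any(name_matches(platform.name_match, n, cert) for n in profile.server_names):
        return False, f"no accepted name matches CN={cert.cn} SAN={list(cert.sans)}"
    return True, "ok"


def rollover_report(profile, platforms, old_cert, new_cert):
    """Map platform name -> (validates old server, validates new server)."""
    return {p.name: (accepts(profile, p, old_cert)[0], accepts(profile, p, new_cert)[0])
            for p in platforms}


# Constructed sample data: an IdP replacing both its CA and its RADIUS host name.
OLD_CA, NEW_CA = "IdP Root CA 2016", "IdP Root CA 2021"
OLD_CERT = ServerCert(OLD_CA, "radius.idp.example")
NEW_CERT = ServerCert(NEW_CA, "radius2.idp.example")
# Variant of the new cert carrying the old CN as a SAN (Guy's idea in the thread).
SAN_CERT = ServerCert(NEW_CA, "radius2.idp.example", ("radius.idp.example",))

DUAL_PROFILE = Profile((OLD_CA, NEW_CA), ("radius.idp.example", "radius2.idp.example"))
OLD_NAME_PROFILE = Profile((OLD_CA, NEW_CA), ("radius.idp.example",))

PLATFORMS = (
    Platform("Windows 10 CAT installer", None, "exact"),
    Platform("iPhone", None, "exact"),
    Platform("Android geteduroam", None, "exact"),
    Platform("Android < 7.1 legacy CAT app", 1, "substring"),  # keeps one CA only
)

if __name__ == "__main__":
    for name, (old_ok, new_ok) in rollover_report(DUAL_PROFILE, PLATFORMS, OLD_CERT, NEW_CERT).items():
        print(f"{name:32s} old={old_ok!s:5s} new={new_ok!s}")
    print("SAN cert on old-name profile (Windows):",
          accepts(OLD_NAME_PROFILE, PLATFORMS[0], SAN_CERT))
```

Running the report on the dual profile shows every unlimited client validating both servers, while the one-CA client only ever sees the old CA and therefore fails the moment the new server goes live, which is the cut-off Louis describes. The SAN variant only helps clients that still carry a profile with the old name and that do exact matching; a client that never installed the new CA is not rescued by any name in the certificate.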




