Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] geteduroam Android

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] geteduroam Android


Chronological Thread 
  • From: Stefan Paetow <Stefan.Paetow AT jisc.ac.uk>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] geteduroam Android
  • Date: Tue, 14 Jun 2022 18:48:57 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=jisc.ac.uk; dmarc=pass action=none header.from=jisc.ac.uk; dkim=pass header.d=jisc.ac.uk; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=VK3ZmdVimivv6AMZpmrWUhL55l8lf6o94nsycNHfEek=; b=HbkW0LblRCfSrMEHyRZyOlP6AUWMnYaqo1E0plRoaJ/jP/b2DOVqPqTk/a8Od5RPcyApPgejktt8FWn6cCo1LVEBthUTKggNDrmsFeZIcFEBH/1Uj7qgm4TpUuz3gniFZXHmLxvLEMq4HAGMqzOKGjF28SekDfeV+dmI3SlIrQWAWxGoN4C60rtb7QVLTfRUxkNU7YimTvbRZnmlACGZ9hxknMTdrgnwVXngz3S7/yCoUkdyMHq/n+jlY88Ni7oTOibVrsDms91WiQGgVX7psSCBCvGHa0TJnKFHTB6pdIFP44swZkrQ3TGR8cIhG3gWf7KxyhDtOhK2tA4XgFurGQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PgGFU7+S380j+wMqg5geOHi4ii5i9g6ffTjKEOSoOZOShFQ5ZqmBeHMAZL27aJFGR7A3wLbtOv/y2c7LxJKNJmDK45HeyJglTBEIt10TwMGr7pmkBKwew8cEYcJAiD6JYVKKgyj2BzlZ1ClDO/aYYefyg+qAs1cU/pD1q4BJZlzLEar37Qp4FP3ec9G+fpJUPTgVm9P+e4qTU7/OPyJo8woo/HaKLN2iHxPus03y+1gdg5wy28EmYbZehyfsVIln/VcNt4rqyrwklE1nIInpccsQsYhvU/R/lx9HEiy8Ta7frp7OS+FSEfwxxStgXqSKiqG6PIG2GrRWGNiwnMHsXw==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=jisc.ac.uk;

Lukas,

That's not particularly geteduroam's fault. Google has pulled some fast moves
that have messed things up a lot for a lot of people. Google's absolutely
categorically stupid idea of locking API versions is *not* helping anyone
either, because if they didn't do this, geteduroam could fix all the issues
they have on *every* current Android version from 8 onwards. But they can't
because Google does. Not. Let. Them. Do. So.

Right now, we (the UK) find that geteduroam provides the most consistent
experience across the newer versions of Android (i.e. 9 and beyond), compared
to the eduroam CAT app (the app in the Play store, *NOT* the CAT website) or
any other method.

Android 11 requires you to set domain information that Android can use to pin
the CA certificate information with (i.e. "Only certificates that contain
*this* information, and signed by *that* specific CA root certificate, are
allowed"). Geteduroam uses information from the CommonName (i.e. the Subject)
*and* the SubjectAltName attributes to pin that information down. The eduroam
CAT app uses only the CommonName. If your server certificates do not contain
a SubjectAltName, then start setting them because Android will inevitably
follow the CA/B standards and expect that.

Android 12 takes this even further. You cannot skip server certificate
validation (which is good). But Android 12 is also *picky*. It expects the
X.509 certificate standards to be adhered to *precisely*. If you use a
Windows Certificate Authority-issued certificate and you marked the Basic
Constraints extension as critical, the Windows CA adds a 'pathLen=0' into the
certificate, which is not according to the X.509 standard and Android 12
categorically refuses to validate the certificate. What Microsoft fails to
tell you is that if you do not mark that extension as critical, you get the
extension anyway, marked as critical! And yes, here you *also* have to make
sure your subjectAltName and your CN match.

So, as far as this is concerned, be strict with your certificates, how they
are set up and test your CAT setup with Android versions as they come out.
I've invested (much to my management's consternation) my own money into
Android phones from v7 to v13 (the developer preview) by buying them off eBay
or Facebook marketplace. Our eduroam institutions in the UK can, if they
can't make eduroam work, ask me to test their setup, and I do.

So, make sure your profile is correctly set up on the eduroam CAT website,
make sure it is tested from Android 7 to Android 12 (well, Android 13 given
that that's out later this year), and tell your users to follow instructions.

We have a page at
https://community.jisc.ac.uk/library/network-and-technology-service-docs/geteduroam-app
that we tell our members to look at if they have queries, and we find that
our members (and their users) don't ask much. They're happy that we've
checked it out and found it to be ok.

Kind Regards

Stefan Paetow
Federated Roaming Technical Specialist

t: +44 (0)1235 822 125
e-mail/teams: stefan.paetow AT jisc.ac.uk
gpg: 0x3FCE5142
On Mondays and Wednesdays, I am not available between 12:00 noon and 15:00.
In line with government advice, at Jisc we’re now working from home and our
offices are currently closed. Read our statement on coronavirus
<https://www.jisc.ac.uk/about/corporate/coronavirus-statement>.

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT No.
GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
Bristol, BS2 0JA. T 0203 697 5800.


On 14/06/2022, 13:59, "Lukas Wringer" <Lukas.Wringer AT rz.uni-augsburg.de>
wrote:

Hi,

I am on Android 11 with the beta Version of geteduroam. But that crash
is not really my main point.

My problem is, that for users with Android 11 and up it is a lottery if
they can use eduroam or not (either CAT works or not).

The proposed solution geteduroam' can only be used if the user is
willing to enroll as a beta tester, because the live version breaks
protocoll and MIME-type settings and may not even work with Android 12
because Google messed up the API again.

And on top of all that there are the quirks that come with the "Wi-Fi
suggestion API" that hasn't even been fully implemented as per
https://github.com/geteduroam/ionic-app/issues/91 which is lying
dormant sind Nov. 2020

Greetings,

Lukas

Am Dienstag, dem 14.06.2022 um 11:46 +0000 schrieb Stefan Paetow:
> Lukas,
>
> Which version of Android are you on? Knowing that will help the
> geteduroam team answer your question more accurately.
>
> With kind regards
>
> Stefan Paetow
> Federated Roaming Technical Specialist
>
> t: +44 (0)1235 822 125
> e-mail/teams: stefan.paetow AT jisc.ac.uk
> gpg: 0x3FCE5142
> On Mondays and Wednesdays, I am not available between 12:00 noon and
> 15:00.
> In line with government advice, at Jisc we’re now working from home
> and our offices are currently closed. Read our statement on
> coronavirus
> <https://www.jisc.ac.uk/about/corporate/coronavirus-statement>.
>
> jisc.ac.uk
>
> Jisc is a registered charity (number 1149740) and a company limited
> by guarantee which is registered in England under Company No.
> 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One
> Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
>
>
> On 09/06/2022, 15:20, "Lukas Wringer"
> <cat-users-request AT lists.geant.org on behalf of
> Lukas.Wringer AT rz.uni-augsburg.de> wrote:
>
> Hi,
>
> just wanted to ask about the current status of geteduroam on
> Android.
> It has been rather quiet... The pretty broken "non beta" state
> last
> updated November 2020 is still the default, so we can not really
> recommend it to end users. Allthough newer devices need it
> because CAT
> stops working (right?)
>
> The latest beta which propably fixes some issues but just plain
> crashes
> on my device after entering credentials...
>
> Especially not having
> https://github.com/geteduroam/ionic-app/issues/91
> looks like a blocker to me.
>
> But looking through github I found
> https://github.com/geteduroam/mobile-app which looks like a
> complete
> rebuild. Is this the active route for geteduroam? Should we wait
> for
> this, or ist this a project intended to be far away in the
> future?
>
> Greetings,
>
> Lukas
>
> --
> Lukas Wringer
>
> Universität Augsburg
> Rechenzentrum
> Service & Support
> 86135 Augsburg
>
>
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users

--
Lukas Wringer

Universität Augsburg
Rechenzentrum
Service & Support
86135 Augsburg




Archive powered by MHonArc 2.6.19.

Top of Page