cat-users - Re: [[cat-users]] geteduroam Android

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [[cat-users]] geteduroam Android


  • From: Stefan Paetow <Stefan.Paetow AT jisc.ac.uk>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] geteduroam Android
  • Date: Tue, 14 Jun 2022 18:48:57 +0000

Lukas,

That's not particularly geteduroam's fault. Google has pulled some fast moves
that have messed things up a lot for a lot of people. Google's absolutely
categorically stupid idea of locking API versions is *not* helping anyone
either, because if they didn't do this, geteduroam could fix all the issues
they have on *every* current Android version from 8 onwards. But they can't
because Google does. Not. Let. Them. Do. So.

Right now, we (the UK) find that geteduroam provides the most consistent
experience across the newer versions of Android (i.e. 9 and beyond), compared
to the eduroam CAT app (the app in the Play store, *NOT* the CAT website) or
any other method.

Android 11 requires you to set domain information that Android can use to pin
the CA certificate information with (i.e. "Only certificates that contain
*this* information, and signed by *that* specific CA root certificate, are
allowed"). Geteduroam uses information from the CommonName (i.e. the Subject)
*and* the SubjectAltName attributes to pin that information down. The eduroam
CAT app uses only the CommonName. If your server certificates do not contain
a SubjectAltName, then start setting them because Android will inevitably
follow the CA/B standards and expect that.

Android 12 takes this even further. You cannot skip server certificate
validation (which is good). But Android 12 is also *picky*. It expects the
X.509 certificate standards to be adhered to *precisely*. If you use a
Windows Certificate Authority-issued certificate and you marked the Basic
Constraints extension as critical, the Windows CA adds a 'pathLen=0' into the
certificate, which is not according to the X.509 standard and Android 12
categorically refuses to validate the certificate. What Microsoft fails to
tell you is that if you do not mark that extension as critical, you get the
extension anyway, marked as critical! And yes, here you *also* have to make
sure your subjectAltName and your CN match.

So, as far as this is concerned, be strict with your certificates, how they
are set up and test your CAT setup with Android versions as they come out.
I've invested (much to my management's consternation) my own money into
Android phones from v7 to v13 (the developer preview) by buying them off eBay
or Facebook marketplace. Our eduroam institutions in the UK can, if they
can't make eduroam work, ask me to test their setup, and I do.

So, make sure your profile is correctly set up on the eduroam CAT website,
make sure it is tested from Android 7 to Android 12 (well, Android 13 given
that that's out later this year), and tell your users to follow instructions.

We have a page at
https://community.jisc.ac.uk/library/network-and-technology-service-docs/geteduroam-app
that we tell our members to look at if they have queries, and we find that
our members (and their users) don't ask much. They're happy that we've
checked it out and found it to be ok.

Kind Regards

Stefan Paetow
Federated Roaming Technical Specialist

t: +44 (0)1235 822 125
e-mail/teams: stefan.paetow AT jisc.ac.uk
gpg: 0x3FCE5142
On Mondays and Wednesdays, I am not available between 12:00 noon and 15:00.
In line with government advice, at Jisc we’re now working from home and our
offices are currently closed. Read our statement on coronavirus
<https://www.jisc.ac.uk/about/corporate/coronavirus-statement>.

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT No.
GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
Bristol, BS2 0JA. T 0203 697 5800.


On 14/06/2022, 13:59, "Lukas Wringer" <Lukas.Wringer AT rz.uni-augsburg.de>
wrote:

Hi,

I am on Android 11 with the beta version of geteduroam. But that crash
is not really my main point.

My problem is that for users with Android 11 and up it is a lottery if
they can use eduroam or not (either CAT works or not).

The proposed solution 'geteduroam' can only be used if the user is
willing to enroll as a beta tester, because the live version breaks
protocol and MIME-type settings and may not even work with Android 12
because Google messed up the API again.

And on top of all that there are the quirks that come with the "Wi-Fi
suggestion API" that hasn't even been fully implemented as per
https://github.com/geteduroam/ionic-app/issues/91 which is lying
dormant since Nov. 2020

Greetings,

Lukas

On Tuesday, 14.06.2022 at 11:46 +0000, Stefan Paetow wrote:
> Lukas,
>
> Which version of Android are you on? Knowing that will help the
> geteduroam team answer your question more accurately.
>
> With kind regards
>
> Stefan Paetow
> Federated Roaming Technical Specialist
>
>
> On 09/06/2022, 15:20, "Lukas Wringer"
> <cat-users-request AT lists.geant.org on behalf of
> Lukas.Wringer AT rz.uni-augsburg.de> wrote:
>
> Hi,
>
> just wanted to ask about the current status of geteduroam on Android.
> It has been rather quiet... The pretty broken "non beta" state last
> updated November 2020 is still the default, so we can not really
> recommend it to end users. Although newer devices need it because CAT
> stops working (right?)
>
> The latest beta which probably fixes some issues but just plain crashes
> on my device after entering credentials...
>
> Especially not having
> https://github.com/geteduroam/ionic-app/issues/91
> looks like a blocker to me.
>
> But looking through github I found
> https://github.com/geteduroam/mobile-app which looks like a complete
> rebuild. Is this the active route for geteduroam? Should we wait for
> this, or is this a project intended to be far away in the future?
>
> Greetings,
>
> Lukas
>
> --
> Lukas Wringer
>
> Universität Augsburg
> Rechenzentrum
> Service & Support
> 86135 Augsburg
>

--
Lukas Wringer

Universität Augsburg
Rechenzentrum
Service & Support
86135 Augsburg
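
Added example, not part of the thread and not geteduroam or CAT code: a shell check of a RADIUS server certificate for the two points in Stefan's message of 14 Jun 2022 (a SubjectAltName that contains the CN, and no pathlen in Basic Constraints on a non-CA certificate). The function names and the host name radius.example.ac.uk are assumptions made for the example, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `openssl x509 -noout -text` output
# on stdin and reports the certificate properties the message says Android 11/12
# trips over. Returns the number of findings.
audit_cert_text() {
    text=$(cat)
    findings=0
    # CommonName from the Subject line ("CN = x" or "CN=x", by OpenSSL version).
    cn=$(printf '%s\n' "$text" |
        sed -n 's/^ *Subject:.*CN *= *\([^,]*\).*/\1/p' | head -n 1)
    # DNS names from the line after the Subject Alternative Name header.
    sans=$(printf '%s\n' "$text" |
        awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p')
    # Value line of the Basic Constraints extension, if present.
    bc=$(printf '%s\n' "$text" |
        awk '/X509v3 Basic Constraints/ { getline; print; exit }')

    if [ -z "$sans" ]; then
        echo "FAIL: no DNS subjectAltName"; findings=$((findings + 1))
    elif ! printf '%s\n' "$sans" | grep -Fxqi -- "$cn"; then
        echo "FAIL: CN '$cn' is not among the SAN DNS names"
        findings=$((findings + 1))
    fi
    case "$bc" in
        *CA:FALSE*pathlen*)
            echo "FAIL: pathlen present although CA:FALSE"
            findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ] && echo "OK: CN '$cn' is in SAN, Basic Constraints clean"
    return "$findings"
}

# Convenience wrapper for a PEM file on disk (requires the openssl CLI).
audit_cert_file() { openssl x509 -in "$1" -noout -text | audit_cert_text; }

# Constructed sample: excerpt shaped like `openssl x509 -text` output for a
# server certificate with no SAN and pathlen on a non-CA certificate.
sample_bad_cert() {
    cat <<'EOF'
        Subject: C = GB, O = Example University, CN = radius.example.ac.uk
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE, pathlen:0
EOF
}

sample_bad_cert | audit_cert_text || echo "findings: $?"
```

The SAN comparison is an exact, case-insensitive match of the CN against the DNS entries; wildcard names are not expanded.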



