Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] Onboarding/setup ssid

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] Onboarding/setup ssid


Chronological Thread 
    < Chronological >      < Thread >
  • From: Stefan Paetow <address@concealed>
  • To: Eleanor Coultish <address@concealed>
  • Cc: "address@concealed" <address@concealed>
  • Subject: Re: [[cat-users]] Onboarding/setup ssid
  • Date: Fri, 26 Aug 2022 15:15:16 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=jisc.ac.uk; dmarc=pass action=none header.from=jisc.ac.uk; dkim=pass header.d=jisc.ac.uk; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=jSPcTborTxXXYFQA6aP/hLJqQBE+IoVAMsNTBGoYX3M=; b=Lc5Avtb1i0Ejk15/Zn4E06RdiKzeJBDFTf0KD59lVt+r3DMPnd0jMHDEAFXfx3YRgqqgUwn9BCsFfwpyJp/XzkXDyBG0STOOAoNg8Ja5vhEZ0uI4JWFu05j95B/OMxHi9pypdb9QK4E61AriWfPoSO+SQbXJJdWqoQ7WEptkpdxI5SPIkoYAv+Onnvp3+eKacKCxQp4SA5QbJEngzTu0AxtlNVs3jQ9Z4rB23q0EqJGxiqiEkBIN/lvZ7j/B2Hx23BdMZIK0f7Nl/jGa1W5xDLQUHyMs7iZK+Y2vnOrgr6QzzRpTe4HRb2kAK29RO5fLA1+cxK0fAcn5Awt/GzhMuQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=aqf2DTvhQNXtDT5zjzIq2uOyrf6bnGg6xR3qVE3NQ920I3wqm4kfbCFSQ9OnRL9PWLFOSXBH9CVeJa8ab6zlc1M1okhPBAKccP5SYOLut9oUB+uTU0uioQVjwq2zPWSvVoMkSVJm644FI0JkzKEPZM0jwp5GrQJDNRtls4GNyvRhhi5dwDvEIPUtU4ijB72kB/cN2+pO4g6L6l4bA5Cj1GiBtvCzSmQxKtlIzEluaQ1497t90g8twBP7unDkqeknN3qOq60OvWmgB0+X+xkGJofoz9HAbbak5WPzyVaxtURiClTWRsfXAyAC6yTzTtN9cDLoI/lAVEDTtnRL/dRHNA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=jisc.ac.uk;

Hi Eleanor,

 

Thanks for that! For some reason I was not on that list. I’ve added myself. I think your captive portal idea with a limited timespan is a good one. It makes sense to do it that way instead of a walled garden type.

 

With kind regards

 

Stefan Paetow
Federated Roaming Technical Specialist

eduroam(UK), Jisc


e-mail/teams: address@concealed
gpg: 0x3FCE5142

On Mondays and Wednesdays, I am not available between 12:00 noon and 15:00. For eduroam support, please contact us via address@concealed and mark it for the eduroam team’s attention.

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

 

 

From: Eleanor Coultish <address@concealed>
Date: Friday, 26 August 2022 at 15:55
To: Stefan Paetow <address@concealed>
Cc: "address@concealed" <address@concealed>
Subject: Re: [[cat-users]] Onboarding/setup ssid

 

Hi Stefan,

 

No worries, it was the address@concealed mailing list that I posted on. We've taken a different approach to this as there was no way to have an allow list and also invoke the Apple captive network assistant or other OS captive assistants. We've created a captive portal ssid that gives users 30 minutes of Internet connectivity (http/https). This also means we don't need to maintain a long list of URLs to allow access to the set up tools.

 

Thanks,

Eleanor Coultish
Network Operations Manager

 

IT Services

Directorate of Technology, Estates and Facilities
University of York | Heslington | York | YO10 5DD
+ 44 (0)1904 328467

EMAIL DISCLAIMER http://www.york.ac.uk/docs/disclaimer/email.htm

 

 

On Wed, 24 Aug 2022 at 16:50, Stefan Paetow <address@concealed> wrote:

Hi Eleanor,

 

Apologies – I just saw this email. You mentioned a Jisc mailing list – can you tell me which list that is? I’m concerned I’ve missed something here. As for the on-boarding SSID, we’ve found that the old traditional CAT site is easy to deal with, but a tool like geteduroam would need somewhat more (given some of its back-end infrastructure is based in the cloud). A year or two ago, we had this query from Uni Cardiff, and I ran a DNS capture to see which hosts would be accessed when attempting to use iOS and Android devices for Google Play, Apple AppStore and subsequently geteduroam. This is what I have from that experiment.

 

query[A] 19-courier.push.apple.com from 192.168.4.11

query[A] 21-courier.push.apple.com from 192.168.4.11

query[A] 44-courier.push.apple.com from 192.168.4.11

query[A] api.smoot.apple.com from 192.168.4.11

query[A] bag.itunes.apple.com from 192.168.4.11

query[A] buy.itunes.apple.com from 192.168.4.11

query[A] captive.apple.com from 192.168.4.11

query[A] cat.eduroam.org from 192.168.4.11

query[A] cf.iadsdk.apple.com from 192.168.4.11

query[A] cl2.apple.com from 192.168.4.11

query[A] cl3.apple.com from 192.168.4.11

query[A] cl4.apple.com from 192.168.4.11

query[A] cl5.apple.com from 192.168.4.11

query[A] configuration.apple.com from 192.168.4.11

query[A] configuration.ls.apple.com from 192.168.4.11

query[A] crt.sectigo.com from 192.168.4.11

query[A] crt.usertrust.com from 192.168.4.11

query[A] d5ymw72datw3x.cloudfront.net from 192.168.4.11

query[A] discovery.eduroam.app from 192.168.4.11

query[A] e10499.dsce9.akamaiedge.net from 192.168.4.11

query[A] e17437.dscb.akamaiedge.net from 192.168.4.11

query[A] e4478.a.akamaiedge.net from 192.168.4.11

query[A] e673.dsce9.akamaiedge.net from 192.168.4.11

query[A] e6858.dscx.akamaiedge.net from 192.168.4.11

query[A] gateway.fe.apple-dns.net from 192.168.4.11

query[A] gateway.icloud.com from 192.168.4.11

query[A] geant.ocsp.sectigo.com from 192.168.4.11

query[A] gs-loc.apple.com from 192.168.4.11

query[A] gsp10-ssl.apple.com from 192.168.4.11

query[A] gsp64-ssl.ls.apple.com from 192.168.4.11

query[A] gsp85-ssl.ls.apple.com from 192.168.4.11

query[A] gspe1-ssl.ls.apple.com from 192.168.4.11

query[A] gspe21-ssl.ls.apple.com from 192.168.4.11

query[A] gspe35-ssl.ls.apple.com from 192.168.4.11

query[A] gsp-ssl.ls.apple.com from 192.168.4.11

query[A] identity.ess.apple.com from 192.168.4.11

query[A] init.ess.apple.com from 192.168.4.11

query[A] init.itunes.apple.com from 192.168.4.11

query[A] init-p01md.apple.com from 192.168.4.11

query[A] init.push.apple.com from 192.168.4.11

query[A] iphone-ld.apple.com from 192.168.4.11

query[A] keyvalueservice.fe.apple-dns.net from 192.168.4.11

query[A] keyvalueservice.icloud.com from 192.168.4.11

query[A] lcdn-locator.apple.com from 192.168.4.11

query[A] mesu.apple.com from 192.168.4.11

query[A] ocsp.apple.com from 192.168.4.11

query[A] ocsp.digicert.com from 192.168.4.11

query[A] ocsp-lb.apple.com.akadns.net from 192.168.4.11

query[A] ocsp.pki.goog from 192.168.4.11

query[A] ocsp.sectigo.com from 192.168.4.11

query[A] ocsp.usertrust.com from 192.168.4.11

query[A] p29-fmip.icloud.com from 192.168.4.11

query[A] p29-keyvalueservice.icloud.com from 192.168.4.11

query[A] partiality.itunes.apple.com from 192.168.4.11

query[A] pd.itunes.apple.com from 192.168.4.11

query[A] play.itunes.apple.com from 192.168.4.11

query[A] safebrowsing.googleapis.com from 192.168.4.11

query[A] setup.icloud.com from 192.168.4.11

query[A] s.mzstatic.com from 192.168.4.11

query[A] static.ess.apple.com from 192.168.4.11

query[A] su.itunes.apple.com from 192.168.4.11

query[A] time-ios.apple.com from 192.168.4.11

query[A] updates.cdn-apple.com from 192.168.4.11

query[A] www.apple.com from 192.168.4.11

query[A] www-cdn.icloud.com.akadns.net from 192.168.4.11

query[A] www.icloud.com from 192.168.4.11

query[A] xp.apple.com from 192.168.4.11

query[A] xp.itunes-apple.com.akadns.net from 192.168.4.11

 

I hope this is somewhat more useful. Note that Google Play and Apple AppStore are also cloud-based, but given we’re likely to be in the same region, the list may fulfil somewhat of your requirements.

 

With kind regards

 

Stefan Paetow
Federated Roaming Technical Specialist

eduroam(UK), Jisc


e-mail/teams: address@concealed
gpg: 0x3FCE5142

On Mondays and Wednesdays, I am not available between 12:00 noon and 15:00. For eduroam support, please contact us via address@concealed and mark it for the eduroam team’s attention.

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

 

 

From: <address@concealed> on behalf of Eleanor Coultish <address@concealed>
Reply to: Eleanor Coultish <address@concealed>
Date: Friday, 15 July 2022 at 16:34
To: "address@concealed" <address@concealed>
Subject: [[cat-users]] Onboarding/setup ssid

 

Hi,

 

Apologies for cross posting with one of the Jisc groups but I thought people on here might have some additional feedback. I'm looking at improving the user experience of our onboarding/setup ssid and have hit a few issues so I was wondering how other institutions implement this.

 

I envisaged a user would connect to our setup ssid which most devices automatically detect as a captive portal and redirect the user to a 'sign-in' setup page. This page is an information page of how to connect with a link to the eduroam cat tool so that users can configure their devices to connect to eduroam. The ssid has an allow/white list to various websites to give users access to the tools required to configure their devices. These are the problems I've hit so far with this:

Apple:
Apple devices check for connectivity to captive.apple.com and when they can't reach that they fire up the CNA (Captive Network Assistant). This doesn't have full browser capability and doesn't allow a user to download the mobile config file that's required to configure their device. Has anyone found a way around this? The only solution I've found is that I can bypass CNA on the captive portal (Aruba) which means the user has to open a web browser the navigate to the setup page.

 

Android:

To enable download of the geteduroam app from Google Play I have to whitelist www.google.com. With that url in the whitelist Android thinks it has Internet access so doesn't redirect to the captive portal to display the 'sign-in' setup page. Again the user would have to open a web browser and browse to the setup page.

 

My thinking was that the automatic redirect was a better user experience. Am I fighting a losing battle trying to use the automatic detection of the captive portal to direct users to a setup page for onboarding? Should I just whitelist the url's that detect this and recommend going through the browser? I'm interested in how other institutions have this set up and what the user experience is?

 

Thanks,

Eleanor Coultish
Network Operations Manager

 

IT Services

Directorate of Technology, Estates and Facilities
University of York | Heslington | York | YO10 5DD
+ 44 (0)1904 328467

EMAIL DISCLAIMER http://www.york.ac.uk/docs/disclaimer/email.htm

To unsubscribe, send this message: mailto:address@concealed?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users


Archive powered by MHonArc 2.6.19.

Top of Page