Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] eduroam on ChromeOS ist very, very weird....

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] eduroam on ChromeOS ist very, very weird....


Chronological Thread 
  • From: Paul Dekkers <paul.dekkers AT surf.nl>
  • To: Lukas Wringer <Lukas.Wringer AT rz.uni-augsburg.de>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] eduroam on ChromeOS ist very, very weird....
  • Date: Wed, 29 Nov 2023 11:24:02 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=surf.nl; dmarc=pass action=none header.from=surf.nl; dkim=pass header.d=surf.nl; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=iZvqwZl+aoRii5qIGQ3uy1703g4fo8LPPvL7Btn35hA=; b=K1I9rKB7Xb8vKU23WW0R7JFellXE05xMdsnfOXh1DQN/lmQhUNDGA/GJzoPrEzSob++ACVWUm1eGuZIcayyo0bLm+v2RoVZ/GAOq39lssqcMlpbYr1/TfokZCg3qr+g2UQDFJL+/KAu/H++Oqxo5lINZOL8lSHxBS287mVWmV2THK89eUsyezWpcClrng9QGQ57zCYxhtRrIZTLL5uLwy+2bzp4YoCuxyTNpg5JHdNc09Nyzg89QYnoUbCAwwFntY95AT7LcLc4DfKZl2tgVAuFYGplgrMyoHG3l8PqwmKs0hGxNkctnPfhxhtVh5cVyX8gNhWKxHnd7gD3xj9qRqA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Bui1PC/qa/Smp6v+9O/NPJPeepVdtHuAEYuWQmzpg0SxAkaaL+oOMl8g2HEK0Qkks59CZpsfv2mbU4iIzVHOFJrpL/eeTxn/VKlydSLsMiTTqSjtynKqyqNyKGp/bWM4gU2J4eszZHMAAY3vvebgqwemU+V1aB1sz0iYY1Lp9gtDKmu+yRgRPHeGfgsGWzTLOeZDI94QIiCtlVrUhT+DV0rdVVVgOYtwYfRzdZaS99O495WclnAh3boWmWYccnApzuJWHssWiJhY6a3wZOEseq6PUvsEYyHcxpSvT9QAun8OVKi7eWuFBTcm7DP9YVlfgD56n1VcApvgRUNkHHiW6g==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=surf.nl;
  • Autocrypt: addr=paul.dekkers AT surf.nl; keydata= xsDNBFzP6HIBDADK8Wn7ods1w4ysf5c/GeUkDm2doxOZRUU3ZSMM0aG9aN2jqpZB11xoTuAv k+J3kOpRY542rbHTxkbdiIYFiKS5ff9bAPfn1MUOy+XErLPUzZ/Z3GO6kCpTkcHYKVN2Iehd QCdn7UbNRRzygiVHiRWi8jkhutBWBHHy7hcVWXtHfxb5Ot7I6Z9F2Aso6sB543UrQVxEl0h1 AuNN2HXVW536LaGh+ZRTPPPj99nR8UvNnJ4Q/Jh9a6/C9TB1vGm/4oTWG2gnFcq9CBQB9+E0 GZ7S9ddyKzXE97wziJdhC4e14s9aSiG9Du98C62ilTzOk4muOV6XU0JZOy3jwIt6bS2m9zGf yUxhKs5mNwrCUeBqt5uKgUXAG0MnQ70lMmiGyMNwUkCXuHiScvzB7rdXM0h2pvfrMMsQ1BA5 +0Zb1hkkq5eYVUE+e9xJID82ShdMOTievgSdc4JP4lJuUAjVf30u5uUe/uxsDxc1zfnZsp30 ezTIhp2SxszZcWjzTnn7tSEAEQEAAc0jUGF1bCBEZWtrZXJzIDxwYXVsLmRla2tlcnNAc3Vy Zi5ubD7CwQ4EEwEIADgWIQQ3Xw/6ofYHVAb73o89O9GpKK14OgUCXM/ocgIbIwULCQgHAgYV CgkICwIEFgIDAQIeAQIXgAAKCRA9O9GpKK14OsHaDACFjL2wGvcSxecAVjShtnOwHgi5iO+r MUQiplP7/dD8awcBxuj1ihv/kZoatI0tSxsXs6OqYqG/ivJfCaXX51dYANDfDI4E8FLN+eCj v3ndVJHEWdixNrVH+sdS4itZt0omQ28dbMpJc7opOw42o5xMmypMMzo4enHZcaYr4fktAu5B 2E3eekw8aXOHPSrTmIAZjhaKCdZ5CtOotgoUGnrQbHIVlPh7PJBCUTlNXDynjLdznhYJjvBN GnT9B+PPfJ0TQMBv0gqWlfJA+GSKl//pz+Jqh1ByyRFXZaG0imE4eLaODSb+3aoD36pWMrdV 31m+qeEzB2V6I40vdBmZEtpX+01l3kuIPa/ZpJ3MCaeVlQ2ADkZwz1DVEV4aasOkKL2hAlMz bSChFnSA6OhOS+2L+7HAtI62OPj0VkXERqeFPpOWFG0OzqJUCBB5x/OdhoMiVjI2KNtMDxoD Y4L+u1MeNwm7fPYrdQn8aDN0Lc5tEdw29mwWwBLjiu+u8jCEyGnOwM0EXM/ocgEMALdymAvx UsfhoNnNR+SaJCUVwmBMjt9spGs1E27yqHMs7jDnZ87uh2B220GmZGKFkf4SbRHUJhPGX+rg Ez2vvlBwZonBKDY1SyCPRI6ffaivoz9hw+GXpQYQwIZ1gJWN7MvhzIbG+b+Y6pRMRsWSjThA ImieLS2+K2oR6XenxKG/dZg8qO/Uv5Qvb66rWtFM9D48iurcUu3ndotJPAkKetUg3dny4nzp D1wT26RcqEh8huJfZK8JdML+9Q1dHoMhtwRzTTWQ4rxwEr2X1ymaF4QaG8LbuT4/Owrp5vGd YI7Wh2Lwjwn6tJE715eePcoahQwgBBwsKBCkRDOQ3dA8bUO/G8p7SRTj/CAymx5unis3H6O/ jQmi3cgVLNg6CYwPGptFRrLxqT/eWsNy/2Dpd8VHajjVKQ6bC0MNz+lHoFkNMc/CaTY8BQix xM4mtm5rbbogX9pBPSUx5vVgd1Vbw8sQT2wFxUI3Q3r4KaKD5MVucDTg3OxcMNQxRTLDdonI owARAQABwsD2BBgBCAAgFiEEN18P+qH2B1QG+96PPTvRqSiteDoFAlzP6HICGwwACgkQPTvR qSiteDqo6gwAqIpD/D4lNkUehSf+U8l9lTpkWNAEfB9PgAMIFrFQ3YUuEmhFlv8uKi6Y7apX 89tmrVUgc5RLglf7e4geYv69wLY4R7jMIUs0g9cv/g71rhfszjDJGe/4ppa+qHTk69Uq556d B9nMtFF2YWvq77Y1WBKv/r3hmJLQYNZBaCBSPI9OpZ0UCw3hp0ip/LUejVXLRkU+ZAb6jeEt gd2zoIiXOHCazaGD6EGvLQxzuwPVPXPLU6kahtJoJAa/OOWyzSnd+Ipio6Vi6tdDVLEXbTVn AjnVOlEnGc6dhh1TOxPv/lHslYxfSTrCoBRIKcXS/5bkxvTOZpgSRyKsksh1fgD1IIPjLqs2 K7KOXgocNG+iIOMcLbSsp8R7GRUMmzeTIPHnW1xC9OIgU16KSxaDWa6tX6NOcY5iHRlRXw5Q 9WVGgnHIbfR/2hoyXzbVMzM2uiTEJ9qG4+GtMUBeLdEo8DsbX+QdP71NgcCcBUtUe9LfDEJ+ yZ0Nj/dbF6RX3MTEJRiy

Hi,

Worth sharing is that we are very close to having a geteduroam version available for ChromeOS. It's part of the redeveloped version for Android.

We already released it for getgovroam, we need to do some more tests and make some more and maybe different choices for geteduroam, but I think we'll try to release it soon, maybe even before the end of the year.

For ChromeOS there's two (outside of ONC) ways to install the profiles, and both have caveats, but I kind of like it a lot we'll be able to do this with geteduroam, as it appears more friendly to me compared to ONC or a manual config.

Regards,
Paul

P.S. I can go in a bit more detail about the challenges we still have for the geteduroam version, maybe I'll share in a separate post, but that would be a lengthy mail ;-)


On 29/11/2023 11:10, Lukas Wringer (via cat-users Mailing List) wrote:
Hi,

as Chromebooks are becomming somewhat more common I sat down to test
some of our services if and how they work on ChromeOS for example
eduroam.

A bit of background Info:

Some EAP-Methods require specific settings to be actually secure and
are protected against fake "Rouge-APs" - For example: EAP-TTLS(PAP)
should configure both, the Root-CA used to issue the RADIUS-Certificate
and the (alt-)subject-match with the name of the actual RADIUS to
match.

CAT makes sure these settings are applied across all supported devices
especially in cases like (older) Android or (modern) Apple Devices
where these options are not exposed to the GUI.

ChromeOS in this regard is confusing at best - on some devices and
versions the required settings are actually available in the GUI on
some they don't and one some only partially but not consistent.

CAT provides an ONC-Profile that can be imported via chrome://network
that **should** configure this values. But at least in my experience
that is not always the case.

What I have experienced so far is that if the used CA is already known
to the system, the imported configuration will fail (which is always
the case when using a known Trusted-CA)

When using a self-signed (or not Trusted) ca-certifcate the import will
work - if not for the other possible error when on systems that don't
expose the corresponding values for CA-Verfication and (alt)subject-
match.

Now comes the ridiculous part - the first problem can be fixed in a
very weird way which also solves the problem when trying to manually
configure eduroam:

CA-Certificates can be manually imported via
chrome://settings/certificates - *but* normally only if they are _not_
already known (it will just throw an error).

But here comes the trick: if you use the tab for "Server"-certificates
it will actually import the CA into the correct CA-Tab for roots and
can now be configured to be trusted for websites.

If an ONC-Profile is already installed it will now be fixed
automagically and the CA can be specifically selected in manual
configuration.

The only catch - the CA can not be deleted like other manually imported
CAs...

Hopefully Googles proposed project Lacros will finaly move these
settings out of the webbrowser into the system and fix some of this
weirdness...

Greetings, Lukas




Archive powered by MHonArc 2.6.24.

Top of Page