The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Paul Menzel <pmenzel AT molgen.mpg.de>]

Dear Lukas,


Thank you for sharing your experiences.


Am 29.11.23 um 11:10 schrieb Lukas Wringer (via cat-users Mailing List):

> as Chromebooks are becomming somewhat more common I sat down to test
> some of our services if and how they work on ChromeOS for example
> eduroam.
>
> A bit of background Info:
>
> Some EAP-Methods require specific settings to be actually secure and
> are protected against fake "Rouge-APs" - For example: EAP-TTLS(PAP)
> should configure both, the Root-CA used to issue the RADIUS-Certificate
> and the (alt-)subject-match with the name of the actual RADIUS to
> match.
>
> CAT makes sure these settings are applied across all supported devices
> especially in cases like (older) Android or (modern) Apple Devices
> where these options are not exposed to the GUI.
>
> ChromeOS in this regard is confusing at best - on some devices and
> versions the required settings are actually available in the GUI on
> some they don't and one some only partially but not consistent.

It’d be great if you could share that table of devices and Chrome OS 
versions.

> CAT provides an ONC-Profile that can be imported via chrome://network
> that **should** configure this values. But at least in my experience
> that is not always the case.
>
> What I have experienced so far is that if the used CA is already known
> to the system, the imported configuration will fail (which is always
> the case when using a known Trusted-CA)
>
> When using a self-signed (or not Trusted) ca-certifcate the import will
> work - if not for the other possible error when on systems that don't
> expose the corresponding values for CA-Verfication and (alt)subject-
> match.
>
> Now comes the ridiculous part - the first problem can be fixed in a
> very weird way which also solves the problem when trying to manually
> configure eduroam:
>
> CA-Certificates can be manually imported via
> chrome://settings/certificates - *but* normally only if they are _not_
> already known (it will just throw an error).
>
> But here comes the trick: if you use the tab for "Server"-certificates
> it will actually import the CA into the correct CA-Tab for roots and
> can now be configured to be trusted for websites.
>
> If an ONC-Profile is already installed it will now be fixed
> automagically and the CA can be specifically selected in manual
> configuration.
>
> The only catch - the CA can not be deleted like other manually imported
> CAs...
>
> Hopefully Googles proposed project Lacros will finaly move these
> settings out of the webbrowser into the system and fix some of this
> weirdness...
To make the Chromium OS folks aware of this, it’d be great if you used 
their feedback feature or their issue/bug tracker [1]. (As it’s FLOSS, 
it is also possible to create patches.)


Kind regards,

Paul


PS: As an exclusive GNU/Linux user, I really came to like Chromebooks 
and -boxes, as Chrome OS is GNU/Linux and the devices ship with coreboot 
based firmware, so are more open than 99 % percent in the commercial 
market. After Android, Google fixed the last 5 % missing on GNU/Linux on 
the desktop. Too bad, the public sector and the education section is 
mostly a parasite in the FLOSS ecosystem and does not spend as much (or 
often anything at all) for its advancement as for proprietary offerings.


[1]: https://crbug.com/