cat-users - Re: [[cat-users]] eduroam on ChromeOS ist very, very weird....

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Jethro Binks <jethro.binks AT strath.ac.uk>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>, Paul Dekkers <paul.dekkers AT surf.nl>
  • Subject: Re: [[cat-users]] eduroam on ChromeOS ist very, very weird....
  • Date: Wed, 29 Nov 2023 10:35:35 +0000

Paul said:

"P.S. I can go in a bit more detail about the challenges we still have
for the geteduroam version, maybe I'll share in a separate post, but
that would be a lengthy mail ;-)"

The holidays are coming, we will have time 🙂.

Jethro.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 

Jethro R Binks, Network Manager, 

Information Services Directorate, University Of Strathclyde, Glasgow, UK


The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.



From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org> on behalf of Paul Dekkers <cat-users AT lists.geant.org>
Sent: 29 November 2023 10:24
To: Lukas Wringer <Lukas.Wringer AT rz.uni-augsburg.de>; cat-users AT lists.geant.org <cat-users AT lists.geant.org>
Subject: Re: [[cat-users]] eduroam on ChromeOS ist very, very weird....
 
Hi,

Worth sharing is that we are very close to having a geteduroam version
available for ChromeOS. It's part of the redeveloped version for Android.

We already released it for getgovroam, we need to do some more tests and
make some more and maybe different choices for geteduroam, but I think
we'll try to release it soon, maybe even before the end of the year.

For ChromeOS there's two (outside of ONC) ways to install the profiles,
and both have caveats, but I kind of like it a lot we'll be able to do
this with geteduroam, as it appears more friendly to me compared to ONC
or a manual config.

Regards,
Paul

P.S. I can go in a bit more detail about the challenges we still have
for the geteduroam version, maybe I'll share in a separate post, but
that would be a lengthy mail ;-)


On 29/11/2023 11:10, Lukas Wringer (via cat-users Mailing List) wrote:
> Hi,
>
> as Chromebooks are becoming somewhat more common I sat down to test
> some of our services if and how they work on ChromeOS for example
> eduroam.
>
> A bit of background Info:
>
> Some EAP-Methods require specific settings to be actually secure and
> are protected against fake "Rogue-APs" - For example: EAP-TTLS(PAP)
> should configure both, the Root-CA used to issue the RADIUS-Certificate
> and the (alt-)subject-match with the name of the actual RADIUS to
> match.
>
> CAT makes sure these settings are applied across all supported devices
> especially in cases like (older) Android or (modern) Apple Devices
> where these options are not exposed to the GUI.
>
> ChromeOS in this regard is confusing at best - on some devices and
> versions the required settings are actually available in the GUI on
> some they don't and on some only partially but not consistent.
>
> CAT provides an ONC-Profile that can be imported via chrome://network
> that **should** configure these values. But at least in my experience
> that is not always the case.
>
> What I have experienced so far is that if the used CA is already known
> to the system, the imported configuration will fail (which is always
> the case when using a known Trusted-CA)
>
> When using a self-signed (or not Trusted) ca-certificate the import will
> work - if not for the other possible error when on systems that don't
> expose the corresponding values for CA-Verification and (alt)subject-
> match.
>
> Now comes the ridiculous part - the first problem can be fixed in a
> very weird way which also solves the problem when trying to manually
> configure eduroam:
>
> CA-Certificates can be manually imported via
> chrome://settings/certificates - *but* normally only if they are _not_
> already known (it will just throw an error).
>
> But here comes the trick: if you use the tab for "Server"-certificates
> it will actually import the CA into the correct CA-Tab for roots and
> can now be configured to be trusted for websites.
>
> If an ONC-Profile is already installed it will now be fixed
> automagically and the CA can be specifically selected in manual
> configuration.
>
> The only catch - the CA can not be deleted like other manually imported
> CAs...
>
> Hopefully Google's proposed project Lacros will finally move these
> settings out of the webbrowser into the system and fix some of this
> weirdness...
>
> Greetings, Lukas
>
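
Added example, not part of the original thread or of CAT: a small check that an ONC profile's eduroam entry pins the RADIUS CA and a server name before it is imported via chrome://network. Field names follow the ONC specification as understood here; the profile, GUIDs and host name are constructed placeholders.

```python
import json

# Constructed ONC profile for illustration; GUIDs, host name and X509 body are placeholders.
SAMPLE_ONC = json.loads("""
{
  "Type": "UnencryptedConfiguration",
  "Certificates": [
    {"GUID": "{example-radius-ca}", "Type": "Authority", "X509": "PLACEHOLDER"}
  ],
  "NetworkConfigurations": [
    {"GUID": "{example-eduroam}", "Name": "eduroam", "Type": "WiFi",
     "WiFi": {"SSID": "eduroam", "Security": "WPA-EAP",
              "EAP": {"Outer": "EAP-TTLS", "Inner": "PAP",
                      "ServerCARefs": ["{example-radius-ca}"],
                      "SubjectAlternativeNameMatch": [
                          {"Type": "DNS", "Value": "radius.example.org"}]}}}
  ]
}
""")


def audit_onc(onc):
    """Return findings for every WPA-EAP WiFi network lacking CA or name pinning."""
    # GUIDs of CA certificates shipped inside the profile itself.
    authorities = {c.get("GUID") for c in onc.get("Certificates", [])
                   if c.get("Type") == "Authority"}
    findings = []
    for net in onc.get("NetworkConfigurations", []):
        wifi = net.get("WiFi", {})
        if net.get("Type") != "WiFi" or wifi.get("Security") != "WPA-EAP":
            continue
        eap = wifi.get("EAP", {})
        name = net.get("Name", wifi.get("SSID", "?"))
        refs = eap.get("ServerCARefs", [])
        if not refs:
            findings.append(f"{name}: no ServerCARefs, RADIUS CA is not pinned")
        for ref in refs:
            if ref not in authorities:
                findings.append(f"{name}: {ref} has no matching Authority certificate")
        # Any of the three name-matching fields counts as a server name check.
        names = [s.get("Value") for s in eap.get("SubjectAlternativeNameMatch", [])]
        names += eap.get("DomainSuffixMatch", [])
        names.append(eap.get("SubjectMatch"))
        if not any(names):
            findings.append(f"{name}: no server name match configured")
    return findings


if __name__ == "__main__":
    print(audit_onc(SAMPLE_ONC) or "profile pins CA and server name")
```

An empty result only says the profile asks for both checks; as the thread describes, whether ChromeOS applies them after import still has to be confirmed on the device.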