cat-users - RE: [[cat-users]] Eduroam certificate renewal

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: "Alam, Nahid /DZNE" <Nahid.Alam AT DZNE.DE>
  • To: Martin Stanislav <ms AT uakom.sk>, "eduroam AT dfn.de" <eduroam AT dfn.de>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Cc: "Uysal, Cueneyt /DZNE" <Cueneyt.Uysal AT dzne.de>, "Khan, Emrose /DZNE" <Emrose.Khan AT dzne.de>, "Hakimi, Hasibullah /DZNE" <Hasibullah.Hakimi AT dzne.de>, "Rocha Almeida, Jose /DZNE" <Jose.Almeida AT dzne.de>, "Baracchi, Laura /DZNE" <Laura.Baracchi AT dzne.de>
  • Subject: RE: [[cat-users]] Eduroam certificate renewal
  • Date: Wed, 17 Jan 2024 10:05:24 +0000
  • Accept-language: en-US, de-DE

Dear Support Team,

We have lost admin access to the eduroam CAT portal DFN [1]. Can you please
let us know how we can get back admin access to the eduroam CAT admin portal?

Is this the correct link to log in to the eduroam CAT admin portal for DZNE?
https://idp.dzne.de/idp/profile/SAML2/Redirect/SSO?execution=e1s2


Going through the eduroam CAT admin guide at the link below, we found the
following steps for replacing the certificate with a new one.

https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+IdP+administrators


Replacing the RADIUS server root CA certificate:

When your RADIUS server's root CA certificate is about to expire and you need
to replace it with a new one, the new CA certificate needs to be communicated
to all your users' devices. The procedure to achieve this is as follows:

1. Create a new “migration” eduroam profile in eduroam CAT, containing both
the current and new root CA certificates. All previous eduroam CAT profiles
should be deleted to avoid them being used. (Caveat: this new profile will
not work as intended for Android < 7.1 devices).

2. Require all new and existing end-users to download the “migration”
profile. Their devices, except for Android < 7.1, will then be capable of
trusting both the current and the new CA, and will accept server certificates
from either CA.

3. Once you are confident that all end-user devices have the “migration”
profile installed, apply the new server certificate on the RADIUS server(s).
Ideally, the host name in the certificate CN/subjectAltNames should be
identical to the old server certificate. (Caveat: Android < 7.1 devices
configured with the old root CA will now no longer be able to authenticate,
they will need to install a new profile containing just the new root CA).

4. Create a new “permanent” eduroam profile in eduroam CAT, containing only
the new root CA certificate. Delete the “migration” eduroam profile.

5. Require all existing Android < 7.1 users, and all new users, to download
the new profile.


Thanking you,

Khandakar Nahid Alam
Network & Cyber Security Engineer
 
Deutsches Zentrum für Neurodegenerative Erkrankungen e. V. (DZNE)
Venusberg-Campus 1/99 
53127 Bonn 
Mail: nahid.alam AT dzne.de
Web: www.dzne.de 

 
*********************************
Vorstand: Prof. Pierluigi Nicotera, MD PhD (Vorstandsvorsitzender und
Wissenschaftlicher Vorstand)
und Dr. Sabine Helling-Moegen, LL.M. (Administrativer Vorstand).
Das DZNE ist im Vereinsregister des Amtsgerichts Bonn eingetragen (VR 9021).
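
The migration procedure quoted above can be rehearsed before anything is
changed on the production RADIUS servers. The script below is an added
example; it is not part of this list message, of the GEANT wiki, or of eduroam
CAT. It creates throwaway "old" and "new" root CAs plus an EAP server
certificate issued by each, builds the three trust stores that the guide's
profiles would install on a supplicant (old root only, both roots, new root
only), and runs "openssl verify" for every combination. It also covers the
step-3 caveat, a device still carrying only one root when the server switches.
The CA names and the host name radius.example.org are made up; openssl must be
on PATH.

```shell
#!/bin/sh
# Added example: simulate the CAT root-CA migration with throwaway CAs and check,
# with "openssl verify", which supplicant trust store accepts which EAP server
# certificate. CA names and radius.example.org are invented for the demonstration.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Supplicants check the server name as well as the chain, so every server
# certificate gets the same SAN (the guide: keep CN/subjectAltName identical).
printf 'subjectAltName=DNS:radius.example.org\n' > san.cnf

# make_ca NAME CN : self-signed root CA (key + certificate)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# make_server NAME CA : EAP server certificate issued by CA
make_server() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=radius.example.org" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -extfile san.cnf -out "$1.pem" >/dev/null 2>&1
}

make_ca old-ca "Example Old Root CA"
make_ca new-ca "Example New Root CA"
make_server old-server old-ca   # certificate in use before the renewal
make_server new-server new-ca   # replacement certificate from the new root

# Trust stores as the three CAT profiles from the guide would install them
cat old-ca.pem            > profile-original.pem   # old profile: old root only
cat old-ca.pem new-ca.pem > profile-migration.pem  # step 1: both roots
cat new-ca.pem            > profile-permanent.pem  # step 4: new root only

# trusts PROFILE SERVERCERT : prints accept or reject, as the supplicant decides
trusts() {
  if openssl verify -CAfile "$1" -verify_hostname radius.example.org "$2" \
       >/dev/null 2>&1
  then echo accept
  else echo reject
  fi
}

# Matrix of profiles against server certificates. The "original + new-server"
# row is the rejection the RADIUS server logs as an unexpected TLS alert.
for profile in profile-original profile-migration profile-permanent; do
  for server in old-server new-server; do
    printf '%-18s %-11s %s\n' "$profile" "$server" \
      "$(trusts "$profile.pem" "$server.pem")"
  done
done
```

The only combination that a device can survive across the switch of server
certificates is the migration store: the original store rejects the new server
certificate (the state described in this thread), and the permanent store
rejects the old one, which is why the guide has you switch the RADIUS server
only after the migration profile has been rolled out.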


-----Original Message-----
From: Martin Stanislav <ms AT uakom.sk>
Sent: Wednesday, January 17, 2024 10:26 AM
To: Alam, Nahid /DZNE <Nahid.Alam AT DZNE.DE>
Cc: cat-users AT lists.geant.org; Uysal, Cueneyt /DZNE <Cueneyt.Uysal AT dzne.de>;
Khan, Emrose /DZNE <Emrose.Khan AT dzne.de>; Hakimi, Hasibullah /DZNE
<Hasibullah.Hakimi AT dzne.de>; eduroam AT dfn.de; Rocha Almeida, Jose /DZNE
<Jose.Almeida AT dzne.de>; Baracchi, Laura /DZNE <Laura.Baracchi AT dzne.de>
Subject: Re: [[cat-users]] Eduroam certificate renewal



Dear Alam,

Your organisation needs to adjust its profile(s) on the eduroam CAT portal [1] in case
it's about to change the root CA used to issue a replacement EAP server
certificate. Ideally, add the new root CA to the published configuration
profiles long enough before introducing the changes in the AAA infrastructure
on your RADIUS server (a fair share of client devices accept multiple root CAs
in their supplicant setup nowadays).
This way the end users get a chance to set up their devices in a way that
reflects coming changes in the infrastructure.

Should you have lost admin access to the eduroam CAT portal, DFN [1] is your
most likely point of contact to resume the access.

Kind regards,
Martin

[1] A guide to eduroam CAT for IdP administrators
https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+IdP+administrators

[2] https://www2.dfn.de/dienstbeschreibungro

On Tue, Jan 16, 2024 at 05:13:59PM +0000, "Alam, Nahid /DZNE" wrote:
> Dear Eduroam Support Team,
>
> Recently we renewed our ISE certificate, and after that our eduroam users
> are facing a connectivity issue using the eduroam CAT application; we discovered
> that the authentication process is being rejected by our ISE. The ISE log is
> showing a certificate issue / TLS error as below.
>
> [image: ISE log screenshot attached to the original message]
>
> Possible Resolution Ensure that the ISE server certificate is trusted by
> the client, by configuring the supplicant with the CA certificate that
> signed the ISE server certificate. It is strongly recommended to not
> disable the server certificate validation on the client!
>
> Possible Root cause While trying to negotiate a TLS handshake with the
> client, ISE received an unexpected TLS alert message. This might be due to
> the supplicant not trusting the ISE server certificate for some reason. ISE
> treated the unexpected message as a sign that the client rejected the
> tunnel establishment.
>
> Note that users can connect to the eduroam service directly using their username
> and credentials without the eduroam CAT application. Upon inspecting the eduroam
> CAT application profile, it has come to our attention that a specific/old
> root certificate has been hardcoded for end users, and unfortunately this
> certificate has expired. We need to edit this profile and set the correct
> updated certificate; then end users will be able to connect to the eduroam service
> using the eduroam CAT application. However, the process of editing the
> application profile is currently unknown to us, and we are seeking your
> assistance in guiding us through the necessary steps. Your expertise and
> support in resolving this matter would be greatly appreciated.
>
>
> The end-user eduroam CAT application profile settings, which are hardcoded
> with the old certificate, are given below.
>
> [image: profile settings screenshot attached to the original message]
>
>
>
> Thanking you,
>
> Khandakar Nahid Alam
> Network & Cyber Security Engineer
>
> Deutsches Zentrum für Neurodegenerative Erkrankungen e. V. (DZNE)
> Venusberg-Campus 1/99
> 53127 Bonn
> Mail: nahid.alam AT dzne.de<mailto:nahid.alam AT dzne.de>
> Web: www.dzne.de<http://www.dzne.de/>
>
> *********************************
> Vorstand: Prof. Pierluigi Nicotera, MD PhD (Vorstandsvorsitzender und
> Wissenschaftlicher Vorstand) und Dr. Sabine Helling-Moegen, LL.M.
> (Administrativer Vorstand).
> Das DZNE ist im Vereinsregister des Amtsgerichts Bonn eingetragen (VR 9021).






