Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] [DFN#2024011710000984] Eduroam certificate renewal

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] [DFN#2024011710000984] Eduroam certificate renewal


Chronological Thread 
  • From: DFN eduroam <eduroam AT dfn.de>
  • To: "Alam, Nahid /DZNE" <Nahid.Alam AT DZNE.DE>
  • Cc: "Uysal Cueneyt" <cueneyt.uysal AT dzne.de>, "Khan, Emrose /DZNE" <Emrose.Khan AT dzne.de>, "Hakimi, Hasibullah /DZNE" <Hasibullah.Hakimi AT dzne.de>, "Rocha Almeida, Jose /DZNE" <Jose.Almeida AT dzne.de>, "Baracchi, Laura /DZNE" <Laura.Baracchi AT dzne.de>, Martin Stanislav <ms AT uakom.sk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] [DFN#2024011710000984] Eduroam certificate renewal
  • Date: Wed, 17 Jan 2024 13:15:29 +0100
  • Organization: DFN eV

Dear Alam Nahid /DZNE!

please send an s/mime signed e-mail to eduroam AT dfn.de.
Please use a user certificate from the TCS PKI (GÉANT, Sectigo) in order
to sign your e-mail.

You will then receive an encrypted e-mail containing the registration token
for admin access to eduroam CAT.

Best regards,
Ralf Paffrath

17.01.2024 11:05 - Alam Nahid /DZNE schrieb:

> Dear Support Team,
>
> We have lost admin access to the eduroam CAT portal DFN [1]. Can you please
> let us
> know how can we get back admin access to the eduroam CAT admin portal ?
>
> Is it the correct link to login eduroam CAT admin portal for DZNE ?
> https://idp.dzne.de/idp/profile/SAML2/Redirect/SSO?execution=e1s2
>
>
> By going through the below link eduroam CAT admin guide we can find the
> below step
> to replace new certificate.
>
> https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+IdP+administrators
>
>
> Replacing the RADIUS server root CA certificate:
>
> When your RADIUS server's root CA certificate is about to expire and you
> need to
> replace it with a new one, the new CA certificate needs to be communicated
> to all
> your users' devices. The procedure to achieve this is as follows:
>
> 1. Create a new “migration” eduroam profile in eduroam CAT, containing both
> the
> current and new root CA certificates. All previous eduroam CAT profiles
> should be
> deleted to avoid them being used. (Caveat: this new profile will not work as
> intended for Android < 7.1 devices).
>
> 2. Require all new and existing end-users to download the “migration”
> profile.
> Their devices, except for Android < 7.1, will then be capable of trusting
> both the
> current and the new CA, and will accept server certificates from either CA.
>
> 3. Once you are confident that all end-user devices have the “migration”
> profile
> installed, apply the new server certificate on the Radius server(s).
> Ideally, the
> host name in the certificate CN/subjectAltNames should be identical to the
> old
> server certificate. (Caveat: Android < 7.1 devices configured with the old
> root CA
> will now no longer be able to authenticate, they will need to install a new
> profile containing just the new root CA).
>
> 4. Create a new “permanent” eduroam profile in eduroam CAT, containing only
> the
> new root CA certificate. Delete the “migration” eduroam profile.
>
> 5. Require all existing Android < 7.1 users, and all new users, to download
> the
> new profile.
>
>
> Thanking you,
>
> Khandakar Nahid Alam
> Network & Cyber Security Engineer
>  
> Deutsches Zentrum für Neurodegenerative Erkrankungen e. V. (DZNE)
> Venusberg-Campus 1/99 
> 53127 Bonn 
> Mail: nahid.alam AT dzne.de
> Web: www.dzne.de 
>
>  
> *********************************
> Vorstand: Prof. Pierluigi Nicotera, MD PhD (Vorstandsvorsitzender und
> Wissenschaftlicher Vorstand)
> und Dr. Sabine Helling-Moegen, LL.M. (Administrativer Vorstand).
> Das DZNE ist im Vereinsregister des Amtsgerichts Bonn eingetragen (VR 9021).
>
>
> -----Original Message-----
> From: Martin Stanislav <ms AT uakom.sk>
> Sent: Wednesday, January 17, 2024 10:26 AM
> To: Alam, Nahid /DZNE <Nahid.Alam AT DZNE.DE>
> Cc: cat-users AT lists.geant.org; Uysal, Cueneyt /DZNE
> <Cueneyt.Uysal AT dzne.de>; Khan,
> Emrose /DZNE <Emrose.Khan AT dzne.de>; Hakimi, Hasibullah /DZNE
> <Hasibullah.Hakimi AT dzne.de>; eduroam AT dfn.de; Rocha Almeida, Jose /DZNE
> <Jose.Almeida AT dzne.de>; Baracchi, Laura /DZNE <Laura.Baracchi AT dzne.de>
> Subject: Re: [[cat-users]] Eduroam certificate renewal
>
> CAUTION: This email originated from outside of DZNE. Do not click links or
> open
> attachments unless you recognize the sender and know the content is safe.
> ACHTUNG: Dies ist eine externe E-Mail, bitte seien Sie vorsichtig beim
> Anklicken
> von Links oder Öffnen von Anhängen
>
>
> Dear Alam,
>
> Your org. needs to adjust its profile(s) on eduroam CAT portal [1] in case
> it's
> about to change the root CA used to issue a replacement EAP server
> certificate.
> Ideally add the new root CA to the published configuration profiles long
> enough
> before introducing the changes in the AAA infrustucture on your RADIUS
> server (a
> fair share of client devices accept multipe root CA in their supplicant
> setup
> nowadays).
> This way the end users get a chance to setup their devices in a way that
> reflects
> comming changes in the infrastructure.
>
> Should you have lost admin acceess to the eduroam CAT portal DFN [1] is
> your most
> likely point of contact to resume the access.
>
> Kind regards,
> Martin
>
> [1] A guide to eduroam CAT for IdP administrators
> https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+IdP+administrators
>
> [2] https://www2.dfn.de/dienstbeschreibungro
>
> On Tue, Jan 16, 2024 at 05:13:59PM +0000, "Alam, Nahid /DZNE" wrote:
> > Dear Eduroam Support Team,
> >
> > Recently we renewed our ISE certificate and after that our eduroams user
> > are facing connectivity issue using eduroam CAT Application, we
> > discovered that the authentication process is being rejected from our
> > ISE. ISE log is showing Certificate issue TSL error as below.
> >
> > [cid:image005.png AT 01DA48A7.B39A67B0]
> >
> > Possible Resolution Ensure that the ISE server certificate is trusted by
> > the client, by configuring the supplicant with the CA certificate that
> > signed the ISE server certificate. It is strongly recommended to not
> > disable the server certificate validation on the client!
> >
> > Possible Root cause While trying to negotiate a TLS handshake with the
> > client, ISE received an unexpected TLS alert message. This might be due
> > to the supplicant not trusting the ISE server certificate for some
> > reason. ISE treated the unexpected message as a sign that the client
> > rejected the tunnel establishment.
> >
> > Note that user can connect eduroam service directly using their username
> > and credential without eduroam CAT application. Upon inspecting the
> > eduroam CAT application profile, it has come to our attention that a
> > specific/old root certificate has been hardcoded for end users, and
> > unfortunately, this certificate has expired. We need to edit this profile
> > and set the correct updated certificate then end user will able to
> > connect eduroam service using eduroam CAT application. However, the
> > process of editing the application profile is currently unknown to us,
> > and we are seeking your assistance in guiding us through the necessary
> > steps. Your expertise and support in resolving this matter would be
> > greatly appreciated.
> >
> >
> > End User eduroam CAT application profile settings which is hardcoded with
> > old certificate is given below.
> >
> > [cid:image001.jpg AT 01DA4880.995EEDC0]
> >
> >
> >
> > Thanking you,
> >
> > Khandakar Nahid Alam
> > Network & Cyber Security Engineer
> >
> > Deutsches Zentrum für Neurodegenerative Erkrankungen e. V. (DZNE)
> > Venusberg-Campus 1/99
> > 53127 Bonn
> > Mail: nahid.alam AT dzne.de<mailto:nahid.alam AT dzne.de>
> > Web: www.dzne.de<http://www.dzne.de/>
> >
> > [signature_122933437]
> > *********************************
> > Vorstand: Prof. Pierluigi Nicotera, MD PhD (Vorstandsvorsitzender und
> > Wissenschaftlicher Vorstand) und Dr. Sabine Helling-Moegen, LL.M.
> > (Administrativer Vorstand).
> > Das DZNE ist im Vereinsregister des Amtsgerichts Bonn eingetragen (VR
> > 9021).
> > To unsubscribe, send this message:
> > mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> > Or use the following link:
> > https://lists.geant.org/sympa/sigrequest/cat-users
>
>
>
>
>


Mit freundlichen Grüßen/Kind regards,
Ralf Paffrath

--
eduroam Technischer Support
E-Mail: eduroam AT dfn.de | Fon: +49 30884299-9120 | Fax: +49 30884299-370
__________________________________________________________________________________

DFN - Deutsches Forschungsnetz | German National Research and Education
Network
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin
https://www.dfn.de/

Vorstand: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser | Christian
Zens
Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch
VR AG Charlottenburg 7729 B | USt.-ID. DE 136623822

Attachment: smime.p7s
Description: S/MIME cryptographic signature




Archive powered by MHonArc 2.6.24.

Top of Page