The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[DFN eduroam <eduroam AT dfn.de>]

Dear Alam Nahid /DZNE!

please send an s/mime signed e-mail to eduroam AT dfn.de.
Please use a user certificate from the TCS PKI (GÉANT, Sectigo) in order 
to sign your e-mail.

You will then receive an encrypted e-mail containing the registration token 
for admin access to eduroam CAT. 

Best regards,
Ralf Paffrath

17.01.2024 11:05 - Alam Nahid /DZNE schrieb:

> Dear Support Team,
> 
> We have lost admin access to the eduroam CAT portal DFN [1]. Can you please 
> let us
> know how can we get back admin access to the eduroam CAT admin portal ?
> 
> Is it the correct link to login eduroam CAT admin portal for DZNE ?
> https://idp.dzne.de/idp/profile/SAML2/Redirect/SSO?execution=e1s2
> 
> 
> By going through the below link eduroam CAT admin guide we can find the 
> below step
> to replace new certificate.
> 
> https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+IdP+administrators
> 
> 
> Replacing the RADIUS server root CA certificate:
> 
> When your RADIUS server's root CA certificate is about to expire and you 
> need to
> replace it with a new one, the new CA certificate needs to be communicated 
> to all
> your users' devices. The procedure to achieve this is as follows:
> 
> 1. Create a new “migration” eduroam profile in eduroam CAT, containing both 
> the
> current and new root CA certificates. All previous eduroam CAT profiles 
> should be
> deleted to avoid them being used. (Caveat: this new profile will not work as
> intended for Android < 7.1 devices).
> 
> 2. Require all new and existing end-users to download the “migration” 
> profile.
> Their devices, except for Android < 7.1, will then be capable of trusting 
> both the
> current and the new CA, and will accept server certificates from either CA.
> 
> 3. Once you are confident that all end-user devices have the “migration” 
> profile
> installed, apply the new server certificate on the Radius server(s). 
> Ideally, the
> host name in the certificate CN/subjectAltNames should be identical to the 
> old
> server certificate. (Caveat: Android < 7.1 devices configured with the old 
> root CA
> will now no longer be able to authenticate, they will need to install a new
> profile containing just the new root CA).
> 
> 4. Create a new “permanent” eduroam profile in eduroam CAT, containing only 
> the
> new root CA certificate. Delete the “migration” eduroam profile.
> 
> 5. Require all existing Android < 7.1 users, and all new users, to download 
> the
> new profile.
> 
> 
> Thanking you,
> 
> Khandakar Nahid Alam
> Network & Cyber Security Engineer
>  
> Deutsches Zentrum für Neurodegenerative Erkrankungen e. V. (DZNE)
> Venusberg-Campus 1/99 
> 53127 Bonn 
> Mail: nahid.alam AT dzne.de
> Web: www.dzne.de 
> 
>  
> *********************************
> Vorstand: Prof. Pierluigi Nicotera, MD PhD (Vorstandsvorsitzender und
> Wissenschaftlicher Vorstand)
> und Dr. Sabine Helling-Moegen, LL.M. (Administrativer Vorstand).
> Das DZNE ist im Vereinsregister des Amtsgerichts Bonn eingetragen (VR 9021).
> 
> 
> -----Original Message-----
> From: Martin Stanislav <ms AT uakom.sk> 
> Sent: Wednesday, January 17, 2024 10:26 AM
> To: Alam, Nahid /DZNE <Nahid.Alam AT DZNE.DE>
> Cc: cat-users AT lists.geant.org; Uysal, Cueneyt /DZNE 
> <Cueneyt.Uysal AT dzne.de>; Khan,
> Emrose /DZNE <Emrose.Khan AT dzne.de>; Hakimi, Hasibullah /DZNE
> <Hasibullah.Hakimi AT dzne.de>; eduroam AT dfn.de; Rocha Almeida, Jose /DZNE
> <Jose.Almeida AT dzne.de>; Baracchi, Laura /DZNE <Laura.Baracchi AT dzne.de>
> Subject: Re: [[cat-users]] Eduroam certificate renewal
> 
> CAUTION: This email originated from outside of DZNE. Do not click links or 
> open
> attachments unless you recognize the sender and know the content is safe.
> ACHTUNG: Dies ist eine externe E-Mail, bitte seien Sie vorsichtig beim 
> Anklicken
> von Links oder Öffnen von Anhängen
> 
> 
> Dear Alam,
> 
> Your org. needs to adjust its profile(s) on eduroam CAT portal [1] in case 
> it's
> about to change the root CA used to issue a replacement EAP server 
> certificate.
> Ideally add the new root CA to the published configuration profiles long 
> enough
> before introducing the changes in the AAA infrustucture on your RADIUS 
> server (a
> fair share of client devices accept multipe root CA in their supplicant 
> setup
> nowadays).
> This way the end users get a chance to setup their devices in a way that 
> reflects
> comming changes in the infrastructure.
> 
> Should you have lost admin acceess to the eduroam CAT portal DFN [1] is 
> your most
> likely point of contact to resume the access.
> 
> Kind regards,
> Martin
> 
> [1] A guide to eduroam CAT for IdP administrators 
> https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+IdP+administrators
> 
> [2] https://www2.dfn.de/dienstbeschreibungro
> 
> On Tue, Jan 16, 2024 at 05:13:59PM +0000, "Alam, Nahid /DZNE" wrote:
> > Dear Eduroam Support Team,
> >
> > Recently we renewed our ISE certificate and after that our eduroams user 
> > are facing connectivity issue using eduroam CAT Application, we 
> > discovered that the authentication process is being rejected from our 
> > ISE. ISE log is showing Certificate issue TSL error as below.
> >
> > [cid:image005.png AT 01DA48A7.B39A67B0]
> >
> > Possible Resolution Ensure that the ISE server certificate is trusted by 
> > the client, by configuring the supplicant with the CA certificate that 
> > signed the ISE server certificate. It is strongly recommended to not 
> > disable the server certificate validation on the client!
> >
> > Possible Root cause While trying to negotiate a TLS handshake with the 
> > client, ISE received an unexpected TLS alert message. This might be due 
> > to the supplicant not trusting the ISE server certificate for some 
> > reason. ISE treated the unexpected message as a sign that the client 
> > rejected the tunnel establishment.
> >
> > Note that user can connect eduroam service directly using their username 
> > and credential without eduroam CAT application. Upon inspecting the 
> > eduroam CAT application profile, it has come to our attention that a 
> > specific/old root certificate has been hardcoded for end users, and 
> > unfortunately, this certificate has expired. We need to edit this profile 
> > and set the correct updated certificate then end user will able to 
> > connect eduroam service using eduroam CAT application. However, the 
> > process of editing the application profile is currently unknown to us, 
> > and we are seeking your assistance in guiding us through the necessary 
> > steps. Your expertise and support in resolving this matter would be 
> > greatly appreciated.
> >
> >
> > End User eduroam CAT application profile settings which is hardcoded with 
> > old certificate is given below.
> >
> > [cid:image001.jpg AT 01DA4880.995EEDC0]
> >
> >
> >
> > Thanking you,
> >
> > Khandakar Nahid Alam
> > Network & Cyber Security Engineer
> >
> > Deutsches Zentrum für Neurodegenerative Erkrankungen e. V. (DZNE) 
> > Venusberg-Campus 1/99
> > 53127 Bonn
> > Mail: nahid.alam AT dzne.de<mailto:nahid.alam AT dzne.de>
> > Web: www.dzne.de<http://www.dzne.de/>
> >
> > [signature_122933437]
> > *********************************
> > Vorstand: Prof. Pierluigi Nicotera, MD PhD (Vorstandsvorsitzender und 
> > Wissenschaftlicher Vorstand) und Dr. Sabine Helling-Moegen, LL.M. 
> > (Administrativer Vorstand).
> > Das DZNE ist im Vereinsregister des Amtsgerichts Bonn eingetragen (VR 
> > 9021).
> > To unsubscribe, send this message: 
> > mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> > Or use the following link: 
> > https://lists.geant.org/sympa/sigrequest/cat-users
> 
> 
> 
> 
> 


Mit freundlichen Grüßen/Kind regards,
Ralf Paffrath

-- 
eduroam Technischer Support
E-Mail: eduroam AT dfn.de | Fon: +49 30884299-9120 | Fax: +49 30884299-370 
__________________________________________________________________________________

DFN - Deutsches Forschungsnetz | German National Research and Education 
Network
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin
https://www.dfn.de/

Vorstand: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser | Christian 
Zens
Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch
VR AG Charlottenburg 7729 B | USt.-ID. DE 136623822

Attachment: smime.p7s
Description: S/MIME cryptographic signature