cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] issues with EAP-TLS profile on Android

From: Paul Dekkers <paul.dekkers AT surf.nl>
To: James Potter <Jim.Potter AT jisc.ac.uk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
Subject: Re: [[cat-users]] issues with EAP-TLS profile on Android
Date: Fri, 5 Apr 2024 18:05:12 +0200
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=surf.nl; dmarc=pass action=none header.from=surf.nl; dkim=pass header.d=surf.nl; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=LY4xskZskpvyA2css7hdchlaUOb0ncxijLc8h/A+gno=; b=Wic4QHahc1eZMbXWocOu0R76faOIPRDySTMFrtjEiRi68Yw3U9RJUJem3KZmW9cQrVp7u9+CjajhYbCw8GkZ5eRFA91FH8BxYUvys0mPdM+2tVR8AcwmFlnM0sIg08RmMgMj020uRj+SIopN7xTY426h90aPhONsLoClhWBu8LnpVlmPEIJD75UuYEMa4YEIwRXeAhE6+8ZPIIcPJaxx28d5fYSI6QhdvlmkXced8D5KDT3rsuZqcPyOiLiaedb8xserNSvhVJfZqah/WpcBYRql6ln+AXLjUqcQxZuHGl+Ddvbpt8mCUAFY04vt0k0gEQpcdTrUkXBO10GmPhWYAw==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=el6XX+wZY2JET5jf3B8GPWSyenjNm/eR86pJTQgr+I/LNIwqa6H6MLPuI6x7KDQ4+6uV289f9R/vyN4IR5eHHCO3oLYwCIk61ybzgKiWhRLjtNOzQLb8gT9dhw6rFgAkTuaNFPqP6KLDP+Ea//UAbzSal2WqrZVc3uK0x27h/i3zzmUL61obq00RtUyaInyC3O4S8gVlFJcJZth9UByLjE/Jvm3scYW1MsViB98+0YJ1Syv1CF5uClHFnsCcw4F5I4qiPlzKgkQWtxHfl/+KnGUBOjw0Vu9a8R9aZImF6lKXa0hhJPXwtqgL2smpUvkWgZXam6B2acTsWFKZS1uWmg==
Autocrypt: addr=paul.dekkers AT surf.nl; keydata= xsDNBFzP6HIBDADK8Wn7ods1w4ysf5c/GeUkDm2doxOZRUU3ZSMM0aG9aN2jqpZB11xoTuAv k+J3kOpRY542rbHTxkbdiIYFiKS5ff9bAPfn1MUOy+XErLPUzZ/Z3GO6kCpTkcHYKVN2Iehd QCdn7UbNRRzygiVHiRWi8jkhutBWBHHy7hcVWXtHfxb5Ot7I6Z9F2Aso6sB543UrQVxEl0h1 AuNN2HXVW536LaGh+ZRTPPPj99nR8UvNnJ4Q/Jh9a6/C9TB1vGm/4oTWG2gnFcq9CBQB9+E0 GZ7S9ddyKzXE97wziJdhC4e14s9aSiG9Du98C62ilTzOk4muOV6XU0JZOy3jwIt6bS2m9zGf yUxhKs5mNwrCUeBqt5uKgUXAG0MnQ70lMmiGyMNwUkCXuHiScvzB7rdXM0h2pvfrMMsQ1BA5 +0Zb1hkkq5eYVUE+e9xJID82ShdMOTievgSdc4JP4lJuUAjVf30u5uUe/uxsDxc1zfnZsp30 ezTIhp2SxszZcWjzTnn7tSEAEQEAAc0jUGF1bCBEZWtrZXJzIDxwYXVsLmRla2tlcnNAc3Vy Zi5ubD7CwQ4EEwEIADgWIQQ3Xw/6ofYHVAb73o89O9GpKK14OgUCXM/ocgIbIwULCQgHAgYV CgkICwIEFgIDAQIeAQIXgAAKCRA9O9GpKK14OsHaDACFjL2wGvcSxecAVjShtnOwHgi5iO+r MUQiplP7/dD8awcBxuj1ihv/kZoatI0tSxsXs6OqYqG/ivJfCaXX51dYANDfDI4E8FLN+eCj v3ndVJHEWdixNrVH+sdS4itZt0omQ28dbMpJc7opOw42o5xMmypMMzo4enHZcaYr4fktAu5B 2E3eekw8aXOHPSrTmIAZjhaKCdZ5CtOotgoUGnrQbHIVlPh7PJBCUTlNXDynjLdznhYJjvBN GnT9B+PPfJ0TQMBv0gqWlfJA+GSKl//pz+Jqh1ByyRFXZaG0imE4eLaODSb+3aoD36pWMrdV 31m+qeEzB2V6I40vdBmZEtpX+01l3kuIPa/ZpJ3MCaeVlQ2ADkZwz1DVEV4aasOkKL2hAlMz bSChFnSA6OhOS+2L+7HAtI62OPj0VkXERqeFPpOWFG0OzqJUCBB5x/OdhoMiVjI2KNtMDxoD Y4L+u1MeNwm7fPYrdQn8aDN0Lc5tEdw29mwWwBLjiu+u8jCEyGnOwM0EXM/ocgEMALdymAvx UsfhoNnNR+SaJCUVwmBMjt9spGs1E27yqHMs7jDnZ87uh2B220GmZGKFkf4SbRHUJhPGX+rg Ez2vvlBwZonBKDY1SyCPRI6ffaivoz9hw+GXpQYQwIZ1gJWN7MvhzIbG+b+Y6pRMRsWSjThA ImieLS2+K2oR6XenxKG/dZg8qO/Uv5Qvb66rWtFM9D48iurcUu3ndotJPAkKetUg3dny4nzp D1wT26RcqEh8huJfZK8JdML+9Q1dHoMhtwRzTTWQ4rxwEr2X1ymaF4QaG8LbuT4/Owrp5vGd YI7Wh2Lwjwn6tJE715eePcoahQwgBBwsKBCkRDOQ3dA8bUO/G8p7SRTj/CAymx5unis3H6O/ jQmi3cgVLNg6CYwPGptFRrLxqT/eWsNy/2Dpd8VHajjVKQ6bC0MNz+lHoFkNMc/CaTY8BQix xM4mtm5rbbogX9pBPSUx5vVgd1Vbw8sQT2wFxUI3Q3r4KaKD5MVucDTg3OxcMNQxRTLDdonI owARAQABwsD2BBgBCAAgFiEEN18P+qH2B1QG+96PPTvRqSiteDoFAlzP6HICGwwACgkQPTvR qSiteDqo6gwAqIpD/D4lNkUehSf+U8l9lTpkWNAEfB9PgAMIFrFQ3YUuEmhFlv8uKi6Y7apX 89tmrVUgc5RLglf7e4geYv69wLY4R7jMIUs0g9cv/g71rhfszjDJGe/4ppa+qHTk69Uq556d B9nMtFF2YWvq77Y1WBKv/r3hmJLQYNZBaCBSPI9OpZ0UCw3hp0ip/LUejVXLRkU+ZAb6jeEt gd2zoIiXOHCazaGD6EGvLQxzuwPVPXPLU6kahtJoJAa/OOWyzSnd+Ipio6Vi6tdDVLEXbTVn AjnVOlEnGc6dhh1TOxPv/lHslYxfSTrCoBRIKcXS/5bkxvTOZpgSRyKsksh1fgD1IIPjLqs2 K7KOXgocNG+iIOMcLbSsp8R7GRUMmzeTIPHnW1xC9OIgU16KSxaDWa6tX6NOcY5iHRlRXw5Q 9WVGgnHIbfR/2hoyXzbVMzM2uiTEJ9qG4+GtMUBeLdEo8DsbX+QdP71NgcCcBUtUe9LfDEJ+ yZ0Nj/dbF6RX3MTEJRiy

Hi,

I'm not sure why your Android profiles crash (is that the two profiles you refer to?) but you can create debug information for us via the procedure listed at https://developer.android.com/studio/debug/bug-report and submit that (not via the mailing list!) to me directly, or geteduroam AT eduroam.org if you prefer.

If you're installing profiles for EAP-TLS, did you consider doing this with the letswifi-portal (like, geteduroam's native way to do certificates) instead? (We offer this as a hosted service also, but it's fine if you want to run your own.)

It may be something specific in your settings, however the App surely shouldn't crash.

If you have your own CA, it may be because of missing attributes/elements in your certificates? I'm not 100% sure.

Regards,
Paul

On 05/04/2024 15:42, James Potter (via cat-users Mailing List) wrote:

PR3PR07MB82897BBD0CECFE03490BA5B3BD032 AT PR3PR07MB8289.eurprd07.prod.outlook.com">

Hi all,

I’m trying to get CAT working with eap-tls + client certs. I’ve got a pretty straightforward way of getting client certs installed into the cert store on BYOD devices, I’m just struggling to get the SSID profile to apply nicely.

My home service will take the SAN UPN of the certificate as the username, so ideally the user will be asked to install the CA, pick a client certificate from a list and that’s it – no need to enter a username.

I’ve got this working (connecting to eduroam with all the correct settings) if I set it up manually on Windows and Android; GetEduroam on windows is mostly right but Android just crashes when I select the CAT profile.

Here are sample profiles:

Ti.dev EAP-TLS with specific outer: https://cat.eduroam.org/?idp=2492&profile="12193

Ti.dev.ja.net TLS (no set outer): https://cat.eduroam.org/?idp=2492&profile="12320

(And various others under UK Federation tenancy)

Configs of the above are:

Realm = ti.dev.ja.net

CA file + SubjectCN both set correctly

EAP-TLS only

Enforce realm suffix + exact realm suffix both ticked

Profile ‘..with specific outer’ has an additional enable anonymous outer identity ticked, value = tls

Testing (GetEduroam):

With specific outer:

Windows: Works (outer identity is from SAN UPN rather than prespecified outer I think?)

Android: Crashes when I select profile

Without specific outer:

Windows: works very nicely (gets username from SAN UPN?)

Android: Crashes when I select profile

(I haven’t got a Mac or IOS to test here)

So – any top tips why Android is crashing (app just closes)? I’ve tried a bunch of variations in settings but get the same crash every time.

Any pointers here would be great

Thanks,

Jim

Jisc

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

[[cat-users]] issues with EAP-TLS profile on Android, James Potter, 04/05/2024
- Re: [[cat-users]] issues with EAP-TLS profile on Android, Paul Dekkers, 04/05/2024
  - RE: [[cat-users]] issues with EAP-TLS profile on Android, James Potter, 04/16/2024