cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

RE: [[cat-users]] issues with EAP-TLS profile on Android

From: James Potter <Jim.Potter AT jisc.ac.uk>
To: Paul Dekkers <paul.dekkers AT surf.nl>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
Subject: RE: [[cat-users]] issues with EAP-TLS profile on Android
Date: Tue, 16 Apr 2024 09:14:54 +0000
Accept-language: en-GB, en-US
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=jisc.ac.uk; dmarc=pass action=none header.from=jisc.ac.uk; dkim=pass header.d=jisc.ac.uk; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=s0R6BjBP8ATrDykncLpH4NZ8fehmrlZucuNpsqjugls=; b=ejjQEXCKgR1OPs/s1H+g3xDGdUic59S9fe8kafdXe8Y6vlT8A10Dl/n9ej9J2iWn1QuLnlFQVj9t8Yuwij+beHWJjTkiymhOx5M8lGVDozCo1fP14vfy8kIC2PPlzbngNBdGuH8k8RX8OQXx9vY/HNNd3OMeLEG632gNmkk2dXuOo64AvspSN7srHbCuovQyCidU008F7CuV46kszYhclr4QDgwzlNX12nxwzx54gXjChh3Pfdkj52hfuSRJ0R8LOGTeMCHUDYzm6Zjm89XEIeJgaxK+xxJsjsVdm3y+gK/hvzGCTFTTWGwwnjisItSJc7zSjwVF+29JxOC+YngU+g==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jnNNlUga/GPBzrLqWpwcNFx0i8aHurbVydDmkxlOxDqHpHtfCD4TeYGsa72nScRxRcddsBC+8Gy4NoFBLItgbwtQOkoG3P/fgAkXJ7mpb6VocClTFKzOKWowBPbD6LtOiuanA5+M9mc60kUWVXr5RiEmHF/XbgIu9KSh5YOHVJF1VE0EeDU308CqivlY/8b5sr0x7QRQ594Drba/tFOQ006Bidk3xjzI2/QqRu0BBHqyWAMBZbz2mjn+IojAiqSc9tIawtSJxtZQDwurIRDAAGL2cEh5iRL+SAeTNzsM+gQe2rBvrtON1jdWLnnKPB8wlU1qz7JgvIZ3hkZevFf2sg==
Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=jisc.ac.uk;
Msip_labels: MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_ActionId=a9ec2bad-ac8b-4103-b8d5-7e2665547f37;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_ContentBits=0;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_Enabled=true;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_Method=Privileged;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_Name=Confidential - External;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_SetDate=2024-04-16T09:14:50Z;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_SiteId=48f9394d-8a14-4d27-82a6-f35f12361205;

Hi Paul,

Sorry for slow reply… (I’ll get a debug log from android over to you presently).

So I’ve tried a few more things/had a think about this… I don’t think this has anything to do with the actual client certificates – it doesn’t get that far, its more likely the CA or config specifics its taking offence at (unless it expects to find client certs issued by the same CA as the server cert in the cert store?)

Things I’ve tried:

Set up a PEAP profile with the same CA (works/doesn’t crash)
EAP profile with redirect to web page (goes to web page)
Pinched jisc’s CA, set up an EAP-TLS profile (also crashes)
Tweaked the CA - specifically, added keyUsage = cert signing, set serial = 01 rather than a random long (made no difference, still crashes)

Can you point me at a CAT EAP-TLS profile that works for you on android I can download and test/compare?

Jim

Jisc

From: Paul Dekkers <paul.dekkers AT surf.nl>
Sent: Friday, April 5, 2024 5:05 PM
To: James Potter <Jim.Potter AT jisc.ac.uk>; cat-users AT lists.geant.org
Subject: Re: [[cat-users]] issues with EAP-TLS profile on Android

You don't often get email from paul.dekkers AT surf.nl. Learn why this is important

Hi,

I'm not sure why your Android profiles crash (is that the two profiles you refer to?) but you can create debug information for us via the procedure listed at https://developer.android.com/studio/debug/bug-report and submit that (not via the mailing list!) to me directly, or geteduroam AT eduroam.org if you prefer.

If you're installing profiles for EAP-TLS, did you consider doing this with the letswifi-portal (like, geteduroam's native way to do certificates) instead? (We offer this as a hosted service also, but it's fine if you want to run your own.)

It may be something specific in your settings, however the App surely shouldn't crash.

If you have your own CA, it may be because of missing attributes/elements in your certificates? I'm not 100% sure.

Regards,
Paul

On 05/04/2024 15:42, James Potter (via cat-users Mailing List) wrote:

Hi all,

I’m trying to get CAT working with eap-tls + client certs. I’ve got a pretty straightforward way of getting client certs installed into the cert store on BYOD devices, I’m just struggling to get the SSID profile to apply nicely.

My home service will take the SAN UPN of the certificate as the username, so ideally the user will be asked to install the CA, pick a client certificate from a list and that’s it – no need to enter a username.

I’ve got this working (connecting to eduroam with all the correct settings) if I set it up manually on Windows and Android; GetEduroam on windows is mostly right but Android just crashes when I select the CAT profile.

Here are sample profiles:

Ti.dev EAP-TLS with specific outer: https://cat.eduroam.org/?idp=2492&profile="12193
Ti.dev.ja.net TLS (no set outer): https://cat.eduroam.org/?idp=2492&profile="12320

(And various others under UK Federation tenancy)

Configs of the above are:

Realm = ti.dev.ja.net
CA file + SubjectCN both set correctly
EAP-TLS only
Enforce realm suffix + exact realm suffix both ticked

Profile ‘..with specific outer’ has an additional enable anonymous outer identity ticked, value = tls

Testing (GetEduroam):

With specific outer:

Windows: Works (outer identity is from SAN UPN rather than prespecified outer I think?)
Android: Crashes when I select profile

Without specific outer:

Windows: works very nicely (gets username from SAN UPN?)
Android: Crashes when I select profile

(I haven’t got a Mac or IOS to test here)

So – any top tips why Android is crashing (app just closes)? I’ve tried a bunch of variations in settings but get the same crash every time.

Any pointers here would be great

Thanks,

Jim

Jisc

To unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

[[cat-users]] issues with EAP-TLS profile on Android, James Potter, 04/05/2024
- Re: [[cat-users]] issues with EAP-TLS profile on Android, Paul Dekkers, 04/05/2024
  - RE: [[cat-users]] issues with EAP-TLS profile on Android, James Potter, 04/16/2024