
cat-users - Re: [[cat-users]] what does the CAT eduroam tool really do to help

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: ALBRIZIO DANIELE <albrizio AT units.it>
  • To: "twoln AT umk.pl" <twoln AT umk.pl>, "Kalpesh.Gohil AT aarnet.edu.au" <Kalpesh.Gohil AT aarnet.edu.au>, "Paul.Hii AT aarnet.edu.au" <Paul.Hii AT aarnet.edu.au>
  • Cc: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] what does the CAT eduroam tool really do to help
  • Date: Thu, 14 Nov 2024 08:37:43 +0000

I can tell you what my experience is, but since CAT is a tool, it can be used to fulfill different needs.

On Thu, 2024-11-14 at 03:56 +0000, Paul Hii wrote:

> Hello,
>
> I need help understanding what the eduroam CAT really does to . Maybe you can point me at the documentation that explains fully what CAT really does when installing on devices, because I’ve read it but I still don’t understand.
>
> I understand that the CAT tool will install the root and intermediate certificates required to validate the institution’s server certificate.

That's one of its features.

> When CAT creates the “eduroam” profile, does it already tell the eduroam profile the name of the server certificate to expect? Is this why the CAT setup requires the signing authority certificate files but only the server certificate name needs to be supplied? I’d like to understand the purpose of specifying the server certificate name.


When a wireless client connects fresh to a network, it does not have connectivity and thus no means to resolve names or check CRLs (certificate revocation lists).
Specifying the CN of the certificate (but not onboarding the certificate itself) and the issuing root CA permits a strict verification of the server to which the client is setting up an authentication session, thus preventing man-in-the-middle attacks and credential disclosure.
Many root CAs that are used by institutions to secure eduroam can issue certificates to evil third parties that can set up rogue access points to steal credentials and traffic.
At the same time this provides a smooth migration for renewed server-side certificates without user intervention.

> Can the CAT configure anonymous outer identity?


Yes. And you can also use specially crafted outer identity to loosely track installer type and configuration version!


-- 


Daniele Albrizio
Ufficio Reti e telefonia | ICT - Phone and Network Management
Università degli Studi di Trieste | University of Trieste
Via Alfonso Valerio 12 - 34127 Trieste (Italy)
daniele.albrizio AT units.it
Tel. | Ph. +39 040 558 3319
Ufficio Reti e telefonia | ICT - Phone and Network Management
Tel. | Ph. +39 040 558 3331

Attachment: smime.p7s
Description: S/MIME cryptographic signature
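To make the two points in this reply concrete (pinning the issuing CA plus the expected server name, and setting an anonymous outer identity), here is an added example of what a CAT-style profile amounts to when expressed as a wpa_supplicant network block. It is not code from the thread or from the CAT project; the SSID is the real eduroam SSID, while the realm `example.org`, the RADIUS server name `radius.example.org`, the CA file path and the outer-identity string are placeholder assumptions. The first block is the weak form a hand-written profile often ends up with; the second is the hardened form.

```conf
# --- WEAK: accepts any server certificate (example, not a CAT-generated profile) ---
# No ca_cert and no domain_match means the supplicant trusts whatever certificate
# the RADIUS server (or a rogue access point) presents, so MSCHAPv2 credentials
# can be captured by a man-in-the-middle.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.org"          # inner identity, also sent in the clear as outer
    password="secret"
}

# --- HARDENED: pins the issuing CA and the expected server name ---
# ca_cert      : only chains ending in this (institution-chosen) root/intermediate are accepted.
#                Path is an assumption; CAT installs the CA it was given into the OS store.
# domain_match : the server certificate must carry exactly this name (SAN dNSName or CN).
#                This is the "server certificate name" CAT asks for; the certificate itself
#                is never onboarded, so a renewed server cert still matches without
#                touching the client, and no CRL/DNS lookup is needed before the
#                client has connectivity.
# anonymous_identity : the outer identity seen by visited sites; the username is only
#                sent inside the TLS tunnel. The tag "cat-v3" is a constructed example
#                of using the outer identity to track installer type / config version.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.org"
    anonymous_identity="anonymous-cat-v3@example.org"
    password="secret"
    ca_cert="/etc/ssl/certs/example-org-radius-ca.pem"   # assumed path
    domain_match="radius.example.org"                    # assumed server name
}
```

Note that `domain_match` requires an exact name match; wpa_supplicant also offers `domain_suffix_match` when the institution runs several RADIUS servers under one suffix. Whichever is used, the pair (trusted CA, expected name) is what turns "the certificate chains to a public CA" into "this is our server", which is exactly the check the reply above describes.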