cat-users - RE: [[cat-users]] what does the CAT eduroam tool really do to help

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Paul Hii <Paul.Hii AT aarnet.edu.au>
  • To: ALBRIZIO DANIELE <albrizio AT units.it>
  • Cc: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] what does the CAT eduroam tool really do to help
  • Date: Mon, 9 Dec 2024 00:41:06 +0000

Hi Albrizio,

Thanks for the detailed clarification.

After all the testing and understanding, it all makes sense and I’m convinced that everyone should use CAT; it is surprisingly easy to use despite the complicated tool name (which is why there’s “geteduroam”).

Cheers,

Paul

From: ALBRIZIO DANIELE <albrizio AT units.it>
Sent: Friday, 6 December 2024 8:41 PM
To: Paul Hii <Paul.Hii AT aarnet.edu.au>
Subject: Re: [[cat-users]] what does the CAT eduroam tool really do to help

Can I reply to you in the cat-users mailing list?

Your question is a good one, and the answer may be useful to many silent users out there.

The answer will be as follows.

You are right, let me dive in further.

You upload a complete CA chain (without the server certificate) to the user device and pin the server certificate CN (not the certificate itself).

This means that as long as you keep the same CA and CA certificates, the device will silently accept new (renewed) certificates of the RADIUS server.

P.S. If you have multiple RADIUS servers it's advisable to use the same CA chain and the same CN for all of them (not necessarily the same certificate and the same private key).

Moreover, if your CA changes or CA certificates expire, as soon as you get to know, you can:

- Renew the server certificate with the old CA, granting you at least one year for device migration

- Issue a new installer with a different anonymous outer identity containing both the CA chain of the old and the new CA

- Monitor the RADIUS log for the percentage of transition-ready devices on your network (analyzing their outer identity) and decide on the best way to communicate to your users that they should rerun the new installer

On Fri, 2024-12-06 at 00:01 +0000, Paul Hii wrote:

Thanks Albrizio. You’ve helped clarify my understanding of CAT. I’ve now got CAT working and it’s nice to see I can do anonymous outer identity on a Windows device.

You said “At the same time this provides a smooth migration for renewed server side certificates without user intervention.”

How does this work? Is it because the CAT-configured eduroam profile on the device will always check for the expected CNs when presented with the certificate? And so it is a transparent experience for the end user as long as the certificate server name/CN does not change?

Regards,

Paul

From: ALBRIZIO DANIELE <albrizio AT units.it>
Sent: Thursday, 14 November 2024 7:38 PM
To: twoln AT umk.pl; Kalpesh Gohil <Kalpesh.Gohil AT aarnet.edu.au>; Paul Hii <Paul.Hii AT aarnet.edu.au>
Cc: cat-users AT lists.geant.org
Subject: Re: [[cat-users]] what does the CAT eduroam tool really do to help

I can tell you about my experience, but CAT is a tool and can be used to fulfil different needs.

On Thu, 2024-11-14 at 03:56 +0000, Paul Hii wrote:

Hello,

I need help understanding what the eduroam CAT really does. Maybe you can point me at the documentation that explains fully what CAT really does when installing on devices, because I’ve read it but I still don’t understand.

I understand that the CAT tool will install the root and intermediate certificates required to validate the institution’s server certificate.

That's one of its features.

When CAT creates the “eduroam” profile, does it already tell the eduroam profile the name of the server certificate to expect? Is this why the CAT setup requires the signing authority certificate files but only the server certificate name needs to be supplied? I’d like to understand the purpose of specifying the server certificate name.

When a wireless client freshly connects to a network, it does not have connectivity and thus no means to resolve names or check CRLs (certificate revocation lists).

Specifying the CN of the certificate (but not onboarding the certificate itself) and the issuing root CA permits a strict verification of the server with which the client is setting up an authentication session, thus preventing man-in-the-middle attacks and credential disclosure.

Many root CAs that are used by institutions to secure eduroam can issue certificates to evil third parties that can set up a rogue access point to steal credentials and traffic.

At the same time this provides a smooth migration for renewed server-side certificates without user intervention.

Can the CAT configure anonymous outer identity?

Yes. And you can also use a specially crafted outer identity to loosely track installer type and configuration version!

-- 

Daniele Albrizio

Ufficio Reti e telefonia | ICT - Phone and Network Management
Università degli Studi di Trieste | University of Trieste
Via Alfonso Valerio 12 - 34127 Trieste (Italy)
daniele.albrizio AT units.it
Tel. | Ph. +39 040 558 3319

Ufficio Reti e telefonia | ICT - Phone and Network Management
Tel. | Ph. +39 040 558 3331

-- 

Daniele Albrizio

Ufficio Reti e telefonia | ICT - Phone and Network Management
Università degli Studi di Trieste | University of Trieste
Via Alfonso Valerio 12 - 34127 Trieste (Italy)
daniele.albrizio AT units.it
Tel. | Ph. +39 040 558 3319

Ufficio Reti e telefonia | ICT - Phone and Network Management
Tel. | Ph. +39 040 558 3331
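The following is an added example, not code from the thread, from CAT or from the University of Trieste. It models the server check that Daniele describes: the supplicant holds the CA chain from the installer and a pinned CN, and accepts a presented certificate only when it chains to an installed CA and carries exactly that CN, with no CRL or OCSP lookup because the unauthenticated client has no network access. The CA names, the server name `radius.example.edu` and the rogue name `rogue.example.edu` are constructed for the example. It walks through the four cases from the discussion: a renewed certificate from the same CA and CN (accepted silently), a certificate from the same CA with another CN (the rogue access point case, rejected), a certificate from a new CA under the old installer (rejected until the user reruns the installer), and the same new-CA certificate under a migration installer that carries both CA chains (accepted).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with parent; with parent nil the certificate is self-signed (a CA).
// Every call generates a fresh key, which is what a certificate renewal does.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func serverTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// supplicantAccepts models the check of a CAT-provisioned profile: the presented
// certificate must chain to one of the installed CA certificates and carry the
// pinned CN. Revocation is deliberately not checked (no connectivity yet).
func supplicantAccepts(installedCAs []*x509.Certificate, pinnedCN string, presented *x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, ca := range installedCAs {
		roots.AddCert(ca)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return fmt.Errorf("certificate does not chain to an installed CA: %w", err)
	}
	if presented.Subject.CommonName != pinnedCN {
		return fmt.Errorf("server CN %q does not match pinned CN %q", presented.Subject.CommonName, pinnedCN)
	}
	return nil
}

// Outcome records which presented certificate each installer variant accepts.
type Outcome struct {
	RenewedSameCA         bool // same CA, same CN, new key: accepted silently
	RogueCNSameCA         bool // same CA, other CN: must be rejected
	NewCAOldProfile       bool // new CA under the old installer: rejected
	NewCAMigrationProfile bool // new CA under an installer carrying both chains
}

func runScenarios() Outcome {
	oldCA, oldKey := issue(caTemplate("Old Campus CA", 1), nil, nil) // constructed names
	nextCA, nextKey := issue(caTemplate("New Campus CA", 2), nil, nil)
	const pinnedCN = "radius.example.edu" // assumed server name

	renewed, _ := issue(serverTemplate(pinnedCN, 101), oldCA, oldKey)
	rogue, _ := issue(serverTemplate("rogue.example.edu", 102), oldCA, oldKey)
	migrated, _ := issue(serverTemplate(pinnedCN, 103), nextCA, nextKey)

	oldProfile := []*x509.Certificate{oldCA}
	migrationProfile := []*x509.Certificate{oldCA, nextCA}
	return Outcome{
		RenewedSameCA:         supplicantAccepts(oldProfile, pinnedCN, renewed) == nil,
		RogueCNSameCA:         supplicantAccepts(oldProfile, pinnedCN, rogue) == nil,
		NewCAOldProfile:       supplicantAccepts(oldProfile, pinnedCN, migrated) == nil,
		NewCAMigrationProfile: supplicantAccepts(migrationProfile, pinnedCN, migrated) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", runScenarios())
}
```

The Go standard library is used only so the example runs offline; a real supplicant applies the same two conditions (trusted chain, expected name) with its platform TLS stack. Note that the name pin is what makes the "same CA, other CN" case fail: a CA that is trusted for many institutions is not by itself enough to distinguish the right RADIUS server from a rogue one.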
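A second added example, again not from the thread or from CAT, for the monitoring step of Daniele's migration plan: counting transition-ready devices from the outer identities in the RADIUS log. The log lines and the tagging scheme `anon-cat-<version>@realm` are constructed assumptions (a real server's log format and the identity format you choose in CAT will differ); the client MAC stands in for the Calling-Station-Id that RADIUS servers normally log. The analysis keeps the most recent installer tag seen per MAC, so a device that has rerun the new installer is counted once, under the new tag.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample (not a real RADIUS log format): one line per accepted
// authentication, carrying the outer identity and the client MAC address.
const sampleLog = `2024-12-06T08:00:01 Access-Accept outer=anon-cat-v1@example.edu mac=AA-BB-CC-00-00-01
2024-12-06T08:05:12 Access-Accept outer=anon-cat-v1@example.edu mac=AA-BB-CC-00-00-02
2024-12-06T08:07:40 Access-Accept outer=anonymous@example.edu mac=AA-BB-CC-00-00-05
2024-12-06T09:12:03 Access-Accept outer=anon-cat-v2@example.edu mac=AA-BB-CC-00-00-03
2024-12-06T09:30:55 Access-Accept outer=anon-cat-v1@example.edu mac=AA-BB-CC-00-00-04
2024-12-06T10:01:09 Access-Accept outer=anon-cat-v2@example.edu mac=AA-BB-CC-00-00-02
this line carries no outer identity and is skipped`

var (
	lineRE    = regexp.MustCompile(`outer=(\S+)\s+mac=(\S+)`)
	versionRE = regexp.MustCompile(`^anon-cat-(v\d+)@`) // assumed tagging scheme
)

// installerVersion maps an outer identity to the installer tag it encodes,
// or "untagged" for identities that do not follow the scheme.
func installerVersion(outer string) string {
	if m := versionRE.FindStringSubmatch(outer); m != nil {
		return m[1]
	}
	return "untagged"
}

// TransitionReport counts distinct devices (by MAC) per installer version.
type TransitionReport struct {
	DevicesByVersion map[string]int
	TotalDevices     int
}

// ReadyPercent is the share of devices whose latest authentication used the
// given installer version.
func (r TransitionReport) ReadyPercent(version string) float64 {
	if r.TotalDevices == 0 {
		return 0
	}
	return float64(100*r.DevicesByVersion[version]) / float64(r.TotalDevices)
}

// analyzeRadiusLog records the most recent version seen per MAC, then counts
// devices per version.
func analyzeRadiusLog(log string) TransitionReport {
	latest := map[string]string{}
	for _, line := range strings.Split(log, "\n") {
		m := lineRE.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		latest[m[2]] = installerVersion(m[1])
	}
	rep := TransitionReport{DevicesByVersion: map[string]int{}, TotalDevices: len(latest)}
	for _, v := range latest {
		rep.DevicesByVersion[v]++
	}
	return rep
}

func main() {
	rep := analyzeRadiusLog(sampleLog)
	for v, n := range rep.DevicesByVersion {
		fmt.Printf("%-9s %d device(s)\n", v, n)
	}
	fmt.Printf("transition-ready (v2): %.1f%%\n", rep.ReadyPercent("v2"))
}
```

Treat the percentage as the loose estimate Daniele calls it: devices that randomise their MAC per network may be counted more than once, and devices that have not connected during the observation window are not counted at all, so watch the trend over weeks rather than a single day's figure.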


