
geteduroam - Re: geteduroam odd behaviour on Android 10?

Subject: An open discussion list for topics related to the geteduroam service

  • From: Stefan Paetow <Stefan.Paetow AT jisc.ac.uk>
  • To: "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>
  • Subject: Re: geteduroam odd behaviour on Android 10?
  • Date: Wed, 9 Dec 2020 12:01:32 +0000

From the information I was provided, it appears to be a Huawei phone with
Android 10.

We've chased for a valid account since the test user we're meant to have
access to is either disabled or no longer exists. :-/

However, that said, I did not test *connecting* with the emulator, just
purely the installation of the profile, and discovered that it doesn't show
which certificate it should validate with. Given this is Android and I don't
use Android, is this normal (i.e. it will not show which certificate it
validates against), or should it be showing that?

Also, my question of whether geteduroam installed the 'eduroam_WPA_*'
certificates or not is yet unanswered.

With Regards

Stefan Paetow
Federated Roaming Technical Specialist

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp AT jabber.dev.ja.net
skype: stefan.paetow.janet


In line with government advice, at Jisc we’re now working from home and our
offices are currently closed. Read our statement on coronavirus
<https://www.jisc.ac.uk/about/corporate/coronavirus-statement>.

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT No.
GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
Bristol, BS2 0JA. T 0203 697 5800.


On 08/12/2020, 20:59, "paul.dekkers AT surf.nl on behalf of Paul Dekkers"
<paul.dekkers AT surf.nl> wrote:

Hi,

I just started an Android 10 phone (Samsung Galaxy S10) in the debugger
to see if I spot anything with the installation of Bath Spa University - but
for me it just seems to work. Obviously, I didn’t have a correct username and
password.

What brand of Android 10 phone is this, do you know? Is it possible for
me to test with valid credentials?

BTW, testing with the emulator doesn’t really work well, as Android
doesn’t emulate Wi-Fi hardware properly.

Not relevant, I think, but:

I see this institution actually also sends the root certificate over the
EAP conversation - not necessary. Shouldn’t be a trigger for these issues
either.

It also appears to be an EV certificate. That can also be a reason for
problems at least on ChromeOS. So unlikely to affect Android ;-)

Regards,
Paul


> On 8 Dec 2020, at 21:04, Stefan Paetow <geteduroam AT lists.geant.org> wrote:
>
> The entire chain is shipped with the EAP handshake (I know, not ideal), but the ultimate root *should* suffice.
>
> I refer to this part in the IdP guide (verbatim):
>
> "For most EAP methods, the required EAP details are
>   - The Certification Authority (CA) certificate(s) which signed your EAP server certificate
>       - always include the root CA (root CAs are indicated with a blue circled "R" besides the certificate details after upload)
>       - optionally include intermediate CAs (intermediate or server certificates are indicated with a blue circled ("I") besides the certificate after upload)
>   - The name of your server as specified in the Common Name (CN) of your EAP server certificate"
>
> I've done a check and yes, the CA root cert on the server and the CA root cert on CAT match (as per Martin), and openssl verifies the chain ok:
>
> [support:~] openssl verify -CAfile bspa-root.crt -untrusted bspa-interm.crt bspa-srv.crt
> bspa-srv.crt: OK
>
> So no, it's not the chain, because actual authentications would have failed.
>
> With Regards
>
> Stefan Paetow
> Federated Roaming Technical Specialist
>
> t: +44 (0)1235 822 125
> gpg: 0x3FCE5142
> xmpp: stefanp AT jabber.dev.ja.net
> skype: stefan.paetow.janet
>
>
> On 08/12/2020, 15:39, "geteduroam-request AT lists.geant.org on behalf of Paul Dekkers" <geteduroam-request AT lists.geant.org on behalf of geteduroam AT lists.geant.org> wrote:
>
> Hi,
>
> Ah, in that case it looks like the intermediate certificate is missing? This contains just the/a QuoVadis root.
>
> Thanks for checking on the profile, I didn’t get to that yet,
>
> (I doubt this profile works well in CAT?)
>
> Regards,
> Paul
>
>
>> On 8 Dec 2020, at 16:24, Martin Pauly <geteduroam AT lists.geant.org> wrote:
>>
>> On 08.12.20 at 16:07, Stefan Paetow (via geteduroam Mailing List) wrote:
>>> The profile is correct. They use a root certificate.
>>
>> This one?
>>
>> ...
>>
>> --
>> Dr. Martin Pauly Phone: +49-6421-28-23527
>> HRZ Univ. Marburg Fax: +49-6421-28-26994
>> Hans-Meerwein-Str. E-Mail: pauly AT HRZ.Uni-Marburg.DE
>> D-35032 Marburg
>>
>
>
>
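
The trust-anchor question discussed in this thread, as an added example that is not part of any message: a constructed root, intermediate and server certificate (all names are placeholders, not the institution's) checked with the same `openssl verify` invocation, where `-CAfile` stands in for the CA the profile installs and `-untrusted` for what the server sends during EAP. It goes slightly beyond the thread by also covering a server that sends no intermediate and a profile that pins a different root.

```sh
#!/bin/sh
# Added example: constructed three-tier chain; every name below is a placeholder.
set -eu

new_key_csr() {   # $1 = basename, $2 = CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_chain() {    # $1 = working directory
  ( cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    new_key_csr root  "Constructed Root CA"
    new_key_csr other "Constructed Unrelated Root"
    new_key_csr int   "Constructed Intermediate CA"
    new_key_csr srv   "radius.example.org"
    for r in root other; do   # self-signed trust anchors
      openssl x509 -req -in $r.csr -signkey $r.key -extfile ca.ext -days 2 -out $r.crt 2>/dev/null
    done
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -set_serial 2 \
      -extfile ca.ext -days 2 -out int.crt 2>/dev/null
    openssl x509 -req -in srv.csr -CA int.crt -CAkey int.key -set_serial 3 \
      -days 2 -out srv.crt 2>/dev/null
    cat int.crt root.crt > full-chain.pem   # server that also sends its root
  )
}

# $1 = CA file the profile installs as trust anchor
# $2 = file of certificates the server sends besides its own ("" = none)
client_accepts() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/srv.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/srv.crt" >/dev/null 2>&1
  fi
}

report() { if client_accepts "$2" "$3"; then echo "accept: $1"; else echo "reject: $1"; fi; }

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
make_chain "$WORK"
report "root pinned, server sends intermediate"        "$WORK/root.crt"  "$WORK/int.crt"
report "root pinned, server also sends the root"       "$WORK/root.crt"  "$WORK/full-chain.pem"
report "root pinned, server sends leaf only"           "$WORK/root.crt"  ""
report "other root pinned, server sends int and root"  "$WORK/other.crt" "$WORK/full-chain.pem"
```

A root included in the server's handshake is treated as untrusted input, so it neither helps nor harms validation; only the CA installed by the profile decides the outcome.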





