An open discussion list for topics related to the geteduroam service

[Ralf Paffrath <paffrath AT dfn.de>]

Hi,

On 26 Feb 2021, at 16:27, Paul Dekkers <paul.dekkers AT surf.nl> wrote:

Hi,

What we did in the beta channel is provide two versions: if you're on Android 10 or lower, you receive 1.0.16, and if you have an Android device that support API 30 or higher (ie. Android >10) you receive version 1.0.18

We *could* release a new version for all, but it means we have to use suggestions on API 29, Android 10 - and that is a really horrible experience.

Google introduced the new WiFi API in a broken state, and deprecated the old at the same time. That's why we're in this mess.

Well, and apparently the OEMs did something so that the suggestions also don't work as expected (or it has to do with certificates, but either way).

Thanks for testing again with your Pixel 3a, good to know it DID work. I understand that's TTLS - could you also try with TLS, maybe just using the geteduroam profile you have for DFN? I would love to know if the Pixel 3a behaves exactly like Pixel 5, ie "it does work". That means the focus can shift to "other vendors".

It is also working with TLS. 

Only realms like @something.de is not working. The new configuration enforces that it must be always a user name as part of the outer identity chosen 

although it is not needed for eduroam routing. BTW: Is that standard?

Regards,

Ralf

Regards,
Paul

On 26/02/2021 13:19, Ralf Paffrath wrote:

Hi,

@Paul: One question: Does geteduroam 1.0.18 if it is not beta some day still support ANDROID < 11?

Best regards,

Ralf

On 26 Feb 2021, at 11:24, Ralf Paffrath (via geteduroam Mailing List) <geteduroam AT lists.geant.org> wrote:

Hi Paul,

thank you for clarification, now I understand.

Using geteduroam 1.0.18 pixel 3a now works fine ;-). My RADIUS Server certificate ist signed by letsencrypt. CAT is complaining (warning: not supported by WINDOWS Phones 8 or so) about letsencrypt certificates because of missing crl distribution point within certificates, but there is a link for OCSP :-) within letsencrypt certificates. 

I tested against our eduroam-Test Labor DFN-Verein IdP with TTLS-MSCHAPv2 as EAP-Type. In the "Network and Internet" configuration you can see a notice eduroam via geteduroam  

 if eduroam is nearby as you mentioned. When you click on the eduroam notice you get a new notice "eduroam connected via geteduroam" and eduroam is working.

The eduroam network is not configurable any more if you try you get "Operation not permitted, please contact your admin. ;-) haha What can I do as an admin when I can’t see anything anymore.

Hard days for ANDROID”s in eduroam coming up ;-)

Changing the EAP-Type to PEAP, no problem pixel 3a still working fine in eduroam. I had to check the RADIUS server log files because on the client I can’t see anything any more.

It is a TLS1.2 based PEAP authentication, so success ;-).

Best regards,

Ralf 

On 26 Feb 2021, at 09:36, Paul Dekkers <paul.dekkers AT surf.nl> wrote:

Hi,

On 26/02/2021 09:22, Ralf Paffrath wrote:

Hi,

On 26 Feb 2021, at 08:18, Paul Dekkers <paul.dekkers AT surf.nl> wrote:

Hi,

Thanks for reporting that. That is worrying, I'll wrap this up in a report to Google.

I forgot to add: with the new Android 11 way of dealing with networks, you don't get a "user network" configured: no way to manage it or see it from there. So you will see you have an eduroam or Passpoint connection when you are in reach only, and it will display the network and a subtext "Connected via geteduroam”.

Is that because of ANDROID 11 or of geteduroam? On my ANDROID 11 pixel 3a I can still see all the configured WLAN SSID’s on 

my pixel and I can manage them.

You can see and manage your own networks. And if "legacy" apps using API 28 still work, you can see those as well. These are called "User Networks".

Android 11 has the concept of "User Networks", "Subscriptions" and "Suggestions".

Only Users can add User Networks, and there is an API to do it from Apps but that is broken for Enterprise networks and consequence is that they can no longer be managed from the Apps either. In Android 10 this wasn't present.

Apps like geteduroam are supposed to configure Suggestions (this is what 1.0.18 does); these were broken in Android 10, and work somewhat in Android 11 - I say somewhat because it worked flawlessly on a Pixel 5, but apparently not so well on your Pixel 3a and on Samsungs.

Subscriptions are not so useful for us. A device doesn't connect to a subscription automatically, only when you click on it. The built-in OpenRoaming in Android uses this mechanism.

If suggestions don't work well, we can try to see if those User Network actions are no longer buggy for Enterprise networks, but I fear that the bugs are still present in some devices.

I will test it again. Ysterday I added a fully functional eduroam SP  to  my home office setting.    Let’s have a look ;-)

If you indeed had no coverage, that is a useful test!

Also; it's interesting to know if a PEAP or TTLS account with a *public* certificate works using 1.0.18 - ie. from eVA, if you wish I send you an account for testing. (There is a half baked hypothesis that TLS doesn't work well on Android 11, because we use self-signed client-certificates. But I'm not sure.)

Many of these things aren't geteduroam specific, but shows a bit how diverse the Android ecosystem is I'm afraid. (Tried to phrase that politely ;-))

Regards,
Paul

Regards,

Ralf

In your case I expect you to have eduroam whereever you test it, but in general this may be relevant in case you wonder "if it did something".

Regards,
Paul

On 25/02/2021 22:28, Ralf Paffrath wrote:

Hi Paul,

on ANDROID 11 model pixel 3a 1.0.18 doesn’t work. No network has been configured. 

1.0.16 still work. 

Greetings,

Ralf

On 25 Feb 2021, at 21:35, Paul Dekkers (via geteduroam Mailing List) <geteduroam AT lists.geant.org> wrote:

Hi,

If you have an Android 11 device, I would love to get some feedback on geteduroam version 1.0.18 that is in the beta channel, which you can join via:
https://play.google.com/store/apps/details?id=app.eduroam.geteduroam from Android, or
https://play.google.com/apps/testing/app.eduroam.geteduroam from the web

If you test, please make sure that geteduroam works for you with the 1.0.16 version, deinstall the App and remove the configured WiFi networks, and try the configuration using 1.0.18. It doesn't matter what kind of profile you use, a psuedo-account or the typical CAT profile.

Any kind of result or feedback is appreciated,

Regards,
Paul

P.S. We are aware of issues with some Samsung Android 11 builds (eg. Galaxy S20); those aren't even geteduroam specific: reports are still welcome, though I already have some guineapigs for that platform.

-- 
Dipl. Inform. Ralf Paffrath

Phone: Tel.: 030 884299-0 (DFN-GS Berlin: Sekretariat)

Mail: paffrath AT dfn.de

Fax: 030 88 42 99 370 | http://www.dfn.de

Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1, D - 10178 Berlin
Vorstand: Prof. Dr. Odej Kao (Vorsitzender) | Dr. Rainer Bockholt | Christian Zens
Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch
VR AG Charlottenburg 7729NZ | USt.-ID. DE 1366/23822

-- 
Dipl. Inform. Ralf Paffrath

                                              Phone: Tel.:
                                                030 884299-0 (DFN-GS
                                                Berlin: Sekretariat)
                                              Mail: paffrath AT dfn.de
                                              Fax: 030 88 42
                                                99 370 | http://www.dfn.de
                                              
                                              
                                              Verein zur
                                                Förderung eines
                                                Deutschen Forschungsnetzes
                                                e.V.
                                                Alexanderplatz 1, D -
                                                10178 Berlin
                                                Vorstand: Prof. Dr. Odej
                                                Kao (Vorsitzender) | Dr.
                                                Rainer Bockholt |
                                                Christian Zens
                                                Geschäftsführung: Dr.
                                                Christian Grimm | Jochem
                                                Pattloch
                                                VR AG Charlottenburg
                                                7729NZ | USt.-ID. DE
                                                1366/23822

-- 
Dipl. Inform. Ralf Paffrath

                                  Phone:
                                    Tel.: 030 884299-0 (DFN-GS
                                    Berlin: Sekretariat)
                                  Mail: paffrath AT dfn.de
                                  Fax:
                                    030 88 42 99 370 | http://www.dfn.de
                                  
                                  
                                  Verein
                                    zur Förderung eines
                                    Deutschen Forschungsnetzes e.V.
                                    Alexanderplatz 1, D - 10178 Berlin
                                    Vorstand: Prof. Dr. Odej Kao
                                    (Vorsitzender) | Dr. Rainer Bockholt
                                    | Christian Zens
                                    Geschäftsführung: Dr. Christian
                                    Grimm | Jochem Pattloch
                                    VR AG Charlottenburg 7729NZ |
                                    USt.-ID. DE 1366/23822

-- 
Dipl. Inform. Ralf Paffrath

Phone: Tel.: 030 884299-0 (DFN-GS Berlin: Sekretariat)

Mail: paffrath AT dfn.de

Fax: 030 88 42 99 370 | http://www.dfn.de

Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1, D - 10178 Berlin
Vorstand: Prof. Dr. Odej Kao (Vorsitzender) | Dr. Rainer Bockholt | Christian Zens
Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch
VR AG Charlottenburg 7729NZ | USt.-ID. DE 1366/23822

-- 
Dipl. Inform. Ralf Paffrath

Phone: Tel.: 030 884299-0 (DFN-GS Berlin: Sekretariat)

Mail: paffrath AT dfn.de

Fax: 030 88 42 99 370 | http://www.dfn.de

Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1, D - 10178 Berlin
Vorstand: Prof. Dr. Odej Kao (Vorsitzender) | Dr. Rainer Bockholt | Christian Zens
Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch
VR AG Charlottenburg 7729NZ | USt.-ID. DE 1366/23822