
geteduroam - Re: Question about geteduroam on an 'on boarding' VLAN

Subject: An open discussion list for topics related to the geteduroam service

Re: Question about geteduroam on an 'on boarding' VLAN


  • From: Jethro Binks <jethro.binks AT strath.ac.uk>
  • To: "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>
  • Subject: Re: Question about geteduroam on an 'on boarding' VLAN
  • Date: Wed, 24 Mar 2021 14:43:29 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=strath.ac.uk; dmarc=pass action=none header.from=strath.ac.uk; dkim=pass header.d=strath.ac.uk; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=AYxNQcv3tSr0NC68++PfTcjaMjIZyI3yvtZ2mXVjaJI=; b=jBEPP5ZWfZR6SZRSIwJaW+wpmSWCcKfEr0WLWenPmS1aYP7aqMAXtDBY+6fr//fGhcDG1jsq/G7HPoEZNMaW3Gzc46qdKJGiSJX1ODOk0JxEHaP/WwsZYfFzHoX/E+dqr9w3Z5bDO03rCozuUzmXzfnNa8Vc0CXk81lAuygpHzt8HAYVW7zio+suYhr9i1tf0mLklh0k0zUBddDE2mHkiMs405SAVEZ3U9IjqC7eB+SWF3OTzGt11JjVMtx6K77MO6pPQftnJ8S2/2x3Dw5F/349o8US4zz9kmf2o4EeuLfrO35YpKZQT+zgrPPpqMCAX6VykT62+LCw0IiyLjbm7A==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fv+6I6KD/pMMOr2VZk1d4qN1iosdicU3sCAyDgPJQcXA8aUUqjCndfcXzLmn8BsIZQU+Ov6hAIe7nq15ksTsSFDY5QTkAXF5AzAGLxpHSPAIX7UUIPinbelj4EQqjKFk3WmS2pd0J1rYmIPgA57YzCeBkg22CSh8cs4E0YixMqcxNFXtlDW6bvxH8LiDhmKYjhPpoyL9rRHH6HV8/CpnKtSQvwG2Gho87iqkfFlHxQtXhZMoZ5hihfa2qVIhxyG2x4ZB0S9xzPKmBHp2FOIiyLsaD5Kvh4rkyKguLGDb7CPpoLNpaADKkz7TCBEG6xDsVP5AfU9hviqzS95OJCv1Bg==
  • Authentication-results: lists.geant.org; dkim=none (message not signed) header.d=none;lists.geant.org; dmarc=none action=none header.from=strath.ac.uk;

Been looking more into this.  Tried the Windows app, as it was easier to snoop what it was doing, but then also consulted the code:

https://github.com/geteduroam/windows-app/blob/main/EduroamConfigure/IdentityProviderDownloader.cs

So, to be clear, you need to whitelist these two domains:

  geo.geteduroam.app
  discovery.eduroam.app

Note that one is 'geteduroam' and the other isn't.

Also in debugging mode, "discovery.geteduroam.app" is also used, but I guess that won't apply to the average user.

Unclear if the geo one is the one Paul refers to "Ah, I now realize I forgot another host that is still in the path".

It would be good to get a definitive and final answer for what is required here, but maybe the above will help some people in a captive portal environment.

I didn't look in the iOS/Android code base, but I whitelisted the above two (carefully) and it worked fine on iOS for me and configured me up.

Now back to bloody Android 11 problems ...

Jethro.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 

Jethro R Binks, Network Manager, 

Information Services Directorate, University Of Strathclyde, Glasgow, UK


The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.
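The thread's practical question is which names an onboarding VLAN's DNS allow list has to carry for geteduroam: Jethro lists geo.geteduroam.app and discovery.eduroam.app (plus cat.eduroam.org for CAT profiles, further down), and Paul notes that discovery.eduroam.app is a CNAME into a CDN and that he would rather not have people pin the CDN target. The small Python script below is an added example, not code from the list or from the geteduroam project; it models the two ways a DNS filter can behave (match the queried name only, or require every name in the CNAME chain to be allowed) over a constructed answer set. The CNAME target and all addresses in it are placeholders, not the real records.

```python
"""Added example (not from the list thread or the geteduroam apps): work out
what an onboarding VLAN's DNS allow list must permit for the hostnames named
in the thread, under two filter behaviours.  All DNS data is constructed."""

from typing import Dict, List, Optional, Set, Tuple

# Constructed zone data.  The CNAME target is a placeholder (.invalid TLD);
# the thread only says discovery.eduroam.app is a CNAME into CloudFront.
CONSTRUCTED_ZONE: Dict[str, Tuple[str, str]] = {
    "discovery.eduroam.app": ("CNAME", "placeholder-target.cloudfront.invalid"),
    "placeholder-target.cloudfront.invalid": ("A", "192.0.2.10"),
    "geo.geteduroam.app": ("A", "192.0.2.20"),
    "cat.eduroam.org": ("A", "192.0.2.30"),
}

# Hostnames the thread identifies as needed (discovery.geteduroam.app is
# debug-only per Jethro's message and is deliberately left out).
GETEDUROAM_HOSTS: List[str] = [
    "geo.geteduroam.app",
    "discovery.eduroam.app",
    "cat.eduroam.org",
]


def resolve_chain(name: str, zone: Dict[str, Tuple[str, str]],
                  max_depth: int = 8) -> Tuple[List[str], Optional[str]]:
    """Follow CNAMEs from `name`.  Returns the ordered list of names traversed
    and the final address, or None if the chain dead-ends, loops, or exceeds
    max_depth (a bounded walk, so hostile or broken data cannot spin us)."""
    chain = [name]
    seen = {name}
    current = name
    for _ in range(max_depth):
        record = zone.get(current)
        if record is None:
            return chain, None
        rtype, rdata = record
        if rtype == "A":
            return chain, rdata
        if rdata in seen:          # CNAME loop guard
            return chain, None
        chain.append(rdata)
        seen.add(rdata)
        current = rdata
    return chain, None


def allowed(name: str, allowlist: Set[str], zone: Dict[str, Tuple[str, str]],
            match_chain: bool) -> bool:
    """match_chain=False: the filter inspects only the queried name (QNAME).
    match_chain=True: every name in the CNAME chain must be on the allow list,
    which is the case Paul says would not be sustainable for a CDN target."""
    chain, addr = resolve_chain(name, zone)
    if addr is None:
        return False
    to_check = chain if match_chain else chain[:1]
    return all(n in allowlist for n in to_check)


def required_allowlist(names: List[str], zone: Dict[str, Tuple[str, str]],
                       match_chain: bool) -> Set[str]:
    """The set of names the VLAN must permit for every host in `names`."""
    required: Set[str] = set()
    for n in names:
        chain, _ = resolve_chain(n, zone)
        required.update(chain if match_chain else chain[:1])
    return required


if __name__ == "__main__":
    for mode in (False, True):
        label = "chain-matching" if mode else "QNAME-only"
        print(f"{label} filter needs: {sorted(required_allowlist(GETEDUROAM_HOSTS, CONSTRUCTED_ZONE, mode))}")
```

With a QNAME-only filter the three thread hostnames are enough; with a chain-matching filter the CDN target must also be permitted, and since that target is outside the operator's control it can change without notice, which is the maintenance problem the thread points at. Whether a given captive-portal product matches the QNAME or the whole chain is something to confirm against its documentation rather than assume.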



From: geteduroam-request AT lists.geant.org <geteduroam-request AT lists.geant.org> on behalf of eduroamUK <geteduroam AT lists.geant.org>
Sent: 21 March 2021 16:21
To: geteduroam AT lists.geant.org <geteduroam AT lists.geant.org>
Subject: Re: Question about geteduroam on an 'on boarding' VLAN
 

Done.

 

Will report back if whatever you did fixes the issue.

 

Stefan Paetow

Federated Roaming Technical Specialist

eduroam(UK), Jisc

 

t: +44 (0)1235 822 125

https://community.ja.net/library/janet-services-documentation/eduroam

www.eduroam.ac.uk

Twitter @eduroamuk – for news, information, pictures and fun

Have you heard about eduroam Visitor Access? https://www.jisc.ac.uk/eduroam-visitor-access

 

In line with government advice, at Jisc we’re now working from home and our offices are currently closed. Read our statement on coronavirus.

 

When replying to this e-mail it is essential to preserve the (Ref:IN:xxxxxxxx) text in the subject line and to always use 'Reply All'

 

jisc.ac.uk

 

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

 

 

From: Paul Dekkers <paul.dekkers AT surf.nl>
Date: Sunday, 21 March 2021 at 16:18
To: eduroamUK <eduroamuk AT jisc.ac.uk>
Cc: "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>
Subject: Re: Question about geteduroam on an 'on boarding' VLAN

 

Hi,

This is because one more hostname was missing from a temporary proxy to fix profiles, but we removed it (since that's no longer necessary with CAT 2.0.4).

Can you (have them) try again?

Regards,
Paul

 

On 18/03/2021 16:41, eduroamUK wrote:

Hi Paul et al,

 

Our member at Cardiff has added the discovery.eduroam.app CNAME to his allow list and gets a bit further. The screenshot attached happens next. They only have one profile, so it can’t be a question of multiple profiles.

 

It looks to me like an unhandled exception in the app. So... any thoughts/suggestions on possibly getting you a debug log?

 

With Kind Regards

 

Stefan Paetow


 

 

From: Paul Dekkers <paul.dekkers AT surf.nl>
Date: Thursday, 18 March 2021 at 14:12
To: eduroamUK <eduroamuk AT jisc.ac.uk>
Cc: "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>
Subject: Re: Question about geteduroam on an 'on boarding' VLAN

 

Hi,

Currently cloudfront (the CNAME lookup will tell you that) but I'd rather keep the ability to change this over time.

If their DNS whitelisting would require whitelisting of what the CNAME points to, I'd create "alias" records instead on a different record.

If they do lookups for IP-addresses and whitelist those in the firewall instead of DNS, I'm not sure that would be sustainable.

Regards,
Paul

 

On 18/03/2021 14:53, eduroamUK wrote:

Hi Paul,

 

Knowing which CDN you’re using for discovery.eduroam.app could certainly be useful, but yeah... I don’t know if CNAME entries will work or not.

 

I since also noticed the thread between yourselves, Cambridge, York and Strathclyde. You can add Cardiff to the list of those universities that use an on-boarding network.

 

With Kind Regards

 

Stefan Paetow


 

 

From: <geteduroam-request AT lists.geant.org> on behalf of "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>
Reply to: Paul Dekkers <paul.dekkers AT surf.nl>
Date: Thursday, 18 March 2021 at 13:37
To: eduroamUK <eduroamuk AT jisc.ac.uk>
Cc: "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>
Subject: Re: Question about geteduroam on an 'on boarding' VLAN

 

Hi,

Ah, this question came up recently on cat-users too:

On 18/03/2021 13:58, eduroamUK wrote:

Hi,

 

One of our members is attempting to use geteduroam, but they find that the setup fails half-way through. The network they are using is a DNS-restricted VLAN, i.e. it is there purely to on-board their students and staff and as such limits access to only Google Play and eduroam CAT (and probably geteduroam).

 

They’ve attempted to add as many locations as possible they can think of, but it fails.

 

Is there any way to get debug logging for geteduroam (which we’ll be happy to get the member to provide), and do you know whether geteduroam uses a CDN per chance, and if so, which subnets of it should be allowed?

 

If you could let us know, that’d be fab!

Of course!

The geteduroam Apps use the 'discovery.eduroam.app' hostname for the CDN/discovery files.

This is a CNAME actually; does that work with the whitelisting in DNS?

Besides this, 'cat.eduroam.org' is required for the CAT profiles.

Ah, I now realize I forgot another host that is still in the path. We should think about making that a prettier one than it currently is (a serverless endpoint, that I wouldn't want people to whitelist), but I'd need to know whether CNAMES work or not. And, well, we fixed some things on the CAT profiles that are no longer required actually since the last CAT 2.0.4 update.

I really didn't think about this way of onboarding/whitelisting, but I understand its purpose. I thought I remembered Stefan (W) wrote at some point that it wasn't the best thing to do with CAT either, but I fully understand why people do this, and don't want to make it impossible either.

Regards,
Paul

Archive powered by MHonArc 2.6.19.