An open discussion list for topics related to the geteduroam service

[Paul Dekkers <paul.dekkers AT surf.nl>]

Hi,

On 12/11/2021 10:32, Ralf Paffrath wrote:
> Hi,
>
> > On 12. Nov 2021, at 09:44, Paul Dekkers (via geteduroam Mailing List) 
> > <geteduroam AT lists.geant.org> wrote:
> >
> > Hi,
> >
> > Ah, maybe I wasn't clear about the API; it doesn't affect the way the Apps 
> > work on the profile side, it uses a different Android API to install the WiFi 
> > networks. This was non-existant in Android 10, it caused a crash in the first 
> > release of Android 11, but it works well on A11+ now, but we have some 
> > remaining issues that we're still working on.
> >
> > So it will continue to use .eap-config files, which is an answer to your 
> > second question also: all current Apps read .eap-config files, also iOS, and 
> > not .mobileconfig. (In fact I think that wouldn't even be possible.) We may 
> > have a different strategy on a macOS version, but that's for later.
> >
> > Hope this clarifies things,
>
> We use GETEDUROAM for our brand new pilot project EasyRoam4Edu (a managed 
> eduroam IdP inspired by eduVPN) what is part off a bachelor thesis.
>
> On iOS we recommend our pilot users not to use the GETEDUROAM app but use the 
> mobileconfig which the pilot user can download directly from our EasyRoam4Edu 
> server.
>
> On iOS 14 the EasyRoam4Edu world was ok, we used the GETEDUROAM App 
> successfully. But then iOS 15 came up and the GETEDUROAM App on iOS 15 
> announced an internal error when reading the eap_config so we were forced to 
> switch to mobileconfig ant the EasyRoam4Edu world was ok again.
>
> In fact downloading the mobileconfig for MacOSX/iOS  is not a problem, it 
> works stable. In EasyRoam4Edu we support EAP-TLS authentication only in a 
> hybrid ca environment based on a public ca (server site) and a privat ca 
> (client site).

Yes, this is exactly what we do with the geteduroam pseudo accounts, 
server-side? So you made another implementation for the server I guess, 
also with OAUTH from the Apps?

For the iOS 15.0 and 15.1 we had two mitigation options, either after 
the OAUTH phase do a mobileconfig download, but that clearly doesn't 
come as natural to users. Or provide a profile with a username/password, 
which is also secure. With either approach iOS 15 continued to work with 
geteduroam,

Regards,
Paul


> Best regards,
> Ralf
> > Regards,
> > Paul
> >
> >
> > On 12/11/2021 09:03, Ralf Paffrath wrote:
> > > Hi Paul,
> > > is there any documentation for the new API?
> > > Will the new GETEDUROAM App read in the .mobileconfig on iOS?
> > > Best regards,
> > > Ralf
> > > > On 11. Nov 2021, at 12:44, Paul Dekkers (via geteduroam Mailing List) 
> > > > <geteduroam AT lists.geant.org> wrote:
> > > >
> > > > Hi geteduroam-list,
> > > >
> > > > We wrote earlier about the bug in iOS 15 that made it impossible to install 
> > > > certificates (both client and CA) from the iOS geteduroam App. Fortunately, 
> > > > this bug is resolved in the upcoming iOS 15.2 release; we have confirmation 
> > > > from Apple and verified with the past 2 beta builds. Now hope iOS 15.2 is 
> > > > released soon ;-)
> > > >
> > > > Little news on the Android App; we continue to work on a new version, and now 
> > > > have one that uses a different API compared to the current published beta: 
> > > > it's behavior is more natural for the users, but there are a few issues still 
> > > > to resolve before we could release it. (If it doesn't work out, we could 
> > > > still use the version as published in beta now: it is stable.)
> > > >
> > > > I'll also take the opportunity to also highlight a new release of the 
> > > > geteduroam Windows client; there was a bug where we didn't use the 
> > > > (anonymous) outer identity for EAP-PEAP accounts (just EAP-TTLS). This is 
> > > > fixed in version 3.2.6, via 
> > > > https://github.com/geteduroam/windows-app/releases or the downloads on 
> > > > https://geteduroam.app/ (Thanks to Guy Halse for finding it and creating an 
> > > > issue for this.)
> > > >
> > > > Regards,
> > > > Paul
> > > --
> > > Security, Trust & Identity Services
> > > E-Mail: eduroam AT dfn.de, eduvpn AT dfn.de, easyroam4edu AT dfn.de | Fon: +49 30 
> > > 884299-9121/9120 | Fax: 030 88 42 99 370
> > > __________________________________________________________________________________
> > > DFN - Deutsches Forschungsnetz | German National Research and Education 
> > > Network
> > > Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
> > > Alexanderplatz 1 | 10178 Berlin
> > > https://www.dfn.de
> > > Vorstand: Prof. Dr. Odej Kao (Vorsitzender) | Dr. Rainer Bockholt | Christian 
> > > Zens
> > > Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch
> > > VR AG Charlottenburg 7729NZ | USt.-ID. DE 136623822
>
> --
> Security, Trust & Identity Services
>
> E-Mail: eduroam AT dfn.de, eduvpn AT dfn.de, easyroam4edu AT dfn.de | Fon: +49 30 
> 884299-9121/9120 | Fax: 030 88 42 99 370
> __________________________________________________________________________________
>
> DFN - Deutsches Forschungsnetz | German National Research and Education 
> Network
> Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
> Alexanderplatz 1 | 10178 Berlin
> https://www.dfn.de
>
> Vorstand: Prof. Dr. Odej Kao (Vorsitzender) | Dr. Rainer Bockholt | Christian 
> Zens
> Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch
> VR AG Charlottenburg 7729NZ | USt.-ID. DE 136623822