geteduroam - Re: eap-config format supported by geteduroam


Re: eap-config format supported by geteduroam


Chronological Thread 
  • From: Paul Dekkers <paul.dekkers AT surf.nl>
  • To: James Potter <Jim.Potter AT jisc.ac.uk>
  • Cc: "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>
  • Subject: Re: eap-config format supported by geteduroam
  • Date: Thu, 20 Jun 2024 10:14:54 +0200

Hi,

On 20/06/2024 10:07, James Potter (via geteduroam Mailing List) wrote:
> I’ve created a service which creates customised eap-config files. The plan is that users download them, open them in geteduroam and set up the wifi profile, but I’m having issues with getting geteduroam to accept the config (it says “Not a valid eap-config file” at the moment).

So basically you recreated the geteduroam portal? ;-) (I hope you knew about its existence!)

(That's fine, no judgement, but I hope you also do it via OAUTH to mimic the geteduroam native workflow and have it most secure, and then there's an alternative for admins to choose software and it would make sense and integrate well with the Apps and authentication.)

> I’ve started with a config from eduroam CAT and added custom ClientSideCredential subelements.
>
> So I’ve taken inspiration from https://datatracker.ietf.org/doc/html/draft-winter-opsawg-eap-metadata-02#section-2.2.2.3 for what I should be including, but have some queries:

I think a better and more current source is in the CAT repo:

https://github.com/GEANT/CAT/blob/master/devices/eap_config/eap-metadata.xsd

>   • The config from CAT contains InnerIdentitySuffix and InnerIdentityHint; these aren’t mentioned in the above doc.
>   • I’ve added the following:
>
> <ClientSideCredential>
>     <AnonymousIdentity>jim AT ti.dev.ja.net</AnonymousIdentity>
>     <UserName>jim AT ti.dev.ja.net</UserName>
>     <allow-save>true</allow-save>
>     <ClientCertificate> SOME BASE64 </ClientCertificate>
>     <Passphrase>asdfqwerqwer</Passphrase>
> </ClientSideCredential>
>
> Are these the correct subelements? And what form should the ClientCertificate take? I’ve tried cert PEM + encrypted private key (crashes) and Base64-encoded PKCS12 (complains, not a valid eap-config file).
>
> I’m having trouble deducing this from the app source code – any hints here would be great.

I think it's easier to test with the .eap-configs that the letswifi-portal produces, or the output from CAT itself. Looking at what letswifi-portal produces, it looks like:

<ClientSideCredential>
<OuterIdentity>pseudo-id AT realm.tld</OuterIdentity>
<ClientCertificate format="PKCS12" encoding="base64">... (base64 here)...</ClientCertificate>
</ClientSideCredential>

Hope this helps,

Regards,
Paul


> I’ve attached the eap-config I’m working with (cert + passphrase work but are revoked).
>
> Thanks,
>
> Jim Potter
>
> Jisc
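The exchange above turns on the exact shape of the ClientCertificate element: a base64 string of the DER PKCS#12 container, with format="PKCS12" and encoding="base64", rather than PEM text. The following is an added example (not code from the thread, geteduroam, letswifi-portal or CAT) showing how a service like Jim's could emit that block and sanity-check its own output before handing it to the app. It uses only the Python standard library; the PKCS#12 blob is a constructed DER placeholder, and the element names and the optional Passphrase child are taken from the snippets quoted in the thread, so treat anything beyond OuterIdentity and ClientCertificate as an assumption to verify against the CAT schema linked above.

```python
"""Build and sanity-check the ClientSideCredential block of an eap-config file."""
import base64
import binascii
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def der_sequence(payload: bytes) -> bytes:
    """Wrap payload in a DER SEQUENCE header (short or long-form length)."""
    n = len(payload)
    if n < 0x80:
        return bytes([0x30, n]) + payload
    size = (n.bit_length() + 7) // 8
    return bytes([0x30, 0x80 | size]) + n.to_bytes(size, "big") + payload


# Constructed placeholder standing in for a real PKCS#12 export: it has the
# outer DER shape (SEQUENCE { INTEGER 3, SEQUENCE {} }) but carries no keys.
FAKE_PKCS12 = der_sequence(bytes([0x02, 0x01, 0x03]) + der_sequence(b""))


def build_client_side_credential(outer_identity, pkcs12_der, passphrase=None):
    """Emit <ClientSideCredential> shaped like the letswifi-portal output quoted above."""
    blob = base64.b64encode(pkcs12_der).decode("ascii")
    parts = [
        "<ClientSideCredential>",
        f"<OuterIdentity>{escape(outer_identity)}</OuterIdentity>",
        f'<ClientCertificate format="PKCS12" encoding="base64">{blob}</ClientCertificate>',
    ]
    if passphrase is not None:  # assumption: Passphrase child as in Jim's snippet
        parts.append(f"<Passphrase>{escape(passphrase)}</Passphrase>")
    parts.append("</ClientSideCredential>")
    return "\n".join(parts)


def der_total_length(der: bytes):
    """Return the byte length the outer DER header claims, or None if malformed."""
    if len(der) < 2:
        return None
    first = der[1]
    if first < 0x80:
        return 2 + first
    size = first & 0x7F
    if size == 0 or len(der) < 2 + size:
        return None
    return 2 + size + int.from_bytes(der[2:2 + size], "big")


def check_client_certificate(xml_text: str):
    """Return a list of problems found; an empty list means the block looks sane."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    cred = root if root.tag == "ClientSideCredential" else root.find(".//ClientSideCredential")
    if cred is None:
        return ["no <ClientSideCredential> element"]
    certs = cred.findall("ClientCertificate")
    if len(certs) != 1:
        return [f"expected exactly one <ClientCertificate>, found {len(certs)}"]
    cert = certs[0]
    if cert.get("format") != "PKCS12":
        problems.append(f'format attribute should be "PKCS12", got {cert.get("format")!r}')
    if cert.get("encoding") != "base64":
        problems.append(f'encoding attribute should be "base64", got {cert.get("encoding")!r}')
    text = "".join((cert.text or "").split())  # tolerate line-wrapped base64
    if not text:
        problems.append("<ClientCertificate> is empty")
        return problems
    if text.startswith("-----BEGIN"):
        # The failure mode from the thread: PEM armour instead of base64 DER.
        problems.append("contains PEM text; embed base64 of the DER PKCS#12 container instead")
        return problems
    try:
        der = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        problems.append("content is not valid base64")
        return problems
    if not der or der[0] != 0x30:
        problems.append("decoded bytes do not start with a DER SEQUENCE (0x30); not PKCS#12 DER")
        return problems
    if der_total_length(der) != len(der):
        problems.append("DER length header does not match blob length; truncated or corrupt")
    return problems


if __name__ == "__main__":
    block = build_client_side_credential("pseudo-id@realm.example", FAKE_PKCS12, "pw")
    print(block)
    print("problems:", check_client_certificate(block) or "none")
```

Running the checker against a generated file before publishing it catches the two mistakes Jim describes (PEM where base64 DER is expected, and a blob the app cannot parse) without having to reverse the app's error messages. In a real deployment the placeholder would be replaced by the bytes of an actual PKCS#12 export and the checker would additionally try to open it with the passphrase.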