Skip to Content.
Sympa Menu

geteduroam - Re: eap-config format supported by geteduroam

Subject: An open discussion list for topics related to the geteduroam service

List archive

Re: eap-config format supported by geteduroam


Chronological Thread 
    < Chronological >      < Thread >
  • From: Paul Dekkers <paul.dekkers AT surf.nl>
  • To: James Potter <Jim.Potter AT jisc.ac.uk>
  • Cc: "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>
  • Subject: Re: eap-config format supported by geteduroam
  • Date: Thu, 20 Jun 2024 08:34:24 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=surf.nl; dmarc=pass action=none header.from=surf.nl; dkim=pass header.d=surf.nl; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ck+rlDkKpQZKssF2nhAHBFdjTVEhdy8FkvR1SpPTPrE=; b=hG/GAdPD5PDZ2hemgYPaSch8eoURwDpVw//4hZ15FMaZD31C5lLOtey/qzDn21AkLPDPv9Gf1jL5JbR20B/qpBh6G/UWLlcE00e5etCrkjQLcQoHfx5QaUIWm09Zbws4YNaPN7ecjJ0Cqm7+w0CHYhJ18xgYjDos0tseeV62oypQY/siWFyis/Oe0JioW0Fn5jPbcrXI9dtCIryZojXruWpB4MnjTfDUkhhBgKR6Gf7oj93lhLwiRmmzYvKX2oeIbONDds19nFMnzk0REoXtDg1pZFKRNeoEz5mQJA8mzZT15wNTrKMM6KvtlLHvLHHAtpem36+cjKLzoPotzwvbeQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=YeL0KgxpIUp6Hto6JBEwXxP9dSfsE4YZTGBUGkm6q73LrSeO4nFS9Q4G+ro1zoK7k26gmbC/18NFjp0X5VbDr1HNuoUaD330qxsJK7OMO/M9m57j2Xb+cs7tPvZokHQ+8wBbpaTCk+Y0cmrBVjlcf19duEs2bONWcagMjoa1MeZhuIeeia06SCpgiLBHJhpug73CCOGD/OCleMZUigrBTWv92im1i//Que8azSlxDyPNP0XaiCJ+SFK1bbCXgROTjdq15xp+N0L1UaFNJV/ZoYN4DNaS5P5HQhzsHyWiV3GXW6U5WL9bG/btRZibjxvTjWhdTIiEZeiBrprtx2iJpg==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=surf.nl;
  • Msip_labels: MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_Enabled=True;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_SiteId=48f9394d-8a14-4d27-82a6-f35f12361205;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_SetDate=2024-06-20T08:29:57.0000000Z;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_Name=Confidential - External;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_ContentBits=0;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_Method=Privileged

Hi,

 

You could in fact also use Shibboleth in the letswifi-portal, but most of that work is in a non-committed branch. It’s not the best approach, Shibboleth has more limitations than SimpleSAMLphp, in particular if you want to run the service on multiple hosts.

Either way I would advise you to look at the OAUTH path, it really has advantages.

And I’ll get in touch off-list, of course I’m interested to hear more 😊

 

Paul

 

 

From: James Potter <Jim.Potter AT jisc.ac.uk>
Date: Thursday, 20 June 2024 at 10:30
To: Paul Dekkers <paul.dekkers AT surf.nl>
Cc: geteduroam AT lists.geant.org <geteduroam AT lists.geant.org>
Subject: RE: eap-config format supported by geteduroam

Hi Paul,

 

Thanks for quick answers!

 

OK – I’ll give that a go from the xsd file. And base64 PKCS12, spot on.

 

I’d found the LetsWifi portal after I’d written a chunk of my service… I’ve not used OAuth, I used SAML (we do shibboleth support, I’ve stuck to what I know here), not sure how well that will integrate with geteduroam, we’ll find out. It works nicely on windows…

 

I’ve built my service to be multi tenant, HSM backed + have an OCSP responder, happy to do a show + tell if you’re interested.

 

Thanks,

 

Jim

Jisc

 

From: Paul Dekkers <paul.dekkers AT surf.nl>
Sent: Thursday, June 20, 2024 9:15 AM
To: James Potter <Jim.Potter AT jisc.ac.uk>
Cc: geteduroam AT lists.geant.org
Subject: Re: eap-config format supported by geteduroam

 

Hi,

On 20/06/2024 10:07, James Potter (via geteduroam Mailing List) wrote:

I’ve created a service which creates customised eap-config files, the plan is that users download them, they open in geteduroam + set up the wifi profile, but I’m having issues with getting geteduroam to accept the config (it says “Not a valid eap-config file” at the moment).

So basically you recreated the geteduroam portal? ;-) (I hope you knew about its existence!)

(That's fine, no judgement, but I hope you also do it via OAUTH to mimic the geteduroam native workflow and have it most secure, and then there's an alternative for admins to choose software and it would make sense and integrate well with the Apps and authentication.)

I’ve started with a config from eduroam CAT and added custom ClientSideCredential subelements.

 

So I’ve taken inspiration from https://datatracker.ietf.org/doc/html/draft-winter-opsawg-eap-metadata-02#section-2.2.2.3 for what I should be including, but have some queries:

I think a better and more current source is in the CAT repo:

https://github.com/GEANT/CAT/blob/master/devices/eap_config/eap-metadata.xsd

  1. The config from CAT contains InnerIdentitySuffix and InnerIdentityHint, these aren’t mentioned in the above doc
  2. I’ve added the following:

 

                <ClientSideCredential>

                                <AnonymousIdentity>jim AT ti.dev.ja.net</AnonymousIdentity>

                                <UserName>jim AT ti.dev.ja.net</UserName>

                                <allow-save>true</allow-save>

                                <ClientCertificate> SOME BASE64 </ClientCertificate>

                                <Passphrase>asdfqwerqwer</Passphrase>

                </ClientSideCredential>

 

Are these the correct subelements? And what form should the ClientCertificate take? I’ve tried cert pem + encrypted private key (crashes) and Base64 encoded pkcs12 (complains, not a valid eap-config file)

 

I’m having trouble deducing this from the app source code – any hints here would be great.

I think it's easier to test with the .eap-configs that the letswifi-portal produces, or the output from CAT itself. Looking at what letswifi-portal produces, it looks like:

<ClientSideCredential>
<OuterIdentity>pseudo-id AT realm.tld</OuterIdentity>
<ClientCertificate format="PKCS12" encoding="base64">... (base64 here)...</ClientCertificate>
</ClientSideCredential>

Hope this helps,

Regards,
Paul

 

I’ve attached the eap-config I’m working with (cert + passphrase work but are revoked)

 

Thanks,

 

Jim Potter

Jisc

 

 

 

 

 


Archive powered by MHonArc 2.6.24.

Top of Page