
geteduroam - Re: eap-config format supported by geteduroam


Re: eap-config format supported by geteduroam


  • From: Stefan Paetow <Stefan.Paetow AT jisc.ac.uk>
  • To: James Potter <Jim.Potter AT jisc.ac.uk>, Paul Dekkers <paul.dekkers AT surf.nl>
  • Cc: "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>
  • Subject: Re: eap-config format supported by geteduroam
  • Date: Thu, 20 Jun 2024 16:21:44 +0000
  • Accept-language: en-GB, en-US

Hi,

 

Just FYI – Paul, if the XSD on GitHub has changes in it that are not part of the eap-metadata-02, then the draft needs to be updated… We'll need to ask Stefan W to do that.

 

:-/

 

Stefan Paetow

Federated Roaming Technical Specialist

eduroam(UK), Jisc

 

email/teams: stefan.paetow AT jisc.ac.uk

gpg: 0x3FCE5142

 

For eduroam support, please contact the eduroam team via help AT jisc.ac.uk and mark it for eduroam’s attention.

On Wednesdays and Fridays, I am not available between 12:00 and 15:00 London time (UTC in winter, UTC+0100 in summer).

 

jisc.ac.uk

 

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, BS1 6NB Tel: 020 3697 5800.

 

 

From: <geteduroam-request AT lists.geant.org> on behalf of "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>
Reply to: James Potter <Jim.Potter AT jisc.ac.uk>
Date: Thursday 20 June 2024 at 13:09
To: Paul Dekkers <paul.dekkers AT surf.nl>
Cc: "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>
Subject: RE: eap-config format supported by geteduroam

 

Hi Paul,

 

OK, that has worked absolutely beautifully – it connects straight away with all the correct settings.

 

(You don’t have the xsd or similar for the Apple wifi config file do you? That’s next on the list…)

 

Thanks again for your help,

 

Jim

 

From: Paul Dekkers <paul.dekkers AT surf.nl>
Sent: Thursday, June 20, 2024 9:15 AM
To: James Potter <Jim.Potter AT jisc.ac.uk>
Cc: geteduroam AT lists.geant.org
Subject: Re: eap-config format supported by geteduroam

 

Hi,

On 20/06/2024 10:07, James Potter (via geteduroam Mailing List) wrote:

I’ve created a service which creates customised eap-config files, the plan is that users download them, they open in geteduroam + set up the wifi profile, but I’m having issues with getting geteduroam to accept the config (it says “Not a valid eap-config file” at the moment).

So basically you recreated the geteduroam portal? ;-) (I hope you knew about its existence!)

(That's fine, no judgement, but I hope you also do it via OAUTH to mimic the geteduroam native workflow and have it most secure, and then there's an alternative for admins to choose software and it would make sense and integrate well with the Apps and authentication.)

I’ve started with a config from eduroam CAT and added custom ClientSideCredential subelements.

 

So I’ve taken inspiration from https://datatracker.ietf.org/doc/html/draft-winter-opsawg-eap-metadata-02#section-2.2.2.3 for what I should be including, but have some queries:

I think a better and more current source is in the CAT repo:

https://github.com/GEANT/CAT/blob/master/devices/eap_config/eap-metadata.xsd

  1. The config from CAT contains InnerIdentitySuffix and InnerIdentityHint, these aren’t mentioned in the above doc
  2. I’ve added the following:

 

<ClientSideCredential>
    <AnonymousIdentity>jim AT ti.dev.ja.net</AnonymousIdentity>
    <UserName>jim AT ti.dev.ja.net</UserName>
    <allow-save>true</allow-save>
    <ClientCertificate> SOME BASE64 </ClientCertificate>
    <Passphrase>asdfqwerqwer</Passphrase>
</ClientSideCredential>

 

Are these the correct subelements? And what form should the ClientCertificate take? I’ve tried cert pem + encrypted private key (crashes) and Base64 encoded pkcs12 (complains, not a valid eap-config file)

 

I’m having trouble deducing this from the app source code – any hints here would be great.

I think it's easier to test with the .eap-configs that the letswifi-portal produces, or the output from CAT itself. Looking at what letswifi-portal produces, it looks like:

<ClientSideCredential>
<OuterIdentity>pseudo-id AT realm.tld</OuterIdentity>
<ClientCertificate format="PKCS12" encoding="base64">... (base64 here)...</ClientCertificate>
</ClientSideCredential>

Hope this helps,

Regards,
Paul

 

I’ve attached the eap-config I’m working with (cert + passphrase work but are revoked)

 

Thanks,

 

Jim Potter

Jisc
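As an added illustration (not code from this thread, from geteduroam or from letswifi-portal), the Python below emits a ClientSideCredential in the shape Paul quotes from letswifi-portal output and checks an arbitrary fragment against that shape: an OuterIdentity element, and a ClientCertificate carrying format="PKCS12" and encoding="base64" whose body decodes to a DER SEQUENCE. The PKCS#12 bytes are a constructed stand-in rather than a real key store, and the DER-tag check is an added sanity test, not something the thread states geteduroam performs.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed stand-in for a PKCS#12 blob: a bare DER SEQUENCE holding the
# PFX version INTEGER 3. It is NOT a usable .p12, only enough to run the code.
SAMPLE_PKCS12_DER = b"\x30\x03\x02\x01\x03"


def build_client_side_credential(outer_identity: str, pkcs12_der: bytes) -> str:
    """Emit a ClientSideCredential in the shape letswifi-portal produces."""
    cred = ET.Element("ClientSideCredential")
    ET.SubElement(cred, "OuterIdentity").text = outer_identity
    cert = ET.SubElement(cred, "ClientCertificate",
                         format="PKCS12", encoding="base64")
    cert.text = base64.b64encode(pkcs12_der).decode("ascii")
    return ET.tostring(cred, encoding="unicode")


def check_client_side_credential(xml_text: str) -> list:
    """Return the problems found; an empty list means the fragment matches
    the letswifi-portal shape shown in the thread."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "ClientSideCredential":
        return ["root element is %r, expected ClientSideCredential" % root.tag]
    if root.find("OuterIdentity") is None:
        problems.append("no OuterIdentity element")
    cert = root.find("ClientCertificate")
    if cert is None:
        return problems + ["no ClientCertificate element"]
    if cert.get("format") != "PKCS12":
        problems.append('ClientCertificate lacks format="PKCS12"')
    if cert.get("encoding") != "base64":
        problems.append('ClientCertificate lacks encoding="base64"')
    try:
        # validate=True rejects whitespace and placeholder text inside the body.
        der = base64.b64decode((cert.text or "").strip(), validate=True)
    except binascii.Error:
        return problems + ["ClientCertificate body is not valid base64"]
    # Every DER-encoded PKCS#12 (PFX) structure starts with a SEQUENCE tag (0x30).
    if not der or der[0] != 0x30:
        problems.append("decoded ClientCertificate is not a DER SEQUENCE")
    return problems
```

Running the check over the fragment Jim posted (no attributes on ClientCertificate, placeholder body, AnonymousIdentity instead of OuterIdentity) lists each mismatch against the letswifi-portal form.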

Archive powered by MHonArc 2.6.24.
