This repository has been archived by the owner on Jan 10, 2024. It is now read-only.
configure "eduroam" using the TCA eduroam assistant
Expected Result
"eduroam" should be configured in a secure way according to the eduroam / lrz guides including checks for valid CA certificate and radius server certificate subject match
Actual Result
"eduroam" is not configured in an entirely secure way, no radius server certificate subject match is applied
Problem
Phone will connect to any malicious "eduroam" access point that issues a certificate signed by Deutsche Telekom Root CA 2 (which is actually not hard to obtain legally) and may expose user credentials
Suggested Enhancement ✨
Add radius server certificate subject match (you may check eduroamCAT App for details)
Environment
Phone: Any
OS: Android 4.x+
TCA Version: 1.4.7
Thanks for bringing this to our attention.
We definitely already set the CA certificate, however I am currently not aware of a "radius server certificate subject match". Do you have a link to the "eduroam / lrz guides" you mentioned regarding this subject match?
The CAT-Android app is also rather a train wreck considering UI and code quality. I couldn't get it to configure eduroam for me… (What does a free-text field in "manual search" mean? Nothing I entered gives me results? 😦)
Yep, the app is pretty bad... Took me a while to figure out that you have to actually search for "DFN" if you want to get a step further ... which is getting redirected to a crappy website ;)
The LRZ guides aren't the best either, but I hope they'll get reworked before next semester. There is no good way of getting notifications about changes on the lrz websites (afaik). The security flaw mentioned is also not new, it is known for many years now...
The check against "radius.lrz.de" is what I meant. Looks good to me ;)
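The following is an added illustration, not code from the TCA project or from anyone in this thread. It models the two checks the issue is about: a CA-only check (which accepts any certificate the trusted CA has issued, including one for an attacker's own hostname) and the additional server-name check, implemented with the label-by-label suffix rule that wpa_supplicant uses for domain_suffix_match and that Android exposes as WifiEnterpriseConfig.setDomainSuffixMatch. The certificate records are constructed sample data, not parsed X.509; "radius.lrz.de" is taken from the thread, the rogue hostname is made up.

```python
from dataclasses import dataclass, field
from typing import List, Optional

TRUSTED_CA = "Deutsche Telekom Root CA 2"  # the CA named in the issue


@dataclass
class ServerCert:
    """Only the fields a supplicant looks at; constructed for the example."""
    issuer: str
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)


def suffix_match(name: str, suffix: str) -> bool:
    """domain_suffix_match semantics: compare DNS labels from the TLD down.

    Every label of `suffix` must appear in `name`; `name` may carry extra
    sub-labels in front.  A plain str.endswith() would wrongly accept
    'notradius.lrz.de' for the suffix 'radius.lrz.de'.
    """
    n = name.lower().rstrip(".").split(".")
    s = suffix.lower().rstrip(".").split(".")
    return len(n) >= len(s) and n[-len(s):] == s


def server_cert_acceptable(cert: ServerCert, ca_name: str,
                           domain_suffix: Optional[str] = None) -> bool:
    """Return True if a supplicant with this config would trust the RADIUS server."""
    if cert.issuer != ca_name:
        return False                      # chain does not lead to the configured CA
    if domain_suffix is None:
        return True                       # weak config: CA check only (the reported bug)
    # SAN dNSName entries are authoritative; the CN is used only when no SAN is present.
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(suffix_match(n, domain_suffix) for n in names)


# Constructed sample certificates, both validly signed by the same public CA.
LEGIT_CERT = ServerCert(TRUSTED_CA, "radius.lrz.de", ["radius.lrz.de"])
ROGUE_CERT = ServerCert(TRUSTED_CA, "radius.attacker-example.net",
                        ["radius.attacker-example.net"])


def demo() -> dict:
    """Outcome for each certificate under the weak and the hardened configuration."""
    return {
        "legit, ca only": server_cert_acceptable(LEGIT_CERT, TRUSTED_CA),
        "rogue, ca only": server_cert_acceptable(ROGUE_CERT, TRUSTED_CA),
        "legit, ca + suffix": server_cert_acceptable(LEGIT_CERT, TRUSTED_CA, "radius.lrz.de"),
        "rogue, ca + suffix": server_cert_acceptable(ROGUE_CERT, TRUSTED_CA, "radius.lrz.de"),
    }
```

Only the hardened configuration rejects the rogue certificate; the CA check alone cannot tell the two apart because both chain to the same root.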