cat-users - Re: [cat-users] iphone problem

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: cat-users AT geant.net, "Angel, Judy" <admyet4 AT herts.ac.uk>
  • Subject: Re: [cat-users] iphone problem
  • Date: Fri, 14 Jun 2013 13:47:18 +0200
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hi,

> I have taken a look at the actual profile. It has an error. Instead of
> the certificate chain for the CAs it just contains the server
> certificate (TCS one). This is not correct.
>
> Please supply the whole TCS certificate chain as either one PEM file
> containing all, or several files with separate certificates and please
> try again then.

You are right with that; but I don't think it is the root cause of the
problem. Judy mentioned in her first mail that she initially had a
self-signed cert; which is its own CA root certificate and is a complete
chain in itself.

> With TTLS-PAP, the newest iOS does not ask the user to provide
> credentials at install time, only at first connection time. This is
> different from PEAP.

I understood the problem to be that on this first connection, the
"unknown cert" warning comes up, and it is *not possible* to proceed
with the connection. (?)

Still, if she was able to upload a *server* cert instead of a CA cert,
and wasn't told by the UI that this is wrong, then this is something we
have to tackle in CAT. That warning needs to make it to the admin's eye.

Greetings,

Stefan

>
> Tomasz
>
>
>
> On 14.06.2013 13:04, Stefan Winter wrote:
>> Hi,
>>
>>> We use PAP-TTLS as we authenticate against a unix password file.
>>> Unfortunately PEAP did not work.
>>> iPad and iPhone do not work and the vast majority of students have
>>> these devices.
>> Looking at the thread, I see that you reported OS X Lion+ to work
>> without problems.
>>
>> That's "funny" because the OS X Lion download and iOS download are the
>> identical file; they only have two different buttons on the download
>> interface because people are looking for device classes usually, and a
>> button with an abstract notion of "anything Apple" looked less
>> intuitive than mentioning the exact device class.
>>
>> So if the OS X Lion+ installer works, I'm reasonably confident that the
>> profile as generated by CAT is in good working order.
>>
>> Since Scott mentioned that their CloudPath installer has the same issue,
>> I'm really tempted to think that this is an iOS bug - in that it can't
>> do TTLS-PAP properly - much more than an eduroam CAT problem.
>>
>> Since you can't move away from TTLS-PAP, I'm sort of lost in things to
>> suggest. There is one thing maybe: you could try to generate an iOS
>> profile "by hand"; i.e. download Apple's "iPhone Configuration Utility",
>> click together the settings as they apply to your IdP and see if the
>> resulting profile works better with the iOS devices.
>>
>> I'm guessing it won't, and then it's clearly an iOS bug. If it does work
>> better however, please send the profile over to me so I can inspect it
>> for differences to what CAT generates.
>>
>> Greetings,
>>
>> Stefan Winter
>>
>>>
>>> Regards
>>> Judy Angel
>>>
>>>
>>> Sent from my iPad
>>>
>>> On 13 Jun 2013, at 08:56 PM, Scott Armitage
>>> <S.P.Armitage AT lboro.ac.uk>
>>> wrote:
>>>
>>>> On 13 Jun 2013, at 15:46, "Angel, Judy"
>>>> <admyet4 AT herts.ac.uk>
>>>> wrote:
>>>>
>>>>> Hi
>>>>> I am new to this system and think it is great. Thank you very much for
>>>>> developing such a useful tool.
>>>>> I have tested the download for w7, XP, lion, linux and all work fine.
>>>>> However the iphone app does not look as nice as the others and
>>>>> more to the point does not work for me. It goes through the install
>>>>> screen, I enter username and password but there is no connection.
>>>>> I originally had a self certified certificate. I have now installed the
>>>>> Janet Terena one which I can see as verified in the
>>>>> iphone>general>profile
>>>>> But when I select the SSID eduroam the certificate page with the gears
>>>>> is on the left, not verified in red in the middle of the screen, accept
>>>>> on the right hand side but it is not an active button, so can not be
>>>>> selected.
>>>>> Have you come across such a problem? Any suggestions please.
>>>>
>>>> I think the problem is TTLS. I noticed the same problem with our
>>>> cloudpath profiles if the authentication type was set to EAP-TTLS. I
>>>> therefore had to switch to PEAP.
>>>> From memory this was discussed a while ago on another mailing list (but
>>>> I can't remember).
>>>>
>>>> Try a PEAP configuration and see if you have the same problem.
>>>>
>>>> Regards
>>>>
>>>> Scott Armitage
>>
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
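
The upload check asked for in the mail above (telling the admin that a file holds a server certificate rather than a CA certificate) could look like the following. This is an added example, not CAT's code and not part of the original mail; `auditUpload`, `mint` and the certificate names are hypothetical, and both certificates are constructed at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// auditUpload splits the certificates in a PEM upload into CA certificates
// (basicConstraints CA:TRUE) and everything else, returned by subject CN.
func auditUpload(bundle []byte) (cas, leaves []string, err error) {
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		c, perr := x509.ParseCertificate(b.Bytes)
		if perr != nil {
			return nil, nil, perr
		}
		if c.BasicConstraintsValid && c.IsCA {
			cas = append(cas, c.Subject.CommonName)
		} else {
			leaves = append(leaves, c.Subject.CommonName)
		}
	}
	return cas, leaves, nil
}

// mint creates a constructed test certificate; a nil parent means self-signed.
func mint(cn string, isCA bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), t, key
}

func main() {
	caPEM, ca, caKey := mint("Constructed Test CA", true, nil, nil)
	srvPEM, _, _ := mint("radius.example.org", false, ca, caKey)
	fmt.Println(auditUpload(srvPEM))                   // server cert only: no CA in the upload
	fmt.Println(auditUpload(append(caPEM, srvPEM...))) // CA plus server cert
}
```

An upload with an empty first list or a non-empty second list is the case to surface to the admin. A self-signed server certificate that lacks CA:TRUE also lands in the second list; whether to accept it as its own anchor is left to the caller.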
