cat-users - Re: [cat-users] iphone problem

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: Stefan Winter <stefan.winter AT restena.lu>
  • Cc: cat-users AT geant.net, "Angel, Judy" <admyet4 AT herts.ac.uk>
  • Subject: Re: [cat-users] iphone problem
  • Date: Fri, 14 Jun 2013 14:08:00 +0200
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool (CAT)" <cat-users.geant.net>

I will try to test this profile on Monday and see what comes up. Even
without valid credentials one can actually see quite a lot.

The description of the problem does not match my experience, therefore I
think that this must be the actual profile problem.

Tomasz


On 14.06.2013 13:47, Stefan Winter wrote:
> Hi,
>
>> I have taken a look at the actual profile. It has an error. Instead of
>> the certificate chain for the CAs it just contains the server
>> certificate (TCS one). This is not correct.
>>
>> Please supply the whole TCS certificate chain as either one PEM file
>> containing all, or several files with separate certificates and please
>> try again then.
> You are right with that; but I don't think it is the root cause of the
> problem. Judy mentioned in her first mail that she initially had a
> self-signed cert; which is its own CA root certificate and is a complete
> chain in itself.
>
>> With TTLS-PAP, the newest IOS does not ask the user to provide
>> credentials at install time, only at first connection time. This is
>> different from PEAP.
> I understood the problem to be that on this first connection, the
> "unknown cert" warning comes up, and it is *not possible* to proceed
> with the connection. (?)
>
> Still, if she was able to upload a *server* cert instead of a CA cert,
> and wasn't told by the UI that this is wrong, then this is something we
> have to tackle in CAT. That warning needs to make it to the admin's eye.
>
> Greetings,
>
> Stefan
>
>> Tomasz
>>
>>
>>
>> On 14.06.2013 13:04, Stefan Winter wrote:
>>> Hi,
>>>
>>>> We use PAP-TTLS as we authenticate against a unix password file.
>>>> Unfortunately PEAP did not work.
>>>> iPad and iPhone do not work and the vast majority of students have
>>>> these devices.
>>> Looking at the thread, I see that you reported OS X Lion+ to work
>>> without problems.
>>>
>>> That's "funny" because the OS X Lion download and iOS download are the
>>> identical file; they only have two different buttons on the download
>>> interface because people are looking for device classes usually, and a
>>> button with an abstract notion of "anything Apple" looked less
>>> intuitive than mentioning the exact device class.
>>>
>>> So if the OS X Lion+ installer works, I'm reasonably confident that the
>>> profile as generated by CAT is in good working order.
>>>
>>> Since Scott mentioned that their CloudPath installer has the same issue,
>>> I'm really tempted to think that this is an iOS bug - in that it can't
>>> do TTLS-PAP properly - much more than an eduroam CAT problem.
>>>
>>> Since you can't move away from TTLS-PAP, I'm sort of lost in things to
>>> suggest. There is one thing maybe: you could try to generate an iOS
>>> profile "by hand"; i.e. download Apple's "iPhone Configuration Utility",
>>> click together the settings as they apply to your IdP and see if the
>>> resulting profile works better with the iOS devices.
>>>
>>> I'm guessing it won't, and then it's clearly an iOS bug. If it does work
>>> better however, please send the profile over to me so I can inspect it
>>> for differences to what CAT generates.
>>>
>>> Greetings,
>>>
>>> Stefan Winter
>>>
>>>> Regards
>>>> Judy Angel
>>>>
>>>>
>>>> Sent from my iPad
>>>>
>>>> On 13 Jun 2013, at 08:56 PM, Scott Armitage
>>>> <S.P.Armitage AT lboro.ac.uk>
>>>> wrote:
>>>>
>>>>> On 13 Jun 2013, at 15:46, "Angel, Judy"
>>>>> <admyet4 AT herts.ac.uk>
>>>>> wrote:
>>>>>
>>>>>> Hi
>>>>>> I am new to this system and think it is great. Thank you very much for
>>>>>> developing such a useful tool.
>>>>>> I have tested the download for w7, XP, lion, linux and all work fine.
>>>>>> However the iphone app does not look as nice as the others and
>>>>>> more to the point does not work for me. It goes through the install
>>>>>> screen, I enter username and password but there is no connection.
>>>>>> I originally had a self certified certificate. I have now installed
>>>>>> the Janet Terena one which I can see as verified in the
>>>>>> iphone>general>profile
>>>>>> But when I select the SSID eduroam the certificate page with the gears
>>>>>> is on the left, not verified in red in the middle of the screen,
>>>>>> accept on the right hand side but it is not an active button, so can
>>>>>> not be selected.
>>>>>> Have you come across such a problem? Any suggestions please.
>>>>> I think the problem is TTLS. I noticed the same problem with our
>>>>> cloudpath profiles if the authentication type was set to EAP-TTLS. I
>>>>> therefore had to switch to PEAP.
>>>>> From memory this was discussed a while ago on another mailing list (but
>>>>> I can't remember).
>>>>>
>>>>> Try a PEAP configuration and see if you have the same problem.
>>>>>
>>>>> Regards
>>>>>
>>>>> Scott Armitage
>

--
Tomasz Wolniewicz

twoln AT umk.pl
http://www.umk.pl/~twoln

Uczelniane Centrum Informatyczne (Information & Communication Technology Centre)
Uniwersytet Mikolaja Kopernika (Nicolaus Copernicus University)
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576
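
The upload-time check asked for in the quoted reply (telling a CA certificate from a server certificate before it goes into a profile), sketched with the openssl CLI. This is an added example, not part of the thread and not CAT's own code; the function names and the locally generated test certificates are assumptions.

```shell
# Added example (hypothetical helper names); requires the openssl CLI.

# Print "ca" if the certificate asserts basicConstraints CA:TRUE,
# "end-entity" if it does not, "invalid" if openssl cannot parse it.
cert_role() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo invalid; return; }
    case $text in
        *CA:TRUE*) echo ca ;;
        *) echo end-entity ;;
    esac
}

# Succeed only if the PEM bundle holds at least one certificate and all are CAs.
check_ca_bundle() {
    tmp=$(mktemp -d) || return 2
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
        n {print > (dir "/cert" n ".pem")}' "$1"
    bad=0; count=0
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || break
        count=$((count + 1))
        role=$(cert_role "$f")
        echo "$role: $(openssl x509 -in "$f" -noout -subject 2>/dev/null)"
        [ "$role" = ca ] || bad=1
    done
    rm -rf "$tmp"
    [ "$count" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed sample input: a throwaway CA and a server certificate signed by it.
make_constructed_certs() {
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
        '[v3_srv]' 'basicConstraints=CA:FALSE' > "$1/x.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/x.cnf" \
        -extensions v3_ca -subj '/CN=Constructed Example CA' \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$1/x.cnf" \
        -subj '/CN=radius.example.org' \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -extfile "$1/x.cnf" -extensions v3_srv \
        -out "$1/srv.pem" 2>/dev/null
}

demo=$(mktemp -d) && make_constructed_certs "$demo"
check_ca_bundle "$demo/srv.pem" || echo "rejected: server certificate, not a CA chain"
check_ca_bundle "$demo/ca.pem" && echo "accepted"
```

A self-signed server certificate that does not set CA:TRUE is also reported as end-entity by this check.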





