Skip to Content.
Sympa Menu

cat-users - Re: [cat-users] iphone problem

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [cat-users] iphone problem


Chronological Thread 
  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: Stefan Winter <stefan.winter AT restena.lu>
  • Cc: cat-users AT geant.net, "Angel, Judy" <admyet4 AT herts.ac.uk>
  • Subject: Re: [cat-users] iphone problem
  • Date: Fri, 14 Jun 2013 14:08:00 +0200
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

I will try to test this profile on Monday and see what comes up. Even
without valid credentials one can actually see quite a lot.

The description of the problem does not match my experience, therefore I
think that this must be the actual profile problem.

Tomasz


W dniu 14.06.2013 13:47, Stefan Winter pisze:
> Hi,
>
>> I have taken a look at the actual profile. It has an error. Instead of
>> the certificate chain for the CAs it just contains the server
>> certificate (TCS one). This is not correct.
>>
>> Please supply the whole TCS certificate chain as either one PEM file
>> containing all, or several files with separate certificates and please
>> try again then.
> You are right with that; but I don't think it is the root cause of the
> problem. Judy mentioned in her first mail that she initially had a
> self-signed cert; which is its own CA root certificate and is a complete
> chain in itself.
>
>> With TTLS-PAP, the newest IOS does not ask the user to provide
>> credentials at install time, only at first connection time. This is
>> different from PEAP.
> I understood the problem to be that on this first connection, the
> "unknown cert" warning comes up, and it is *not possible* to proceed
> with the connection. (?)
>
> Still, if she was able to upload a *server* cert instead of a CA cert,
> and wasn't told by the UI that this is wrong, then this is something we
> have to tackle in CAT. That warning needs to make it to the admin's eye.
>
> Greetings,
>
> Stefan
>
>> Tomasz
>>
>>
>>
>> W dniu 14.06.2013 13:04, Stefan Winter pisze:
>>> Hi,
>>>
>>>> We use PAP-TTLS as we authenticate against a unix password file.
>>>> Unfortunately PEAP did not work.
>>>> iPad and iPhone does not work and vast majority of students use have
>>>> these devices.
>>> Looking at the thread, I see that you reported OS X Lion+ to work
>>> without problems.
>>>
>>> That's "funny" because the OS X Lion download and iOS download are the
>>> identical file; they only have two different buttons on the download
>>> interface because people are looking for device classes usually, and a
>>> button with an abstract notion of "anythinig Apple" looked less
>>> intuitive than mentioning the exact device class.
>>>
>>> So if the OS X Lion+ installer works, I'm reasonably confident that the
>>> profile as generated by CAT is in good working order.
>>>
>>> Since Scott mentioned that their CloudPath installer has the same issue,
>>> I'm really tempted to think that this is an iOS bug - in that it can't
>>> do TTLS-PAP properly - much more than an eduroam CAT problem.
>>>
>>> Since you can't move away from TTLS-PAP, I'm sort of lost in things to
>>> suggest. There is one thing maybe: you could try to generate an iOS
>>> profile "by hand"; i.e. download Apple's "iPhone Configuration Utility",
>>> click together the settings as they apply to your IdP and see if the
>>> resulting profile works better with the iOS devices.
>>>
>>> I'm guessing it won't, and then it's clearly an iOS bug. If it does work
>>> better however, please send the profile over to me so I can inspect it
>>> for differences to what CAT generates.
>>>
>>> Greetings,
>>>
>>> Stefan Winter
>>>
>>>> Regards
>>>> Judy Angel
>>>>
>>>>
>>>> Sent from my iPad
>>>>
>>>> On 13 Jun 2013, at 08:56 PM, Scott Armitage
>>>> <S.P.Armitage AT lboro.ac.uk>
>>>> wrote:
>>>>
>>>>> On 13 Jun 2013, at 15:46, "Angel, Judy"
>>>>> <admyet4 AT herts.ac.uk>
>>>>> wrote:
>>>>>
>>>>>> Hi
>>>>>> I am new to this system and think it is great. Thank you very much for
>>>>>> developing such a useful tool.
>>>>>> I have tested the download for w7, XP ,lion , linux and all work fine.
>>>>>> However the iphone app does not look as nice as the others and
>>>>>> More to the point down not work for me. It goes through the install
>>>>>> screen, I enter username and password but there is no connection.
>>>>>> I originally had a self certified certificate. I have now installed
>>>>>> the Janet Terena one which I can see as verified in the
>>>>>> iphone>general>profile
>>>>>> But when I select the SSID eduroam the certificate page with the gears
>>>>>> is on the left, not verified in red in the middle of the screen,
>>>>>> accept on the right hand side but it is not an active button, so can
>>>>>> not be selected.
>>>>>> Have you come across such a problem? Any suggestions please.
>>>>> I think the problem is TTLS. I noticed the same problem with our
>>>>> cloudpath profiles if the authentication type was set to EAP-TTLS. I
>>>>> therefore had to switch PEAP.
>>>>> From memory this was discussed a while ago on another mailing list (but
>>>>> I can't remember).
>>>>>
>>>>> Try a PEAP configuration and see if you have the same problem.
>>>>>
>>>>> Regards
>>>>>
>>>>> Scott Armitage
>

--
Tomasz Wolniewicz

twoln AT umk.pl
http://www.umk.pl/~twoln

Uczelniane Centrum Informatyczne Information&Communication
Technology Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576






Archive powered by MHonArc 2.6.19.

Top of Page