
cat-users - Re: [cat-users] iphone problem

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: "Angel, Judy" <admyet4 AT herts.ac.uk>
  • To: Stefan Winter <stefan.winter AT restena.lu>, "cat-users AT geant.net" <cat-users AT geant.net>, Mailcon2 <e.4.test AT herts.ac.uk>
  • Subject: Re: [cat-users] iphone problem
  • Date: Fri, 14 Jun 2013 13:16:43 +0100
  • Accept-language: en-US, en-GB
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

I have uploaded a Terena certificate, but not a chain. I will try that later.
I did notice that the code is identical for the different Apple devices, but
on my site Lion works and iPhone and iPad do not. The iPad download web
page looks like all the others but the iPhone one looks very different,
which seems to suggest that there is a difference somewhere.
We have a profile that works on an iPhone. I will get hold of it and send it to
the list.

Thanks

Judy


-----Original Message-----
From: Stefan Winter [mailto:stefan.winter AT restena.lu]
Sent: 14 June 2013 12:47
To: cat-users AT geant.net; Mailcon2
Subject: Re: [cat-users] iphone problem

Hi,

> I have taken a look at the actual profile. It has an error. Instead of
> the certificate chain for the CAs it just contains the server
> certificate (TCS one). This is not correct.
>
> Please supply the whole TCS certificate chain as either one PEM file
> containing all, or several files with separate certificates and please
> try again then.

You are right with that; but I don't think it is the root cause of the
problem. Judy mentioned in her first mail that she initially had a
self-signed cert; which is its own CA root certificate and is a complete
chain in itself.

> With TTLS-PAP, the newest IOS does not ask the user to provide
> credentials at install time, only at first connection time. This is
> different from PEAP.

I understood the problem to be that on this first connection, the "unknown
cert" warning comes up, and it is *not possible* to proceed with the
connection. (?)

Still, if she was able to upload a *server* cert instead of a CA cert, and
wasn't told by the UI that this is wrong, then this is something we have to
tackle in CAT. That warning needs to make it to the admin's eye.

Greetings,

Stefan

>
> Tomasz
>
>
>
> On 14.06.2013 13:04, Stefan Winter wrote:
>> Hi,
>>
>>> We use PAP-TTLS as we authenticate against a unix password file.
>>> Unfortunately PEAP did not work.
>>> iPad and iPhone do not work and the vast majority of students have
>>> these devices.
>> Looking at the thread, I see that you reported OS X Lion+ to work
>> without problems.
>>
>> That's "funny" because the OS X Lion download and iOS download are
>> the identical file; they only have two different buttons on the
>> download interface because people are looking for device classes
>> usually, and a button with an abstract notion of "anything Apple"
>> looked less intuitive than mentioning the exact device class.
>>
>> So if the OS X Lion+ installer works, I'm reasonably confident that
>> the profile as generated by CAT is in good working order.
>>
>> Since Scott mentioned that their CloudPath installer has the same
>> issue, I'm really tempted to think that this is an iOS bug - in that
>> it can't do TTLS-PAP properly - much more than an eduroam CAT problem.
>>
>> Since you can't move away from TTLS-PAP, I'm sort of lost in things
>> to suggest. There is one thing maybe: you could try to generate an
>> iOS profile "by hand"; i.e. download Apple's "iPhone Configuration
>> Utility", click together the settings as they apply to your IdP and
>> see if the resulting profile works better with the iOS devices.
>>
>> I'm guessing it won't, and then it's clearly an iOS bug. If it does
>> work better however, please send the profile over to me so I can
>> inspect it for differences to what CAT generates.
>>
>> Greetings,
>>
>> Stefan Winter
>>
>>>
>>> Regards
>>> Judy Angel
>>>
>>>
>>> Sent from my iPad
>>>
>>> On 13 Jun 2013, at 08:56 PM, Scott Armitage
>>> <S.P.Armitage AT lboro.ac.uk>
>>> wrote:
>>>
>>>> On 13 Jun 2013, at 15:46, "Angel, Judy"
>>>> <admyet4 AT herts.ac.uk>
>>>> wrote:
>>>>
>>>>> Hi
>>>>> I am new to this system and think it is great. Thank you very much for
>>>>> developing such a useful tool.
>>>>> I have tested the download for W7, XP, Lion, Linux and all work
>>>>> fine. However the iPhone app does not look as nice as the others and
>>>>> more to the point does not work for me. It goes through the install
>>>>> screen, I enter username and password but there is no connection.
>>>>> I originally had a self certified certificate. I have now
>>>>> installed the Janet Terena one which I can see as verified in the
>>>>> iphone>general>profile But when I select the SSID eduroam the
>>>>> certificate page with the gears is on the left, not verified in red in
>>>>> the middle of the screen, accept on the right hand side but it is not
>>>>> an active button, so can not be selected.
>>>>> Have you come across such a problem? Any suggestions please.
>>>>
>>>> I think the problem is TTLS. I noticed the same problem with our
>>>> cloudpath profiles if the authentication type was set to EAP-TTLS. I
>>>> therefore had to switch to PEAP.
>>>> From memory this was discussed a while ago on another mailing list (but
>>>> I can't remember).
>>>>
>>>> Try a PEAP configuration and see if you have the same problem.
>>>>
>>>> Regards
>>>>
>>>> Scott Armitage
>>
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
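
The upload check discussed above (flagging a server certificate supplied where a CA certificate or chain is expected), as an added example that is not part of the thread and not CAT's own code. It uses the Python `cryptography` package; the function names, warning texts and the two throwaway certificates are constructed for illustration, and treating a certificate without basicConstraints as a non-CA is an assumption of this sketch.

```python
import datetime, re
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def classify(cert):
    """Return 'root-ca', 'intermediate-ca' or 'server' for one certificate."""
    if cert.subject == cert.issuer:
        return "root-ca"  # self-issued (name match only, signature not verified)
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        return "intermediate-ca" if bc.ca else "server"
    except x509.ExtensionNotFound:
        return "server"  # assumption: no basicConstraints means not a CA

def check_upload(pem_bundle):
    """Return the warnings an upload form could show for a CA-certificate field."""
    certs = [x509.load_pem_x509_certificate(b) for b in PEM_RE.findall(pem_bundle)]
    kinds = [classify(c) for c in certs]
    warnings = [f"{c.subject.rfc4514_string()}: server certificate, not a CA"
                for c, k in zip(certs, kinds) if k == "server"]
    if "root-ca" not in kinds:
        warnings.append("no root CA certificate in upload")
    return warnings

def constructed_samples():
    """Build a throwaway root CA and a server cert it issues (constructed data)."""
    def build(cn, key, issuer_cn, issuer_key, is_ca):
        name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
        start = datetime.datetime(2024, 1, 1)
        return (x509.CertificateBuilder()
                .subject_name(name(cn)).issuer_name(name(issuer_cn))
                .public_key(key.public_key()).serial_number(x509.random_serial_number())
                .not_valid_before(start)
                .not_valid_after(start + datetime.timedelta(days=365))
                .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
                .sign(issuer_key, hashes.SHA256())
                .public_bytes(serialization.Encoding.PEM))
    ca_key = ec.generate_private_key(ec.SECP256R1())
    srv_key = ec.generate_private_key(ec.SECP256R1())
    root = build("Constructed Root CA", ca_key, "Constructed Root CA", ca_key, True)
    server = build("radius.example.org", srv_key, "Constructed Root CA", ca_key, False)
    return root, server

if __name__ == "__main__":
    root_pem, server_pem = constructed_samples()
    print(check_upload(server_pem))
```

A self-signed certificate passes as its own root here, matching the point made in the thread that such a certificate is a complete chain in itself.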





