cat-users - Re: [cat-users] iphone problem

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: "Angel, Judy" <admyet4 AT herts.ac.uk>
  • Cc: "cat-users AT geant.net" <cat-users AT geant.net>, Mailcon2 <e.4.test AT herts.ac.uk>
  • Subject: Re: [cat-users] iphone problem
  • Date: Fri, 14 Jun 2013 16:07:08 +0200
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hi,

> I have uploaded a Terena certificate, but not a chain.

Further to this, I've now added code into trunk (i.e. a 1.1 version
coming up later) which will visualise that it's a bad idea to upload a
server cert at all, see attached screenshot.

Maybe that's not the best solution... instead uploading a server cert
could outright be rejected in the first place; I guess this needs to be
thought through a bit more thoroughly.

Stefan

> I will try that later.

> I did notice that the code is identical for the different apple devices but
> in my site the lion works and iphone ipad does not. The ipad download web
> page looks like all the others but the iphone one looks very different,
> which seems to suggest that there is a difference somewhere.
> We have a profile that works on an iphone I will get hold of it and send to
> the list.
>
> Thanks
>
> Judy
>
>
> -----Original Message-----
> From: Stefan Winter
> [mailto:stefan.winter AT restena.lu]
>
> Sent: 14 June 2013 12:47
> To:
> cat-users AT geant.net;
> Mailcon2
> Subject: Re: [cat-users] iphone problem
>
> Hi,
>
>> I have taken a look at the actual profile. It has an error. Instead of
>> the certificate chain for the CAs it just contains the server
>> certificate (TCS one). This is not correct.
>>
>> Please supply the whole TCS certificate chain as either one PEM file
>> containing all, or several files with separate certificates and please
>> try again then.
>
> You are right with that; but I don't think it is the root cause of the
> problem. Judy mentioned in her first mail that she initially had a
> self-signed cert; which is its own CA root certificate and is a complete
> chain in itself.
>
>> With TTLS-PAP, the newest IOS does not ask the user to provide
>> credentials at install time, only at first connection time. This is
>> different from PEAP.
>
> I understood the problem to be that on this first connection, the "unknown
> cert" warning comes up, and it is *not possible* to proceed with the
> connection. (?)
>
> Still, if she was able to upload a *server* cert instead of a CA cert, and
> wasn't told by the UI that this is wrong, then this is something we have to
> tackle in CAT. That warning needs to make it to the admin's eye.
>
> Greetings,
>
> Stefan
>
>>
>> Tomasz
>>
>>
>>
>> W dniu 14.06.2013 13:04, Stefan Winter pisze:
>>> Hi,
>>>
>>>> We use PAP-TTLS as we authenticate against a unix password file.
>>>> Unfortunately PEAP did not work.
>>>> iPad and iPhone do not work and the vast majority of students have
>>>> these devices.
>>> Looking at the thread, I see that you reported OS X Lion+ to work
>>> without problems.
>>>
>>> That's "funny" because the OS X Lion download and iOS download are
>>> the identical file; they only have two different buttons on the
>>> download interface because people are looking for device classes
>>> usually, and a button with an abstract notion of "anything Apple"
>>> looked less intuitive than mentioning the exact device class.
>>>
>>> So if the OS X Lion+ installer works, I'm reasonably confident that
>>> the profile as generated by CAT is in good working order.
>>>
>>> Since Scott mentioned that their CloudPath installer has the same
>>> issue, I'm really tempted to think that this is an iOS bug - in that
>>> it can't do TTLS-PAP properly - much more than an eduroam CAT problem.
>>>
>>> Since you can't move away from TTLS-PAP, I'm sort of lost in things
>>> to suggest. There is one thing maybe: you could try to generate an
>>> iOS profile "by hand"; i.e. download Apple's "iPhone Configuration
>>> Utility", click together the settings as they apply to your IdP and
>>> see if the resulting profile works better with the iOS devices.
>>>
>>> I'm guessing it won't, and then it's clearly an iOS bug. If it does
>>> work better however, please send the profile over to me so I can
>>> inspect it for differences to what CAT generates.
>>>
>>> Greetings,
>>>
>>> Stefan Winter
>>>
>>>>
>>>> Regards
>>>> Judy Angel
>>>>
>>>>
>>>> Sent from my iPad
>>>>
>>>> On 13 Jun 2013, at 08:56 PM, Scott Armitage
>>>> <S.P.Armitage AT lboro.ac.uk>
>>>> wrote:
>>>>
>>>>> On 13 Jun 2013, at 15:46, "Angel, Judy"
>>>>> <admyet4 AT herts.ac.uk>
>>>>> wrote:
>>>>>
>>>>>> Hi
>>>>>> I am new to this system and think it is great. Thank you very much for
>>>>>> developing such a useful tool.
>>>>>> I have tested the download for w7, XP, lion, linux and all work
>>>>>> fine. However the iphone app does not look as nice as the others and
>>>>>> more to the point does not work for me. It goes through the install
>>>>>> screen, I enter username and password but there is no connection.
>>>>>> I originally had a self certified certificate. I have now
>>>>>> installed the Janet Terena one which I can see as verified in the
>>>>>> iphone>general>profile But when I select the SSID eduroam the
>>>>>> certificate page with the gears is on the left, not verified in red in
>>>>>> the middle of the screen, accept on the right hand side but it is not
>>>>>> an active button, so can not be selected.
>>>>>> Have you come across such a problem? Any suggestions please.
>>>>>
>>>>> I think the problem is TTLS. I noticed the same problem with our
>>>>> cloudpath profiles if the authentication type was set to EAP-TTLS. I
>>>>> therefore had to switch to PEAP.
>>>>> From memory this was discussed a while ago on another mailing list (but
>>>>> I can't remember).
>>>>>
>>>>> Try a PEAP configuration and see if you have the same problem.
>>>>>
>>>>> Regards
>>>>>
>>>>> Scott Armitage
>>>
>>
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

Attachment: new-cert-visual.jpg
Description: JPEG image

Attachment: signature.asc
Description: OpenPGP digital signature
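
The check discussed in the message above, telling a CA certificate from a server certificate at upload time, as an added example that is not part of the original post and is not eduroam CAT code. It assumes the deciding fields are the basicConstraints cA flag and whether issuer equals subject; the sample certificates are constructed, unsigned skeletons with placeholder names.

```python
# Added example, not eduroam CAT code. Standard library only.
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")      # OID 2.5.29.19

def parse(buf):
    """Split a DER byte string into a list of (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                            # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def classify(der):
    """Return 'root-ca', 'intermediate-ca', 'self-issued-leaf' or 'server'."""
    tbs = [f for f in parse(parse(parse(der)[0][1])[0][1]) if f[0] != 0xA0]  # minus [0] version
    self_issued = tbs[2][1] == tbs[4][1]             # issuer == subject, signature not checked
    exts = [v for t, v in tbs[6:] if t == 0xA3]      # [3] extensions, absent in v1 certificates
    is_ca = False
    for _, ext in (parse(parse(exts[0])[0][1]) if exts else []):
        fields = parse(ext)                          # OID, [critical], OCTET STRING
        if fields[0][1] == OID_BASIC_CONSTRAINTS:
            bc = parse(parse(fields[-1][1])[0][1])   # cA BOOLEAN defaults to FALSE
            is_ca = bool(bc) and bc[0][0] == 0x01 and bc[0][1] != b"\x00"
    if is_ca:
        return "root-ca" if self_issued else "intermediate-ca"
    return "self-issued-leaf" if self_issued else "server"

def tlv(tag, body=b""):
    """DER-encode one element under 128 bytes; only builds the constructed samples."""
    return bytes([tag, len(body)]) + body

def sample(subject, issuer, ca):
    """Constructed, unsigned certificate skeleton; names are placeholders."""
    name = lambda cn: tlv(0x30, tlv(0x0C, cn.encode()))
    ext = tlv(0x30, tlv(0x06, OID_BASIC_CONSTRAINTS)
              + tlv(0x04, tlv(0x30, tlv(0x01, b"\xff") if ca else b"")))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30)
           + name(issuer) + tlv(0x30) + name(subject) + tlv(0x30)
           + tlv(0xA3, tlv(0x30, ext)))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30) + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    for subj, iss, ca in [("Example Root CA", "Example Root CA", True),
                          ("radius.example.org", "Example Issuing CA", False)]:
        print(f"{subj:20} -> {classify(sample(subj, iss, ca))}")
```

A PEM upload can be converted with `ssl.PEM_cert_to_DER_cert()` before calling `classify()`; any exception raised while parsing should count as a rejected upload.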
