cat-users - Re: [cat-users] iphone problem

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [cat-users] iphone problem


  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: "Angel, Judy" <admyet4 AT herts.ac.uk>
  • Cc: "cat-users AT geant.net" <cat-users AT geant.net>, Mailcon2 <e.4.test AT herts.ac.uk>
  • Subject: Re: [cat-users] iphone problem
  • Date: Fri, 14 Jun 2013 17:19:56 +0200
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hi Judy,
The attached profile does not have any security configured, therefore it
makes users vulnerable to credential theft.
In short, this is definitely NOT the way to go.

I will try to do some testing on Monday.

Tomasz


On 14.06.2013 16:31, Angel, Judy wrote:
> Hi
> I have attached the config that is working on the iphone, hope this helps.
>
> Judy
> -----Original Message-----
> From: Stefan Winter
> [mailto:stefan.winter AT restena.lu]
>
> Sent: 14 June 2013 15:07
> To: Mailcon2
> Cc:
> cat-users AT geant.net;
> Mailcon2
> Subject: Re: [cat-users] iphone problem
>
> Hi,
>
>> I have uploaded a Terena certificate, but not a chain.
> Further to this, I've now added code into trunk (i.e. a 1.1 version coming
> up later) which will visualise that it's a bad idea to upload a server cert
> at all, see attached screenshot.
>
> Maybe that's not the best solution... instead uploading a server cert could
> outright be rejected in the first place; I guess this needs to be thought
> through a bit more thoroughly.
>
> Stefan
>
> I will try that later.
>
>> I did notice that the code is identical for the different apple devices
>> but in my site the lion works and iphone ipad does not. The ipad download
>> web page looks like all the others but the iphone one looks very
>> different, which seems to suggest that there is a difference somewhere.
>> We have a profile that works on an iphone I will get hold of it and send
>> to the list.
>>
>> Thanks
>>
>> Judy
>>
>>
>> -----Original Message-----
>> From: Stefan Winter
>> [mailto:stefan.winter AT restena.lu]
>> Sent: 14 June 2013 12:47
>> To:
>> cat-users AT geant.net;
>> Mailcon2
>> Subject: Re: [cat-users] iphone problem
>>
>> Hi,
>>
>>> I have taken a look at the actual profile. It has an error. Instead
>>> of the certificate chain for the CAs it just contains the server
>>> certificate (TCS one). This is not correct.
>>>
>>> Please supply the whole TCS certificate chain as either one PEM file
>>> containing all, or several files with separate certificates and
>>> please try again then.
>> You are right with that; but I don't think it is the root cause of the
>> problem. Judy mentioned in her first mail that she initially had a
>> self-signed cert; which is its own CA root certificate and is a complete
>> chain in itself.
>>
>>> With TTLS-PAP, the newest IOS does not ask the user to provide
>>> credentials at install time, only at first connection time. This is
>>> different from PEAP.
>> I understood the problem to be that on this first connection, the
>> "unknown cert" warning comes up, and it is *not possible* to proceed
>> with the connection. (?)
>>
>> Still, if she was able to upload a *server* cert instead of a CA cert, and
>> wasn't told by the UI that this is wrong, then this is something we have
>> to tackle in CAT. That warning needs to make it to the admin's eye.
>>
>> Greetings,
>>
>> Stefan
>>
>>> Tomasz
>>>
>>>
>>>
>>> On 14.06.2013 13:04, Stefan Winter wrote:
>>>> Hi,
>>>>
>>>>> We use PAP-TTLS as we authenticate against a unix password file.
>>>>> Unfortunately PEAP did not work.
>>>>> iPad and iPhone do not work and the vast majority of students use
>>>>> these devices.
>>>> Looking at the thread, I see that you reported OS X Lion+ to work
>>>> without problems.
>>>>
>>>> That's "funny" because the OS X Lion download and iOS download are
>>>> the identical file; they only have two different buttons on the
>>>> download interface because people are looking for device classes
>>>> usually, and a button with an abstract notion of "anything Apple"
>>>> looked less intuitive than mentioning the exact device class.
>>>>
>>>> So if the OS X Lion+ installer works, I'm reasonably confident that
>>>> the profile as generated by CAT is in good working order.
>>>>
>>>> Since Scott mentioned that their CloudPath installer has the same
>>>> issue, I'm really tempted to think that this is an iOS bug - in that
>>>> it can't do TTLS-PAP properly - much more than an eduroam CAT problem.
>>>>
>>>> Since you can't move away from TTLS-PAP, I'm sort of lost in things
>>>> to suggest. There is one thing maybe: you could try to generate an
>>>> iOS profile "by hand"; i.e. download Apple's "iPhone Configuration
>>>> Utility", click together the settings as they apply to your IdP and
>>>> see if the resulting profile works better with the iOS devices.
>>>>
>>>> I'm guessing it won't, and then it's clearly an iOS bug. If it does
>>>> work better however, please send the profile over to me so I can
>>>> inspect it for differences to what CAT generates.
>>>>
>>>> Greetings,
>>>>
>>>> Stefan Winter
>>>>
>>>>> Regards
>>>>> Judy Angel
>>>>>
>>>>>
>>>>> Sent from my iPad
>>>>>
>>>>> On 13 Jun 2013, at 08:56 PM, Scott Armitage
>>>>> <S.P.Armitage AT lboro.ac.uk>
>>>>> wrote:
>>>>>
>>>>>> On 13 Jun 2013, at 15:46, "Angel, Judy"
>>>>>> <admyet4 AT herts.ac.uk>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi
>>>>>>> I am new to this system and think it is great. Thank you very much
>>>>>>> for developing such a useful tool.
>>>>>>> I have tested the download for W7, XP, Lion, Linux and all work
>>>>>>> fine. However the iphone app does not look as nice as the others and,
>>>>>>> more to the point, does not work for me. It goes through the install
>>>>>>> screen, I enter username and password but there is no connection.
>>>>>>> I originally had a self-certified certificate. I have now
>>>>>>> installed the Janet Terena one which I can see as verified in the
>>>>>>> iphone>general>profile. But when I select the SSID eduroam the
>>>>>>> certificate page with the gears is on the left, not verified in red
>>>>>>> in the middle of the screen, accept on the right hand side but it is
>>>>>>> not an active button, so cannot be selected.
>>>>>>> Have you come across such a problem? Any suggestions please.
>>>>>> I think the problem is TTLS. I noticed the same problem with our
>>>>>> cloudpath profiles if the authentication type was set to EAP-TTLS. I
>>>>>> therefore had to switch to PEAP.
>>>>>> From memory this was discussed a while ago on another mailing list
>>>>>> (but I can't remember).
>>>>>>
>>>>>> Try a PEAP configuration and see if you have the same problem.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Scott Armitage
>>
>> --
>> Stefan WINTER
>> Ingenieur de Recherche
>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale
>> et de la Recherche 6, rue Richard Coudenhove-Kalergi
>> L-1359 Luxembourg
>>
>> Tel: +352 424409 1
>> Fax: +352 422473
>>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473

--
Tomasz Wolniewicz

twoln AT umk.pl
http://www.umk.pl/~twoln

Uczelniane Centrum Informatyczne / Information & Communication Technology Centre
Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576
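Tomasz's objection above (a profile with "no security configured", i.e. no CA anchor and no trusted server name for the TTLS-PAP tunnel) is something an admin can check mechanically before handing a profile to users. The script below is an added example and is not part of the thread or of eduroam CAT; it parses an Apple .mobileconfig with the standard-library plist module and reports a Wi-Fi payload that pins no CA, references a CA UUID with no matching certificate payload, or restricts no server names. The key names (`EAPClientConfiguration`, `PayloadCertificateAnchorUUID`, `TLSTrustedServerNames`, `AcceptEAPTypes`, `TTLSInnerAuthentication`) are Apple's Configuration Profile keys; the two sample profiles, the UUIDs, the host name `radius.example.ac.uk` and the certificate bytes are constructed placeholders.

```python
"""Audit an Apple .mobileconfig Wi-Fi payload for missing server validation.

Added illustration, not eduroam CAT code.  Key names follow Apple's
Configuration Profile Reference; the sample profiles below are constructed,
with placeholder certificate bytes and a hypothetical RADIUS host name.
"""
import plistlib

# Payload types that can carry a CA certificate referenced as a trust anchor.
CERT_PAYLOAD_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
                      "com.apple.security.pem"}
EAP_TTLS = 21  # EAP method number for EAP-TTLS (RFC 5281)

CA_UUID = "11111111-2222-3333-4444-555555555555"     # constructed value
WIFI_UUID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # constructed value


def audit_profile(data: bytes) -> list:
    """Return one finding string per weakness in each 802.1X Wi-Fi payload."""
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    # UUIDs of certificate payloads that an anchor reference may point at
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_PAYLOAD_TYPES}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration")
        if eap is None:
            continue  # open or PSK network: no RADIUS server to validate
        ssid = p.get("SSID_STR", "?")
        weak = []
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            weak.append(f"{ssid}: no PayloadCertificateAnchorUUID, so the device has "
                        "no CA to validate the RADIUS server against")
        for a in anchors:
            if a not in cert_uuids:
                weak.append(f"{ssid}: anchor {a} matches no certificate payload in the profile")
        if not eap.get("TLSTrustedServerNames"):
            weak.append(f"{ssid}: no TLSTrustedServerNames, so any certificate issued "
                        "under the anchor is accepted regardless of its subject")
        # TTLS-PAP sends the plaintext password inside the tunnel, so a weak
        # outer check is worth calling out explicitly.
        if weak and EAP_TTLS in eap.get("AcceptEAPTypes", []) \
                and eap.get("TTLSInnerAuthentication") == "PAP":
            weak.append(f"{ssid}: TTLS-PAP carries the plaintext password inside the "
                        "TLS tunnel, so server validation is the only protection")
        findings.extend(weak)
    return findings


def build_profile(eap_config: dict, include_ca: bool) -> bytes:
    """Serialise a minimal constructed profile around one eduroam Wi-Fi payload."""
    payloads = [{
        "PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
        "PayloadIdentifier": "example.eduroam.wifi", "PayloadUUID": WIFI_UUID,
        "SSID_STR": "eduroam", "EncryptionType": "WPA",
        "EAPClientConfiguration": eap_config,
    }]
    if include_ca:
        payloads.append({
            "PayloadType": "com.apple.security.root", "PayloadVersion": 1,
            "PayloadIdentifier": "example.eduroam.ca", "PayloadUUID": CA_UUID,
            "PayloadContent": b"PLACEHOLDER-DER-BYTES-NOT-A-REAL-CERTIFICATE",
        })
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "example.eduroam",
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",
        "PayloadContent": payloads,
    })


# A profile with "no security configured": TTLS-PAP, no anchor, no server names.
UNSAFE_PROFILE = build_profile(
    {"AcceptEAPTypes": [EAP_TTLS], "TTLSInnerAuthentication": "PAP"}, include_ca=False)
# The same authentication with the CA pinned and the server name restricted.
SAFE_PROFILE = build_profile(
    {"AcceptEAPTypes": [EAP_TTLS], "TTLSInnerAuthentication": "PAP",
     "PayloadCertificateAnchorUUID": [CA_UUID],
     "TLSTrustedServerNames": ["radius.example.ac.uk"]},  # hypothetical host
    include_ca=True)

if __name__ == "__main__":
    for name, blob in (("unsafe", UNSAFE_PROFILE), ("safe", SAFE_PROFILE)):
        print(name, audit_profile(blob) or ["no findings"])
```

Run it against a real profile with `audit_profile(open("eduroam.mobileconfig", "rb").read())`. The check is structural only: it confirms that an anchor and server names are present and that the anchor points at a certificate payload, but it does not open the certificate, so Stefan's case (a server certificate uploaded where the CA chain belongs) would need an X.509 parser on top to test the basic constraints of the pinned certificate.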
