
cat-users - Re: [cat-users] iphone problem

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [cat-users] iphone problem


  • From: "Angel, Judy" <admyet4 AT herts.ac.uk>
  • To: Tomasz Wolniewicz <twoln AT umk.pl>, Stefan Winter <stefan.winter AT restena.lu>
  • Cc: "cat-users AT geant.net" <cat-users AT geant.net>, Mailcon2 <e.4.test AT herts.ac.uk>
  • Subject: Re: [cat-users] iphone problem
  • Date: Mon, 17 Jun 2013 17:09:58 +0100
  • Accept-language: en-US, en-GB
  • Acceptlanguage: en-US, en-GB
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Problem resolved once the RADIUS server certificate was the Terena
certificate, matching the one uploaded to CAT, which was generated on a
Solaris box, by default now SHA-1.
Thank you very much for all your assistance. The tool is going to make the
eduroam world a better place and will enable rollout to the whole campus.
Much appreciated.

Judy

-----Original Message-----
From: Tomasz Wolniewicz [mailto:twoln AT umk.pl]
Sent: 17 June 2013 08:12
To: Stefan Winter
Cc: Mailcon2; cat-users AT geant.net; Mailcon2
Subject: Re: [cat-users] iphone problem

Hi Stefan,
there seem to be a number of inconsistencies in all this.
The CAT profile used to contain the TCS certificate for the server.
However, as you have properly spotted, the actual server uses a certificate
from the local CA, which, to make things worse, is MD5.

Therefore, the CAT profile cannot work since it has different settings than
the actual server setup.
There are two ways to fix things. One is to put the TCS certificate on the
RADIUS server and keep the current CAT profile (we do not recommend using TCS
certificates since in order to have proper security a user device has to
additionally check the server name and some devices just do not support
that). The second solution is to reissue the certificate for your server from
your local CA, this time with SHA and then put your CA algorithm in the CAT
profile.

Tomasz


On 2013-06-17 08:13, Stefan Winter wrote:
> Judy,
>
>> I have attached the config that is working on the iphone, hope this helps.
> I see where the problem is... and it's not CAT related :-)
>
> I've just run an in-depth diagnostics on your RADIUS server (you'll
> see a few failed authentications from
> "test AT herts.ac.uk"
> in your logs).
>
> Your server certificate is signed with the MD5 signature algorithm:
>
> Certificate:
> Data:
> Version: 1 (0x0)
> Serial Number: 1 (0x1)
> Signature Algorithm: md5WithRSAEncryption
> Issuer: C=GB, ST=Hertfordshire, L=Hatfield,
> O=University of Hertfordshire,
> CN=University of Hertfordshire Radius Service
> Validity
> Not Before: Apr 4 14:59:47 2011 GMT
> Not After : Apr 3 14:59:47 2014 GMT
> Subject: C=GB, ST=Hertfordshire, L=Hatfield,
> O=University of Hertfordshire,
> CN=radius.herts.ac.uk
>
> iOS since version 6 refuses to accept such server certificates, no
> matter whether the CA chain is in order or not. This is part of
> Apple's crusade to get rid of known-broken signature algorithms.
>
> Depending on who you ask, their crusade is either a good thing or a bad
> thing - but it is reality :-)
>
> So, you should really not sign your server certificate with MD5. Other
> OSes are going a similar way but with different subtleties (e.g.
> Windows stopped accepting certificates with a key length of <1024
> bits, no matter the sig algorithm).
>
> I'm a bit lost why your certs (also the server cert) still use MD5,
> given they were created in 2011 when the demise of MD5 was a wide-open
> secret already.
>
> I'm using SHA-512 for my latest CA and certs, which seems to have very
> wide-spread support among client devices. If you have legacy devices
> to work with and are unsure if they can do SHA-512, then SHA-1 is your
> best bet as a signature algorithm.
>
> BTW, since we already had a couple of such cases, I'm planning on
> adding detection for MD5 cert sig algorithm for 1.1 as well; that way,
> no human intervention would be needed to uncover this situation. It's
> a bit of code to write though...
>
> As a second BTW: we've recently discovered that supporting Windows
> Phone
> 8 requires more from your server certificate: it needs to have the
> extension "CRL Distribution Point" (CDP) set; otherwise the cert will
> always fail to validate (the cleverness level of this new requirement
> is arguable). Since many operating systems will actually check if
> there is actually a CRL at the URL given in CDP, you should then also
> make sure that the CRL exists at that spot. - Or you decide not to
> care about the peculiarities of Windows Phone 8 and declare it
> unsupported for your users :-)
>
> Greetings,
>
> Stefan Winter
>
>> Judy
>> -----Original Message-----
>> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
>> Sent: 14 June 2013 15:07
>> To: Mailcon2
>> Cc: cat-users AT geant.net; Mailcon2
>> Subject: Re: [cat-users] iphone problem
>>
>> Hi,
>>
>>> I have uploaded a Terena certificate, but not a chain.
>> Further to this, I've now added code into trunk (i.e. a 1.1 version coming
>> up later) which will visualise that it's a bad idea to upload a server
>> cert at all, see attached screenshot.
>>
>> Maybe that's not the best solution... instead uploading a server cert
>> could outright be rejected in the first place; I guess this needs to be
>> thought through a bit more thoroughly.
>>
>> Stefan
>>
>> I will try that later.
>>
>>> I did notice that the code is identical for the different Apple devices
>>> but on my site Lion works and iPhone/iPad do not. The iPad download
>>> web page looks like all the others but the iPhone one looks very
>>> different, which seems to suggest that there is a difference somewhere.
>>> We have a profile that works on an iphone I will get hold of it and send
>>> to the list.
>>>
>>> Thanks
>>>
>>> Judy
>>>
>>>
>>> -----Original Message-----
>>> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
>>> Sent: 14 June 2013 12:47
>>> To: cat-users AT geant.net; Mailcon2
>>> Subject: Re: [cat-users] iphone problem
>>>
>>> Hi,
>>>
>>>> I have taken a look at the actual profile. It has an error. Instead
>>>> of the certificate chain for the CAs it just contains the server
>>>> certificate (TCS one). This is not correct.
>>>>
>>>> Please supply the whole TCS certificate chain as either one PEM
>>>> file containing all, or several files with separate certificates
>>>> and please try again then.
>>> You are right with that; but I don't think it is the root cause of the
>>> problem. Judy mentioned in her first mail that she initially had a
>>> self-signed cert; which is its own CA root certificate and is a complete
>>> chain in itself.
>>>
>>>> With TTLS-PAP, the newest IOS does not ask the user to provide
>>>> credentials at install time, only at first connection time. This is
>>>> different from PEAP.
>>> I understood the problem to be that on this first connection, the
>>> "unknown cert" warning comes up, and it is *not possible* to proceed
>>> with the connection. (?)
>>>
>>> Still, if she was able to upload a *server* cert instead of a CA cert,
>>> and wasn't told by the UI that this is wrong, then this is something we
>>> have to tackle in CAT. That warning needs to make it to the admin's eye.
>>>
>>> Greetings,
>>>
>>> Stefan
>>>
>>>> Tomasz
>>>>
>>>>
>>>>
>>>> On 14.06.2013 13:04, Stefan Winter wrote:
>>>>> Hi,
>>>>>
>>>>>> We use PAP-TTLS as we authenticate against a unix password file.
>>>>>> Unfortunately PEAP did not work.
>>>>>> iPad and iPhone do not work and the vast majority of students have
>>>>>> these devices.
>>>>> Looking at the thread, I see that you reported OS X Lion+ to work
>>>>> without problems.
>>>>>
>>>>> That's "funny" because the OS X Lion download and iOS download are
>>>>> the identical file; they only have two different buttons on the
>>>>> download interface because people are looking for device classes
>>>>> usually, and a button with an abstract notion of "anything Apple"
>>>>> looked less intuitive than mentioning the exact device class.
>>>>>
>>>>> So if the OS X Lion+ installer works, I'm reasonably confident
>>>>> that the profile as generated by CAT is in good working order.
>>>>>
>>>>> Since Scott mentioned that their CloudPath installer has the same
>>>>> issue, I'm really tempted to think that this is an iOS bug - in
>>>>> that it can't do TTLS-PAP properly - much more than an eduroam CAT
>>>>> problem.
>>>>>
>>>>> Since you can't move away from TTLS-PAP, I'm sort of lost in
>>>>> things to suggest. There is one thing maybe: you could try to
>>>>> generate an iOS profile "by hand"; i.e. download Apple's "iPhone
>>>>> Configuration Utility", click together the settings as they apply
>>>>> to your IdP and see if the resulting profile works better with the iOS
>>>>> devices.
>>>>>
>>>>> I'm guessing it won't, and then it's clearly an iOS bug. If it
>>>>> does work better however, please send the profile over to me so I
>>>>> can inspect it for differences to what CAT generates.
>>>>>
>>>>> Greetings,
>>>>>
>>>>> Stefan Winter
>>>>>
>>>>>> Regards
>>>>>> Judy Angel
>>>>>>
>>>>>>
>>>>>> Sent from my iPad
>>>>>>
>>>>>> On 13 Jun 2013, at 08:56 PM, Scott Armitage <S.P.Armitage AT lboro.ac.uk> wrote:
>>>>>>
>>>>>>> On 13 Jun 2013, at 15:46, "Angel, Judy" <admyet4 AT herts.ac.uk> wrote:
>>>>>>>
>>>>>>>> Hi
>>>>>>>> I am new to this system and think it is great. Thank you very much
>>>>>>>> for developing such a useful tool.
>>>>>>>> I have tested the download for W7, XP, Lion, Linux and all
>>>>>>>> work fine. However the iPhone app does not look as nice as the
>>>>>>>> others and, more to the point, does not work for me. It goes through
>>>>>>>> the install screen, I enter username and password but there is no
>>>>>>>> connection.
>>>>>>>> I originally had a self-certified certificate. I have now
>>>>>>>> installed the Janet Terena one which I can see as verified in the
>>>>>>>> iPhone > General > Profile. But when I select the SSID eduroam the
>>>>>>>> certificate page with the gears is on the left, not verified in red
>>>>>>>> in the middle of the screen, accept on the right hand side but it is
>>>>>>>> not an active button, so cannot be selected.
>>>>>>>> Have you come across such a problem? Any suggestions please.
>>>>>>> I think the problem is TTLS. I noticed the same problem with our
>>>>>>> cloudpath profiles if the authentication type was set to EAP-TTLS. I
>>>>>>> therefore had to switch to PEAP.
>>>>>>> From memory this was discussed a while ago on another mailing list
>>>>>>> (but I can't remember).
>>>>>>>
>>>>>>> Try a PEAP configuration and see if you have the same problem.
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Scott Armitage
>>>
>>> --
>>> Stefan WINTER
>>> Ingenieur de Recherche
>>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale
>>> et de la Recherche 6, rue Richard Coudenhove-Kalergi
>>> L-1359 Luxembourg
>>>
>>> Tel: +352 424409 1
>>> Fax: +352 422473
>>>
>>
>> --
>> Stefan WINTER
>> Ingenieur de Recherche
>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale
>> et de la Recherche 6, rue Richard Coudenhove-Kalergi
>> L-1359 Luxembourg
>>
>> Tel: +352 424409 1
>> Fax: +352 422473
>>
>

--
Tomasz Wolniewicz

twoln AT umk.pl
http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne / Information & Communication Technology Centre
Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576
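Stefan's diagnosis in the thread (an MD5-signed server certificate that iOS 6+ refuses regardless of the CA chain, Windows refusing keys shorter than 1024 bits, Windows Phone 8 requiring a CRL Distribution Point extension) and his plan to have CAT flag the MD5 case automatically add up to a checklist that an admin can run over the RADIUS server certificate before uploading anything to CAT. The script below is an added example written for this archive page; it is not code from the thread or from the eduroam CAT project. It walks the DER structure with a minimal stdlib parser (enough for RSA certificates, not a general X.509 validator), reports the signature algorithm, the RSA key size and any CRL URIs, and lists the problems the thread names. The two sample certificates it builds are constructed with dummy key material and a placeholder signature; the `example.org` names in them are placeholders, not the thread's hosts.

```python
"""Lint a DER-encoded X.509 certificate for the client-compatibility problems raised
in this thread: MD5 (or SHA-1) signature algorithm, RSA key shorter than 1024 bits,
missing CRL Distribution Points.  Stdlib only; the sample certificates at the bottom
are constructed here (dummy modulus, placeholder signature), not real ones."""

# ---- minimal DER reader (enough for RSA certificates) ----------------------

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out

def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}
OID_RSA, OID_CN, OID_CDP = "1.2.840.113549.1.1.1", "2.5.4.3", "2.5.29.31"

def find_uris(buf):
    """Collect GeneralName uniformResourceIdentifier ([6] IA5String) values recursively."""
    uris = []
    for tag, value in children(buf):
        if tag == 0x86:
            uris.append(value.decode("ascii"))
        elif tag & 0x20:                     # constructed element: descend into it
            uris.extend(find_uris(value))
    return uris

def lint_certificate(der):
    """Return signature algorithm, RSA key size, CDP URIs and the list of problems found."""
    _, cert, _ = read_tlv(der)
    tbs, sig_alg, _sig = children(cert)
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                 # explicit [0] version; absent on v1 certs
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, subjectPublicKeyInfo, [3] extensions
    sig_name = SIG_ALGS.get(decode_oid(children(sig_alg[1])[0][1]), "unknown")
    _spki_alg, spki_key = children(fields[5][1])
    rsa_key = children(spki_key[1][1:])[0][1]       # skip the BIT STRING unused-bits octet
    key_bits = int.from_bytes(children(rsa_key)[0][1], "big").bit_length()
    uris = []
    for tag, value in fields[6:]:
        if tag != 0xA3:
            continue
        for _, ext in children(children(value)[0][1]):
            parts = children(ext)                # OID, optional critical BOOLEAN, OCTET STRING
            if decode_oid(parts[0][1]) == OID_CDP:
                uris = find_uris(parts[-1][1])
    problems = []
    if sig_name == "md5WithRSAEncryption":
        problems.append("MD5 signature: iOS 6+ rejects it no matter whether the CA chain is in order")
    elif sig_name == "sha1WithRSAEncryption":
        problems.append("SHA-1 signature: only justified if legacy clients cannot do SHA-2")
    if key_bits < 1024:
        problems.append(f"{key_bits}-bit RSA key: Windows rejects keys shorter than 1024 bits")
    if not uris:
        problems.append("no CRL Distribution Points extension: Windows Phone 8 will not validate it")
    return {"signature_algorithm": sig_name, "rsa_key_bits": key_bits,
            "crl_distribution_points": uris, "problems": problems}

# ---- minimal DER writer, used only to build the constructed sample certs ----

def tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return tlv(0x06, body)

def name(cn):
    return tlv(0x30, tlv(0x31, tlv(0x30, encode_oid(OID_CN) + tlv(0x0C, cn.encode()))))

def sample_certificate(sig_oid, key_bits, cdp_uri=None):
    """Constructed sample: valid DER layout, dummy modulus, placeholder signature bytes."""
    modulus = (1 << (key_bits - 1)) | 0x10001        # top bit set so bit_length() == key_bits
    rsa_key = tlv(0x30, tlv(0x02, b"\x00" + modulus.to_bytes(key_bits // 8, "big"))
                  + tlv(0x02, b"\x01\x00\x01"))
    alg = tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")
    spki = tlv(0x30, tlv(0x30, encode_oid(OID_RSA) + b"\x05\x00") + tlv(0x03, b"\x00" + rsa_key))
    validity = tlv(0x30, tlv(0x17, b"110404145947Z") + tlv(0x17, b"140403145947Z"))
    tbs = (tlv(0x02, b"\x01") + alg + name("Constructed Test CA") + validity
           + name("radius.example.org") + spki)
    if cdp_uri is not None:                          # v3 with a CRL Distribution Points extension
        cdp = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, cdp_uri.encode())))))
        ext = tlv(0x30, encode_oid(OID_CDP) + tlv(0x04, cdp))
        tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tbs + tlv(0xA3, tlv(0x30, ext))
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00" * 17))

LEGACY_CERT = sample_certificate("1.2.840.113549.1.1.4", 1024)     # v1, MD5, no extensions
MODERN_CERT = sample_certificate("1.2.840.113549.1.1.11", 2048,
                                 "http://crl.example.org/radius.crl")

if __name__ == "__main__":
    for label, der in (("legacy", LEGACY_CERT), ("modern", MODERN_CERT)):
        print(label, lint_certificate(der))
```

To check a real server certificate, pass its DER bytes to `lint_certificate` (a PEM file can be converted with `openssl x509 -inform pem -outform der`). The script deliberately does not fetch anything: when it reports a CRL URI, the follow-up Stefan describes still applies, namely confirming that a CRL is actually served at that URL, since several operating systems check it.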
