cat-users - Re: [cat-users] IPAD download issue

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [cat-users] IPAD download issue


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: aaron street <aaron.street AT pirbright.ac.uk>
  • Cc: "'cat-users AT geant.net'" <cat-users AT geant.net>
  • Subject: Re: [cat-users] IPAD download issue
  • Date: Wed, 28 Aug 2013 14:18:00 +0200
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hi,

> It looks like it is to do with our mobile iron BYOD policy, something I
> will have to look in to as it worked fine on a user’s ipad without this
> on it.

To understand you correctly: you suspect an issue with some policy
enforcement software, not the CAT profile itself?

Please let us know if you can confirm this; we may or may not have a
workaround, but in any case it would be good to document this for others
then.

> Another issue I have is with a Mac Book Pro running mountain Lion, the
> profile is a basic PEAP-MSCHAPv2 and it works fine on the IPAD. But when
> I install it on the MacBook pro I get an error that “the identity of
> the authentication server could not be established”? When I look in the
> installed certificates both the CA root and the Radius server certs are
> showing up, so not clear why it can’t establish the trust on this device.

In plain words: your certificate is a bit weird. You are using some
extensions which can cause problems; and are omitting one which has been
standard for about a decade. Maybe the Mac Pro's OS is just that
little bit extra picky.

Two issues I found with a superficial glance at your server cert:

[crlDistributionPoints] =>
Full Name:

URI:ldap:///CN=AH-CA,CN=IAHIFS1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=iah,DC=ac,DC=uk?certificateRevocationList?base?objectClass=cRLDistributionPoint

That is, you tell client OSes that they can verify the current validity
status of the server cert post-authentication (good!) but the URL to
verify is an LDAP one; the client OS is unlikely to get access to your
LDAP server from world-wide. Some OSes may think that - since they were
told to have a verification source, but can't access it - verification
of the server was not possible.

The second oddity is that your server cert does not carry the
"X509 Basic Constraint: CA = FALSE" property.

If this is not set, it's not clear whether the cert is supposed to be an
intermediate CA certificate (allowed to issue certificates to others
itself) or not.

CAs should obviously set this to TRUE; non-CAs to FALSE. Not setting it
at all is ambiguous.

Maybe Mac OS finds that lack of clarity too exciting. You've certainly
fooled our trunk code of CAT (to be 1.1) into thinking it is a CA cert.

I'll add code to trunk to warn about any certificate in the chain which
does not explicitly set the basicConstraints CA flag.

When it comes to "what properties should a CA and/or server certificate
contain for eduroam purposes, please read this":

https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus#Howtodeployeduroamon-siteoroncampus-EAPServercertificateconsiderations

Greetings,

Stefan Winter

> Regards
>
> Aaron
>
> From: Tomasz Wolniewicz [mailto:twoln AT umk.pl]
> Sent: 28 August 2013 12:18
> To: aaron street
> Cc: 'cat-users AT geant.net'
> Subject: Re: [cat-users] IPAD download issue
>
> I have just tested the iOS download with both a Windows machine and an
> iPhone and did not find anything wrong.
> Could you please repeat the process and report if you still find the
> problem?
> You are using https://cat.eduroam.org , right?
> Tomasz
>
> On 2013-08-28 11:16, aaron street wrote:
>
> Dear Sir,
>
> I have an issue that when I go to download a profile using the IPAD,
> I get a
>
> “Cannot open page
>
> Frame Load Interrupted”
>
> Error message, I read it’s something about the format of the URL
> that the page is generating but is there any more you can tell me
> about why I get this error?
>
> Kind regards
>
> Aaron Street
>
> Network Systems Analyst
>
> The Pirbright Institute <http://www.pirbright.ac.uk/>
>
> t +44 (0) 1483 231368 ex 1368
>
> email aaron.street AT pirbright.ac.uk <mailto:aaron.street AT pirbright.ac.uk>
>
> ------------------------------------------------------------------------
>
> The information contained in this message may be confidential or
> legally privileged and is intended solely for the addressee. If you
> have received this message in error please delete it & notify the
> originator immediately.
> Unauthorised use, disclosure, copying or alteration of this message
> is forbidden & may be unlawful.
> The contents of this e-mail are the views of the sender and do not
> necessarily represent the views of the Institute.
> This email and associated attachments has been checked locally for
> viruses but we can accept no responsibility once it has left our
> systems.
> Communications on Institute computers are monitored to secure the
> effective operation of the systems and for other lawful purposes.
>
> The Pirbright Institute is a company limited by guarantee,
> registered in England no. 559784.
> The Institute is also a registered charity.
>
> --
>
> Tomasz Wolniewicz
> twoln AT umk.pl <mailto:twoln AT umk.pl>
> http://www.home.umk.pl/~twoln
>
> Uczelniane Centrum Informatyczne / Information & Communication Technology Centre
> Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University
> pl. Rapackiego 1, Torun, Poland
>
> tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

Attachment: signature.asc
Description: OpenPGP digital signature
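The two certificate findings in the message above (a CRL distribution point that is an ldap:/// URL a roaming client cannot reach, and a server certificate with no basicConstraints extension, so its CA flag is ambiguous) can be checked mechanically. The following is an added example, not CAT's code and not the trunk check Stefan mentions; it uses only Go's standard crypto/x509 package. Every certificate it inspects is generated inside the program, and the names in them ("Example Campus CA", radius.example.ac.uk, the ldap:/// and http:// CRL URLs) are constructed placeholders modelled on the quoted dump, not real values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// LintChain applies the two checks from the mail to each certificate in the
// chain (server cert first, then issuers): basicConstraints must be present so
// the CA flag is explicit, and each CRL distribution point must be an http(s)
// URL, since a roaming client cannot reach an institution-internal ldap:/// URL.
func LintChain(chain []*x509.Certificate) []string {
	var findings []string
	for _, c := range chain {
		cn := c.Subject.CommonName
		// Go sets BasicConstraintsValid only if the extension was present.
		if !c.BasicConstraintsValid {
			findings = append(findings, cn+": basicConstraints missing; CA flag is ambiguous")
		}
		for _, dp := range c.CRLDistributionPoints {
			s := strings.ToLower(dp)
			if !strings.HasPrefix(s, "http://") && !strings.HasPrefix(s, "https://") {
				findings = append(findings, fmt.Sprintf("%s: CRL distribution point %q is not an http(s) URL", cn, dp))
			}
		}
	}
	return findings
}

// sign issues tmpl for pub under parent (self-signed when parent == tmpl) and returns it re-parsed, as a client sees it.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildSampleChains generates a throw-away CA and two RADIUS server certs (all
// constructed here, none real): "bad" is shaped like the certificate criticised
// in the mail, "good" follows its advice.
func BuildSampleChains() (bad, good []*x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Campus CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true, IsCA: true,
	}
	ca, err := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	srv := x509.Certificate{ // fields shared by both server variants
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "radius.example.ac.uk"},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	badTmpl := srv // BasicConstraintsValid left false: the extension is omitted entirely
	badTmpl.CRLDistributionPoints = []string{"ldap:///CN=Example%20CA,CN=CDP,DC=example,DC=ac,DC=uk?certificateRevocationList?base?objectClass=cRLDistributionPoint"}
	badCert, err := sign(&badTmpl, ca, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	goodTmpl := srv
	goodTmpl.SerialNumber = big.NewInt(3)
	goodTmpl.BasicConstraintsValid = true // emits basicConstraints with CA=FALSE
	goodTmpl.CRLDistributionPoints = []string{"http://crl.example.ac.uk/campus-ca.crl"}
	goodCert, err := sign(&goodTmpl, ca, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return []*x509.Certificate{badCert, ca}, []*x509.Certificate{goodCert, ca}, nil
}

func main() {
	bad, good, err := BuildSampleChains()
	if err != nil {
		panic(err)
	}
	fmt.Println("bad chain:", LintChain(bad))   // two findings, both on the server cert
	fmt.Println("good chain:", LintChain(good)) // none
}
```

To run the same lint against a real deployment, replace BuildSampleChains with the certificates from your own EAP server (for instance parsed from PEM files with encoding/pem and x509.ParseCertificate) and pass them to LintChain in server-first order; the CA certificate itself must also carry basicConstraints, which is why the check runs over the whole chain rather than the leaf alone.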
