- From: aaron street <aaron.street AT pirbright.ac.uk>
- To: 'Stefan Winter' <stefan.winter AT restena.lu>
- Cc: "'cat-users AT geant.net'" <cat-users AT geant.net>
- Subject: Re: [cat-users] IPAD download issue
- Date: Wed, 28 Aug 2013 14:01:41 +0000
- Accept-language: en-GB, en-US
- List-archive: <https://mail.geant.net/mailman/private/cat-users/>
- List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
Hi,
Thank you for your response. I am having issues getting Windows CA to provide
a cert that has the basic constraint enabled. I think we might need to look
deeper into how our certificate server infrastructure is set up.
Thank you for the pointers on what we need to look into.
Kind regards
Aaron
-----Original Message-----
From: Stefan Winter [mailto:stefan.winter AT restena.lu]
Sent: 28 August 2013 14:09
To: aaron street
Cc: 'cat-users AT geant.net'
Subject: Re: [cat-users] IPAD download issue
Hi,
Further to this: trunk code now checks for all these conditions. If you were
to execute the realm check functionality in current trunk, you'd get the
attached output.
Thanks for talking to us about things that aren't detected properly yet
- all this makes the CAT even better!
Note: I've marked the non-HTTP case an informational "*" UI element because
we don't have confirmation that it's this particular thingy that makes the
Mac Pro fail validation. If it positively is the root cause, this would
better be elevated to a warning (!) UI element.
Greetings,
Stefan Winter
On 28.08.2013 14:18, Stefan Winter wrote:
> Hi,
>
>> It looks like it is to do with our mobile iron BYOD policy, something
>> I will have to look in to as it worked fine on a user's ipad without
>> this on it.
>
> To understand you correctly: you suspect an issue with some policy
> enforcement software, not the CAT profile itself?
>
> Please let us know if you can confirm this; we may or may not have a
> workaround, but in any case it would be good to document this for
> others then.
>
>> Another issue I have is with a MacBook Pro running Mountain Lion;
>> the profile is a basic PEAP-MSCHAPv2 and it works fine on the iPad.
>> But when I install it on the MacBook Pro I get an error that "the
>> identity of the authentication server could not be established". When
>> I look in the installed certificates both the CA root and the RADIUS
>> server certs are showing up, so it's not clear why it can't establish the trust
>> on this device.
>
> In plain words: your certificate is a bit weird. You are using some
> extensions which can cause problems, and are omitting one which has been
> standard for about a decade. Maybe the Mac Pro's OS is just that
> little bit extra picky.
>
> Two issues I found with a superficial glance at your server cert:
>
> [crlDistributionPoints] =>
> Full Name:
>
> URI:ldap:///CN=AH-CA,CN=IAHIFS1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=iah,DC=ac,DC=uk?certificateRevocationList?base?objectClass=cRLDistributionPoint
>
> That is, you tell client OSes that they can verify the current
> validity status of the server cert post-authentication (good!) but the
> URL to verify is an LDAP one; the client OS is unlikely to get access
> to your LDAP server from world-wide. Some OSes may think that - since
> they were told to have a verification source, but can't access it -
> verification of the server was not possible.
>
> The second oddity is that your server cert does not carry the
> "X509 Basic Constraint: CA = FALSE" property.
>
> If this is not set, it's not clear whether the cert is supposed to be
> an intermediate CA certificate (allowed to issue certificates to
> others itself) or not.
>
> CAs should obviously set this to TRUE; non-CAs to FALSE. Not setting
> it at all is ambiguous.
>
> Maybe Mac OS finds that lack of clarity too exciting. You've certainly
> fooled our trunk code of CAT (to be 1.1) into thinking it is a CA cert.
>
> I'll add code to trunk to warn about any certificate in the chain
> which does not explicitly set the basicConstraints CA flag.
>
> When it comes to "what properties should a CA and/or server
> certificate contain for eduroam purposes, please read this":
>
> https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus#Howtodeployeduroamon-siteoroncampus-EAPServercertificateconsiderations
>
> Greetings,
>
> Stefan Winter
>
>>
>> Regards
>>
>> Aaron
>>
>> *From:* Tomasz Wolniewicz [mailto:twoln AT umk.pl]
>> *Sent:* 28 August 2013 12:18
>> *To:* aaron street
>> *Cc:* 'cat-users AT geant.net'
>> *Subject:* Re: [cat-users] IPAD download issue
>>
>> I have just tested the iOS download with both a Windows machine and
>> an iPhone and did not find anything wrong.
>> Could you please repeat the process and report if you still find the
>> problem?
>> You are using https://cat.eduroam.org , right?
>> Tomasz
>>
>> On 2013-08-28 11:16, aaron street wrote:
>>
>> Dear Sir,
>>
>> I have an issue that when I go to download a profile using the IPAD,
>> I get a
>>
>> "Cannot open page
>> Frame Load Interrupted"
>>
>> error message. I read it's something about the format of the URL
>> that the page is generating, but is there any more you can tell me
>> about why I get this error?
>>
>> Kind regards
>>
>> Aaron Street
>> Network Systems Analyst
>> The Pirbright Institute <http://www.pirbright.ac.uk/>
>> t +44 (0) 1483 231368 ex 1368
>> email aaron.street AT pirbright.ac.uk <mailto:aaron.street AT pirbright.ac.uk>
>>
>> ------------------------------------------------------------------------
>>
>> The information contained in this message may be confidential or
>> legally privileged and is intended solely for the addressee. If you
>> have received this message in error please delete it & notify the
>> originator immediately.
>> Unauthorised use, disclosure, copying or alteration of this message
>> is forbidden & may be unlawful.
>> The contents of this e-mail are the views of the sender and do not
>> necessarily represent the views of the Institute.
>> This email and associated attachments has been checked locally for
>> viruses but we can accept no responsibility once it has left our
>> systems.
>> Communications on Institute computers are monitored to secure the
>> effective operation of the systems and for other lawful purposes.
>>
>> The Pirbright Institute is a company limited by guarantee,
>> registered in England no. 559784.
>> The Institute is also a registered charity.
>>
>> --
>> Tomasz Wolniewicz
>> twoln AT umk.pl <mailto:twoln AT umk.pl>
>> http://www.home.umk.pl/~twoln
>> Uczelniane Centrum Informatyczne / Information & Communication Technology Centre
>> Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University,
>> pl. Rapackiego 1, Torun, Poland
>> tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576
>>
>
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la
Recherche 6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
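The two certificate findings in Stefan's reply (no explicit basicConstraints CA flag on the server cert, and a CRL distribution point that is only an LDAP URI), turned into a small POSIX shell lint. This is an added example, not CAT's own realm-check code; it assumes the openssl CLI (1.1.1 or newer) is on PATH, and the radius.example.org / crl.example.org names and the LDAP pointer in the demo config are constructed data.

```shell
# Added example (not CAT code): lint an EAP server certificate for the two
# findings from the thread. Assumes the openssl CLI (1.1.1+) is on PATH.

# Print findings for a PEM certificate; return 0 if clean, 1 if any finding.
check_eap_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    rc=0
    # Finding 1: basicConstraints must be present and explicitly CA:FALSE.
    ca=$(printf '%s\n' "$text" | awk '/Basic Constraints/ { getline; print $1; exit }')
    case "$ca" in
        CA:FALSE*) ;;
        CA:TRUE*)  echo "WARN: basicConstraints says CA:TRUE on a server cert"; rc=1 ;;
        *)         echo "WARN: no basicConstraints extension; CA status is ambiguous"; rc=1 ;;
    esac
    # Finding 2: every CRL distribution point should be an HTTP(S) URI; a
    # roaming client cannot reach an internal LDAP server to fetch the CRL.
    for uri in $(printf '%s\n' "$text" | awk '
        /CRL Distribution Points/ { f = 1; next }
        f && /^ *(X509v3|Authority|Netscape|Signature|[0-9.]+:)/ { f = 0 }
        f && sub(/.*URI:/, "")'); do
        case "$uri" in
            http://*|https://*) ;;
            *) echo "INFO: CRL DP '$uri' is not reachable over HTTP(S)"; rc=1 ;;
        esac
    done
    return $rc
}

# Build a throwaway self-signed cert from one of two extension sections (demo
# data). "ambiguous" mimics the thread's cert: no basicConstraints, LDAP-only
# CRL pointer (OpenSSL 3.x may fill in CA:TRUE itself, which is flagged too).
# "recommended" is what an EAP server certificate should carry.
make_demo_cert() {  # $1 = section name, $2 = output PEM path
    tmp=$(mktemp -d)
    cat >"$tmp/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = radius.example.org
[ambiguous]
crlDistributionPoints = URI:ldap:///CN=Example-CA?certificateRevocationList?base
[recommended]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:http://crl.example.org/ca.crl
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$tmp/req.cnf" \
        -extensions "$1" -keyout "$tmp/key.pem" -out "$2" 2>/dev/null
    rc=$?; rm -rf "$tmp"; return $rc
}
```

Run `make_demo_cert ambiguous a.pem; check_eap_server_cert a.pem` to see both findings, and the same with `recommended` for a clean pass.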