
cat-users - Re: [cat-users] IPAD download issue

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



Re: [cat-users] IPAD download issue


  • From: aaron street <aaron.street AT pirbright.ac.uk>
  • To: 'Stefan Winter' <stefan.winter AT restena.lu>
  • Cc: "'cat-users AT geant.net'" <cat-users AT geant.net>
  • Subject: Re: [cat-users] IPAD download issue
  • Date: Wed, 28 Aug 2013 14:12:59 +0000
  • Accept-language: en-GB, en-US
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hi,

 

Does this now look correct, it’s not x509 but.

 

 

Regards

 

Aaron

 

-----Original Message-----
From: Stefan Winter [mailto:stefan.winter AT restena.lu]
Sent: 28 August 2013 14:09
To: aaron street
Cc: 'cat-users AT geant.net'
Subject: Re: [cat-users] IPAD download issue

 

Hi,

 

further to this: trunk code now checks for all these conditions. If you were to execute the realm check functionality in current trunk, you'd get the attached output.

 

Thanks for talking to us about things that aren't detected properly yet - all this makes the CAT even better!

 

Note: I've marked the non-HTTP case an informational "*" UI element because we don't have confirmation that it's this particular thingy that makes the Mac Pro fail validation. If it positively is the root cause, this would better be elevated to a warning (!) UI element.

 

Greetings,

 

Stefan Winter

 

On 28.08.2013 14:18, Stefan Winter wrote:

> Hi,

>

>> It looks like it is to do with our mobile iron BYOD policy, something

>> I will have to look in to as it worked fine on a user’s ipad without

>> this on it.

>

> To understand you correctly: you suspect an issue with some policy

> enforcement software, not the CAT profile itself?

>

> Please let us know if you can confirm this; we may or may not have a

> workaround, but in any case it would be good to document this for

> others then.

>

>> Another issue I have is with a Mac Book Pro running mountain Lion,

>> the profile is a basic PEAP-MSCHAPv2 and it works fine on the IPAD.

>> But when I install it on the MacBook pro I get  an error that “the

>> identity of the authentication server could not be established”? When

>> I look in the installed certificates both the CA route and the Radius

>> server certs are showing up, so not clear why it can’t establish the trust on this device.

>

> In plain words: your certificate is a bit weird. You are using some

> extensions which can cause problems; and are omitting one which is

> standard since about a decade. Maybe the Mac Pro's OS is just that

> little bit extra picky.

>

> Two issues I found with a superficial glance at your server cert:

>

> [crlDistributionPoints] =>
>
> Full Name:
>
>   URI:ldap:///CN=AH-CA,CN=IAHIFS1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=iah,DC=ac,DC=uk?certificateRevocationList?base?objectClass=cRLDistributionPoint

>

> That is, you tell client OSes that they can verify the current

> validity status of the server cert post-authentication (good!) but the

> URL to verify is an LDAP one; the client OS is unlikely to get access

> to your LDAP server from world-wide. Some OSes may think that - since

> they were told to have a verification source, but can't access it -

> verification of the server was not possible.

>

> The second oddity is that your server cert does not carry the

> "X509 Basic Constraint: CA = FALSE" property.

>

> If this is not set, it's not clear whether the cert is supposed to be

> an intermediate CA certificate (allowed to issue certificates to

> others

> itself) or not.

>

> CA's should obviously set this to TRUE; non-CAs to FALSE. Not setting

> it at all is ambiguous.

>

> Maybe Mac OS finds that lack of clarity too exciting. You've certainly

> fooled our trunk code of CAT (to be 1.1) into thinking it is a CA cert.

>

> I'll add code to trunk to warn about any certificate in the chain

> which does not explicitly set the basicConstraints CA flag.

>

> When it comes to "what properties should a CA and/or server

> certificate contain for eduroam purposes, please read this":

>

> https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus#Howtodeployeduroamon-siteoroncampus-EAPServercertificateconsiderations

>

> Greetings,

>

> Stefan Winter

>

>> Regards
>>
>> Aaron
>>

>> *From:*Tomasz Wolniewicz [mailto:twoln AT umk.pl]

>> *Sent:* 28 August 2013 12:18

>> *To:* aaron street

>> *Cc:* 'cat-users AT geant.net'

>> *Subject:* Re: [cat-users] IPAD download issue

>> 

>> 

>> 

>> I have just tested the iOS download with both a Windows machine and

>> an iPhone and did not find anything wrong.

>> Could you please repeat the process and report if you still find the

>> problem?

>> You are using https://cat.eduroam.org , right?

>> Tomasz

>> 

>> On 2013-08-28 11:16, aaron street wrote:

>> 

>>     Dear Sir,

>> 

>>     

>> 

>>     I have an issue that when I go to download a profile using the IPAD,

>>     I get a

>> 

>>     

>> 

>>     “Cannot open page

>> 

>>     

>> 

>>     Frame Load Interrupted”

>> 

>>     

>> 

>>     Error message, I read it’s something about the format of the URL

>>     that the page is generating but is there any more you can tell me

>>     about why I get this error?

>> 

>>     

>> 

>>     Kind regards

>> 

>>     

>> 

>>     Aaron Street

>> 

>>     Network Systems Analyst

>> 

>>     The Pirbright Institute <http://www.pirbright.ac.uk/>

>> 

>>     *t  *+44 (0) 1483 231368  *ex*** 1368

>> 

>>     *email*** _aaron.street AT pirbright.ac.uk

>>     <mailto:aaron.street AT pirbright.ac.uk>_

>> 

>>     

>> 

>>     

>> 

>>     

>> 

>>    

>> ---------------------------------------------------------------------

>> ---

>> 

>> 

>>     The information contained in this message may be confidential or

>>     legally privileged and is intended solely for the addressee. If you

>>     have received this message in error please delete it & notify the

>>     originator immediately.

>>     Unauthorised use, disclosure, copying or alteration of this message

>>     is forbidden & may be unlawful.

>>     The contents of this e-mail are the views of the sender and do not

>>     necessarily represent the views of the Institute.

>>     This email and associated attachments has been checked locally for

>>     viruses but we can accept no responsibility once it has left our

>>     systems.

>>     Communications on Institute computers are monitored to secure the

>>     effective operation of the systems and for other lawful purposes.

>> 

>>     The Pirbright Institute is a company limited by guarantee,

>>     registered in England no. 559784.

>>     The Institute is also a registered charity.

>> 

>> 

>> 

>> --

>> 

>> Tomasz Wolniewicz   

>> 

>>           twoln AT umk.pl <mailto:twoln AT umk.pl>        http://www.home.umk.pl/~twoln

>> 

>> 

>> 

>> Uczelniane Centrum Informatyczne   Information&Communication Technology Centre

>> 

>> Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,

>> 

>> pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland

>> 

>> tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576

>> 

>

>

 

 

--

Stefan WINTER

Ingenieur de Recherche

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche

6, rue Richard Coudenhove-Kalergi

L-1359 Luxembourg

 

Tel: +352 424409 1

Fax: +352 422473




The information contained in this message may be confidential or legally privileged and is intended solely for the addressee. If you have received this message in error please delete it & notify the originator immediately.
Unauthorised use, disclosure, copying or alteration of this message is forbidden & may be unlawful.
The contents of this e-mail are the views of the sender and do not necessarily represent the views of the Institute.
This email and associated attachments has been checked locally for viruses but we can accept no responsibility once it has left our systems.
Communications on Institute computers are monitored to secure the effective operation of the systems and for other lawful purposes.

The Pirbright Institute is a company limited by guarantee, registered in England no. 559784.
The Institute is also a registered charity.
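
Added example, not part of the thread and not CAT's own code: a sketch of the two chain checks discussed above (a warning when basicConstraints is not set explicitly, an informational note when a certificate offers no HTTP CRL distribution point). It assumes each certificate has already been parsed into a mapping of extension name to text in the shape of the `[crlDistributionPoints] =>` dump quoted in the thread; the function names, the chain labels and the root entry are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# crlDistributionPoints text exactly as quoted in the thread (line wraps rejoined).
LDAP_CDP = ("Full Name:\n  URI:ldap:///CN=AH-CA,CN=IAHIFS1,CN=CDP,"
            "CN=Public%20Key%20Services,CN=Services,CN=Configuration,"
            "DC=iah,DC=ac,DC=uk?certificateRevocationList?base"
            "?objectClass=cRLDistributionPoint\n")

# Constructed chain, server certificate first. The server entry mirrors the two
# findings from the thread; the root entry and its label are made up.
CHAIN = [
    ("server", {"crlDistributionPoints": LDAP_CDP}),
    ("root CA", {"basicConstraints": "CA:TRUE"}),
]

def cdp_uris(text):
    """Return every URI listed in a crlDistributionPoints text value."""
    return re.findall(r"URI:(\S+)", text or "")

def check_cert(label, ext, is_server):
    """Return (level, label, message) findings; '!' = warning, '*' = informational."""
    findings = []
    bc = ext.get("basicConstraints")
    if bc is None:
        findings.append(("!", label, "basicConstraints not set: CA status is ambiguous"))
    else:
        is_ca = re.search(r"\bCA:TRUE\b", bc, re.I) is not None
        if is_ca == is_server:
            want = "CA:FALSE" if is_server else "CA:TRUE"
            findings.append(("!", label, f"basicConstraints should be {want}"))
    uris = cdp_uris(ext.get("crlDistributionPoints"))
    schemes = sorted({urlsplit(u).scheme for u in uris})
    # Assumption: https counts as reachable over HTTP; anything else does not.
    if uris and not {"http", "https"} & set(schemes):
        findings.append(("*", label, f"no HTTP CRL URI, only: {', '.join(schemes)}"))
    return findings

def check_chain(chain):
    """Check each (label, extensions) pair; index 0 is the server certificate."""
    findings = []
    for i, (label, ext) in enumerate(chain):
        findings += check_cert(label, ext, is_server=(i == 0))
    return findings

if __name__ == "__main__":
    for level, label, message in check_chain(CHAIN):
        print(f"({level}) {label}: {message}")
```

A certificate that lists both an LDAP and an HTTP distribution point produces no CRL finding, since a client outside the campus network still has a reachable source.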



