
cat-users - Re: [cat-users] IPAD download issue

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



Re: [cat-users] IPAD download issue


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: aaron street <aaron.street AT pirbright.ac.uk>
  • Cc: "'cat-users AT geant.net'" <cat-users AT geant.net>
  • Subject: Re: [cat-users] IPAD download issue
  • Date: Wed, 28 Aug 2013 16:30:27 +0200
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hi,

> Thank you for the help with this, good to see it working as expected
> now. I am off to implementing eduroam training tomorrow, so hopefully
> that will answer the last few questions I have.

Before you're off :-)

So that was a MacBook Pro with OS X Mountain Lion, and it refused to
trust the cert when BasicConstraints:CA=FALSE was NOT set?

Having a confirmation of this would be very valuable... we'll update the
"EAP server cert Considerations" section then; and the warning message
in CAT will specifically mention that OS X has this compatibility
requirement.

Greetings,

Stefan Winter

>
> Aaron
>
> *From:* aaron street
> *Sent:* 28 August 2013 15:13
> *To:* 'Stefan Winter'
> *Cc:* 'cat-users AT geant.net'
> *Subject:* RE: [cat-users] IPAD download issue
>
> Hi,
>
> Does this now look correct? It's not x509 but.
>
> Regards
>
> Aaron
>
> -----Original Message-----
> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
> Sent: 28 August 2013 14:09
> To: aaron street
> Cc: 'cat-users AT geant.net'
> Subject: Re: [cat-users] IPAD download issue
>
> Hi,
>
> further to this: trunk code now checks for all these conditions. If you
> were to execute the realm check functionality in current trunk, you'd
> get the attached output.
>
> Thanks for talking to us about things that aren't detected properly yet
> - all this makes the CAT even better!
>
> Note: I've marked the non-HTTP case an informational "*" UI element
> because we don't have confirmation that it's this particular thingy that
> makes the Mac Pro fail validation. If it positively is the root cause,
> this would better be elevated to a warning (!) UI element.
>
> Greetings,
>
> Stefan Winter
>
> On 28.08.2013 14:18, Stefan Winter wrote:
>
>> Hi,
>>
>>> It looks like it is to do with our MobileIron BYOD policy, something
>>> I will have to look into as it worked fine on a user's iPad without
>>> this on it.
>>
>> To understand you correctly: you suspect an issue with some policy
>> enforcement software, not the CAT profile itself?
>>
>> Please let us know if you can confirm this; we may or may not have a
>> workaround, but in any case it would be good to document this for
>> others then.
>>
>>> Another issue I have is with a MacBook Pro running Mountain Lion;
>>> the profile is a basic PEAP-MSCHAPv2 and it works fine on the iPad.
>>> But when I install it on the MacBook Pro I get an error that "the
>>> identity of the authentication server could not be established"? When
>>> I look in the installed certificates both the CA root and the RADIUS
>>> server certs are showing up, so not clear why it can't establish the
>>> trust on this device.
>>
>> In plain words: your certificate is a bit weird. You are using some
>> extensions which can cause problems; and are omitting one which has been
>> standard for about a decade. Maybe the Mac Pro's OS is just that
>> little bit extra picky.
>>
>> Two issues I found with a superficial glance at your server cert:
>>
>> [crlDistributionPoints] =>
>> Full Name:
>> URI:ldap:///CN=AH-CA,CN=IAHIFS1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=iah,DC=ac,DC=uk?certificateRevocationList?base?objectClass=cRLDistributionPoint
>>
>> That is, you tell client OSes that they can verify the current
>> validity status of the server cert post-authentication (good!) but the
>> URL to verify is an LDAP one; the client OS is unlikely to get access
>> to your LDAP server from world-wide. Some OSes may think that - since
>> they were told to have a verification source, but can't access it -
>> verification of the server was not possible.
>>
>> The second oddity is that your server cert does not carry the
>> "X509 Basic Constraint: CA = FALSE" property.
>>
>> If this is not set, it's not clear whether the cert is supposed to be
>> an intermediate CA certificate (allowed to issue certificates to
>> others itself) or not.
>>
>> CAs should obviously set this to TRUE; non-CAs to FALSE. Not setting
>> it at all is ambiguous.
>>
>> Maybe Mac OS finds that lack of clarity too exciting. You've certainly
>> fooled our trunk code of CAT (to be 1.1) into thinking it is a CA cert.
>>
>> I'll add code to trunk to warn about any certificate in the chain
>> which does not explicitly set the basicConstraints CA flag.
>>
>> When it comes to "what properties should a CA and/or server
>> certificate contain for eduroam purposes, please read this":
>>
>> https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus#Howtodeployeduroamon-siteoroncampus-EAPServercertificateconsiderations
>>
>> Greetings,
>>
>> Stefan Winter
>>
>>> Regards
>>>
>>> Aaron
>>>
>>> *From:* Tomasz Wolniewicz [mailto:twoln AT umk.pl]
>>> *Sent:* 28 August 2013 12:18
>>> *To:* aaron street
>>> *Cc:* 'cat-users AT geant.net'
>>> *Subject:* Re: [cat-users] IPAD download issue
>>>
>>> I have just tested the iOS download with both a Windows machine and
>>> an iPhone and did not find anything wrong.
>>> Could you please repeat the process and report if you still find the
>>> problem?
>>> You are using https://cat.eduroam.org , right?
>>> Tomasz
>>>
>>> On 2013-08-28 11:16, aaron street wrote:
>>>
>>> Dear Sir,
>>>
>>> I have an issue that when I go to download a profile using the iPad,
>>> I get a
>>>
>>> "Cannot open page
>>>
>>> Frame Load Interrupted"
>>>
>>> error message. I read it's something about the format of the URL
>>> that the page is generating but is there any more you can tell me
>>> about why I get this error?
>>>
>>> Kind regards
>>>
>>> Aaron Street
>>> Network Systems Analyst
>>> The Pirbright Institute <http://www.pirbright.ac.uk/>
>>> *t* +44 (0) 1483 231368 *ex* 1368
>>> *email* aaron.street AT pirbright.ac.uk <mailto:aaron.street AT pirbright.ac.uk>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> The information contained in this message may be confidential or
>>> legally privileged and is intended solely for the addressee. If you
>>> have received this message in error please delete it & notify the
>>> originator immediately.
>>> Unauthorised use, disclosure, copying or alteration of this message
>>> is forbidden & may be unlawful.
>>> The contents of this e-mail are the views of the sender and do not
>>> necessarily represent the views of the Institute.
>>> This email and associated attachments have been checked locally for
>>> viruses but we can accept no responsibility once it has left our
>>> systems.
>>> Communications on Institute computers are monitored to secure the
>>> effective operation of the systems and for other lawful purposes.
>>>
>>> The Pirbright Institute is a company limited by guarantee,
>>> registered in England no. 559784.
>>> The Institute is also a registered charity.
>>>
>>> --
>>> Tomasz Wolniewicz
>>> twoln AT umk.pl <mailto:twoln AT umk.pl>
>>> http://www.home.umk.pl/~twoln
>>>
>>> Uczelniane Centrum Informatyczne / Information & Communication Technology Centre
>>> Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University,
>>> pl. Rapackiego 1, Torun, Poland
>>> tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576
>>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

Attachment: signature.asc
Description: OpenPGP digital signature
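Added example, not CAT's own code (CAT is written in PHP) and not anything posted by the participants above: a POSIX shell script that uses openssl to mint a throwaway CA and two server certificates, one shaped like the certificate discussed in the thread (no basicConstraints extension, an LDAP-only CRL distribution point) and one written the recommended way (explicit CA:FALSE, HTTP CRL distribution point), then runs a realm-check-style test over both. All subjects, file names and URIs are made up, and the LDAP URI is a shortened stand-in for the one quoted in the thread (the commas in its DN would collide with openssl's extension syntax). It only needs an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not CAT code: reproduce the two EAP server-cert oddities from
# the thread with openssl and check for them the way a realm check would.
# Every name, subject and URI below is made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Shortened LDAP CRL DP in the style of the one quoted in the thread (no DN
# commas, which openssl's extension syntax would treat as separators).
CRL_LDAP='ldap:///CN=AH-CA?certificateRevocationList?base?objectClass=cRLDistributionPoint'
CRL_HTTP='http://pki.example.ac.uk/crl/ca.crl'

# new_csr NAME SUBJECT: fresh 2048-bit RSA key plus CSR under $WORK
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# sign NAME EXTTEXT [CA]: self-sign (no CA given) or sign with $WORK/CA.pem/.key,
# attaching exactly the extensions listed in EXTTEXT and nothing else.
sign() {
  name=$1; ca=${3:-}
  printf '%s\n' "$2" > "$WORK/$name.ext"
  if [ -z "$ca" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -out "$WORK/$name.pem" -days 365 -extfile "$WORK/$name.ext" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" \
      -CAcreateserial -out "$WORK/$name.pem" -days 365 -extfile "$WORK/$name.ext" >/dev/null 2>&1
  fi
}

# Text-dump helpers. CRL DP URIs are the lines "openssl x509 -text" prints as a
# bare "URI:..." under "X509v3 CRL Distribution Points"; AIA entries print as
# "OCSP - URI:" / "CA Issuers - URI:" and so do not match (these certs have no SAN).
cert_text()             { openssl x509 -in "$1" -noout -text; }
has_basic_constraints() { cert_text "$1" | grep -q 'X509v3 Basic Constraints'; }
is_ca_cert()            { cert_text "$1" | grep -q 'CA:TRUE'; }
crl_uris()              { cert_text "$1" | sed -n 's/^ *URI:\(.*\)$/\1/p'; }

# check_eap_server_cert CERT: print one line per finding, return 1 if any.
# Grading follows the thread: a server cert must say CA:FALSE explicitly
# (missing or CA:TRUE is a warning); a CRL DP that a roaming client cannot
# reach, i.e. anything but http, is reported as informational.
check_eap_server_cert() {
  cert=$1; rc=0
  if ! has_basic_constraints "$cert"; then
    echo "WARN  $cert: no basicConstraints extension, CA flag is ambiguous"; rc=1
  elif is_ca_cert "$cert"; then
    echo "WARN  $cert: basicConstraints says CA:TRUE on a server certificate"; rc=1
  fi
  for uri in $(crl_uris "$cert"); do
    case $uri in
      http://*) ;;
      *) echo "INFO  $cert: CRL distribution point is not HTTP: $uri"; rc=1 ;;
    esac
  done
  return $rc
}

# Build a CA and two server certs: "weird" as in the thread, "good" as recommended.
new_csr ca '/CN=Example eduroam CA'
sign ca 'basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'

new_csr weird '/CN=radius.example.ac.uk'
sign weird "crlDistributionPoints=URI:$CRL_LDAP" ca

new_csr good '/CN=radius.example.ac.uk'
sign good "basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth
crlDistributionPoints=URI:$CRL_HTTP" ca

for c in weird good; do
  if check_eap_server_cert "$WORK/$c.pem"; then echo "OK    $WORK/$c.pem"; fi
done
```

Run as-is it prints a WARN and an INFO line for the "weird" certificate and OK for the "good" one; `check_eap_server_cert` returns non-zero whenever it found anything, so it can gate a deployment script. Point it at your own RADIUS server's PEM file to reproduce the two findings locally before installing a CAT profile on OS X clients.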
