cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: aaron street <aaron.street AT pirbright.ac.uk>
- Cc: "'cat-users AT geant.net'" <cat-users AT geant.net>
- Subject: Re: [cat-users] IPAD download issue
- Date: Wed, 28 Aug 2013 16:30:27 +0200
- List-archive: <https://mail.geant.net/mailman/private/cat-users/>
- List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
Hi,
> Thank you for the help with this, good to see it working as expected
> now. I am off to implementing eduroam training tomorrow, so hopefully
> that will answer the last few questions I have.
Before you're off :-)
So that was a MacBook Pro with OS X Mountain Lion, and it refused to
trust the cert when BasicConstraints:CA=FALSE was NOT set?
Having a confirmation of this would be very valuable... we'll update the
"EAP server cert Considerations" section then; and the warning message
in CAT will specifically mention that OS X has this compatibility
requirement.
Greetings,
Stefan Winter
>
>
>
> Aaron
>
>
>
> *From:*aaron street
> *Sent:* 28 August 2013 15:13
> *To:* 'Stefan Winter'
> *Cc:*
> 'cat-users AT geant.net'
> *Subject:* RE: [cat-users] IPAD download issue
>
>
>
> Hi,
>
>
>
> Does this now look correct, it’s not x509 but.
>
>
>
>
>
> Regards
>
>
>
> Aaron
>
>
>
> -----Original Message-----
> From: Stefan Winter
> [mailto:stefan.winter AT restena.lu]
> Sent: 28 August 2013 14:09
> To: aaron street
> Cc:
> 'cat-users AT geant.net'
> Subject: Re: [cat-users] IPAD download issue
>
>
>
> Hi,
>
>
>
> further to this: trunk code now checks for all these conditions. If you
> were to execute the realm check functionality in current trunk, you'd
> get the attached output.
>
>
>
> Thanks for talking to us about things that aren't detected properly yet
>
> - all this makes the CAT even better!
>
>
>
> Note: I've marked the non-HTTP case an informational "*" UI element
> because we don't have confirmation that it's this particular thingy that
> makes the Mac Pro fail validation. If it positively is the root cause,
> this would better be elevated to a warning (!) UI element.
>
>
>
> Greetings,
>
>
>
> Stefan Winter
>
>
>
> On 28.08.2013 14:18, Stefan Winter wrote:
>
>> Hi,
>
>>
>
>>> It looks like it is to do with our mobile iron BYOD policy, something
>
>>> I will have to look in to as it worked fine on a user’s ipad without
>
>>> this on it.
>
>>
>
>> To understand you correctly: you suspect an issue with some policy
>
>> enforcement software, not the CAT profile itself?
>
>>
>
>> Please let us know if you can confirm this; we may or may not have a
>
>> workaround, but in any case it would be good to document this for
>
>> others then.
>
>>
>
>>> Another issue I have is with a Mac Book Pro running mountain Lion,
>
>>> the profile is a basic PEAP-MSCHAPv2 and it works fine on the IPAD.
>
>>> But when I install it on the MacBook pro I get an error that “the
>
>>> identity of the authentication server could not be established”? When
>
>>> I look in the installed certificites both the CA route and the Radius
>
>>> server certs are showing up, so not clear why it can’t establish the
> trust on this device.
>
>>
>
>> In plain words: your certificate is a bit weird. You are using some
>
>> extensions which can cause problems; and are omitting one which is
>
>> standard since about a decade. Maybe the Mac Pro's OS is just that
>
>> little bit extra picky.
>
>>
>
>> Two issues I found with a superficial glance at your server cert:
>
>>
>
>> [crlDistributionPoints] =>
>
>> Full Name:
>
>>
>
>> URI:ldap:///CN=AH-CA,CN=IAHIFS1,CN=CDP,CN=Public%20Key%20Services,CN=S
>
>> ervices,CN=Configuration,DC=iah,DC=ac,DC=uk?certificateRevocationList?
>
>> base?objectClass=cRLDistributionPoint
>
>>
>
>> That is, you tell client OSes that they can verify the current
>
>> validity status of the server cert post-authentication (good!) but the
>
>> URL to verify is an LDAP one; the client OS is unlikely to get access
>
>> to your LDAP server from world-wide. Some OSes may think that - since
>
>> they were told to have a verification source, but can't access it -
>
>> verification of the server was not possible.
>
>>
>
>> The second odditiy is that your server cert does not carry the
>
>> "X509 Basic Constraint: CA = FALSE" property.
>
>>
>
>> If this is not set, it's not clear whether the cert is supposed to be
>
>> an intermediate CA certificate (allowed to issue certificates to
>
>> others
>
>> itself) or not.
>
>>
>
>> CA's should obviously set this to TRUE; non-CAs to FALSE. Not setting
>
>> it at all is ambiguous.
>
>>
>
>> Maybe Mac OS finds that lack of clarity too exciting. You've certainly
>
>> fooled our trunk code of CAT (to be 1.1) into thinking it is a CA cert.
>
>>
>
>> I'll add code to trunk to warn about any certificate in the chain
>
>> which does not explicitly set the basicConstraints CA flag.
>
>>
>
>> When it comes to "what properties should a CA and/or server
>
>> certificate contain for eduroam purposes, please read this":
>
>>
>
>> https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+
>
>> on-site+or+on+campus#Howtodeployeduroamon-siteoroncampus-EAPServercert
>
>> ificateconsiderations
>
>>
>
>> Greetings,
>
>>
>
>> Stefan Winter
>
>>
>
>>>
>
>>>
>
>>>
>
>>> Regards
>
>>>
>
>>>
>
>>>
>
>>> Aaron
>
>>>
>
>>>
>
>>>
>
>>>
>
>>>
>
>>>
>
>>>
>
>>>
>
>>>
>
>>> *From:*Tomasz Wolniewicz
>>> [mailto:twoln AT umk.pl]
>
>>> *Sent:* 28 August 2013 12:18
>
>>> *To:* aaron street
>
>>> *Cc:*
>>> 'cat-users AT geant.net'
>
>>> *Subject:* Re: [cat-users] IPAD download issue
>
>>>
>
>>>
>
>>>
>
>>> I have just tested the iOS download with both a Windows machine and
>
>>> an iPhone and did not find anything wrong.
>
>>> Could you please repeat the process and report if you still find the
>
>>> problem?
>
>>> You are using https://cat.eduroam.org , right?
>
>>> Tomasz
>
>>>
>
>>> W dniu 2013-08-28 11:16, aaron street pisze:
>
>>>
>
>>> Dear Sir,
>
>>>
>
>>>
>
>>>
>
>>> I have an issue that when I go to download a profile using the IPAD,
>
>>> I get a
>
>>>
>
>>>
>
>>>
>
>>> “Cannot open page
>
>>>
>
>>>
>
>>>
>
>>> Frame Load Interrupted”
>
>>>
>
>>>
>
>>>
>
>>> Error message, I read it’s something about the format of the URL
>
>>> that the page is generating but is there any more you can tell me
>
>>> about why I get this error?
>
>>>
>
>>>
>
>>>
>
>>> Kind regards
>
>>>
>
>>>
>
>>>
>
>>> Aaron Street
>
>>>
>
>>> Network Systems Analyst
>
>>>
>
>>> The Pirbright Institute <http://www.pirbright.ac.uk/>
>
>>>
>
>>> *t *+44 (0) 1483 231368 *ex*** 1368
>
>>>
>
>>> *email***
>>> _aaron.street AT pirbright.ac.uk
> <mailto:_aaron.street AT pirbright.ac.uk>
>
>>>
>>> <mailto:aaron.street AT pirbright.ac.uk>_
>
>>>
>
>>>
>
>>>
>
>>>
>
>>>
>
>>>
>
>>>
>
>>>
>
>>> ---------------------------------------------------------------------
>
>>> ---
>
>>>
>
>>>
>
>>> The information contained in this message may be confidential or
>
>>> legally privileged and is intended solely for the addressee. If you
>
>>> have received this message in error please delete it & notify the
>
>>> originator immediately.
>
>>> Unauthorised use, disclosure, copying or alteration of this message
>
>>> is forbidden & may be unlawful.
>
>>> The contents of this e-mail are the views of the sender and do not
>
>>> necessarily represent the views of the Institute.
>
>>> This email and associated attachments has been checked locally for
>
>>> viruses but we can accept no responsibility once it has left our
>
>>> systems.
>
>>> Communications on Institute computers are monitored to secure the
>
>>> effective operation of the systems and for other lawful purposes.
>
>>>
>
>>> The Pirbright Institute is a company limited by guarantee,
>
>>> registered in England no. 559784.
>
>>> The Institute is also a registered charity.
>
>>>
>
>>>
>
>>>
>
>>> --
>
>>>
>
>>> Tomasz Wolniewicz
>
>>>
>
>>>
>>> twoln AT umk.pl
>>>
>>> <mailto:twoln AT umk.pl>
> <mailto:twoln AT umk.pl>
> http://www.home.umk.pl/~twoln
>
>>>
>
>>>
>
>>>
>
>>> Uczelniane Centrum Informatyczne Information&Communication
> Technology Centre
>
>>>
>
>>> Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
>
>>>
>
>>> pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
>
>>>
>
>>> tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.:
> +48-693-032-576
>
>>>
>
>>
>
>>
>
>
>
>
>
> --
>
> Stefan WINTER
>
> Ingenieur de Recherche
>
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche 6, rue Richard Coudenhove-Kalergi
>
> L-1359 Luxembourg
>
>
>
> Tel: +352 424409 1
>
> Fax: +352 422473
>
>
> ------------------------------------------------------------------------
>
> The information contained in this message may be confidential or legally
> privileged and is intended solely for the addressee. If you have
> received this message in error please delete it & notify the originator
> immediately.
> Unauthorised use, disclosure, copying or alteration of this message is
> forbidden & may be unlawful.
> The contents of this e-mail are the views of the sender and do not
> necessarily represent the views of the Institute.
> This email and associated attachments has been checked locally for
> viruses but we can accept no responsibility once it has left our systems.
> Communications on Institute computers are monitored to secure the
> effective operation of the systems and for other lawful purposes.
>
> The Pirbright Institute is a company limited by guarantee, registered in
> England no. 559784.
> The Institute is also a registered charity.
>
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
Attachment:
signature.asc
Description: OpenPGP digital signature
- [cat-users] IPAD download issue, aaron street, 08/28/2013
- Re: [cat-users] IPAD download issue, Stefan Winter, 08/28/2013
- Re: [cat-users] IPAD download issue, Tomasz Wolniewicz, 08/28/2013
- Re: [cat-users] IPAD download issue, aaron street, 08/28/2013
- Re: [cat-users] IPAD download issue, Stefan Winter, 08/28/2013
- Re: [cat-users] IPAD download issue, Stefan Winter, 08/28/2013
- Re: [cat-users] IPAD download issue, aaron street, 08/28/2013
- Re: [cat-users] IPAD download issue, aaron street, 08/28/2013
- Re: [cat-users] IPAD download issue, aaron street, 08/28/2013
- Re: [cat-users] IPAD download issue, Stefan Winter, 08/28/2013
- Re: [cat-users] IPAD download issue, aaron street, 08/28/2013
- Re: [cat-users] IPAD download issue, Stefan Winter, 08/28/2013
- Re: [cat-users] IPAD download issue, aaron street, 08/28/2013
- Re: [cat-users] IPAD download issue, Stefan Winter, 08/28/2013
- Re: [cat-users] IPAD download issue, Stefan Winter, 08/28/2013
- Re: [cat-users] IPAD download issue, aaron street, 08/28/2013
- Re: [cat-users] IPAD download issue, aaron street, 08/28/2013
- Re: [cat-users] IPAD download issue, A . L . M . Buxey, 08/28/2013
- Re: [cat-users] IPAD download issue, aaron street, 08/28/2013
- Re: [cat-users] IPAD download issue, Tomasz Wolniewicz, 08/29/2013
- Re: [cat-users] IPAD download issue, Stefan Winter, 08/29/2013
- Re: [cat-users] IPAD download issue, Tomasz Wolniewicz, 08/29/2013
- Re: [cat-users] IPAD download issue, Stefan Winter, 08/29/2013
- Re: [cat-users] IPAD download issue, Stefan Winter, 08/29/2013
- Re: [cat-users] IPAD download issue, Tomasz Wolniewicz, 08/29/2013
- Re: [cat-users] IPAD download issue, aaron street, 08/28/2013
- Re: [cat-users] IPAD download issue, A . L . M . Buxey, 08/28/2013
Archive powered by MHonArc 2.6.19.