
cat-users - Re: [cat-users] IPAD download issue

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [cat-users] IPAD download issue


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: aaron street <aaron.street AT pirbright.ac.uk>
  • Cc: "'cat-users AT geant.net'" <cat-users AT geant.net>
  • Subject: Re: [cat-users] IPAD download issue
  • Date: Wed, 28 Aug 2013 16:45:51 +0200
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hi,

excellent! I've updated the Wiki and the warning message in CAT.

Thanks,

Stefan Winter

On 28.08.2013 16:35, aaron street wrote:
> The only change I made on the last attempt was to go on to the root CA
> and alter the "radius cert" template to require Basic Constraint.
>
> I then went back to the Radius server and requested a new cert with the
> same key. Filled in the common name and subject name and enrolled. Once
> it had got the new cert I exported it without the private key and
> uploaded it to the CAT tool. I then deleted the old profile of the
> MacBook with Mountain Lion, and downloaded the one with the updated cert
> and tried again and it worked fine.
>
> So this does seem to be the issue here: ensuring the basic
> constraint is present makes it work :-)
>
> I hope that helps
>
> Aaron
>
> -----Original Message-----
> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
> Sent: 28 August 2013 15:30
> To: aaron street
> Cc: 'cat-users AT geant.net'
> Subject: Re: [cat-users] IPAD download issue
>
> Hi,
>
>> Thank you for the help with this, good to see it working as expected
>> now. I am off to implementing eduroam training tomorrow, so hopefully
>> that will answer the last few questions I have.
>
> Before you're off :-)
>
> So that was a MacBook Pro with OS X Mountain Lion, and it refused to
> trust the cert when BasicConstraints:CA=FALSE was NOT set?
>
> Having a confirmation of this would be very valuable... we'll update the
> "EAP server cert Considerations" section then; and the warning message
> in CAT will specifically mention that OS X has this compatibility
> requirement.
>
> Greetings,
>
> Stefan Winter
>
>> Aaron
>>
>> *From:* aaron street
>> *Sent:* 28 August 2013 15:13
>> *To:* 'Stefan Winter'
>> *Cc:* 'cat-users AT geant.net'
>> *Subject:* RE: [cat-users] IPAD download issue
>>
>> Hi,
>>
>> Does this now look correct, it’s not x509 but.
>>
>> Regards
>>
>> Aaron
>>
>> -----Original Message-----
>> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
>> Sent: 28 August 2013 14:09
>> To: aaron street
>> Cc: 'cat-users AT geant.net'
>> Subject: Re: [cat-users] IPAD download issue
>>
>> Hi,
>>
>> further to this: trunk code now checks for all these conditions. If
>> you were to execute the realm check functionality in current trunk,
>> you'd get the attached output.
>>
>> Thanks for talking to us about things that aren't detected properly
>> yet - all this makes the CAT even better!
>>
>> Note: I've marked the non-HTTP case an informational "*" UI element
>> because we don't have confirmation that it's this particular thingy
>> that makes the Mac Pro fail validation. If it positively is the root
>> cause, this would better be elevated to a warning (!) UI element.
>>
>> Greetings,
>>
>> Stefan Winter
>>
>> On 28.08.2013 14:18, Stefan Winter wrote:
>>> Hi,
>>>
>>>> It looks like it is to do with our mobile iron BYOD policy, something
>>>> I will have to look into as it worked fine on a user’s ipad without
>>>> this on it.
>>>
>>> To understand you correctly: you suspect an issue with some policy
>>> enforcement software, not the CAT profile itself?
>>>
>>> Please let us know if you can confirm this; we may or may not have a
>>> workaround, but in any case it would be good to document this for
>>> others then.
>>>
>>>> Another issue I have is with a Mac Book Pro running Mountain Lion,
>>>> the profile is a basic PEAP-MSCHAPv2 and it works fine on the IPAD.
>>>> But when I install it on the MacBook pro I get an error that “the
>>>> identity of the authentication server could not be established”?
>>>> When I look in the installed certificates both the CA root and the
>>>> Radius server certs are showing up, so not clear why it can’t establish
>>>> the trust on this device.
>>>
>>> In plain words: your certificate is a bit weird. You are using some
>>> extensions which can cause problems; and are omitting one which is
>>> standard since about a decade. Maybe the Mac Pro's OS is just that
>>> little bit extra picky.
>>>
>>> Two issues I found with a superficial glance at your server cert:
>>>
>>> [crlDistributionPoints] =>
>>> Full Name:
>>> URI:ldap:///CN=AH-CA,CN=IAHIFS1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=iah,DC=ac,DC=uk?certificateRevocationList?base?objectClass=cRLDistributionPoint
>>>
>>> That is, you tell client OSes that they can verify the current
>>> validity status of the server cert post-authentication (good!) but the
>>> URL to verify is an LDAP one; the client OS is unlikely to get access
>>> to your LDAP server from world-wide. Some OSes may think that - since
>>> they were told to have a verification source, but can't access it -
>>> verification of the server was not possible.
>>>
>>> The second oddity is that your server cert does not carry the
>>> "X509 Basic Constraint: CA = FALSE" property.
>>>
>>> If this is not set, it's not clear whether the cert is supposed to be
>>> an intermediate CA certificate (allowed to issue certificates to others
>>> itself) or not.
>>>
>>> CAs should obviously set this to TRUE; non-CAs to FALSE. Not setting
>>> it at all is ambiguous.
>>>
>>> Maybe Mac OS finds that lack of clarity too exciting. You've certainly
>>> fooled our trunk code of CAT (to be 1.1) into thinking it is a CA cert.
>>>
>>> I'll add code to trunk to warn about any certificate in the chain
>>> which does not explicitly set the basicConstraints CA flag.
>>>
>>> When it comes to "what properties should a CA and/or server
>>> certificate contain for eduroam purposes, please read this":
>>>
>>> https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus#Howtodeployeduroamon-siteoroncampus-EAPServercertificateconsiderations
>>>
>>> Greetings,
>>>
>>> Stefan Winter
>>>
>>>> Regards
>>>>
>>>> Aaron
>>>>
>>>> *From:* Tomasz Wolniewicz [mailto:twoln AT umk.pl]
>>>> *Sent:* 28 August 2013 12:18
>>>> *To:* aaron street
>>>> *Cc:* 'cat-users AT geant.net'
>>>> *Subject:* Re: [cat-users] IPAD download issue
>>>>
>>>> I have just tested the iOS download with both a Windows machine and
>>>> an iPhone and did not find anything wrong.
>>>> Could you please repeat the process and report if you still find the
>>>> problem?
>>>> You are using https://cat.eduroam.org , right?
>>>> Tomasz
>>>>
>>>> On 2013-08-28 11:16, aaron street wrote:
>>>>
>>>> Dear Sir,
>>>>
>>>> I have an issue that when I go to download a profile using the IPAD,
>>>> I get a
>>>>
>>>> “Cannot open page
>>>>
>>>> Frame Load Interrupted”
>>>>
>>>> error message. I read it’s something about the format of the URL
>>>> that the page is generating but is there any more you can tell me
>>>> about why I get this error?
>>>>
>>>> Kind regards
>>>>
>>>> Aaron Street
>>>> Network Systems Analyst
>>>> The Pirbright Institute <http://www.pirbright.ac.uk/>
>>>> *t* +44 (0) 1483 231368 *ex* 1368
>>>> *email* aaron.street AT pirbright.ac.uk <mailto:aaron.street AT pirbright.ac.uk>
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> The information contained in this message may be confidential or
>>>> legally privileged and is intended solely for the addressee. If you
>>>> have received this message in error please delete it & notify the
>>>> originator immediately.
>>>> Unauthorised use, disclosure, copying or alteration of this message
>>>> is forbidden & may be unlawful.
>>>> The contents of this e-mail are the views of the sender and do not
>>>> necessarily represent the views of the Institute.
>>>> This email and associated attachments has been checked locally for
>>>> viruses but we can accept no responsibility once it has left our
>>>> systems.
>>>> Communications on Institute computers are monitored to secure the
>>>> effective operation of the systems and for other lawful purposes.
>>>>
>>>> The Pirbright Institute is a company limited by guarantee,
>>>> registered in England no. 559784.
>>>> The Institute is also a registered charity.
>>>>
>>>> --
>>>> Tomasz Wolniewicz
>>>> twoln AT umk.pl <mailto:twoln AT umk.pl>
>>>> http://www.home.umk.pl/~twoln
>>>> Uczelniane Centrum Informatyczne Information&Communication Technology Centre
>>>> Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
>>>> pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
>>>> tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576
>>>>
>>
>
>>>
>>
>> --
>> Stefan WINTER
>> Ingenieur de Recherche
>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
>> 6, rue Richard Coudenhove-Kalergi
>> L-1359 Luxembourg
>>
>> Tel: +352 424409 1
>> Fax: +352 422473
>>
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

Attachment: signature.asc
Description: OpenPGP digital signature
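The two certificate properties the thread turns on, an explicit basicConstraints extension on the server cert and a CRL distribution point that clients on the open Internet can actually reach (HTTP rather than LDAP), can be checked with a small DER walker. The following is an added example written for this archive page; it is not CAT's realm-check code and not code from anyone on the thread. It needs no third-party modules, follows the RFC 5280 tag layout for the two extensions, and builds its own constructed sample certificates (made-up subject name and URIs, dummy key and signature, so they parse but would never verify). It goes one step beyond the thread by also flagging a server certificate that sets CA=TRUE, which Stefan's "CAs TRUE, non-CAs FALSE" rule equally rules out.

```python
"""Added example (not CAT's code): walk the DER of an EAP server certificate
and report a missing basicConstraints extension, a basicConstraints that
marks the server cert as a CA, and a CRL distribution point with no HTTP
URI. Sample certs are constructed below with a dummy key and signature."""

# Raw DER encodings of the OIDs used (2.5.29.19, 2.5.29.31, sha256WithRSA, rsaEncryption)
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")
OID_CRL_DIST_POINTS = bytes.fromhex("551d1f")
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")
OID_RSA = bytes.fromhex("2a864886f70d010101")


def der(tag, *parts):
    """Encode one DER TLV (definite length) around the concatenated parts."""
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body


def read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        n = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + n], pos + n


def children(buf):
    """Split the content of a constructed value into (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out


def extensions(cert_der):
    """Map extnID (raw OID bytes) -> (critical, extnValue) from the TBSCertificate."""
    _, cert, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(cert)
    for tag, value in children(tbs):
        if tag == 0xA3:                      # [3] EXPLICIT Extensions
            _, ext_list, _ = read_tlv(value)
            result = {}
            for _, ext in children(ext_list):
                fields = children(ext)       # extnID, [critical], extnValue
                critical = len(fields) == 3 and fields[1][1] == b"\xff"
                result[fields[0][1]] = (critical, fields[-1][1])
            return result
    return {}


def crl_uris(extn_value):
    """Collect every URI GeneralName under fullName in CRLDistributionPoints."""
    uris = []
    _, dp_list, _ = read_tlv(extn_value)
    for _, dp in children(dp_list):                      # DistributionPoint
        for tag, dpn in children(dp):
            if tag != 0xA0:                              # [0] distributionPoint
                continue
            for tag2, names in children(dpn):
                if tag2 != 0xA0:                         # [0] fullName GeneralNames
                    continue
                for tag3, name in children(names):
                    if tag3 == 0x86:                     # [6] uniformResourceIdentifier
                        uris.append(name.decode("ascii"))
    return uris


def check_eap_server_cert(cert_der):
    """Return a list of findings for a RADIUS/EAP server cert; empty means fine."""
    findings = []
    exts = extensions(cert_der)
    if OID_BASIC_CONSTRAINTS not in exts:
        findings.append("basicConstraints missing: CA status is ambiguous")
    else:
        _, bc, _ = read_tlv(exts[OID_BASIC_CONSTRAINTS][1])
        fields = children(bc)                # DER omits cA when it is FALSE
        if fields and fields[0][0] == 0x01 and fields[0][1] == b"\xff":
            findings.append("basicConstraints sets CA=TRUE on a server cert")
    if OID_CRL_DIST_POINTS in exts:
        uris = crl_uris(exts[OID_CRL_DIST_POINTS][1])
        if not any(u.lower().startswith("http://") for u in uris):
            findings.append("no HTTP CRL distribution point, only: " + ", ".join(uris))
    return findings


def build_sample_cert(with_basic_constraints, crl_uri):
    """Constructed minimal X.509 v3 certificate for the demo (dummy key/signature)."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")),
                                   der(0x13, b"radius.example.test"))))
    dp = der(0x30, der(0xA0, der(0xA0, der(0x86, crl_uri.encode("ascii")))))
    exts = [der(0x30, der(0x06, OID_CRL_DIST_POINTS), der(0x04, der(0x30, dp)))]
    if with_basic_constraints:               # critical, CA=FALSE (empty SEQUENCE)
        exts.append(der(0x30, der(0x06, OID_BASIC_CONSTRAINTS), der(0x01, b"\xff"),
                        der(0x04, der(0x30))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
              der(0x30, der(0x06, OID_SHA256_RSA)), name,
              der(0x30, der(0x17, b"130828000000Z"), der(0x17, b"140828000000Z")),
              name, der(0x30, der(0x30, der(0x06, OID_RSA), der(0x05)), der(0x03, b"\x00\x00")),
              der(0xA3, der(0x30, *exts)))
    return der(0x30, tbs, der(0x30, der(0x06, OID_SHA256_RSA)), der(0x03, b"\x00" * 9))


if __name__ == "__main__":
    ldap = "ldap:///CN=Example%20CA,CN=CDP?certificateRevocationList?base?objectClass=cRLDistributionPoint"
    for label, cert in (("as-issued", build_sample_cert(False, ldap)),
                        ("fixed", build_sample_cert(True, "http://crl.example.test/ca.crl"))):
        print(label, check_eap_server_cert(cert) or ["OK"])
```

Run as a script it reports both findings for the first constructed cert (no basicConstraints, LDAP-only CRL) and nothing for the second; to inspect a real certificate, read its DER bytes from a file and pass them to check_eap_server_cert. The extension parsing deliberately keys on raw OID bytes and tag numbers rather than decoding OIDs, which keeps the walker short; a production check would also verify the chain and the signature, which this example leaves out.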



