
cat-users - Re: [cat-users] Eduroam Cat and IOS7

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: "Galvin, Robert - Technical Officer - Computing Services" <Robert.Galvin AT ittdublin.ie>
  • Cc: "cat-users AT geant.net" <cat-users AT geant.net>
  • Subject: Re: [cat-users] Eduroam Cat and IOS7
  • Date: Fri, 27 Sep 2013 08:44:45 +0200
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
  • Openpgp: id=8A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

> Can you confirm whether the installer for IOS 7 devices is working.
>
> I have tried it on a number of ios7 devices and it doesn’t seem to work.
>
> I have to remove the profile and then connect manually.

The profile definition did not change between iOS 6 and iOS 7, and many
iOS 7 devices continue to work as before.

We have heard repeated reports that there appears to be one bug in iOS 7
which prevents things from working in one specific condition:

If your server certificate is not directly signed by a root CA, but by a
chain with intermediate CAs in between, then

* if the intermediate CA cert is sent in the EAP exchange, it gets
ignored (this is the bug)
* if the intermediate CA cert is among the CAs that are provisioned with
the profile, things work

This bug particularly hits TERENA TCS certificate customers, because
there is a chain to the root certificate at play here.

CAT can help you overcome this - simply upload the intermediates along
with the root CA; CAT will then install the entire chain.

However, this is not a CAT problem, it's an iOS oddity. In particular,
it does not only affect institutions using CAT; if you create your own
profiles using the Apple Configurator tool you suffer from the same.

BTW, if you connect manually without profiles, you ruin the entire
authentication security because then no certificates are checked against
the CA chain. This is only a very short-term temporary workaround IMHO.

HTH,

Stefan Winter

>
>
>
> Cheers


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
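
The check below is an added example, not part of the original message: it uses `openssl verify` to test whether a CA bundle validates a server certificate with no intermediates supplied from outside the bundle, which is the situation the message describes for iOS 7. The PKI, the file names and `radius.example.org` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: does a CA bundle validate the RADIUS server certificate
# on its own, with no intermediates taken from the EAP exchange?

# bundle_validates BUNDLE SERVER_CERT
# Succeeds only if SERVER_CERT chains to a self-signed root using nothing
# but the certificates in BUNDLE.
bundle_validates() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# build_demo_pki DIR
# Creates a constructed root -> intermediate -> server chain in DIR.
# Every name here is made up for the demonstration.
build_demo_pki() {
    (
        cd "$1" &&
        printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
            'commonName = Common Name' '[v3_ca]' \
            'basicConstraints = critical,CA:TRUE' > ca.cnf &&
        openssl req -x509 -config ca.cnf -extensions v3_ca -days 2 \
            -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
            -subj '/CN=Constructed Root CA' &&
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
            -keyout int.key -out int.csr \
            -subj '/CN=Constructed Intermediate CA' &&
        openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
            -set_serial 2 -extfile ca.cnf -extensions v3_ca -days 2 \
            -out int.pem &&
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
            -keyout srv.key -out srv.csr -subj '/CN=radius.example.org' &&
        openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key \
            -set_serial 3 -days 2 -out srv.pem &&
        cat root.pem int.pem > chain.pem
    ) >/dev/null 2>&1
}

# report LABEL BUNDLE SERVER_CERT: print one result line.
report() {
    if bundle_validates "$2" "$3"; then
        echo "$1: server certificate validates"
    else
        echo "$1: FAILS, chain incomplete in the profile"
    fi
}

demo_dir=$(mktemp -d) && build_demo_pki "$demo_dir" && {
    report "root only" "$demo_dir/root.pem" "$demo_dir/srv.pem"
    report "root + intermediate" "$demo_dir/chain.pem" "$demo_dir/srv.pem"
}
rm -rf "$demo_dir"
```

To check a real deployment, call `bundle_validates` with the PEM bundle intended for upload and the server's own certificate file.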



