
cat-users - Re: [cat-users] Eduroam Cat and IOS7

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: "Galvin, Robert - Technical Officer - Computing Services" <Robert.Galvin AT ittdublin.ie>
  • To: Stefan Winter <stefan.winter AT restena.lu>
  • Cc: "cat-users AT geant.net" <cat-users AT geant.net>
  • Subject: Re: [cat-users] Eduroam Cat and IOS7
  • Date: Fri, 27 Sep 2013 16:29:54 +0100
  • Accept-language: en-US, en-IE
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hi Stefan,

That did the trick, thanks for the reply.

Cheers

-----Original Message-----
From: Stefan Winter [mailto:stefan.winter AT restena.lu]
Sent: 27 September 2013 07:45
To: Galvin, Robert - Technical Officer - Computing Services
Cc: cat-users AT geant.net
Subject: Re: [cat-users] Eduroam Cat and IOS7

Hi,

> Can you confirm whether the installer for IOS 7 devices is working?
>
> I have tried it on a number of ios7 devices and it doesn't seem to work.
>
> I have to remove the profile and then connect manually.

The profile definition did not change between iOS 6 and iOS 7, and many iOS
7 devices continue to work as before.

We have heard repeated reports that there appears to be one bug in iOS 7
which prevents things from working in one specific condition:

If your server certificate is not directly signed by a root CA, but by a
chain with intermediate CAs in between, then

* if the intermediate CA cert is sent in the EAP exchange, it gets ignored
(this is the bug)
* if the intermediate CA cert is among the CAs that are provisioned with the
profile, things work

This bug particularly hits TERENA TCS certificate customers, because there is
a chain to the root certificate at play here.

CAT can help you overcome this - simply upload the intermediates along with
the root CA; CAT will then install the entire chain.

However, this is not a CAT problem, it's an iOS oddity. In particular, it
does not only affect institutions using CAT; if you create your own profiles
using the Apple Configurator tool you suffer from the same.

BTW, if you connect manually without profiles, you ruin the entire
authentication security because then no certificates are checked against the
CA chain. This is only a very short-term temporary workaround IMHO.

HTH,

Stefan Winter

>
>
>
> Cheers
>
>
> The contents and any attachment of this e-mail are private and confidential.
> They are intended only for the use of the intended addressee. If you
> are not the intended addressee, or the person responsible for
> delivering it to the intended addressee, you are notified that any
> copying, forwarding, publication, review or delivery of this e-mail or
> any attachments to anyone else or any other use of its contents is
> strictly prohibited. You are prohibited from reading any part of this
> e-mail or any attachments. If you have received this e-mail in error,
> please notify the system manager. Unauthorised disclosure or
> communication or other use of the contents of this e-mail or any part
> thereof may be prohibited by law and may constitute a criminal
> offence. Internet e-mails are not necessarily secure. The Institute
> does not accept responsibility for changes made to this message after it
> was sent.
> Unless stated to the contrary, any opinions expressed in this message
> are personal to the author and may not be attributed to the Institute.
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's
key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

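The condition described in the thread can be checked before a profile is published: does the server certificate verify against only the CAs provisioned in the profile, with nothing taken from the EAP exchange? The script below is an added example, not part of the original messages or of CAT; it assumes the `openssl` CLI (1.1.0 or later), and the function names, file names and `radius.example.org` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Keys and certificates are constructed
# test data generated on the fly; names and paths are assumptions.

# profile_verifies CA_BUNDLE SERVER_CERT [EAP_INTERMEDIATES]
# Succeeds if SERVER_CERT chains to a root in CA_BUNDLE. The optional third
# argument models intermediates received in the EAP exchange; leave it out
# to model a client that ignores them.
profile_verifies() {
    # -no-CApath keeps OpenSSL's default CA directory out of the decision.
    openssl verify -no-CApath -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

# issue NAME SUBJECT EXT_SECTION [ISSUER]: key and certificate in $DEMO_DIR,
# self-signed when no issuer name is given.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$DEMO_DIR/o.cnf" \
        -subj "$2" -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.csr" 2>/dev/null
    if [ -n "$4" ]; then
        openssl x509 -req -in "$DEMO_DIR/$1.csr" -CA "$DEMO_DIR/$4.pem" \
            -CAkey "$DEMO_DIR/$4.key" -set_serial 2 -days 2 \
            -extfile "$DEMO_DIR/o.cnf" -extensions "$3" -out "$DEMO_DIR/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$DEMO_DIR/$1.csr" -signkey "$DEMO_DIR/$1.key" -days 2 \
            -extfile "$DEMO_DIR/o.cnf" -extensions "$3" -out "$DEMO_DIR/$1.pem" 2>/dev/null
    fi
}

report() {
    label=$1; shift
    if profile_verifies "$@"; then echo "$label: verifies"; else echo "$label: FAILS"; fi
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' \
    '[leaf]' 'basicConstraints=CA:FALSE' > "$DEMO_DIR/o.cnf"
issue root   "/CN=Constructed Root CA"         ca
issue inter  "/CN=Constructed Intermediate CA" ca   root
issue server "/CN=radius.example.org"          leaf inter
cat "$DEMO_DIR/root.pem" "$DEMO_DIR/inter.pem" > "$DEMO_DIR/chain.pem"

report "root only, EAP intermediate ignored"  "$DEMO_DIR/root.pem"  "$DEMO_DIR/server.pem"
report "root only, EAP intermediate honoured" "$DEMO_DIR/root.pem"  "$DEMO_DIR/server.pem" "$DEMO_DIR/inter.pem"
report "root + intermediate in profile"       "$DEMO_DIR/chain.pem" "$DEMO_DIR/server.pem"
```

For a real deployment, call `profile_verifies` with the PEM bundle uploaded to CAT and the RADIUS server certificate; a failure without the third argument means the bundle is missing an intermediate.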





