The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Stefan Winter <stefan.winter AT restena.lu>]

Hi,

>       I'm attaching my installation process via screenshots.  Hopefully all
> of them will get sent.
> 
>       Looking at this PDF, it seems like something is missing during the
> installation process.
> 
> http://mobile.unibas.ch/manualsEDU/ios_cat_en.pdf

the difference in these two is that the PDF shows a UI request to enter
username and password. In iOS 6, it's a known quirk in iOS that it will
only request these for PEAP during installation time, for TTLS it will
instead ask during the first connection attempt. This is different yet
again in iOS 7; that one will always ask during installation time.

However, that's not a primary reason for failure, it's just a UI
inconsistency.

I have looked at your server certificate. eduroam CAT 1.1 will warn you
about this during the reachability check, but for now here's the manual
warning :-)

Your server certificate does not explicitly set
"X.509 Basic Constraints: CA = FALSE"
in the server certificate. That's very bad behaviour for an end-entity
certificate, and is known to break certificate validation at least in
Mac OS X 10.8.

With iOS and OS X being cousins, I would not be surprised if the failed
connection is due to iOS not liking your certificate when it comes along
in the EAP conversation.

We have documented numerous recent constraints for EAP server
certificates in our eduroam documentation here:

https://confluence.terena.org/display/H2eduroam/EAP+Server+Certificate+considerations

Your certificate is falling short of several of the recommendations in
that document; you might want to issue a new certificate with
appropriate properties.

We are BTW adding more constraints as we become aware of it. A candidate
right now is that it seems to be problematic to use wildcard
certificates with Windows 8; I'd suggest to avoid those in addition to
what's on that page...

Let us know how it goes!

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature