The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Tomasz Wolniewicz <twoln AT umk.pl>]

Ther is also one other thing that I find strange.
When I have connected to your server with wpa_supplicant and downloaded 
the entire certificate load, I found the root certificate plus 3 other 
certificates instead of an expected one.
Not sure what is causing this or what this can result in, but it is unusual.
Tomasz


W dniu 2013-10-07 16:21, Stefan Winter pisze:
> Hi,
>
> >         I'm attaching my installation process via screenshots.  Hopefully all
> > of them will get sent.
> >
> >         Looking at this PDF, it seems like something is missing during the
> > installation process.
> >
> > http://mobile.unibas.ch/manualsEDU/ios_cat_en.pdf
> the difference in these two is that the PDF shows a UI request to enter
> username and password. In iOS 6, it's a known quirk in iOS that it will
> only request these for PEAP during installation time, for TTLS it will
> instead ask during the first connection attempt. This is different yet
> again in iOS 7; that one will always ask during installation time.
>
> However, that's not a primary reason for failure, it's just a UI
> inconsistency.
>
> I have looked at your server certificate. eduroam CAT 1.1 will warn you
> about this during the reachability check, but for now here's the manual
> warning :-)
>
> Your server certificate does not explicitly set
> "X.509 Basic Constraints: CA = FALSE"
> in the server certificate. That's very bad behaviour for an end-entity
> certificate, and is known to break certificate validation at least in
> Mac OS X 10.8.
>
> With iOS and OS X being cousins, I would not be surprised if the failed
> connection is due to iOS not liking your certificate when it comes along
> in the EAP conversation.
>
> We have documented numerous recent constraints for EAP server
> certificates in our eduroam documentation here:
>
> https://confluence.terena.org/display/H2eduroam/EAP+Server+Certificate+considerations
>
> Your certificate is falling short of several of the recommendations in
> that document; you might want to issue a new certificate with
> appropriate properties.
>
> We are BTW adding more constraints as we become aware of it. A candidate
> right now is that it seems to be problematic to use wildcard
> certificates with Windows 8; I'd suggest to avoid those in addition to
> what's on that page...
>
> Let us know how it goes!
>
> Greetings,
>
> Stefan Winter

--
Tomasz Wolniewicz
          
twoln AT umk.pl
        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576