Skip to Content.
Sympa Menu

cat-users - Re: [cat-users] CAT with iPhone/iPad and older Macs

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [cat-users] CAT with iPhone/iPad and older Macs


Chronological Thread 
  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: Stefan Winter <stefan.winter AT restena.lu>
  • Cc: cat-users AT geant.net
  • Subject: Re: [cat-users] CAT with iPhone/iPad and older Macs
  • Date: Mon, 07 Oct 2013 16:29:26 +0200
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Ther is also one other thing that I find strange.
When I have connected to your server with wpa_supplicant and downloaded the entire certificate load, I found the root certificate plus 3 other certificates instead of an expected one.
Not sure what is causing this or what this can result in, but it is unusual.
Tomasz


W dniu 2013-10-07 16:21, Stefan Winter pisze:
Hi,

I'm attaching my installation process via screenshots. Hopefully all
of them will get sent.

Looking at this PDF, it seems like something is missing during the
installation process.

http://mobile.unibas.ch/manualsEDU/ios_cat_en.pdf
the difference in these two is that the PDF shows a UI request to enter
username and password. In iOS 6, it's a known quirk in iOS that it will
only request these for PEAP during installation time, for TTLS it will
instead ask during the first connection attempt. This is different yet
again in iOS 7; that one will always ask during installation time.

However, that's not a primary reason for failure, it's just a UI
inconsistency.

I have looked at your server certificate. eduroam CAT 1.1 will warn you
about this during the reachability check, but for now here's the manual
warning :-)

Your server certificate does not explicitly set
"X.509 Basic Constraints: CA = FALSE"
in the server certificate. That's very bad behaviour for an end-entity
certificate, and is known to break certificate validation at least in
Mac OS X 10.8.

With iOS and OS X being cousins, I would not be surprised if the failed
connection is due to iOS not liking your certificate when it comes along
in the EAP conversation.

We have documented numerous recent constraints for EAP server
certificates in our eduroam documentation here:

https://confluence.terena.org/display/H2eduroam/EAP+Server+Certificate+considerations

Your certificate is falling short of several of the recommendations in
that document; you might want to issue a new certificate with
appropriate properties.

We are BTW adding more constraints as we become aware of it. A candidate
right now is that it seems to be problematic to use wildcard
certificates with Windows 8; I'd suggest to avoid those in addition to
what's on that page...

Let us know how it goes!

Greetings,

Stefan Winter


--
Tomasz Wolniewicz

twoln AT umk.pl
http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576






Archive powered by MHonArc 2.6.19.

Top of Page