
cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [cat-users] CAT with iPhone/iPad and older Macs

  • From: Brian Epstein <bepstein AT ias.edu>
  • To: Stefan Winter <stefan.winter AT restena.lu>
  • Cc: cat-users AT geant.net
  • Subject: Re: [cat-users] CAT with iPhone/iPad and older Macs
  • Date: Mon, 07 Oct 2013 14:22:15 -0400
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stefan,

Thanks again for your help. My certificate now includes the
properties noted here:
https://confluence.terena.org/display/H2eduroam/EAP+Server+Certificate+considerations

It still isn't working, though; I'm getting the same behavior as
before. Perhaps I missed something else?

Here are my certificate extensions.

X509v3 extensions:
    X509v3 Extended Key Usage:
        TLS Web Server Authentication
    X509v3 CRL Distribution Points:

        Full Name:
          URI:https://security.ias.edu/files/ias.crl

    X509v3 Basic Constraints:
        CA:FALSE

Thanks,
Brian

On 10/07/2013 10:21 AM, Stefan Winter wrote:
> Hi,
>
>> I'm attaching my installation process via screenshots. Hopefully
>> all of them will get sent.
>>
>> Looking at this PDF, it seems like something is missing during
>> the installation process.
>>
>> http://mobile.unibas.ch/manualsEDU/ios_cat_en.pdf
>
> the difference in these two is that the PDF shows a UI request to
> enter username and password. In iOS 6, it's a known quirk in iOS
> that it will only request these for PEAP during installation time,
> for TTLS it will instead ask during the first connection attempt.
> This is different yet again in iOS 7; that one will always ask
> during installation time.
>
> However, that's not a primary reason for failure, it's just a UI
> inconsistency.
>
> I have looked at your server certificate. eduroam CAT 1.1 will warn
> you about this during the reachability check, but for now here's
> the manual warning :-)
>
> Your server certificate does not explicitly set "X.509 Basic
> Constraints: CA = FALSE" in the server certificate. That's very bad
> behaviour for an end-entity certificate, and is known to break
> certificate validation at least in Mac OS X 10.8.
>
> With iOS and OS X being cousins, I would not be surprised if the
> failed connection is due to iOS not liking your certificate when it
> comes along in the EAP conversation.
>
> We have documented numerous recent constraints for EAP server
> certificates in our eduroam documentation here:
>
> https://confluence.terena.org/display/H2eduroam/EAP+Server+Certificate+considerations
>
> Your certificate is falling short of several of the
> recommendations in that document; you might want to issue a new
> certificate with appropriate properties.
>
> We are BTW adding more constraints as we become aware of them. A
> candidate right now is that it seems to be problematic to use
> wildcard certificates with Windows 8; I'd suggest avoiding those in
> addition to what's on that page...
>
> Let us know how it goes!
>
> Greetings,
>
> Stefan Winter
>



--
Brian Epstein
<bepstein AT ias.edu>
+1 609-734-8179
Manager, Network and Security
Institute for Advanced Study
Key fingerprint = 128A 38F4 4CFA 5EDB 99CE 4734 6117 4C25 0371 C12A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJS+84ACgkQYRdMJQNxwSriEgCfdcZWI0bWZ410YGcrLeqorYC+
4OUAnRrJTI9zEXHG6ewMqo7u056pePTa
=yP9n
-----END PGP SIGNATURE-----

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
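As an added example (not part of this thread, and not code from the eduroam CAT project), here is a small shell script that checks an EAP server certificate for the four properties the thread discusses: an explicit Basic Constraints extension saying CA:FALSE, an Extended Key Usage of TLS Web Server Authentication, a CRL Distribution Point, and no wildcard name in the subject or subjectAltName. It only needs the openssl command-line tool. The host names, the CRL URL and the two sample certificates it builds in a temporary directory are constructed for the demonstration; the "bad" certificate is shaped like the one Brian started with (no Basic Constraints, no CRL DP) plus the wildcard CN that Stefan warns about for Windows 8.

```shell
#!/bin/sh
# Added example, not from the original thread: sanity-check an EAP server
# certificate for the properties discussed on this page using only openssl.
# All names, URLs and files below are made up for the demonstration.

# check_eap_cert FILE
# Prints one FAIL line per missing property and returns the number of
# failed checks, so 0 means the certificate passes all four checks.
check_eap_cert() {
    txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) \
        || { echo "FAIL: cannot parse $1"; return 9; }
    fails=0

    # 1. Basic Constraints must be present and say CA:FALSE. openssl prints
    #    the CA:... value on the line after the extension header.
    bc=$(printf '%s\n' "$txt" | awk '/X509v3 Basic Constraints/ { getline; print; exit }')
    case "$bc" in
        *CA:FALSE*) ;;
        *CA:TRUE*)  echo "FAIL: Basic Constraints says CA:TRUE on an end-entity certificate"
                    fails=$((fails+1)) ;;
        *)          echo "FAIL: no Basic Constraints extension (CA:FALSE not set explicitly)"
                    fails=$((fails+1)) ;;
    esac

    # 2. Extended Key Usage must include serverAuth.
    printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL: EKU lacks TLS Web Server Authentication"; fails=$((fails+1)); }

    # 3. A CRL Distribution Point must be present.
    printf '%s\n' "$txt" | grep -q 'X509v3 CRL Distribution Points' \
        || { echo "FAIL: no CRL Distribution Points extension"; fails=$((fails+1)); }

    # 4. No wildcard in the subject CN or in any DNS SAN entry.
    printf '%s\n' "$txt" | grep -Eq 'Subject:.*\*|DNS:\*' \
        && { echo "FAIL: wildcard name in subject or subjectAltName"; fails=$((fails+1)); }

    return $fails
}

# Constructed sample certificates (hypothetical example.edu names) in a
# temporary directory that is left in place for inspection.
EAP_DEMO_DIR=$(mktemp -d)
cat > "$EAP_DEMO_DIR/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = radius.example.edu
[good]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.example.edu
crlDistributionPoints = URI:http://crl.example.edu/example.crl
[bad]
extendedKeyUsage = serverAuth
EOF
openssl genrsa -out "$EAP_DEMO_DIR/key.pem" 2048 2>/dev/null
# good.pem: follows the recommendations discussed in the thread
openssl req -x509 -new -key "$EAP_DEMO_DIR/key.pem" -days 30 \
    -config "$EAP_DEMO_DIR/req.cnf" -extensions good \
    -out "$EAP_DEMO_DIR/good.pem" 2>/dev/null
# bad.pem: no Basic Constraints, no CRL DP, wildcard CN (-subj overrides the config DN)
openssl req -x509 -new -key "$EAP_DEMO_DIR/key.pem" -days 30 \
    -config "$EAP_DEMO_DIR/req.cnf" -extensions bad -subj '/CN=*.example.edu' \
    -out "$EAP_DEMO_DIR/bad.pem" 2>/dev/null

for f in "$EAP_DEMO_DIR/good.pem" "$EAP_DEMO_DIR/bad.pem"; do
    echo "== $f"
    if check_eap_cert "$f"; then echo "OK: passes all checks"; fi
done
```

To run it against a real server certificate, call check_eap_cert on the PEM file your RADIUS server presents. The checks are string matches on the text dump from openssl x509, so treat this as a quick pre-flight, not a replacement for the reachability check in CAT or for testing with the actual client platforms.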




Archive powered by MHonArc 2.6.19.