The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Brian Epstein <bepstein AT ias.edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Stefan,

        I created a profile with the iPhone Configuration Utility (IAS
iPhone_iPad Eduroam.mobileconfig).  It seems to be working fine.  I'm
attaching this profile that I created and the one that cat.eduroam.org
created (eduroam-IfAS.mobileconfig).  I'm looking through the XML, but
I'm not sure if I understand why one works and the other does not.

        Do you have any ideas?  I'm going to run freeradius in debugging mode
to see if I can get more information from it.

Thanks,
ep

On 10/08/2013 10:39 AM, Stefan Winter wrote:
> Hi,
> 
>> On 10/07/2013 02:22 PM, Brian Epstein wrote:
>>> X509v3 Basic Constraints: CA:FALSE
>> 
>> I re-read the section and saw that I missed the critical flag.  I
>> set that for CA:FALSE, replaced the certs and restarted radiusd.
>> Same issues occur, though.
> 
> Hm. That's very strange. I am wondering if this has something to do
> with CAT or if it's somewhere outside our control - the iOS is
> usually picky if it gets something malformed and refuses to install
> a profile outright if something's wrong.
> 
> Since the CAT profile gets installed without any error whatsoever,
> I'm tempted to think the problem is "elsewhere".
> 
> I can suggest two paths forward:
> 
> 1) try if generating a profile with the same settings by the
> original "iPhone Configuration Utility" or the "Apple Configurator"
> app will yield a profile which works in practice. If so, looking at
> the diff between what works and what we produce will show where a
> possible bug is.
> 
> 2) When logging in with the not-working profile, put your RADIUS
> server in debug mode and see what error messages you get during the
> login (if any). Finding out *why* the connection fails would yield
> information what's missing or wrong.
> 
> 2 is particularly easy if you are using FreeRADIUS, not sure about
> other server products.
> 
> Greetings,
> 
> Stefan Winter
> 



- -- 
Brian Epstein 
<bepstein AT ias.edu>
                     +1 609-734-8179
Manager, Network and Security           Institute for Advanced Study
Key fingerprint = 128A 38F4 4CFA 5EDB 99CE  4734 6117 4C25 0371 C12A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJVTxcACgkQYRdMJQNxwSriugCeN4PwEduTFT/5870QhZxba67R
JH4AoLdAmh1WX/7d+AMgJABlrn6GDZbr
=6Mpf
-----END PGP SIGNATURE-----
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>AutoJoin</key>
			<true/>
			<key>EAPClientConfiguration</key>
			<dict>
				<key>AcceptEAPTypes</key>
				<array>
					<integer>21</integer>
				</array>
				<key>EAPFASTProvisionPAC</key>
				<false/>
				<key>EAPFASTProvisionPACAnonymously</key>
				<false/>
				<key>EAPFASTUsePAC</key>
				<false/>
				<key>OuterIdentity</key>
				<string>anonymous AT ias.edu</string>
				<key>PayloadCertificateAnchorUUID</key>
				<array>
					<string>AB5CFEBF-4EC0-4C2A-B7E1-E7592FEA08BF</string>
				</array>
				<key>TTLSInnerAuthentication</key>
				<string>PAP</string>
			</dict>
			<key>EncryptionType</key>
			<string>WPA</string>
			<key>HIDDEN_NETWORK</key>
			<true/>
			<key>PayloadDescription</key>
			<string>Configures wireless connectivity settings.</string>
			<key>PayloadDisplayName</key>
			<string>WiFi (eduroam)</string>
			<key>PayloadIdentifier</key>
			<string>edu.ias.eduroam.ios.wifi1</string>
			<key>PayloadOrganization</key>
			<string>Institute for Advanced Study</string>
			<key>PayloadType</key>
			<string>com.apple.wifi.managed</string>
			<key>PayloadUUID</key>
			<string>127A69D8-B863-4232-ABB4-3756E7AABA28</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>ProxyType</key>
			<string>None</string>
			<key>SSID_STR</key>
			<string>eduroam</string>
		</dict>
		<dict>
			<key>PayloadCertificateFileName</key>
			<string>IAS Certificate Authority</string>
			<key>PayloadContent</key>
			<data>
			MIIG0zCCBLugAwIBAgIJAM9Qi4nawIVLMA0GCSqGSIb3DQEBBQUA
			MIGhMQswCQYDVQQGEwJVUzETMBEGA1UECBMKTmV3IEplcnNleTES
			MBAGA1UEBxMJUHJpbmNldG9uMSUwIwYDVQQKExxJbnN0aXR1dGUg
			Zm9yIEFkdmFuY2VkIFN0dWR5MR4wHAYJKoZIhvcNAQkBFg9uZXR3
			b3JrQGlhcy5lZHUxIjAgBgNVBAMTGUlBUyBDZXJ0aWZpY2F0ZSBB
			dXRob3JpdHkwHhcNMTMwOTEzMTMyNTIyWhcNMjMwOTExMTMyNTIy
			WjCBoTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkx
			EjAQBgNVBAcTCVByaW5jZXRvbjElMCMGA1UEChMcSW5zdGl0dXRl
			IGZvciBBZHZhbmNlZCBTdHVkeTEeMBwGCSqGSIb3DQEJARYPbmV0
			d29ya0BpYXMuZWR1MSIwIAYDVQQDExlJQVMgQ2VydGlmaWNhdGUg
			QXV0aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
			AgEA5BVBAQDRLPTE2c+pxfWUnMQZZ1WCnWq0ZjO+LdAXqf66wJxR
			Mb1UF29lhXJN/XO1xPwbJvp4YHEktTRvL+219bepLo276FYoNlqa
			RIp5jkBMbL8lwxntRfDo2Tg60b+SO2AnE5pAIQW1aHBHS0ejgFwo
			30eEMm5grpJSFeaK5XxDOKp0TgnX18+ItFtxErR+OSVjNJHxJ+hI
			ihD9bEyovvSV2Q0aIijDh/Idh4/CrSBrc4LWfOxkmq/JCXgza/96
			+Tn59x25rUWHYtRATRvEWzC7wnJ7Pw2JZI8Iw1T0RiE4GbTttGPX
			iwPJuWSUkvlZ9ZmZrwW0IZPSJpzAEuUYfCvaiCISnljEPiglWDEm
			pteLjaxxqaafcMPx1/XqwayDWcrorfaweFVwUXeZ7fWPbHztEsKV
			6GI5U/TLotyjmRpwU4lh3p2UU7l55SKIsd6SzxFHNGcaaJct5AYj
			4P/wUll5S02cqBq/EgushgUcErx2d6Si4agHu37+cwYkUyk0MQFy
			a2hFvA1T926A/v090iU1YP5qIvmukTGEaqQKrd+LHMwHYB4YlaG0
			eCiQ+euDrKgzbR3ZZyJM3qZctAjG4828VEd3w7WMYUvj8/RSaHEa
			DVN3trqge3NlmkGFqBMyx3jszTDYeLSE4e8qjHQTfzBimsM+zjGZ
			j6FrHOnTut8CAwEAAaOCAQowggEGMB0GA1UdDgQWBBROzCsLGwId
			hBLcz2CMnLYFRGzrZjCB1gYDVR0jBIHOMIHLgBROzCsLGwIdhBLc
			z2CMnLYFRGzrZqGBp6SBpDCBoTELMAkGA1UEBhMCVVMxEzARBgNV
			BAgTCk5ldyBKZXJzZXkxEjAQBgNVBAcTCVByaW5jZXRvbjElMCMG
			A1UEChMcSW5zdGl0dXRlIGZvciBBZHZhbmNlZCBTdHVkeTEeMBwG
			CSqGSIb3DQEJARYPbmV0d29ya0BpYXMuZWR1MSIwIAYDVQQDExlJ
			QVMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5ggkAz1CLidrAhUswDAYD
			VR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAgEAB2wdT8MWJnMH
			LhsgLaVPtaDJ0RPK7xiRI02IwE+IWamOS7EH2AyGzoV26XYd9fyv
			Cc6SSpdNkfTAcAavMuoE/1ALsjY5D2iXXGyqn42QwBUWGaKShnxV
			PKVEhKGE8u6kcXZDPx+dkvPqFi6KA4Dg0N6j70xz6B+KOBqyxOEx
			XGgxFGQEWjn7nKJZ0Uy1s9zrf3/y+hMVyqvnR3Pzqzo2J1JpgK0H
			tpS+/9FjwfqM678zTiXLwN3OX/xIgXZkm2Ap0ySA74n+PpKlRse8
			el0ncx+EK1eux8T9hqeN41QWfitcskeNm16zExzJlgIML75SQ0hy
			f8KOfxZPTkNthJJHzTAXyqezrjt0dEhJqdEkEy8yQYHKYZMkiHpG
			T4NgPB3Di6/n0lSAloM1d5b9yp521QwSFf7qP5UYOd2Ij6hNX7n9
			qItlrTGWgAKibNB4fsVAxI+cREqvyAgpWuXdag+tQHDISztz3fXW
			DqOkhZuIEZgd6ygDVWm4GVZQWuNVlHrqsDY4AXBt97rMyOjagkgq
			VmdKPrIG1hg4r2G7L+RrcfCZGllvjXJEJ5UeiHw9APypo1JOsAFT
			7Pj+DtXKFUlcQ19bpkhoSV0ihGzL7WqXleEN09TwEXA+dnSj4lGp
			WHaeZkerrzp1BGdu6WJWvUQv4uLuGta8uLjww//RgNTIgOQ=
			</data>
			<key>PayloadDescription</key>
			<string>Provides device authentication (certificate or identity).</string>
			<key>PayloadDisplayName</key>
			<string>IAS Certificate Authority</string>
			<key>PayloadIdentifier</key>
			<string>edu.ias.eduroam.ios.credential2</string>
			<key>PayloadOrganization</key>
			<string>Institute for Advanced Study</string>
			<key>PayloadType</key>
			<string>com.apple.security.root</string>
			<key>PayloadUUID</key>
			<string>AB5CFEBF-4EC0-4C2A-B7E1-E7592FEA08BF</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>Eduroam setup for iPad/iPhone</string>
	<key>PayloadDisplayName</key>
	<string>IAS iPhone/iPad Eduroam</string>
	<key>PayloadIdentifier</key>
	<string>edu.ias.eduroam.ios</string>
	<key>PayloadOrganization</key>
	<string>Institute for Advanced Study</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>5FAF20EB-BF40-4CD6-ABDB-5627CA7BC26A</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

Attachment: eduroam-IfAS.mobileconfig
Description: Binary data

Attachment: IAS iPhone_iPad Eduroam.mobileconfig.sig
Description: PGP signature

Attachment: eduroam-IfAS.mobileconfig.sig
Description: PGP signature

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature