The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Brian Epstein <bepstein AT ias.edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Stefan,

        When comparing the two files, I realized I had forgotten the
"TLSTrustedServerNames" section in my file.  I added it to the iPhone
configuration utility "IAS Radius Server Certificate" and it is now
failing.  I'm going to try to play around with this to see if I can
figure out why this is failing.

Thanks,
ep

On 10/09/2013 08:42 AM, Brian Epstein wrote:
> Hi Stefan,
> 
> I created a profile with the iPhone Configuration Utility (IAS 
> iPhone_iPad Eduroam.mobileconfig).  It seems to be working fine.
> I'm attaching this profile that I created and the one that
> cat.eduroam.org created (eduroam-IfAS.mobileconfig).  I'm looking
> through the XML, but I'm not sure if I understand why one works and
> the other does not.
> 
> Do you have any ideas?  I'm going to run freeradius in debugging
> mode to see if I can get more information from it.
> 
> Thanks, ep
> 
> On 10/08/2013 10:39 AM, Stefan Winter wrote:
>> Hi,
> 
>>> On 10/07/2013 02:22 PM, Brian Epstein wrote:
>>>> X509v3 Basic Constraints: CA:FALSE
>>> 
>>> I re-read the section and saw that I missed the critical flag.
>>> I set that for CA:FALSE, replaced the certs and restarted
>>> radiusd. Same issues occur, though.
> 
>> Hm. That's very strange. I am wondering if this has something to
>> do with CAT or if it's somewhere outside our control - the iOS
>> is usually picky if it gets something malformed and refuses to
>> install a profile outright if something's wrong.
> 
>> Since the CAT profile gets installed without any error
>> whatsoever, I'm tempted to think the problem is "elsewhere".
> 
>> I can suggest two paths forward:
> 
>> 1) try if generating a profile with the same settings by the 
>> original "iPhone Configuration Utility" or the "Apple
>> Configurator" app will yield a profile which works in practice.
>> If so, looking at the diff between what works and what we produce
>> will show where a possible bug is.
> 
>> 2) When logging in with the not-working profile, put your RADIUS 
>> server in debug mode and see what error messages you get during
>> the login (if any). Finding out *why* the connection fails would
>> yield information what's missing or wrong.
> 
>> 2 is particularly easy if you are using FreeRADIUS, not sure
>> about other server products.
> 
>> Greetings,
> 
>> Stefan Winter
> 
> 
> 
> 
> 

- -- 
Brian Epstein 
<bepstein AT ias.edu>
                     +1 609-734-8179
Manager, Network and Security           Institute for Advanced Study
Key fingerprint = 128A 38F4 4CFA 5EDB 99CE  4734 6117 4C25 0371 C12A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJVUK4ACgkQYRdMJQNxwSo9kACgoaY0t+leIXFEXkg+r7XF5hGt
ZFgAnRF4KFKrl0F5PVMJdAhvgmjV85Rk
=0u3K
-----END PGP SIGNATURE-----

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature