
cat-users - Re: [cat-users] CAT with iPhone/iPad and older Macs

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Brian Epstein <bepstein AT ias.edu>
  • To: Stefan Winter <stefan.winter AT restena.lu>
  • Cc: cat-users AT geant.net
  • Subject: Re: [cat-users] CAT with iPhone/iPad and older Macs
  • Date: Wed, 09 Oct 2013 09:18:54 -0400
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hello Stefan,

I have recreated the radius certificates and installed with a
CN=radius.ias.edu. I regenerated the CAT installers and the iPad
installer works flawlessly now.

Thanks again for your help, I'm now going to retest the other
installers for the other OSs.

Thanks!
ep

On 10/09/2013 09:00 AM, Stefan Winter wrote:
> Hi,
>
>> When comparing the two files, I realized I had forgotten the
>> "TLSTrustedServerNames" section in my file. I added it to the
>> iPhone configuration utility "IAS Radius Server Certificate" and
>> it is now failing. I'm going to try to play around with this to
>> see if I can figure out why this is failing.
>
> Ah! It's indeed slightly unusual to have an end entity certificate
> which does not have in its CN a fully-qualified domain name. Don't
> get me wrong - this is perfectly fine PKI-wise and a bug-free
> supplicant would not have issues with this at all.
>
> That said, I'm not really sure if iOS is a bug-free supplicant :-)
>
> Is it possible for you to test with a new certificate which has a
> CN which is/looks like a valid fully-qualified domain name?
>
> If it works at that point, then we have a pretty good indication
> that there is indeed an issue with iOS and the names it allows in
> the CN.
>
> This is then not strictly a CAT issue though; but we can update our
> list of caveats on the "EAP Server Certificate Considerations" page
> for everybody's benefit. The list is getting rather long as of
> recent :-/
>
> Greetings,
>
> Stefan Winter
>



--
Brian Epstein
<bepstein AT ias.edu>
+1 609-734-8179
Manager, Network and Security Institute for Advanced Study
Key fingerprint = 128A 38F4 4CFA 5EDB 99CE 4734 6117 4C25 0371 C12A

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
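
An added example, not part of the original thread and not CAT's own code: a preflight check that reads an unsigned .mobileconfig and flags the situation discussed above, a RADIUS server certificate CN that is not FQDN-shaped or is not covered by the profile's TLSTrustedServerNames. The CN is passed in as a string (for instance copied from the certificate subject); the sample profile and the second CN are constructed, and the glob-style name matching is a simplifying assumption.

```python
import plistlib
import re
from fnmatch import fnmatchcase

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def looks_like_fqdn(name: str) -> bool:
    """True if name has at least two valid DNS labels (e.g. radius.ias.edu)."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)

def check_profile(profile_bytes: bytes, server_cn: str) -> list[str]:
    """Return findings for every Wi-Fi payload in an unsigned .mobileconfig."""
    findings = []
    if not looks_like_fqdn(server_cn):
        findings.append(f"server CN {server_cn!r} is not FQDN-shaped")
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = payload.get("SSID_STR", "?")
        eap = payload.get("EAPClientConfiguration", {})
        names = eap.get("TLSTrustedServerNames", [])
        if not names:
            findings.append(f"{ssid}: no TLSTrustedServerNames, server name is not pinned")
        elif not any(fnmatchcase(server_cn.lower(), n.lower()) for n in names):
            findings.append(f"{ssid}: CN {server_cn!r} matches none of {names}")
    return findings

# Constructed sample profile (not a real CAT installer).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed",
        "SSID_STR": "eduroam",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],  # 25 = PEAP
            "TLSTrustedServerNames": ["radius.ias.edu"],
        },
    }],
})

if __name__ == "__main__":
    # The second CN is a constructed non-FQDN value, not the one from the thread.
    for cn in ("radius.ias.edu", "Example Radius Server"):
        print(cn, "->", check_profile(SAMPLE_PROFILE, cn) or "ok")
```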



