cat-users - Re: [cat-users] CAT with iPhone/iPad and older Macs

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Brian Epstein <bepstein AT ias.edu>
  • Cc: cat-users AT geant.net
  • Subject: Re: [cat-users] CAT with iPhone/iPad and older Macs
  • Date: Wed, 16 Oct 2013 09:53:43 +0200
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
  • Openpgp: id=8A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello all,

I've updated the EAP Server Cert considerations page with warnings re

- names with spaces
- CN = DNSName (found on another ML)
- wildcard certs (found on another ML)

https://confluence.terena.org/display/H2eduroam/EAP+Server+Certificate+considerations

Greetings,

Stefan Winter

On 09.10.2013 15:18, Brian Epstein wrote:
> Hello Stefan,
>
> I have recreated the radius certificates and installed with a
> CN=radius.ias.edu. I regenerated the CAT installers and the iPad
> installer works flawlessly now.
>
> Thanks again for your help, I'm now going to retest the other
> installers for the other OSs.
>
> Thanks!
> ep
>
> On 10/09/2013 09:00 AM, Stefan Winter wrote:
>> Hi,
>
>>> When comparing the two files, I realized I had forgotten the
>>> "TLSTrustedServerNames" section in my file. I added it to the
>>> iPhone configuration utility "IAS Radius Server Certificate" and
>>> it is now failing. I'm going to try to play around with this to
>>> see if I can figure out why this is failing.
>
>> Ah! It's indeed slightly unusual to have an end entity certificate
>> which does not have in its CN a fully-qualified domain name. Don't
>> get me wrong - this is perfectly fine PKI-wise and a bug-free
>> supplicant would not have issues with this at all.
>
>> That said, I'm not really sure if iOS is a bug-free supplicant :-)
>
>> Is it possible for you to test with a new certificate which has a
>> CN which is/looks like a valid fully-qualified domain name?
>
>> If it works at that point, then we have a pretty good indication
>> that there is indeed an issue with iOS and the names it allows in
>> the CN.
>
>> This is then not strictly a CAT issue though; but we can update our
>> list of caveats on the "EAP Server Certificate Considerations" page
>> for everybody's benefit. The list is getting rather long as of
>> recent :-/
>
>> Greetings,
>
>> Stefan Winter
>

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
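
The naming caveats listed in this message (spaces, CN versus DNSName, wildcards) and the TLSTrustedServerNames mismatch from the quoted exchange can be checked before installers are regenerated. The Python check below is an added example, not part of the original e-mail or of CAT. Its function names, finding strings, sample profile and `radius.example.org` are constructed; it assumes the CN and subjectAltName DNS entries have already been extracted from the certificate, and that "CN = DNSName" means the CN should equal a subjectAltName DNSName.

```python
import plistlib
import re

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample profile (not from the thread): one Wi-Fi payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
<key>EAPClientConfiguration</key><dict>
<key>TLSTrustedServerNames</key>
<array><string>radius.example.org</string></array>
</dict></dict></array></dict></plist>"""

def looks_like_fqdn(name):
    """Syntactic test only: at least two valid DNS labels, no wildcard."""
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)

def trusted_server_names(profile_bytes):
    """Collect TLSTrustedServerNames from each payload of a .mobileconfig."""
    profile = plistlib.loads(profile_bytes)
    names = []
    for payload in profile.get("PayloadContent", []):
        eap = payload.get("EAPClientConfiguration", {})
        names.extend(eap.get("TLSTrustedServerNames", []))
    return names

def lint_eap_server_names(cn, san_dns, trusted):
    """Return findings (hypothetical labels) for an EAP server certificate."""
    findings = []
    cert_names = [cn, *san_dns]
    if any(" " in n for n in cert_names):
        findings.append("space in name")
    if any("*" in n for n in cert_names):
        findings.append("wildcard name")
    if not looks_like_fqdn(cn):
        findings.append("CN is not an FQDN")
    # Assumption: "CN = DNSName" means the CN should equal a SAN DNSName.
    if san_dns and cn.lower() not in [n.lower() for n in san_dns]:
        findings.append("CN differs from SAN DNSName")
    if trusted and cn.lower() not in [n.lower() for n in trusted]:
        findings.append("CN not in TLSTrustedServerNames")
    return findings

if __name__ == "__main__":
    trusted = trusted_server_names(SAMPLE_PROFILE)
    for cn, san in [("radius.example.org", ["radius.example.org"]),
                    ("Example Radius Server Certificate", [])]:
        print(cn, "->", lint_eap_server_names(cn, san, trusted) or "ok")
```

The comparison against TLSTrustedServerNames is an exact, case-insensitive match, which is a simplification of how a supplicant may match names.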