Skip to Content.

cat-users - Re: [cat-users] iOS7 problem?

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive


Re: [cat-users] iOS7 problem?


Chronological Thread 
    < Chronological >      < Thread >
  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Per Lindgren <per.lindgren AT uadm.uu.se>, "cat-users AT geant.net" <cat-users AT geant.net>
  • Subject: Re: [cat-users] iOS7 problem?
  • Date: Fri, 20 Dec 2013 14:19:15 +0100
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
  • Openpgp: id=8A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hi,

> Are there any "known issues" in iOS 7 that makes a profile fail there
> but not under earlier versions of iOS? Or is it our profile that isn't
> 100 % correct?

There is one known incompatibility: if you use a TERENA TCS certificate,
iOS 7 has issues with the intermediate CAs if you send them during the
EAP conversation.

The fix is to add the intermediates to the CAT profile, iOS will
"digest" them properly if they get pre-provisioned with the profile.

> I tried the "Checking realm" test, and the first tests are OK, but the
> last "Live login test" fails. I guess that could be significant?!? I got
> an error code "3", but what that means I don't know.
>
> Our realm is "user.uu.se".

Well... the response code is the RADIUS Packet Code of the last received
datagram (i.e. "the end"):

Packet Code 3 = Access-Reject

So your RADIUS server actually refused to authenticate you (which is
then unrelated to iOS 7). Did you really use a proper, existing
username+password for the test? If so, you should take a close look at
your RADIUS logs to see why your attempt was rejected.

I could imagine (just guessing though) that the EAP types you've claimed
to be supported in the CAT profile do not match those your RADIUS server
actually supports. In that case, our normal tests wouldn't notice (they
expect failure, and they get failure) but the live login test would
expect to "get through with" your configured EAP type, but gets rejected
by the RADIUS server anyway.

HTH,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature


Archive powered by MHonArc 2.6.19.

Top of Page