cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [cat-users] Problem with Linux Configuration Script

From: Stefan Winter <stefan.winter AT restena.lu>
To: Michele de Varda <michele.devarda AT unimi.it>, cat-users AT geant.net
Subject: Re: [cat-users] Problem with Linux Configuration Script
Date: Fri, 14 Mar 2014 19:38:59 +0100
List-archive: <http://mail.geant.net/pipermail/cat-users/>
List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hello,

this ca.pem is a root CA from a commercial vendor; and I guess there are intermediate CA certs in between before the actual server cert is reached.

If you only upload the root CA to CAT, then you must be sure to include all the intermediate CA certificates *in the EAP exchange*, i.e. you need to tell FreeRADIUS that it should send these CAs along with the server cert.

My guess is that the other operating systems by default ship with these intermediates and can fill the gap between root and server cert themselves; but for Linux, NetworkManager doesn't consult any of the system stores - it only uses exactly the CAs which were configured. So if it has the root CA in local config, and only the server cert in EAP, t can't complete the chain and will fail to validate the certificate.

CAT trunk (1.1-to-be) already has an in-depth chain check which would tell you about this lack of intermediates during the admin upload / realm check.

Of course, I could be wrong in my assumption and maybe you do include all the intermediates in EAP (not at my dev box right now, so can't do in-depth debugging)? In that case, we would have to look further.

Greetings,

Stefan Winter

On 14.03.2014 16:28, Michele de Varda wrote:

Hello,

I inserted into the CAT system the configuration for the Università degli Studi di Milano.
I tried all the configurations generated by CAT system and most of them (Microsoft and Apple) work fine.
We have an issue with the linux configuration script (in attach), we tested it with Ubuntu 12.10 and doesn't work.

The problem is with the certificate file ca.pem (Verisign Class 3 - G5) , below the freeradius log:

Wed Mar 12 11:03:52 2014 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [noc AT unimi.it] (from client IAM2 port 109 cli 74:e5:43:a3:a9:5a)
Wed Mar 12 11:04:00 2014 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [noc AT unimi.it] (from client IAM1 port 109 cli 74:e5:43:a3:a9:5a)
Wed Mar 12 11:04:05 2014 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [noc AT unimi.it] (from client IAM2 port 109 cli 74:e5:43:a3:a9:5a)
Wed Mar 12 11:04:13 2014 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [noc AT unimi.it] (from client IAM1 port 109 cli 74:e5:43:a3:a9:5a)

Why Linux configuration doesn't work? The ca certificate is the same of Microsoft/Apple configuration?

Thank you for your great job!

Regards,

Michele de Varda

PS: When an Android client will be available?
-- 
Michele de Varda
Divisione Telecomunicazioni
tel. 02 503 15306
fax. 02 503 15211
via G. Colombo 46
20133 Milano

[cat-users] Problem with Linux Configuration Script, Michele de Varda, 03/14/2014
- Re: [cat-users] Problem with Linux Configuration Script, Stefan Winter, 03/14/2014
- Re: [cat-users] Problem with Linux Configuration Script, A . L . M . Buxey, 03/14/2014
  - Re: [cat-users] Problem with Linux Configuration Script, Tomasz Wolniewicz, 03/14/2014
    - Re: [cat-users] Problem with Linux Configuration Script - correction, Tomasz Wolniewicz, 03/14/2014
- Re: [cat-users] Problem with Linux Configuration Script, Tomasz Wolniewicz, 03/15/2014
  - Re: [cat-users] Problem with Linux Configuration Script, Michele de Varda, 03/18/2014
    - Re: [cat-users] Problem with Linux Configuration Script, Stefan Winter, 03/18/2014