
cat-users - Re: [cat-users] Problem with Linux Configuration Script

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: Michele de Varda <michele.devarda AT unimi.it>, cat-users AT geant.net
  • Subject: Re: [cat-users] Problem with Linux Configuration Script
  • Date: Sat, 15 Mar 2014 11:51:37 +0100
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

One more go at this problem.

Certificates included in the profile define two certification paths.
The server itself is certified by the G3 CA; this CA is certified by the G5 CA. For G5 we have two certificates: one issued by G5 itself and another by "OU=Class 3 Public Primary Certification Authority". The profile does not contain a certificate for OU=Class 3 Public Primary Certification Authority, therefore one of the certification paths is properly terminated while the other is not.

For Windows, CAT picks the only self-signed CA in the profile and sets it as trusted. This makes one of the certification paths trusted.
On Linux, it looks like the verification gets confused.

I suppose leaving just one certification path would cure the situation.

Tomasz


On 14.03.2014, 16:28, Michele de Varda wrote:
Hello,

I inserted into the CAT system the configuration for the Università degli Studi di Milano.
I tried all the configurations generated by CAT system and most of them (Microsoft and Apple) work fine.
We have an issue with the Linux configuration script (attached); we tested it with Ubuntu 12.10 and it doesn't work.

The problem is with the certificate file ca.pem (Verisign Class 3 - G5); below is the freeradius log:

Wed Mar 12 11:03:52 2014 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [noc AT unimi.it] (from client IAM2 port 109 cli 74:e5:43:a3:a9:5a)
Wed Mar 12 11:04:00 2014 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [noc AT unimi.it] (from client IAM1 port 109 cli 74:e5:43:a3:a9:5a)
Wed Mar 12 11:04:05 2014 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [noc AT unimi.it] (from client IAM2 port 109 cli 74:e5:43:a3:a9:5a)
Wed Mar 12 11:04:13 2014 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [noc AT unimi.it] (from client IAM1 port 109 cli 74:e5:43:a3:a9:5a)


Why doesn't the Linux configuration work? Is the CA certificate the same as in the Microsoft/Apple configuration?


Thank you for your great job!

Regards,

Michele de Varda

PS: When will an Android client be available?
 

-- 
Michele de Varda
Divisione Telecomunicazioni
tel. 02 503 15306
fax. 02 503 15211
via G. Colombo 46
20133 Milano

-- 
Tomasz Wolniewicz    
  twoln AT umk.pl     http://www.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication
                                      Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750  fax: +48-56-622-1850 tel kom.: +48-693-032-576
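
Added example, not part of the original messages or of CAT: a sketch of the two certification paths described in the reply, and of pruning the bundle down to the path that ends in a self-signed CA. The certificate names are constructed stand-ins (only "OU=Class 3 Public Primary Certification Authority" is taken from the thread), and the model compares subject and issuer names only, without checking signatures.

```python
from collections import namedtuple

Cert = namedtuple("Cert", "label subject issuer")

# Constructed stand-ins for the certificates the thread describes; only
# subject and issuer names are modelled, no signatures are checked.
G3, G5 = "CN=G3 CA", "CN=G5 CA"
PCA = "OU=Class 3 Public Primary Certification Authority"
PROFILE = [
    Cert("G3 issued by G5", G3, G5),
    Cert("G5 self-signed", G5, G5),
    Cert("G5 cross-signed", G5, PCA),  # issuer certificate is not in the profile
]
SERVER = Cert("server", "CN=radius server (placeholder)", G3)


def build_paths(leaf, bundle):
    """Return [(path, terminated)] for every path from leaf up through bundle.

    terminated is True when the path ends in a self-signed certificate
    that is present in the bundle, False when the issuer is missing.
    """
    results = []

    def walk(path):
        tip = path[-1]
        if tip.subject == tip.issuer:
            results.append((path, True))
            return
        # Several certificates may share one subject (cross-signing).
        parents = [c for c in bundle if c.subject == tip.issuer and c not in path]
        if not parents:
            results.append((path, False))
            return
        for parent in parents:
            walk(path + [parent])

    walk([leaf])
    return results


def drop_unterminated(leaf, bundle):
    """Keep only bundle certificates that lie on a terminated path."""
    keep = set()
    for path, terminated in build_paths(leaf, bundle):
        if terminated:
            keep.update(path[1:])
    return [c for c in bundle if c in keep]
```
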


