cat-users - Re: [cat-users] Windows 8.1 and cat.eduroam.org SOLVED

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Claudio Chacon <claudio.chacon AT cedia.org.ec>
  • To: Stefan Winter <stefan.winter AT restena.lu>, Alan Buxey <A.L.M.Buxey AT lboro.ac.uk>, <cat-users AT geant.net>
  • Subject: Re: [cat-users] Windows 8.1 and cat.eduroam.org SOLVED
  • Date: Mon, 15 Dec 2014 15:54:21 -0500
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hi, today I fixed the problem. The problem was only with Windows 8.1 (XP, v7, iOS and Android worked fine). I use OpenSSL to sign certificates. I made some changes today: now I use SHA256 and the following configuration was added:

crlDistributionPoints = URI:http://www.eduroam.ec/ca_eduroam.crl
subjectAltName = radius.eduroam.cedia.org.ec
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, 1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.14

And now everything is OK, even on Windows 8.1.


Claudio Chacon A.

On 14/12/14 12:47, Stefan Winter wrote:
Hi,

hm, the most striking thing in the certificate is that it seems to lack the "classic" extension:

Extended Key Usage: TLS Web Server Authentication

You seem to have a rather antiquated(?) "Netscape SSL Server" instead which AFAIK only sounds similar, but is not actually the same and not recognised by Windows.

But this would mean you'd have the same problem on all versions of Windows since XP. Is it really only on Windows 8.1?

Greetings,

Stefan Winter

On 12.12.2014 18:48, Claudio Chacon wrote:
Testing with manual configuration, the problem continues. I have now changed my certificates to use SHA256, 4096 bit and CRL, but the problem with Windows 8.1 continues.

This is the public certificate referenced in eap.conf:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 30 (0x1e)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=EC, ST=Azuay, L=Cuenca, O=CEDIA, OU=Consorcio Ecuatoriano para el Desarrollo de Internet Avanzado, CN=ca.eduroam.ec/emailAddress=neg AT cedia.org.ec
        Validity
            Not Before: Dec 12 16:13:53 2014 GMT
            Not After : Dec 11 16:13:53 2019 GMT
        Subject: C=EC, ST=Azuay, L=Cuenca, O=CEDIA, OU=Consorcio Ecuatoriano para el Desarrollo de Internet Avanzado, CN=radius.eduroam.cedia.org.ec/emailAddress=neg AT cedia.org.ec
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                F8:E1:5D:C8:7C:BA:CA:DF:B0:8C:31:DA:D0:BB:42:74:3E:C3:E8:BA
            X509v3 Authority Key Identifier:
                keyid:5E:BE:44:BC:E2:6A:9D:C7:8C:38:45:50:CD:72:98:2C:5F:5C:FE:33
                DirName:/C=EC/ST=Azuay/L=Cuenca/O=CEDIA/OU=Consorcio Ecuatoriano para el Desarrollo de Internet Avanzado/CN=ca.eduroam.ec/emailAddress=neg AT cedia.org.ec
                serial:D4:37:71:16:C6:A8:0A:7A

            X509v3 Issuer Alternative Name:
                email:neg AT cedia.org.ec
            X509v3 CRL Distribution Points:
                URI:http://www.eduroam.ec/ca_eduroam.crl
            X509v3 Subject Alternative Name:
                email:neg AT cedia.org.ec
            X509v3 Extended Key Usage:
                1.3.6.1.5.5.7.3.14
    Signature Algorithm: sha256WithRSAEncryption


Any idea what else I need to configure on the certificate?

regards


Claudio

On 25/11/14 02:36, Alan Buxey wrote:
Do your certificates work on Win8.1 when the client is manually configured correctly (i.e. with certificate checking, CN defined, CA checked etc.)? That is what the eduroam CAT profile does (if this isn't an installer issue). E.g. the required Windows extensions are present in the cert, the cert matches recent OS requirements (SHA256, 2048 bit), has CRLDP defined for the CA etc.

alan



Email secured by Check Point
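The checks raised in this thread (SHA-256 signature, 2048-bit or larger key, a CRL distribution point, the TLS Web Server Authentication EKU), as an added example that is not part of the original messages: a Python audit of `openssl x509 -noout -text` output. The function names are hypothetical, the first sample is abbreviated from the dump quoted above, and the second sample is constructed.

```python
import re

SERVER_AUTH = {"TLS Web Server Authentication", "1.3.6.1.5.5.7.3.1"}

def extension_values(text, name):
    """Return the comma-separated values printed under one extension header."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith(name):
            indent = len(line) - len(line.lstrip())
            values = []
            for follow in lines[i + 1:]:
                if not follow.strip():
                    continue  # openssl prints a blank line inside some extensions
                if len(follow) - len(follow.lstrip()) <= indent:
                    break  # next extension header or end of the block
                values += [v.strip() for v in follow.split(",")]
            return values
    return []

def audit_cert_text(text):
    """Check an `openssl x509 -noout -text` dump; return a list of findings."""
    findings = []
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if not (sig and re.search(r"sha(256|384|512)", sig.group(1), re.I)):
        findings.append("signature hash weaker than SHA-256")
    bits = re.search(r"Public[- ]Key: \((\d+) bit\)", text)  # RSA key assumed
    if not (bits and int(bits.group(1)) >= 2048):
        findings.append("RSA key shorter than 2048 bit")
    # Compare whole values: a substring test would let ...7.3.14 pass as ...7.3.1
    if not SERVER_AUTH & set(extension_values(text, "X509v3 Extended Key Usage")):
        findings.append("EKU lacks TLS Web Server Authentication")
    crldp = extension_values(text, "X509v3 CRL Distribution Points")
    if not any(v.startswith("URI:") for v in crldp):
        findings.append("no CRL Distribution Point URI")
    return findings

# Abbreviated from the certificate dump quoted in this thread.
THREAD_CERT = """\
        Signature Algorithm: sha256WithRSAEncryption
            RSA Public Key: (4096 bit)
            X509v3 CRL Distribution Points:
                URI:http://www.eduroam.ec/ca_eduroam.crl
            X509v3 Extended Key Usage:
                1.3.6.1.5.5.7.3.14
"""
# Constructed sample: the same dump with client and server auth EKUs added.
FIXED_CERT = THREAD_CERT.replace("1.3.6.1.5.5.7.3.14",
    "TLS Web Client Authentication, TLS Web Server Authentication, 1.3.6.1.5.5.7.3.14")
print(audit_cert_text(THREAD_CERT), audit_cert_text(FIXED_CERT))
```

For a real certificate, pass the output of `openssl x509 -in server.pem -noout -text` to `audit_cert_text` (the file name is a placeholder).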