
cat-users - Re: [cat-users] CAT 1.1 Issues

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



Re: [cat-users] CAT 1.1 Issues


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Jacques ROGNIN <rognin AT essec.edu>, cat-users AT geant.net
  • Subject: Re: [cat-users] CAT 1.1 Issues
  • Date: Wed, 27 May 2015 20:48:35 +0200
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hello,

Hello,
I am new in this list and in the CAT users community.
I just tried to generate my installers in the different modes (PEAP-MSCHAPV2, TTLS-MSCHAPV2) I support on my RADIUS server.
However I get an error with iPhones, iPads and OS X Yosemite.
It seems that I have a problem with the certificate.
We use a Symantec certificate and it works correctly if I configure the profile using my own Apple Configurator.

I think I don't fill the certificate information correctly in the CAT portal.

What do I have to do?
  • To upload the Root CA
  • To upload the ICA
  • To upload the server certificate 
  • Several of them?

You MUST upload the root CA. You MAY upload the intermediate CA(s) - if you don't, your RADIUS server needs to send them during the authentication. There is no reason at all to upload the server certificate; it is presented during the authentication.

When using Apple configurator, you need to be cautious. IIRC it doesn't warn you if you add the wrong type of certificate - and the iOS device will simply not check the chain because of missing information, and fall back to "the cert's fingerprint". This "works" in a suboptimal way - but is not proper pre-configuration.

Is it a CAT 1.1 bug?

Please check the cert chain configuration first.

Greetings,

Stefan Winter


Thanks for your help

Jacques ROGNIN


FOR INFORMATION: FreeRADIUS says:

# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[request] returns notfound
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.155.0.230/auth-detail-20150527
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.155.0.230/auth-detail-20150527
[auth_log]      expand: %t -> Wed May 27 16:34:31 2015
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "essec.fr" for User-Name = "anonymous AT essec.fr"
[suffix] Found realm "essec.fr"
[suffix] Adding Realm = "essec.fr"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 11 length 17
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 7
[ttls] Length Included
[ttls] eaptls_verify returned 11 
[ttls] <<< TLS 1.0 Alert [length 0002], warning close_notify  
TLS Alert read:warning:close notify
    TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[ttls] eaptls_process returned 4 
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.


--
Jacques ROGNIN
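As an added illustration (not part of the thread or of the CAT project), a small Python classifier that reads FreeRADIUS 2.x debug output like the excerpt above and tells a client-side certificate-trust abort apart from other tunnel failures. The sample log and its realm are constructed; the verdict texts are this example's own wording of Stefan's advice.

```python
import re

# Constructed excerpt of FreeRADIUS 2.x debug output, modelled on the log in the
# thread (not a verbatim copy); the realm is a placeholder.
SAMPLE_LOG = """\
[suffix] Found realm "example.org"
[eap] EAP/ttls
[ttls] <<< TLS 1.0 Alert [length 0002], warning close_notify
TLS Alert read:warning:close notify
    TLS_accept: failed in SSLv3 read client certificate A
Failed to authenticate the user.
"""

# Alerts a supplicant sends once it has evaluated the server certificate. The
# thread's iOS/OS X clients just close the tunnel (close_notify during the
# handshake); other supplicants usually send a named fatal alert instead.
CLIENT_ALERTS = {
    "close notify": r"TLS Alert read:warning:close notify",
    "unknown ca": r"TLS Alert read:fatal:unknown ca",
    "certificate unknown": r"TLS Alert read:fatal:certificate unknown",
}

# OpenSSL's server state "read client certificate A" means the server had already
# sent its Certificate/ServerHelloDone and was waiting for the client's reply.
CHAIN_ALREADY_SENT = r"TLS_accept: failed in SSLv3 read client certificate A"

VERDICTS = {
    "client-rejected-server-cert": "supplicant aborted right after receiving the "
        "server chain: check the CAs it was provisioned with (root CA is mandatory) "
        "and that the RADIUS server sends the intermediate CA(s)",
    "client-aborted-early": "supplicant aborted before the chain was delivered",
    "other-failure": "authentication failed for a reason other than server-cert trust",
    "no-failure": "no tunnel failure found in this excerpt",
}

def diagnose_tunnel_failure(log_text):
    """Classify an EAP-TTLS/PEAP outer-tunnel failure from FreeRADIUS debug output."""
    method = re.search(r"\[eap\] EAP/(\w+)", log_text)
    realm = re.search(r'Found realm "([^"]+)"', log_text)
    alert = next((name for name, pat in CLIENT_ALERTS.items()
                  if re.search(pat, log_text)), None)
    if alert and re.search(CHAIN_ALREADY_SENT, log_text):
        verdict = "client-rejected-server-cert"
    elif alert:
        verdict = "client-aborted-early"
    elif "Failed to authenticate the user." in log_text:
        verdict = "other-failure"
    else:
        verdict = "no-failure"
    return {"method": method and method.group(1), "realm": realm and realm.group(1),
            "alert": alert, "verdict": verdict, "hint": VERDICTS[verdict]}
```

Run it on the debug output of a failing authentication (`radiusd -X`) and act on the `verdict`; a `client-rejected-server-cert` result points at the CA chain configuration, not at the RADIUS server's crypto.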





