Skip to Content.
Sympa Menu

cat-users - Re: [cat-users] CAT 1.1 Issues

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [cat-users] CAT 1.1 Issues


Chronological Thread 
  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Jacques ROGNIN <rognin AT essec.edu>, cat-users AT geant.net
  • Subject: Re: [cat-users] CAT 1.1 Issues
  • Date: Wed, 27 May 2015 20:48:35 +0200
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hello,

Hello,
I am new in this list and in the CAT users community.
I just tried to generate my installers in differents modes ( PEAP-MSCHAPV2, TTLS-MSCHAPV2) I support on my radius server.
However I get an error with Iphones , Ipad and OS/X Yosemite.
It seems that I have a problem with the certificate.
We use a Symantec cetificate and it works correctly if I configure the profile using my own Apple configurator.

I think I don't fill the certificate information correctly in the CAT portal.

What have I to do ?
  • To upload the Root CA
  • To upload the ICA
  • To upload the server certificate 
  • Several of them ?

You MUST upload the root CA. You MAY upload the intermediate CA(s) - if you don't, your RADIUS server needs to send them during the authentication. There is no reason at all to upload the server certificate; it is presented during the authentication.

When using Apple configurator, you need to be cautious. IIRC it doesn't warn you if you add the wrong type of certificate - and the iOS device will simply not check the chain because of missing information, and fall back to "the cert's fingerprint". This "works" in a suboptimal way - but is not proper pre-configuration.

Is it a CAT 1.1 bug ?

Please check the cert chain configuration first.

Greetings,

Stefan Winter


Thanks for your help

Jacques ROGNIN


FOR INFORMATION :Freeradius says :

# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[request] returns notfound
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.155.0.230/auth-detail-20150527
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.155.0.230/auth-detail-20150527
[auth_log]      expand: %t -> Wed May 27 16:34:31 2015
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "essec.fr" for User-Name = "anonymous AT essec.fr"
[suffix] Found realm "essec.fr"
[suffix] Adding Realm = "essec.fr"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 11 length 17
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 7
[ttls] Length Included
[ttls] eaptls_verify returned 11 
[ttls] <<< TLS 1.0 Alert [length 0002], warning close_notify  
TLS Alert read:warning:close notify
    TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[ttls] eaptls_process returned 4 
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.


--
Jacques ROGNIN


Attachment: signature.asc
Description: OpenPGP digital signature




Archive powered by MHonArc 2.6.19.

Top of Page