cat-users - Re: [cat-users] CAT 1.1 Issues

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [cat-users] CAT 1.1 Issues


  • From: Jacques ROGNIN <rognin AT essec.edu>
  • To: Stefan Winter <stefan.winter AT restena.lu>
  • Cc: cat-users AT geant.net
  • Subject: Re: [cat-users] CAT 1.1 Issues
  • Date: Thu, 28 May 2015 13:34:16 +0200
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hello Stefan,
thanks a lot for your help.
I loaded the Root CA cert and the ICA cert to my profile and it works.

But something else happened during the CAT realm check:
I got a warning message saying:
Testing from: eduroamTL dk

elapsed time: 1081 ms.

Test FAILED: the request was rejected immediately, without EAP conversation. This is not necessarily an error: if the RADIUS server enforces that outer identities correspond to an existing username, then this result is expected (Note: you could configure a valid outer identity in your profile settings to get past this hurdle). In all other cases, the server appears misconfigured or it is unreachable.


So I removed the anonymous user check in my radius configuration to accept the test with cat-connectivity-test AT essec.fr as the outer identity.

The next check gave me :

Testing from: eduroamTL dk
Connected to frad01.essec.fr.
elapsed time: 3056 ms.

Test partially successful: a bidirectional RADIUS conversation with multiple round-trips was carried out, and ended in an Access-Reject as planned. Some properties of the connection attempt were sub-optimal; the list is below.

 The certificate chain as received in EAP was not sufficient to verify the certificate to the root CA in your profile. It was verified using the intermediate CAs in your profile though. You should consider sending the required intermediate CAs inside the EAP conversation.

I don't really understand what I have to do.
I tried to change the server cert, putting the ICA cert and the server cert in the same file, but radiusd doesn't accept this.

Do you have an idea?

Thanks for your help.
Jacques

2015-05-27 20:48 GMT+02:00 Stefan Winter <stefan.winter AT restena.lu>:
Hello,

Hello,
I am new to this list and to the CAT users community.
I just tried to generate my installers in the different modes (PEAP-MSCHAPV2, TTLS-MSCHAPV2) I support on my RADIUS server.
However I get an error with iPhones, iPads and OS X Yosemite.
It seems that I have a problem with the certificate.
We use a Symantec certificate and it works correctly if I configure the profile using my own Apple Configurator.

I think I am not filling in the certificate information correctly in the CAT portal.

What do I have to do?
  • Upload the Root CA?
  • Upload the ICA?
  • Upload the server certificate?
  • Several of them?

You MUST upload the root CA. You MAY upload the intermediate CA(s) - if you don't, your RADIUS server needs to send them during the authentication. There is no reason at all to upload the server certificate; it is presented during the authentication.

When using Apple configurator, you need to be cautious. IIRC it doesn't warn you if you add the wrong type of certificate - and the iOS device will simply not check the chain because of missing information, and fall back to "the cert's fingerprint". This "works" in a suboptimal way - but is not proper pre-configuration.

Is it a CAT 1.1 bug?

Please check the cert chain configuration first.

Greetings,

Stefan Winter


Thanks for your help

Jacques ROGNIN


FOR INFORMATION: FreeRADIUS says:

# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[request] returns notfound
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.155.0.230/auth-detail-20150527
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.155.0.230/auth-detail-20150527
[auth_log]      expand: %t -> Wed May 27 16:34:31 2015
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "essec.fr" for User-Name = "anonymous AT essec.fr"
[suffix] Found realm "essec.fr"
[suffix] Adding Realm = "essec.fr"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 11 length 17
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 7
[ttls] Length Included
[ttls] eaptls_verify returned 11 
[ttls] <<< TLS 1.0 Alert [length 0002], warning close_notify  
TLS Alert read:warning:close notify
    TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[ttls] eaptls_process returned 4 
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.


--
Jacques ROGNIN




