Skip to Content.
Sympa Menu

cat-users - Re: [cat-users] CAT 1.1 Issues

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [cat-users] CAT 1.1 Issues


Chronological Thread 
  • From: Jacques ROGNIN <rognin AT essec.edu>
  • To: Tomasz Wolniewicz <twoln AT umk.pl>
  • Cc: cat-users AT geant.net
  • Subject: Re: [cat-users] CAT 1.1 Issues
  • Date: Thu, 28 May 2015 14:41:50 +0200
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hello Thomaz,
Yes I confirm. It is cat eduroam.org
This is the full screenshot.
Something else is strange and arroneous I think : A clic on the link shown as "Show server certificate detail" launch a new sanity check without showing anything else !


Images intégrées 1

2015-05-28 14:01 GMT+02:00 Tomasz Wolniewicz <twoln AT umk.pl>:
Hmm,
  are these screen dumps form cat.eduroam.org? They should not look like that.
Could you send me the whole window dump?
Tomasz


W dniu 2015-05-28 o 13:34, Jacques ROGNIN pisze:
Hello Stephan,
thanks a lot for your help.
I loaded The Root CA cert and the ICA cert to my profile and it works .

But something else happened during the CAT realm check :
I got a warning message saying : 
Testing from: eduroamTL dk

elapsed time: 1081 ms.

Test FAILED: the request was rejected immediately, without EAP conversation. This is not necessarily an error: if the RADIUS server enforces that outer identities correspond to an existing username, then this result is expected (Note: you could configure a valid outer identity in your profile settings to get past this hurdle). In all other cases, the server appears misconfigured or it is unreachable.


So I removed the anonymous user check in my radius configuration to accept the test with cat-connectivity-test AT essec.fr as the outer identity.

The next check gave me :

Testing from: eduroamTL dk
Connected to frad01.essec.fr.
elapsed time: 3056 ms.

Test partially successful: a bidirectional RADIUS conversation with multiple round-trips was carried out, and ended in an Access-Reject as planned. Some properties of the connection attempt were sub-optimal; the list is below.

  The certificate chain as received in EAP was not sufficient to verify the certificate to the root CA in your profile. It was verified using the intermediate CAs in your profile though. You should consider sending the required intermediate CAs inside the EAP conversation.
  show server certificate details»




I don't really understand what I have to do.
I tried to change the server cert , putting the ICA cert and the server cert in the same file but the radiusd doesn't accept this.

Do you have an idea ?

Thanks for your help.
Jacques

2015-05-27 20:48 GMT+02:00 Stefan Winter <stefan.winter AT restena.lu>:
Hello,

Hello,
I am new in this list and in the CAT users community.
I just tried to generate my installers in differents modes ( PEAP-MSCHAPV2, TTLS-MSCHAPV2) I support on my radius server.
However I get an error with Iphones , Ipad and OS/X Yosemite.
It seems that I have a problem with the certificate.
We use a Symantec cetificate and it works correctly if I configure the profile using my own Apple configurator.

I think I don't fill the certificate information correctly in the CAT portal.

What have I to do ?
  • To upload the Root CA
  • To upload the ICA
  • To upload the server certificate 
  • Several of them ?

You MUST upload the root CA. You MAY upload the intermediate CA(s) - if you don't, your RADIUS server needs to send them during the authentication. There is no reason at all to upload the server certificate; it is presented during the authentication.

When using Apple configurator, you need to be cautious. IIRC it doesn't warn you if you add the wrong type of certificate - and the iOS device will simply not check the chain because of missing information, and fall back to "the cert's fingerprint". This "works" in a suboptimal way - but is not proper pre-configuration.

Is it a CAT 1.1 bug ?

Please check the cert chain configuration first.

Greetings,

Stefan Winter


Thanks for your help

Jacques ROGNIN


FOR INFORMATION :Freeradius says :

# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[request] returns notfound
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.155.0.230/auth-detail-20150527
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.155.0.230/auth-detail-20150527
[auth_log]      expand: %t -> Wed May 27 16:34:31 2015
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "essec.fr" for User-Name = "anonymous AT essec.fr"
[suffix] Found realm "essec.fr"
[suffix] Adding Realm = "essec.fr"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 11 length 17
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 7
[ttls] Length Included
[ttls] eaptls_verify returned 11 
[ttls] <<< TLS 1.0 Alert [length 0002], warning close_notify  
TLS Alert read:warning:close notify
    TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[ttls] eaptls_process returned 4 
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.


--
Jacques ROGNIN





--
Jacques ROGNIN


-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576



--
Jacques ROGNIN




Archive powered by MHonArc 2.6.19.

Top of Page