cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Jacques ROGNIN <rognin AT essec.edu>
- To: Tomasz Wolniewicz <twoln AT umk.pl>
- Cc: cat-users AT geant.net
- Subject: Re: [cat-users] CAT 1.1 Issues
- Date: Thu, 28 May 2015 14:41:50 +0200
- List-archive: <http://mail.geant.net/pipermail/cat-users/>
- List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
Hmm,
are these screen dumps from cat.eduroam.org? They should not look like that.
Could you send me the whole window dump?

Tomasz
On 2015-05-28 at 13:34, Jacques ROGNIN wrote:
Hello Stefan,

thanks a lot for your help. I loaded the Root CA cert and the ICA cert to my profile and it works.
But something else happened during the CAT realm check: I got a warning message saying:

Testing from: eduroamTL dk
elapsed time: 1081 ms.
Test FAILED: the request was rejected immediately, without EAP conversation. This is not necessarily an error: if the RADIUS server enforces that outer identities correspond to an existing username, then this result is expected (Note: you could configure a valid outer identity in your profile settings to get past this hurdle). In all other cases, the server appears misconfigured or it is unreachable.

So I removed the anonymous user check in my radius configuration to accept the test with cat-connectivity-test AT essec.fr as the outer identity.
I don't really understand what I have to do. The next check gave me:

Testing from: eduroamTL dk
Connected to frad01.essec.fr.
elapsed time: 3056 ms.
Test partially successful: a bidirectional RADIUS conversation with multiple round-trips was carried out, and ended in an Access-Reject as planned. Some properties of the connection attempt were sub-optimal; the list is below.
The certificate chain as received in EAP was not sufficient to verify the certificate to the root CA in your profile. It was verified using the intermediate CAs in your profile though. You should consider sending the required intermediate CAs inside the EAP conversation.

I tried to change the server cert, putting the ICA cert and the server cert in the same file, but the radiusd doesn't accept this.
Do you have an idea?
Thanks for your help.
Jacques
2015-05-27 20:48 GMT+02:00 Stefan Winter <stefan.winter AT restena.lu>:
Hello,
Hello,

I am new in this list and in the CAT users community. I just tried to generate my installers in the different modes (PEAP-MSCHAPV2, TTLS-MSCHAPV2) I support on my radius server. However I get an error with iPhones, iPads and OS X Yosemite. It seems that I have a problem with the certificate. We use a Symantec certificate and it works correctly if I configure the profile using my own Apple Configurator.
I think I don't fill in the certificate information correctly in the CAT portal.
What do I have to do?
- To upload the Root CA
- To upload the ICA
- To upload the server certificate
- Several of them ?
You MUST upload the root CA. You MAY upload the intermediate CA(s) - if you don't, your RADIUS server needs to send them during the authentication. There is no reason at all to upload the server certificate; it is presented during the authentication.
When using Apple configurator, you need to be cautious. IIRC it doesn't warn you if you add the wrong type of certificate - and the iOS device will simply not check the chain because of missing information, and fall back to "the cert's fingerprint". This "works" in a suboptimal way - but is not proper pre-configuration.
Is it a CAT 1.1 bug?
Please check the cert chain configuration first.
Greetings,
Stefan Winter
Thanks for your help
Jacques ROGNIN
FOR INFORMATION: FreeRADIUS says:

# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[request] returns notfound
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.155.0.230/auth-detail-20150527
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.155.0.230/auth-detail-20150527
[auth_log] expand: %t -> Wed May 27 16:34:31 2015
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "essec.fr" for User-Name = "anonymous AT essec.fr"
[suffix] Found realm "essec.fr"
[suffix] Adding Realm = "essec.fr"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 11 length 17
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 7
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Alert [length 0002], warning close_notify
TLS Alert read:warning:close notify
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[ttls] eaptls_process returned 4
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
--
Jacques ROGNIN
--
Tomasz Wolniewicz
twoln AT umk.pl
http://www.home.umk.pl/~twoln
Uczelniane Centrum Informatyczne / Information & Communication Technology Centre
Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576
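The two points made in this thread, Stefan's rule that the root CA must be in the profile while the intermediate must either be in the profile or be sent by the RADIUS server, and CAT's finding that the chain received in EAP did not reach the root until the profile's intermediate was used, can be reproduced offline with openssl. The script below is an added example; it is not from the thread, from CAT or from FreeRADIUS. It builds a constructed Root CA -> intermediate CA -> server chain (the CA names, the hostname frad01.example.test and all file names are constructed), then checks the server certificate the way a supplicant that trusts only the root would: first with nothing but the leaf, then with the intermediate supplied alongside it. It also writes a chain file in the order OpenSSL's SSL_CTX_use_certificate_chain_file() expects (server certificate first, intermediates after it), which is the loader FreeRADIUS uses for a PEM certificate_file.

```shell
#!/bin/sh
# Added example (not from the thread): constructed Root CA -> ICA -> server chain,
# verified as a supplicant whose profile carries only the root would verify it.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles for the CA and server certificates (constructed).
cat > ext.cnf <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:frad01.example.test
EOF

# issue_cert NAME SUBJECT EXT_SECTION [ISSUER]
# Generates a key and CSR for NAME, then signs it with ISSUER's key;
# without an ISSUER the certificate is self-signed (the root).
issue_cert() {
  name=$1; subject=$2; ext=$3; issuer=$4
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
    -out "$name.csr" -subj "$subject" >/dev/null 2>&1
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
      -extfile ext.cnf -extensions "$ext" -out "$name.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 30 -extfile ext.cnf -extensions "$ext" \
      -out "$name.pem" >/dev/null 2>&1
  fi
}

issue_cert root   "/CN=Demo Root CA"         v3_ca
issue_cert ica    "/CN=Demo Intermediate CA" v3_ca     root
issue_cert server "/CN=frad01.example.test"  v3_server ica

# Supplicant view 1: profile trusts root.pem, EAP delivered only server.pem.
# Returns 0 if the chain verifies, non-zero otherwise.
verify_root_only() {
  openssl verify -CAfile root.pem server.pem >/dev/null 2>&1
}

# Supplicant view 2: profile trusts root.pem, EAP delivered server.pem plus
# the certificates in $1 (treated as untrusted input, as a client does).
verify_with_sent() {
  openssl verify -CAfile root.pem -untrusted "$1" server.pem >/dev/null 2>&1
}

# Chain file in the order SSL_CTX_use_certificate_chain_file() expects:
# the server certificate first, then the intermediate(s).
cat server.pem ica.pem > server-chain.pem

# Number of certificates in a PEM file (used to sanity-check the chain file).
chain_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

if verify_root_only; then
  echo "root only: verified (unexpected for a three-tier chain)"
else
  echo "root only: FAILED - the intermediate is missing, as the CAT check reported"
fi
if verify_with_sent server-chain.pem; then
  echo "root + chain sent in EAP: verified ($(chain_cert_count server-chain.pem) certs sent)"
fi
```

Run as a normal user; it works in a temporary directory and touches nothing else. The first check fails with "unable to get local issuer certificate", the second succeeds, which is exactly the difference between a RADIUS server that sends only its leaf and one that appends the intermediate to its certificate file.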