cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: Jacques ROGNIN <rognin AT essec.edu>, Tomasz Wolniewicz <twoln AT umk.pl>
- Cc: cat-users AT geant.net
- Subject: Re: [cat-users] CAT 1.1 Issues
- Date: Fri, 29 May 2015 08:03:10 +0200
- List-archive: <http://mail.geant.net/pipermail/cat-users/>
- List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
- Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hello,
from the FreeRADIUS documentation (raddb/mods-enabled/eap):
# If ca_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/server.pem
So you need to put both PEM blocks into that single file. I believe the
order IS important there; and I believe you need to put the server cert
first and the intermediate CA after.
You do not have to include the ROOT CA in RADIUS; that one is only
useful on the client side (and that's why we ask for it in CAT).
Greetings,
Stefan Winter
On 28.05.2015 16:04, Jacques ROGNIN wrote:
> OK understood Thomasz.
> Thanks for your preciuos help.
>
> Hope that somebody else will have an idea .
>
> Cheers
>
> 2015-05-28 15:42 GMT+02:00 Tomasz Wolniewicz
> <twoln AT umk.pl
> <mailto:twoln AT umk.pl>>:
>
> Hi Jacques,
>
> W dniu 2015-05-28 o 15:18, Jacques ROGNIN pisze:
> > You are right Thomasz !
> > A reload changes the look ::
> > ...... but doesn't fix my problem :-/
>
> The warning returned states, as you probably realise yourself, that your
> server does not add an intermediate CAs to the EAP exchange.
> The intermediate CAs are loaded into the CAT profile so the validation
> is possible but this setup may be a potential problem for your users,
> for instance for those who configure their devices manually. To make a
> secure configuration they just need to point to the Symantec root CA and
> input the names of your servers, however when they connect to your
> server it will not be possible to verify its certificate since the
> certification chain will not be complete.
>
> Since you have all intermediates in CAT profiles, installations done
> with CAT installers should work properly as they install the
> intermediate CAs, but looking form the point of view of RADIUS setup,
> the current configuration at least requires a warning.
>
> From the CAT side all is fine, the problem you are left with is how to
> push the CAs into the FreeRADIUS configuration, therefore you should
> look up help from FreeRADIUS experts. Many of them are also on this list
> so perhaps someone will suggest a solution.
>
> Cheers
> Tomasz
>
>
> --
> Tomasz Wolniewicz
>
> twoln AT umk.pl
>
> <mailto:twoln AT umk.pl>
>
> http://www.home.umk.pl/~twoln
>
> Uczelniane Centrum Informatyczne Information&Communication
> Technology Centre
> Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
> pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
> tel: +48-56-611-2750 <tel:%2B48-56-611-2750> fax:
> +48-56-622-1850 <tel:%2B48-56-622-1850> tel kom.:
> +48-693-032-576 <tel:%2B48-693-032-576>
>
>
>
>
> --
> Jacques ROGNIN
>
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Attachment:
0x8A39DC66.asc
Description: application/pgp-keys
Attachment:
signature.asc
Description: OpenPGP digital signature
- Re: [cat-users] CAT 1.1 Issues, (continued)
- Re: [cat-users] CAT 1.1 Issues, Stefan Winter, 05/27/2015
- Re: [cat-users] CAT 1.1 Issues, Jacques ROGNIN, 05/28/2015
- Re: [cat-users] CAT 1.1 Issues, Tomasz Wolniewicz, 05/28/2015
- Re: [cat-users] CAT 1.1 Issues, Jacques ROGNIN, 05/28/2015
- Re: [cat-users] CAT 1.1 Issues, Tomasz Wolniewicz, 05/28/2015
- Re: [cat-users] CAT 1.1 Issues, Jacques ROGNIN, 05/28/2015
- Re: [cat-users] CAT 1.1 Issues, Tomasz Wolniewicz, 05/28/2015
- Re: [cat-users] CAT 1.1 Issues, Jacques ROGNIN, 05/28/2015
- Re: [cat-users] CAT 1.1 Issues, Tomasz Wolniewicz, 05/28/2015
- Re: [cat-users] CAT 1.1 Issues, Jacques ROGNIN, 05/28/2015
- Re: [cat-users] CAT 1.1 Issues, Stefan Winter, 05/29/2015
- Re: [cat-users] CAT 1.1 Issues, Jacques ROGNIN, 05/28/2015
- Re: [cat-users] CAT 1.1 Issues, Tomasz Wolniewicz, 05/28/2015
- Re: [cat-users] CAT 1.1 Issues, Jacques ROGNIN, 05/28/2015
- Re: [cat-users] CAT 1.1 Issues, Tomasz Wolniewicz, 05/28/2015
- Re: [cat-users] CAT 1.1 Issues, Jacques ROGNIN, 05/28/2015
- Re: [cat-users] CAT 1.1 Issues, Stefan Winter, 05/27/2015
Archive powered by MHonArc 2.6.19.