
cat-users - Re: [cat-users] Android issues

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Vicente Frutos <vfrutos AT soporte.cti.csic.es>, "Winders, Timothy A" <twinders AT southplainscollege.edu>, "Ayres G.J." <g.j.ayres AT swansea.ac.uk>, "'cat-users AT geant.net'" <cat-users AT geant.net>
  • Cc: "'wifi AT csic.es'" <wifi AT csic.es>
  • Subject: Re: [cat-users] Android issues
  • Date: Tue, 02 Jun 2015 11:01:40 +0200
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello,

Both specimens have a CA chain with intermediate CAs, and we had one
person report earlier that certificate ordering seemed to be important
while it should not. I suspected that the app might load only the first
it sees.

I now see that the profiles contain all CAs in both recent cases.

For SPC, the first CA in the list is an intermediate. If the app loads
only that one, verification against the root will of course be impossible.

For CSIC, the first CA is the root - so verification should still work
*if* the RADIUS server sends the intermediate CA(s) during the EAP
handshake. If it does not, there is again no complete chain to the trust
root.

So:

1) Gareth, could you verify what happens if more than one CA is in an
eap-config profile? The app should iterate over all CAs and install all
of them, but maybe it does not?

2) Vicente, could you run the realm check and see if you get a warning
about intermediate CA not being sent in the EAP exchange?

Greetings,

Stefan Winter

On 02.06.2015 10:41, Vicente Frutos wrote:
>
> Hi all,
>
> I have been testing our installers in other devices and I don't have any
> problem with iPhone or Mac OS Yosemite. Related to android devices, the
> behaviour is strange because I can't connect most of them.
> The profile installation is fine, but the device does not connect to the
> network.
> In some cases, also the "outer identity" is empty.
> I am attaching one of our installers to compare.
>
> Thanks a lot,
> Tito
>
>
> On 01/06/15 at 17:49, Winders, Timothy A wrote:
>> XML file as just downloaded from CAT attached.
>>
>> Thanks!
>>
>> --
>> Tim Winders
>> Associate Dean of Information Technology
>> South Plains College
>> (806) 716-2369
>>
>> From: "Ayres G.J." <g.j.ayres AT swansea.ac.uk>
>> Date: Monday, June 1, 2015 at 10:39 AM
>> To: Timothy Winders <twinders AT southplainscollege.edu>, 'Vicente Frutos' <vfrutos AT soporte.cti.csic.es>, "'cat-users AT geant.net'" <cat-users AT geant.net>
>> Cc: "'wifi AT csic.es'" <wifi AT csic.es>
>> Subject: RE: [cat-users] Android issues
>>
>> Hi,
>>
>>
>>
>> Can you send me the eap-config file you are using?
>>
>>
>>
>> I will test it out then on some of my android devices, to see if I can
>> replicate the problem.
>>
>>
>>
>> Screen lock with a pin/pattern is an important requirement for the app
>> to work, but it should prompt the user if there is none set.
>>
>>
>>
>> Thanks,
>>
>> Gareth.
>>
>>
>>
>> *From:* Winders, Timothy A [mailto:twinders AT southplainscollege.edu]
>> *Sent:* 01 June 2015 14:14
>> *To:* Ayres G.J.; 'Vicente Frutos'; 'cat-users AT geant.net'
>> *Cc:* 'wifi AT csic.es'
>> *Subject:* Re: [cat-users] Android issues
>>
>>
>>
>> We have seen similar issues with some Android phones here as well,
>> with the CAT 1.1 tool. This doesn’t happen with all the Android
>> phones. I have not been able to pinpoint a commonality. I have not
>> tried to uncheck the validate CA cert to see if it works.
>>
>>
>>
>> FreeRADIUS reports this error in the log:
>>
>>
>>
>> Fri May 29 08:44:35 2015 : Auth: (827270) Login incorrect (eap_peap:
>> TLS Alert read:fatal:unknown CA): [XXXXX] (from client lev-wireless1
>> port 13 cli c0-bd-d1-7e-39-a9)
>>
>>
>>
>> I sanitized the username in the above log entry. The correct, valid,
>> username is displayed in the log file.
>>
>>
>>
>> The user does have the CAT configuration tool from the Google Play
>> store installed and does have the XML configuration downloaded and
>> installed from the CAT site. This particular user is on 5.0 Lollipop,
>> but I do have another user on 4.4 KitKat. Old devices are not having
>> a problem and I don’t believe all 4.x+ devices are having problems.
>>
>>
>>
>> --
>>
>> Tim Winders
>>
>> Associate Dean of Information Technology
>>
>> South Plains College
>>
>> (806) 716-2369
>>
>>
>>
>> *From:* "Ayres G.J." <g.j.ayres AT swansea.ac.uk>
>> *Date:* Monday, June 1, 2015 at 5:56 AM
>> *To:* 'Vicente Frutos' <vfrutos AT soporte.cti.csic.es>, "'cat-users AT geant.net'" <cat-users AT geant.net>
>> *Cc:* "'wifi AT csic.es'" <wifi AT csic.es>
>> *Subject:* Re: [cat-users] Android issues
>>
>>
>>
>> Hi,
>>
>>
>>
>> I've not had any issues reported yet, so it's great to get feedback.
>>
>>
>>
>> Which device type and Android version are you having trouble with?
>>
>>
>>
>> So the app parses the eap-config file and installs a profile
>> correctly, but then fails to connect?
>>
>>
>>
>> When you view the profile in Android's wifi settings app, what does it
>> have set for the CA cert?
>>
>>
>>
>> Does it work with a CA cert if you install the cert manually?
>>
>>
>>
>> Do you have the server subject name set for CA Cert? If so, what does
>> the eduroamCAT app say it has set it to?
>>
>> And what is it set to in the cert?
>>
>>
>>
>> Thanks,
>>
>> Gareth Ayres.
>>
>>
>>
>>
>>
>> *From:* Vicente Frutos [mailto:vfrutos AT soporte.cti.csic.es]
>> *Sent:* 01 June 2015 11:43
>> *To:* cat-users AT geant.net
>> *Cc:* wifi AT csic.es
>> *Subject:* [cat-users] Android issues
>>
>>
>>
>>
>> Hello,
>>
>> My name is Tito and I am the wireless network administrator for CSIC
>> in Spain.
>> I am new in this mail list and I must catch up with the emails received.
>> In our case, we are having some problems with android devices.
>> Basically, the installer does not work correctly and I have to uncheck
>> the CA verification to work.
>> Obviously, this is not an option.
>> I am not sure if there is any reported issue related to this.
>> I have tested other installers like W8, iPhone or Mac OS Yosemite and
>> they work correctly.
>> Any ideas?
>>
>> Thanks in advance,
>> Tito
>>
>>
>>
>>
>>
>>
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
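
Added example, not part of the original message and not code from the eduroamCAT app: a toy model of the two cases described in Stefan Winter's reply above, showing how CA order in the profile and the intermediates sent by the RADIUS server decide whether a chain to the trust root can be built. The certificate names are constructed placeholders, signatures are not checked, and the client policy (the path must end in a self-signed root held in the trust store) is an assumption taken from the reply's reasoning.

```python
# Toy model: a certificate is just (subject, issuer); no real X.509 or signatures.
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer")

# Constructed sample chain (placeholder names, not taken from the thread).
ROOT = Cert("Example Root CA", "Example Root CA")        # self-signed root
INTER = Cert("Example Issuing CA", "Example Root CA")    # intermediate CA
SERVER = Cert("radius.example.org", "Example Issuing CA")


def installed_cas(profile_cas, first_only):
    """CAs the client trusts after importing the profile.

    first_only=True models the suspected behaviour of loading only the
    first CA listed; first_only=False models installing all of them.
    """
    return profile_cas[:1] if first_only else list(profile_cas)


def chain_verifies(server_cert, sent_by_server, trusted):
    """Follow issuer links from the server certificate.

    Succeeds only when the walk reaches a self-signed root that is in the
    client's trust store (assumed client policy).
    """
    pool = {c.subject: c for c in list(sent_by_server) + list(trusted)}
    current, seen = server_cert, set()
    while current.subject not in seen:
        seen.add(current.subject)
        if current.subject == current.issuer:   # reached a root
            return current in trusted
        current = pool.get(current.issuer)
        if current is None:                     # missing link in the chain
            return False
    return False                                # issuer loop, no root found


def scenario(profile_cas, first_only, server_sends_intermediate):
    """Return True when the EAP server certificate would verify."""
    trusted = installed_cas(profile_cas, first_only)
    sent = [INTER] if server_sends_intermediate else []
    return chain_verifies(SERVER, sent, trusted)
```

In this model only two combinations verify: every CA from the profile installed, or the root listed first with the server sending the intermediate during the handshake.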



