cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: Jacques ROGNIN <rognin AT essec.edu>
- Cc: "cat-users AT geant.net" <cat-users AT geant.net>, "wifi AT csic.es" <wifi AT csic.es>
- Subject: Re: [cat-users] Android issues
- Date: Tue, 02 Jun 2015 13:56:01 +0200
- List-archive: <http://mail.geant.net/pipermail/cat-users/>
- List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
Hello,
indeed, your profile also has more than one CA. We are still investigating. One word though: > Disabling the Cert check by selecting "undefined certificate" on the smartphone is the workaround. This turns off all server-side security checks. It's not a workaround, it's a lobotomisation. You don't need a CAT profile to turn off all security - Android has all security off by default. Greetings, Stefan Winter 2015-06-02 11:01 GMT+02:00 Stefan
Winter <stefan.winter AT restena.lu>:
Hello, both specimen have a CA chain with intermediate CAs, and we had one person report earlier that certificate ordering seemed to be important while it should not. I suspected that the app might load only the first it sees. I now see that the profiles contain all CAs in both recent cases. For SPC, the first CA in the list is an intermediate. If the app loads only that one, verification against the root will of course be impossible. For CSIC, the first CA is the root - so verification should still work *if* the RADIUS server sends the intermediate CA(s) during the EAP handshake. If it does not, there is again no complete chain to the trust root. So: 1) Gareth, could you verify what happens if more than one CA is in a eap-config profile? The app should iterate over all CAs and install all of them, but maybe it does not? 2) Vicente, could you run the realm check and see if you get a warning about intermediate CA not being sent in the EAP exchange? Greetings, Stefan Winter On 02.06.2015 10:41, Vicente Frutos wrote: > > Hi all, > > I have been testing our installers in other devices and I don't have any > problem with iPhone or Mac OS Yosemite. Related to android devices, the > behaviour is strange because I can't connect most of them. > The profile installation is fine, but the device does not connect to the > network. > In some cases, also the "outer identity" is empty. > I am attaching one of our installers to compare. > > Thanks a lot, > Tito > > > El 01/06/15 a las 17:49, Winders, Timothy A escribió: >> XML file as just downloaded from CAT attached. >> >> Thanks! >> >> -- >> Tim Winders >> Associate Dean of Information Technology >> South Plains College >> (806) 716-2369 >> >> From: "Ayres G.J." <g.j.ayres AT swansea.ac.uk >> <mailto:g.j.ayres AT swansea.ac.uk>> >> Date: Monday, June 1, 2015 at 10:39 AM >> To: Timothy Winders <twinders AT southplainscollege.edu >> <mailto:twinders AT southplainscollege.edu>>, 'Vicente Frutos' >> <vfrutos AT soporte.cti.csic.es <mailto:vfrutos AT soporte.cti.csic.es>>, >> "'cat-users AT geant.net <mailto:%27cat-users AT geant.net>'" >> <cat-users AT geant.net <mailto:cat-users AT geant.net>> >> Cc: "'wifi AT csic.es <mailto:%27wifi AT csic.es>'" <wifi AT csic.es >> <mailto:wifi AT csic.es>> >> Subject: RE: [cat-users] Android issues >> >> Hi, >> >> >> >> Can you send me the eap-config file you are using? >> >> >> >> I will test it out then on some of my android devices, to see if I can >> replicate the problem. >> >> >> >> Screen lock with a pin/pattern is an important requirement for the app >> to work, but it should prompt the user if there is none set. >> >> >> >> Thanks, >> >> Gareth. >> >> >> >> *From:*Winders, Timothy A [mailto:twinders AT southplainscollege.edu] >> *Sent:* 01 June 2015 14:14 >> *To:* Ayres G.J.; 'Vicente Frutos'; 'cat-users AT geant.net >> <mailto:%27cat-users AT geant.net>' >> *Cc:* 'wifi AT csic.es <mailto:%27wifi AT csic.es>' >> *Subject:* Re: [cat-users] Android issues >> >> >> >> We have seen similar issues with some Android phones here as well, >> with the CAT 1.1 tool. This doesn’t happen with all the Android >> phones. I have not been able to pinpoint a commonality. I have not >> tried to uncheck the validate CA cert to see if it works. >> >> >> >> free radius reports this error in the log: >> >> >> >> Fri May 29 08:44:35 2015 : Auth: (827270) Login incorrect (eap_peap: >> TLS Alert read:fatal:unknown CA): [XXXXX] (from client lev-wireless1 >> port 13 cli c0-bd-d1-7e-39-a9) >> >> >> >> I sanitized the username in the above log entry. The correct, valid, >> username is displayed in the log file. >> >> >> >> The user does have the CAT configuration tool from the Google Play >> store installed and does have the XML configuration downloaded and >> installed from the CAT site. This particular user is on 5.0 lolipop, >> but I do have another user on 4.4 kitkat. Old devices are not having >> a problem and I don’t believe all 4.x+ devices are having problems. >> >> >> >> -- >> >> Tim Winders >> >> Associate Dean of Information Technology >> >> South Plains College >> >> (806) 716-2369 >> >> >> >> *From: *"Ayres G.J." <g.j.ayres AT swansea.ac.uk >> <mailto:g.j.ayres AT swansea.ac.uk>> >> *Date: *Monday, June 1, 2015 at 5:56 AM >> *To: *'Vicente Frutos' <vfrutos AT soporte.cti.csic.es >> <mailto:vfrutos AT soporte.cti.csic.es>>, "'cat-users AT geant.net >> <mailto:%27cat-users AT geant.net>'" <cat-users AT geant.net >> <mailto:cat-users AT geant.net>> >> *Cc: *"'wifi AT csic.es <mailto:%27wifi AT csic.es>'" <wifi AT csic.es >> <mailto:wifi AT csic.es>> >> *Subject: *Re: [cat-users] Android issues >> >> >> >> Hi, >> >> >> >> Ive not had any issues reported yet, so its great to get feedback. >> >> >> >> Which device type and android version are you having trouble with? >> >> >> >> So the app parses the eap-config file and installs a profile >> correctly, but then fails to connect? >> >> >> >> When you view the profile in androids wifi settings app, what does it >> have set for the CA cert? >> >> >> >> Does it work with a CA cert if you install the cert manually? >> >> >> >> Do you have the server subject name set for CA Cert? If so, what does >> the eduroamCAT app say it has set it to? >> >> And what is it set to in the cert? >> >> >> >> Thanks, >> >> Gareth Ayres. >> >> >> >> >> >> *From:*Vicente Frutos [mailto:vfrutos AT soporte.cti.csic.es] >> *Sent:* 01 June 2015 11:43 >> *To:* cat-users AT geant.net <mailto:cat-users AT geant.net> >> *Cc:* wifi AT csic.es <mailto:wifi AT csic.es> >> *Subject:* [cat-users] Android issues >> >> >> >> >> Hello, >> >> My name is Tito and I am the wireless network administrator for CSIC >> in Spain. >> I am new in this mail list and I must catch up with the emails received. >> In our case, we are having some problems with android devices. >> Basically, the installer does not work correctly and I have to uncheck >> the CA verification to work. >> Obviously, this is not an option. >> I am not sure if there is any reported issue related to this. >> I have tested other installers like W8, iPhone or Mac OS Yosemite and >> they work correctly. >> Any ideas? >> >> Thanks in advance, >> Tito >> >> >> >> >> >> > -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66 Jacques ROGNIN
|
Attachment:
signature.asc
Description: OpenPGP digital signature
- Re: [cat-users] Android issues, (continued)
- Re: [cat-users] Android issues, Winders, Timothy A, 06/01/2015
- Re: [cat-users] Android issues, Ayres G . J ., 06/01/2015
- Re: [cat-users] Android issues, Winders, Timothy A, 06/01/2015
- Re: [cat-users] Android issues, Vicente Frutos, 06/02/2015
- Re: [cat-users] Android issues, Stefan Winter, 06/02/2015
- Re: [cat-users] Android issues, Vicente Frutos, 06/02/2015
- Re: [cat-users] Android issues, Stefan Winter, 06/02/2015
- Re: [cat-users] Android issues, Winders, Timothy A, 06/02/2015
- Re: [cat-users] Android issues, Vicente Frutos, 06/03/2015
- Re: [cat-users] Android issues, Stefan Winter, 06/02/2015
- Re: [cat-users] Android issues, Vicente Frutos, 06/02/2015
- Re: [cat-users] Android issues, Jacques ROGNIN, 06/02/2015
- Re: [cat-users] Android issues, Stefan Winter, 06/02/2015
- Re: [cat-users] Android issues, Jacques ROGNIN, 06/02/2015
- Re: [cat-users] Android issues, Winders, Timothy A, 06/01/2015
- Re: [cat-users] Android issues, Ayres G . J ., 06/01/2015
- Re: [cat-users] Android issues, Winders, Timothy A, 06/01/2015
Archive powered by MHonArc 2.6.19.