cat-users - Re: [cat-users] Android issues

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Vicente Frutos <vfrutos AT soporte.cti.csic.es>
  • To: "Winders, Timothy A" <twinders AT southplainscollege.edu>, Stefan Winter <stefan.winter AT restena.lu>
  • Cc: "cat-users AT geant.net" <cat-users AT geant.net>, "wifi AT csic.es" <wifi AT csic.es>
  • Subject: Re: [cat-users] Android issues
  • Date: Wed, 03 Jun 2015 11:04:16 +0200
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>


Hi all,

I have been testing with affected devices with only the CA certificate and it works.
Then I have added the other certificates and it makes all devices work correctly. I have tested a W8, Mac OS Yosemite, iPhone and Android 4.4.4.
The only problem that I have seen is that some Android devices have the "outer identity" field empty.
I really appreciate your help.

Kind regards,
Tito

 

On 02/06/15 at 14:16, Winders, Timothy A wrote:
I will try to remove the Intermediate from the CAT configuration and try again with the affected Android device today and let you know. It might be a few hours...

---
Tim Winders
Associate Dean of Information Technology
South Plains College
(806) 716-2369

On Jun 2, 2015, at 6:58 AM, Stefan Winter <stefan.winter AT restena.lu> wrote:

Hi,

  I can't see any warning during the test. Here is the screenshot:

   

 I will follow testing with different configurations.

Ah, that's good. Since your server does send the intermediate CA, you could try removing the intermediates from your CAT settings; leaving only the (one) root CA in which is needed.

At that point, please re-try the Android app with that new profile.

Note: I would not suggest the other affected admins to do that /unless/ they also verify that the intermediate CA(s) are sent in EAP.

Greetings,

Stefan Winter


 Thanks,
 Tito

On 02/06/15 at 11:01, Stefan Winter wrote:
Hello,

both specimen have a CA chain with intermediate CAs, and we had one
person report earlier that certificate ordering seemed to be important
while it should not. I suspected that the app might load only the first
it sees.

I now see that the profiles contain all CAs in both recent cases.

For SPC, the first CA in the list is an intermediate. If the app loads
only that one, verification against the root will of course be impossible.

For CSIC, the first CA is the root - so verification should still work
*if* the RADIUS server sends the intermediate CA(s) during the EAP
handshake. If it does not, there is again no complete chain to the trust
root.

So:

1) Gareth, could you verify what happens if more than one CA is in an
eap-config profile? The app should iterate over all CAs and install all
of them, but maybe it does not?

2) Vicente, could you run the realm check and see if you get a warning
about intermediate CA not being sent in the EAP exchange?

Greetings,

Stefan Winter

On 02.06.2015 10:41, Vicente Frutos wrote:
Hi all,

I have been testing our installers on other devices and I don't have any
problem with iPhone or Mac OS Yosemite. Related to Android devices, the
behaviour is strange because I can't connect most of them.
The profile installation is fine, but the device does not connect to the
network.
In some cases, also the "outer identity" is empty.
I am attaching one of our installers to compare.

Thanks a lot,
Tito


On 01/06/15 at 17:49, Winders, Timothy A wrote:
XML file as just downloaded from CAT attached.

Thanks!

-- 
Tim Winders
Associate Dean of Information Technology
South Plains College
(806) 716-2369

From: "Ayres G.J." <g.j.ayres AT swansea.ac.uk>
Date: Monday, June 1, 2015 at 10:39 AM
To: Timothy Winders <twinders AT southplainscollege.edu>, 'Vicente Frutos' <vfrutos AT soporte.cti.csic.es>, "'cat-users AT geant.net'" <cat-users AT geant.net>
Cc: "'wifi AT csic.es'" <wifi AT csic.es>
Subject: RE: [cat-users] Android issues

Hi,

 

Can you send me the eap-config file you are using?

 

I will test it out then on some of my Android devices, to see if I can
replicate the problem.

 

Screen lock with a pin/pattern is an important requirement for the app
to work, but it should prompt the user if there is none set.

 

Thanks,

Gareth.

 

*From:* Winders, Timothy A [mailto:twinders AT southplainscollege.edu]
*Sent:* 01 June 2015 14:14
*To:* Ayres G.J.; 'Vicente Frutos'; 'cat-users AT geant.net'
*Cc:* 'wifi AT csic.es'
*Subject:* Re: [cat-users] Android issues

 

We have seen similar issues with some Android phones here as well,
with the CAT 1.1 tool.  This doesn’t happen with all the Android
phones.  I have not been able to pinpoint a commonality.  I have not
tried to uncheck the validate CA cert to see if it works.

 

FreeRADIUS reports this error in the log:

 

Fri May 29 08:44:35 2015 : Auth: (827270) Login incorrect (eap_peap:
TLS Alert read:fatal:unknown CA): [XXXXX] (from client lev-wireless1
port 13 cli c0-bd-d1-7e-39-a9)

 

I sanitized the username in the above log entry.  The correct, valid,
username is displayed in the log file.

 

The user does have the CAT configuration tool from the Google Play
store installed and does have the XML configuration downloaded and
installed from the CAT site.  This particular user is on 5.0 Lollipop,
but I do have another user on 4.4 KitKat.  Old devices are not having
a problem and I don’t believe all 4.x+ devices are having problems.

 

-- 

Tim Winders

Associate Dean of Information Technology

South Plains College

(806) 716-2369

 

*From:* "Ayres G.J." <g.j.ayres AT swansea.ac.uk>
*Date:* Monday, June 1, 2015 at 5:56 AM
*To:* 'Vicente Frutos' <vfrutos AT soporte.cti.csic.es>, "'cat-users AT geant.net'" <cat-users AT geant.net>
*Cc:* "'wifi AT csic.es'" <wifi AT csic.es>
*Subject:* Re: [cat-users] Android issues

 

Hi,

 

I've not had any issues reported yet, so it's great to get feedback.

 

Which device type and Android version are you having trouble with?

 

So the app parses the eap-config file and installs a profile
correctly, but then fails to connect?

 

When you view the profile in Android's wifi settings app, what does it
have set for the CA cert?

 

Does it work with a CA cert if you install the cert manually?

 

Do you have the server subject name set for CA Cert? If so, what does
the eduroamCAT app say it has set it to?

And what is it set to in the cert?

 

Thanks,

Gareth Ayres.

 

 

*From:* Vicente Frutos [mailto:vfrutos AT soporte.cti.csic.es]
*Sent:* 01 June 2015 11:43
*To:* cat-users AT geant.net
*Cc:* wifi AT csic.es
*Subject:* [cat-users] Android issues

 


Hello,

My name is Tito and I am the wireless network administrator for CSIC
in Spain.
I am new to this mailing list and I must catch up with the emails received.
In our case, we are having some problems with Android devices.
Basically, the installer does not work correctly and I have to uncheck
the CA verification to work.
Obviously, this is not an option.
I am not sure if there is any reported issue related to this.
I have tested other installers like W8, iPhone or Mac OS Yosemite and
they work correctly.
Any ideas?

Thanks in advance,
Tito




 




Attachment: pngtlwxSgwfx3.png
Description: PNG image
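
Added example (not part of the thread, and not code from the eduroamCAT app): a small model of the chain-building cases Stefan Winter describes, showing when a profile's CA order and the RADIUS server's EAP chain leave the client without a path to the trust root. Assumptions: certificates are reduced to constructed (subject, issuer) name pairs, and validation succeeds only when the path ends at a self-signed root among the CAs the client actually installed.

```python
# Added example. Certificates are reduced to (subject, issuer) name pairs;
# all names below are constructed, not taken from either institution's PKI.
ROOT = ("Example Root CA", "Example Root CA")            # self-signed root
INTERMEDIATE = ("Example Intermediate CA", "Example Root CA")
SERVER = ("radius.example.org", "Example Intermediate CA")


def installed_anchors(profile_cas, loads_all):
    """CAs the client trusts after import: the whole profile list, or only
    the first entry (the app behaviour suspected in the thread)."""
    return list(profile_cas) if loads_all else list(profile_cas[:1])


def chain_reaches_root(server_cert, sent_in_eap, anchors):
    """Follow issuer links from the server certificate. Succeed only when the
    walk ends at a self-signed root that is among the installed anchors."""
    pool = {subject: (subject, issuer)
            for subject, issuer in list(sent_in_eap) + list(anchors)}
    trusted_roots = {s for s, i in anchors if s == i}
    current, seen = server_cert, set()
    while current[0] not in seen:            # guard against issuer loops
        seen.add(current[0])
        issuer = current[1]
        if issuer in trusted_roots:
            return True
        if issuer not in pool:
            return False                     # "unknown CA": missing link
        current = pool[issuer]
    return False


def evaluate():
    """Run the cases discussed in the thread; returns {label: bool}."""
    spc = [INTERMEDIATE, ROOT]               # intermediate listed first
    csic = [ROOT, INTERMEDIATE]              # root listed first
    sends, omits = [INTERMEDIATE], []        # what the RADIUS server sends
    cases = {
        "spc_first_only": (spc, False, sends),
        "spc_all_loaded": (spc, True, sends),
        "csic_first_only_sent": (csic, False, sends),
        "csic_first_only_not_sent": (csic, False, omits),
        "root_only_sent": ([ROOT], True, sends),
        "root_only_not_sent": ([ROOT], True, omits),
    }
    return {name: chain_reaches_root(SERVER, eap, installed_anchors(p, all_))
            for name, (p, all_, eap) in cases.items()}


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:26} {'chain OK' if ok else 'unknown CA'}")
```

The root_only rows correspond to the root-only profile Stefan suggests, which is only safe when the server is verified to send its intermediate CA(s) in EAP.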



