cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Michele de Varda <michele.devarda AT unimi.it>
- To: "Ayres G.J." <g.j.ayres AT swansea.ac.uk>
- Cc: "'cat-users AT geant.net'" <cat-users AT geant.net>, "eduroam AT unimi.it" <eduroam AT unimi.it>
- Subject: Re: [cat-users] Impossible to download Windows client
- Date: Thu, 25 Jun 2015 15:44:40 +0200
- List-archive: <http://mail.geant.net/pipermail/cat-users/>
- List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
Hi Gareth,

thank you for your answer.

In the RADIUS server we installed both the server certificate (our eap.conf file is attached):

[root@nekkar Verisign-Cert]# openssl x509 -noout -text -in eduroam_unimi_it.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 35:b3:75:3d:94:03:f3:cb:e6:44:a1:bc:9d:bb:1a:ed
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
        Validity
            Not Before: Mar 2 00:00:00 2015 GMT
            Not After : Mar 2 23:59:59 2017 GMT
        Subject: C=IT, ST=Milano, L=Milano, O=Universita' degli Studi di Milano, OU=Div. Telecomunicazioni, CN=eduroam.unimi.it
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit).........

and chain file certificate:

[root@nekkar Verisign-Cert]# openssl x509 -noout -text -in eduroam_chain.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 51:3f:b9:74:38:70:b7:34:40:41:8d:30:93:06:99:ff
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Validity
            Not Before: Oct 31 00:00:00 2013 GMT
            Not After : Oct 30 23:59:59 2023 GMT
        Subject: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit).......

Also in the CAT configuration we put the root certificate and the chain file (see attached screenshot). Initially in the CAT conf we put only the root certificate and it worked fine only with Windows and iOS, but didn't work with Mac OS X, so we put the chain CA file.

Do you have any suggestions?

Thank you again,
Michele

On 06/25/2015 02:41 PM, Ayres G.J. wrote:
Hi,
I have tested your eap-config and it looks like it parses OK, and installs a Verisign CA Cert:

CERT Subject=CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Is this the correct CA cert you have configured in your radius setup?
You have a certificate chain present, so you need to ensure your radius server is sending the intermediates. I think you can test this via cat.eduroam.org site using the realm check. Can you test this please?
Thanks, Gareth Ayres.
From: Michele de Varda [mailto:michele.devarda AT unimi.it]

Today the Windows CAT download for Univ. degli Studi di Milano seems ok.

On 06/24/2015 05:12 PM, Michele de Varda wrote:

--
Michele de Varda
Università degli Studi di Milano
Divisione Telecomunicazioni
via G. Colombo 46
20133 Milano
Tel. 02 50315306
##
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
## $Id$
eap eap-personale {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048
    tls {
        certdir = ${confdir}/certs/Verisign-Cert
        cadir = ${confdir}/certs/Verisign-Cert
        private_key_password = **********
        private_key_file = ${certdir}/private.pem
        certificate_file = ${certdir}/eduroam_unimi_it.crt
        CA_file = ${cadir}/eduroam_chain.crt
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
    }
    ttls {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-personale-inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-personale-inner-tunnel"
    }
    mschapv2 {
    }
}
eap eap-unimi {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048
    tls {
        certdir = ${confdir}/certs/Verisign-Cert
        cadir = ${confdir}/certs/Verisign-Cert
        private_key_password = *********
        private_key_file = ${certdir}/private.pem
        certificate_file = ${certdir}/eduroam_unimi_it.crt
        CA_file = ${cadir}/eduroam_chain.crt
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
    }
    ttls {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-unimi-inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-unimi-inner-tunnel"
    }
    mschapv2 {
    }
}
Attachment:
CAT_conf.jpg
Description: JPEG image
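
The chain question raised in this message (a client that trusts only the root installed by CAT can validate the server certificate only if the RADIUS server also sends the intermediate) can be reproduced offline with the openssl CLI. This is an added example, not part of the original thread: it builds a constructed three-level test PKI with made-up names (Example Root CA, Example Intermediate CA, radius.example.org) and checks both the issuer/subject linkage and the two verification outcomes.

```shell
#!/bin/sh
# Added example: constructed test PKI (root -> intermediate -> server), made-up names.
set -eu
dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT

issue() {  # issue <name> <CN> <CA:TRUE|CA:FALSE> [issuer]; no issuer = self-signed
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$dir/$1.key" -out "$dir/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,%s\n' "$3" > "$dir/$1.ext"
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$dir/$1.csr" -CA "$dir/$4.crt" -CAkey "$dir/$4.key" \
      -set_serial 1 -days 2 -extfile "$dir/$1.ext" -out "$dir/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$dir/$1.csr" -signkey "$dir/$1.key" -days 2 \
      -extfile "$dir/$1.ext" -out "$dir/$1.crt" 2>/dev/null
  fi
}

# Issuer or subject DN of a certificate, printed in one stable format.
name_of() {  # name_of <issuer|subject> <cert>
  openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# Verify like a supplicant that trusts only the pinned root. The optional third
# argument holds the intermediates the RADIUS server sends in the TLS handshake.
verify_as_client() {  # verify_as_client <root> <server-cert> [sent-intermediates]
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

issue root   "Example Root CA"         CA:TRUE
issue int    "Example Intermediate CA" CA:TRUE  root
issue server "radius.example.org"      CA:FALSE int

echo "server issuer : $(name_of issuer  "$dir/server.crt")"
echo "chain subject : $(name_of subject "$dir/int.crt")"
if verify_as_client "$dir/root.crt" "$dir/server.crt"; then r=OK; else r=FAIL; fi
echo "root pinned, no intermediate sent: $r"
if verify_as_client "$dir/root.crt" "$dir/server.crt" "$dir/int.crt"; then r=OK; else r=FAIL; fi
echo "root pinned, intermediate sent:    $r"
```

With the files named in the message, the same check is verify_as_client with the VeriSign G5 root, eduroam_unimi_it.crt and eduroam_chain.crt; the realm check on cat.eduroam.org mentioned in the reply tests what the live server actually sends.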