The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Stefan Winter <stefan.winter AT restena.lu>]

Hello,

I have just tested your realm against the Verisign root and everything
works just fine.

There is not a single warning or error in the realm checks.

Could you verify if you still have an issue?

Greetings,

Stefan Winter

On 25.06.2015 15:44, Michele de Varda wrote:
> Hi Gareth,
> thank you for your answer.
> 
> In the Radius server we installed  both server certificate (in attach
> our eap.conf file):
> /[root@nekkar Verisign-Cert]# openssl x509  -noout -text -in 
> eduroam_unimi_it.crt //
> //Certificate://
> //    Data://
> //        Version: 3 (0x2)//
> //        Serial Number://
> //            35:b3:75:3d:94:03:f3:cb:e6:44:a1:bc:9d:bb:1a:ed//
> //        Signature Algorithm: sha256WithRSAEncryption//
> //        Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust
> Network, CN=Symantec Class 3 Secure Server CA - G4//
> //        Validity//
> //            Not Before: Mar  2 00:00:00 2015 GMT//
> //            Not After : Mar  2 23:59:59 2017 GMT//
> //        Subject: C=IT, ST=Milano, L=Milano, O=Universita' degli Studi
> di Milano, OU=Div. Telecomunicazioni, CN=eduroam.unimi.it//
> //        Subject Public Key Info://
> //            Public Key Algorithm: rsaEncryption//
> //            RSA Public Key: (2048 bit)//.........
> 
> /and chain file certificate:/
> 
> [root@nekkar Verisign-Cert]# openssl x509  -noout -text -in 
> eduroam_chain.crt
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             51:3f:b9:74:38:70:b7:34:40:41:8d:30:93:06:99:ff
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network,
> OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class
> 3 Public Primary Certification Authority - G5
>         Validity
>             Not Before: Oct 31 00:00:00 2013 GMT
>             Not After : Oct 30 23:59:59 2023 GMT
>         Subject: C=US, O=Symantec Corporation, OU=Symantec Trust
> Network, CN=Symantec Class 3 Secure Server CA - G4
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (2048 bit).......
> 
> Also in the CAT configuration we put root certificate and chain file
> (see attached screenshot). Initially in the cat conf we put only the
> root certificate and it worked fine only with Windows and iOS, but
> didn't work with MAC OS X, so we put the chain ca file./
> //Do you have any suggestions/?
> 
> Thank you again,
> 
> Michele
> 
> /
> 
> 
> On 06/25/2015 02:41 PM, Ayres G.J. wrote:
>>
>> Hi,
>>
>>  
>>
>> I have tested your eap-config and it looks like it parses OK, and
>> installs a Verisign CA Cert:
>>
>> CERT Subject=CN=VeriSign Class 3 Public Primary Certification
>> Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use
>> only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
>>
>> Is this the correct CA cert you have configured in your radius setup?
>>
>>  
>>
>> You have a certificate chain present, so you need to ensure your
>> radius server is sending the intermediates.
>>
>> I think you can test this via cat.eduroam.org site using the realm check.
>>
>> Can you test this please?
>>
>>  
>>
>> Thanks,
>>
>> Gareth Ayres.
>>
>>  
>>
>> *From:*Michele de Varda 
>> [mailto:michele.devarda AT unimi.it]
>> *Sent:* 25 June 2015 12:56
>> *To:* 
>> cat-users AT geant.net
>> *Cc:* Claudio Lori
>> *Subject:* Re: [cat-users] Impossible to download Windows client
>>
>>  
>>
>> Today the Windows CAT download for Univ. degli Studi di Milano seems ok.
>>
>> The configuration for Android is still not working: we tested
>> eduroamCAT app 1.0.16 only with 2 kitkat 4.4 devices and we obtain the
>> RADIUS  TLS error (unknown CA):
>> /Thu Jun 25 13:44:10 2015 : Auth: Login incorrect (TLS Alert
>> read:fatal:unknown CA): 
>> [//michele.devarda AT unimi.it/
>> <mailto:michele.devarda AT unimi.it>/]
>>  (from client IAM2 port 109 cli
>> b4:30:52:28:38:d2)/
>>
>> The CA config. works fine with WIndows, Mac and iOS systems.
>> I attached an app screenshot, I don't know if is it possible copy and
>> past the complete WiFi Logs from EduroamCAT App.
>>
>>
>> Thank you for your support,
>>
>> Michele de Varda
>>
>> On 06/24/2015 05:12 PM, Michele de Varda wrote:
>>
>>     Dear CAT developers,
>>
>>     I'm the CAT admin for Univ. of Milan.
>>     Today I did some tests changing our CA chain because the CAT
>>     Android client doesn't work for our university, this is the RADIUS
>>     log:
>>     /Wed Jun 24 11:33:02 2015 : Auth: Login incorrect (TLS Alert
>>     read:fatal:unknown CA): 
>> [//michele.devarda AT unimi.it/
>>     
>> <mailto:michele.devarda AT unimi.it>/]/
>>
>>     Now we can not download Windows configuration, we receive this
>>     message:
>>     /"This is embarrassing. Generation of your installer failed.
>>     System admins have been notified. We will try to take care of the
>>     problem as soon as possible."/
>>
>>     Can you help us?
>>
>>     Thank you for your great job
>>
>>
>>     Michele de Varda
>>
>>      
>>
>>     Università degli Studi di Milano
>>
>>     Divisione Telecomunicazioni
>>
>>     via G. Colombo 46
>>
>>     20133 Milano
>>
>>     Tel. 02 50315306
>>
> 
> -- 
> Michele de Varda
> 
> Università degli Studi di Milano
> Divisione Telecomunicazioni
> via G. Colombo 46
> 20133 Milano
> Tel. 02 50315306
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature