cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [cat-users] Impossible to download Windows client

From: Michele de Varda <michele.devarda AT unimi.it>
To: Stefan Winter <stefan.winter AT restena.lu>
Cc: "'cat-users AT geant.net'" <cat-users AT geant.net>, "eduroam AT unimi.it" <eduroam AT unimi.it>
Subject: Re: [cat-users] Impossible to download Windows client
Date: Fri, 26 Jun 2015 13:52:36 +0200
List-archive: <http://mail.geant.net/pipermail/cat-users/>
List-id: "The mailing list for users of the eduroam Configuration Assistant Tool $CAT$" <cat-users.geant.net>

Hi,

On 06/26/2015 12:19 PM, Stefan Winter wrote:

Hi,

The only way for authenticating with Android is configuring manually the
Wi-Fi network with PEAP, MSCHAPv2 and without certificate.

This is NOT the case for other users of the app. Something must be wrong
here.

the APP configure correctly PEAP as EAP method and MSCHAPv2 as Phase 2 Authentication.
In the CA certificate field of my device I found this certificate name (see screenshot):

eduroam_WPA_EAP_PEAP_auth=MSCHAPV2

It is correct? The certificate name should be "VeriSign Class 3 Public Primary Certification Authority - G5"?

In the EduroamCAT debug window I see only the root certificate with
CN=VeriSign Class 3 Public Primary Certification Authority - G5
Is it possible that Android needs to install also the intermediate
cert? The Intermediate cert is present in our CAT config.

The intermediate needs to be present in the EAP conversation. That is,
your RADIUS server needs to send it along with the server certificate.

Where in the FreeRADIUS config did you put the intermediate certificate?

In eap.conf (see attached file)
The name of the intermediate certificate is eduroam_chain.crt

Regards,

Michele

Greetings,

Stefan Winter

Thanks a lot,

Michele

On 06/26/2015 11:17 AM, Stefan Winter wrote:

Hello,

I have just tested your realm against the Verisign root and everything
works just fine.

There is not a single warning or error in the realm checks.

Could you verify if you still have an issue?

Greetings,

Stefan Winter

On 25.06.2015 15:44, Michele de Varda wrote:

Hi Gareth,
thank you for your answer.

In the Radius server we installed both server certificate (in attach
our eap.conf file):
/[root@nekkar Verisign-Cert]# openssl x509 -noout -text -in
eduroam_unimi_it.crt //
//Certificate://
// Data://
// Version: 3 (0x2)//
// Serial Number://
// 35:b3:75:3d:94:03:f3:cb:e6:44:a1:bc:9d:bb:1a:ed//
// Signature Algorithm: sha256WithRSAEncryption//
// Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust
Network, CN=Symantec Class 3 Secure Server CA - G4//
// Validity//
// Not Before: Mar 2 00:00:00 2015 GMT//
// Not After : Mar 2 23:59:59 2017 GMT//
// Subject: C=IT, ST=Milano, L=Milano, O=Universita' degli Studi
di Milano, OU=Div. Telecomunicazioni, CN=eduroam.unimi.it//
// Subject Public Key Info://
// Public Key Algorithm: rsaEncryption//
// RSA Public Key: (2048 bit)//.........

/and chain file certificate:/

[root@nekkar Verisign-Cert]# openssl x509 -noout -text -in
eduroam_chain.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
51:3f:b9:74:38:70:b7:34:40:41:8d:30:93:06:99:ff
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network,
OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class
3 Public Primary Certification Authority - G5
Validity
Not Before: Oct 31 00:00:00 2013 GMT
Not After : Oct 30 23:59:59 2023 GMT
Subject: C=US, O=Symantec Corporation, OU=Symantec Trust
Network, CN=Symantec Class 3 Secure Server CA - G4
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit).......

Also in the CAT configuration we put root certificate and chain file
(see attached screenshot). Initially in the cat conf we put only the
root certificate and it worked fine only with Windows and iOS, but
didn't work with MAC OS X, so we put the chain ca file./
//Do you have any suggestions/?

Thank you again,

Michele

/

On 06/25/2015 02:41 PM, Ayres G.J. wrote:

Hi,

I have tested your eap-config and it looks like it parses OK, and
installs a Verisign CA Cert:

CERT Subject=CN=VeriSign Class 3 Public Primary Certification
Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use
only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Is this the correct CA cert you have configured in your radius setup?

You have a certificate chain present, so you need to ensure your
radius server is sending the intermediates.

I think you can test this via cat.eduroam.org site using the realm check.

Can you test this please?

Thanks,

Gareth Ayres.

*From:*Michele de Varda
[mailto:michele.devarda AT unimi.it]
*Sent:* 25 June 2015 12:56
*To:*
cat-users AT geant.net
*Cc:* Claudio Lori
*Subject:* Re: [cat-users] Impossible to download Windows client

Today the Windows CAT download for Univ. degli Studi di Milano seems ok.

The configuration for Android is still not working: we tested
eduroamCAT app 1.0.16 only with 2 kitkat 4.4 devices and we obtain the
RADIUS TLS error (unknown CA):
/Thu Jun 25 13:44:10 2015 : Auth: Login incorrect (TLS Alert
read:fatal:unknown CA):
[//michele.devarda AT unimi.it/
<mailto:michele.devarda AT unimi.it>/]
(from client IAM2 port 109 cli
b4:30:52:28:38:d2)/

The CA config. works fine with WIndows, Mac and iOS systems.
I attached an app screenshot, I don't know if is it possible copy and
past the complete WiFi Logs from EduroamCAT App.

Thank you for your support,

Michele de Varda

On 06/24/2015 05:12 PM, Michele de Varda wrote:

Dear CAT developers,

I'm the CAT admin for Univ. of Milan.
Today I did some tests changing our CA chain because the CAT
Android client doesn't work for our university, this is the RADIUS
log:
/Wed Jun 24 11:33:02 2015 : Auth: Login incorrect (TLS Alert
read:fatal:unknown CA):
[//michele.devarda AT unimi.it/

<mailto:michele.devarda AT unimi.it>/]/

Now we can not download Windows configuration, we receive this
message:
/"This is embarrassing. Generation of your installer failed.
System admins have been notified. We will try to take care of the
problem as soon as possible."/

Can you help us?

Thank you for your great job

Michele de Varda

Università degli Studi di Milano

Divisione Telecomunicazioni

via G. Colombo 46

20133 Milano

Tel. 02 50315306

--
Michele de Varda

Università degli Studi di Milano
Divisione Telecomunicazioni
via G. Colombo 46
20133 Milano
Tel. 02 50315306

--
Michele de Varda

Università degli Studi di Milano
Divisione Telecomunicazioni
via G. Colombo 46
20133 Milano
Tel. 02 50315306

--
Michele de Varda

Università degli Studi di Milano
Divisione Telecomunicazioni
via G. Colombo 46
20133 Milano
Tel. 02 50315306

Attachment: Screenshot_Android_CA.jpeg
Description: JPEG image

# -*- text -*-
##
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
## $Id$

eap eap-personale {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048

tls {
certdir = ${confdir}/certs/Verisign-Cert
cadir = ${confdir}/certs/Verisign-Cert
private_key_password = **********
private_key_file = ${certdir}/private.pem
certificate_file = ${certdir}/eduroam_unimi_it.crt
CA_file = ${cadir}/eduroam_chain.crt
dh_file = ${certdir}/dh
random_file = /dev/urandom
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
}

ttls {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-personale-inner-tunnel"
}

peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-personale-inner-tunnel"
}

mschapv2 {
}
}

eap eap-unimi {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048

tls {
certdir = ${confdir}/certs/Verisign-Cert
cadir = ${confdir}/certs/Verisign-Cert
private_key_password = *********
private_key_file = ${certdir}/private.pem
certificate_file = ${certdir}/eduroam_unimi_it.crt
CA_file = ${cadir}/eduroam_chain.crt
dh_file = ${certdir}/dh
random_file = /dev/urandom
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
}

ttls {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-unimi-inner-tunnel"
}

peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-unimi-inner-tunnel"
}

mschapv2 {
}
}

[cat-users] Impossible to download Windows client, Michele de Varda, 06/24/2015
- Re: [cat-users] Impossible to download Windows client, Michele de Varda, 06/25/2015
  - Re: [cat-users] Impossible to download Windows client, Ayres G . J ., 06/25/2015
    - Re: [cat-users] Impossible to download Windows client, Michele de Varda, 06/25/2015
      - Re: [cat-users] Impossible to download Windows client, Stefan Winter, 06/26/2015
        
        Re: [cat-users] Impossible to download Windows client, Michele de Varda, 06/26/2015
        
        Re: [cat-users] Impossible to download Windows client, Stefan Winter, 06/26/2015
        
        Re: [cat-users] Impossible to download Windows client, Michele de Varda, 06/26/2015
        Re: [cat-users] Impossible to download Windows client, Stefan Winter, 06/26/2015
        Re: [cat-users] Impossible to download Windows client, Michele de Varda, 06/26/2015
        Re: [cat-users] Impossible to download Windows client, Stefan Winter, 06/26/2015