Re: [cat-users] Impossible to download Windows client

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Michele de Varda <michele.devarda AT unimi.it>
  • Cc: "'cat-users AT geant.net'" <cat-users AT geant.net>, "eduroam AT unimi.it" <eduroam AT unimi.it>
  • Subject: Re: [cat-users] Impossible to download Windows client
  • Date: Fri, 7 Aug 2015 12:35:49 +0200
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

I have taken a look at your server cert in the EAP conversation.

Your server cert:

Subject: C=IT, ST=Milano, L=Milano, O=Universita' degli Studi di Milano,
OU=Div. Telecomunicazioni, CN=eduroam.unimi.it
Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec
Class 3 Secure Server CA - G4

Intermediate:

Subject: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec
Class 3 Secure Server CA - G4
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006
VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary
Certification Authority - G5

And another intermediate:

Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006
VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary
Certification Authority - G5
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
Authority

That's what I got from openssl. It means that the *ROOT CA* which you need to
upload to CAT is the one with

Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
Authority

But you don't have that one in your CAT config! So, the correct root does not
get installed, and Android rightfully rejects the server cert.

You can get your correct root CA file from here it seems:

https://www.symantec.com/page.jsp?id=roots

Specifically:
https://www.symantec.com/content/en/us/enterprise/verisign/roots/Class-3-Public-Primary-Certification-Authority.pem

You should delete the blue circle "R" marked certificate from your CAT
config, and replace it with the real root.

I admit that this makes me a bit confused. First of all, CAT interprets the
last intermediate ("... G5") both as a root and an intermediate certificate.
Did you upload two different PEM files for the same CA? Can you send me the
PEM files? The version that is coming in with EAP is clearly an intermediate,
and lacks the root as can be seen above.

My (currently wild) guess is that most devices consider the ... G5 thing a
root and can then make a chain from that "root" via the G4 cert to your
server cert. Android though considers the G5 one an intermediate, and lacks
the root.

Greetings,

Stefan Winter

On 07.08.2015 12:02, Michele de Varda wrote:
> Dear cat-users support,
>
> I did other tests with CAT on Android systems.
> Currently on the RADIUS server we have a certificate chain like this
> (attached file RADIUS_certificate):
>
> RADIUS server certificate
> intermediate chain
>
> On the CAT configuration we put (attached file CAT_certificate_conf.jpg) :
>
> ROOT_CA
> intermediate chain
>
> With this configuration all platforms are working fine (Windows, iOS,
> Mac OS X) but Android still doesn't work. The only way to make the Android
> CAT configuration work is to set the "CA certificate" field to the
> "not specified" option.
> Are there other institutions with the same issue? Is it possible to show
> only working configurations on the CAT download page and hide the others?
>
> Thank you so much,
>
> Michele de Varda
>
> Università degli Studi di Milano
> Divisione Telecomunicazioni
> via G. Colombo 46
> 20133 Milano
> Tel. 02 50315306
>
> On 06/26/2015 05:57 PM, Stefan Winter wrote:
>> Hello,
>>
>>> thank you for your good suggestion.
>>> I commented out the ca_file directive in eap.conf; you are right:
>>> we don't use client certificates.
>>> I appended the chain certificate to the server certificate as you
>>> suggested but unfortunately Android systems don't complete the auth.
>>> transaction and I have the same error:
>>>
>>> Fri Jun 26 15:57:15 2015 : Auth: Login incorrect (TLS Alert
>>> read:fatal:unknown CA): [michele.devarda AT unimi.it]
>>> (from client IAM4 port 109 cli b4:30:52:28:38:d2)
>>>
>>> Do I have to put only root CA in the cat configuration?
>>
>> The root is sufficient, so long as you send the intermediate CA in the
>> EAP conversation (which is obviously not happening, and is the problem
>> here).
>>
>>> There may be another configuration problem in our RADIUS conf?
>>
>> Well there is always a chance that I got it wrong and you have to put
>> intermediate *first* in the file, and server cert second. :-)
>>
>> Does the realm check say anything about intermediate certs not
>> available in the EAP conversation?
>>
>>> The next two weeks I will be on holiday :-) We'll be in touch on the
>>> next month.
>>
>> Have fun :-)
>>
>> Stefan
>>
>>>
>>> Thank you so much,
>>>
>>> Michele
>>>
>>>
>>>
>>>
>>> On 06/26/2015 02:37 PM, Stefan Winter wrote:
>>>> Hi again,
>>>>
>>>>>> This is NOT the case for other users of the app. Something must be
>>>>>> wrong
>>>>>> here.
>>>>> the app configures PEAP correctly as the EAP method and MSCHAPv2 as the
>>>>> Phase 2 authentication.
>>>>> In the CA certificate field of my device I found this certificate name
>>>>> (see screenshot):
>>>>>
>>>>> eduroam_WPA_EAP_PEAP_auth=MSCHAPV2
>>>>>
>>>>> Is this correct? Should the certificate name be "VeriSign Class 3 Public
>>>>> Primary Certification Authority - G5"?
>>>> That is correct. The "name" is just a handle for the CA inside the
>>>> device, it has nothing to do with the CN. Welcome to the wonderful world
>>>> of Android :-)
>>>>
>>>>>>> In the EduroamCAT debug window I see only the root certificate with
>>>>>>> CN=VeriSign Class 3 Public Primary Certification Authority - G5
>>>>>>> Is it possible that Android needs to install also the intermediate
>>>>>>> cert? The Intermediate cert is present in our CAT config.
>>>>>> The intermediate needs to be present in the EAP conversation. That is,
>>>>>> your RADIUS server needs to send it along with the server certificate.
>>>>>>
>>>>>> Where in the FreeRADIUS config did you put the intermediate
>>>>>> certificate?
>>>>> In eap.conf (see attached file)
>>>>> The name of the intermediate certificate is eduroam_chain.crt
>>>> There's your problem. ca_file is the wrong parameter. As the FreeRADIUS
>>>> documentation right above that parameter states:
>>>>
>>>> # ALL of the CA's in this list will be trusted
>>>> # to issue client certificates for authentication.
>>>>
>>>> So this is exclusively about EAP-TLS *client* certificates, and has no
>>>> effect for other EAP types like PEAP.
>>>>
>>>> To construct the chain, you need to append the intermediate CA's PEM to
>>>> the same file as your server certificate, i.e. eduroam_unimi_it.crt:
>>>>
>>>> -----BEGIN CERTIFICATE-----
>>>> (server cert)
>>>> -----END CERTIFICATE-----
>>>> -----BEGIN CERTIFICATE-----
>>>> (intermediate CA cert)
>>>> -----END CERTIFICATE-----
>>>>
>>>> And then reload FreeRADIUS. This should cure the problem.
>>>>
>>>> BTW, the realm checks are supposed to detect this condition in UI (so I
>>>> should not need to write lengthy emails). Did you not get a
>>>> warning-level information of sorts "Chain only works when considering
>>>> the CAT config, but not with EAP conversation information. Consider
>>>> adding intermediates in EAP"?
>>>>
>>>> Greetings,
>>>>
>>>> Stefan Winter
>>>>
>>>>> Regards,
>>>>>
>>>>> Michele
>>>>>
>>>>>> Greetings,
>>>>>>
>>>>>> Stefan Winter
>>>>>>
>>>>>>> Thanks a lot,
>>>>>>>
>>>>>>> Michele
>>>>>>>
>>>>>>>
>>>>>>> On 06/26/2015 11:17 AM, Stefan Winter wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I have just tested your realm against the Verisign root and
>>>>>>>> everything
>>>>>>>> works just fine.
>>>>>>>>
>>>>>>>> There is not a single warning or error in the realm checks.
>>>>>>>>
>>>>>>>> Could you verify if you still have an issue?
>>>>>>>>
>>>>>>>> Greetings,
>>>>>>>>
>>>>>>>> Stefan Winter
>>>>>>>>
>>>>>>>> On 25.06.2015 15:44, Michele de Varda wrote:
>>>>>>>>> Hi Gareth,
>>>>>>>>> thank you for your answer.
>>>>>>>>>
>>>>>>>>> On the RADIUS server we installed both the server certificate (our
>>>>>>>>> eap.conf file is attached):
>>>>>>>>> [root@nekkar Verisign-Cert]# openssl x509 -noout -text -in eduroam_unimi_it.crt
>>>>>>>>> Certificate:
>>>>>>>>>     Data:
>>>>>>>>>         Version: 3 (0x2)
>>>>>>>>>         Serial Number:
>>>>>>>>>             35:b3:75:3d:94:03:f3:cb:e6:44:a1:bc:9d:bb:1a:ed
>>>>>>>>>     Signature Algorithm: sha256WithRSAEncryption
>>>>>>>>>         Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
>>>>>>>>>         Validity
>>>>>>>>>             Not Before: Mar  2 00:00:00 2015 GMT
>>>>>>>>>             Not After : Mar  2 23:59:59 2017 GMT
>>>>>>>>>         Subject: C=IT, ST=Milano, L=Milano, O=Universita' degli Studi di Milano, OU=Div. Telecomunicazioni, CN=eduroam.unimi.it
>>>>>>>>>         Subject Public Key Info:
>>>>>>>>>             Public Key Algorithm: rsaEncryption
>>>>>>>>>                 RSA Public Key: (2048 bit) ...
>>>>>>>>>
>>>>>>>>> and the chain file certificate:
>>>>>>>>>
>>>>>>>>> [root@nekkar Verisign-Cert]# openssl x509 -noout -text -in eduroam_chain.crt
>>>>>>>>> Certificate:
>>>>>>>>>     Data:
>>>>>>>>>         Version: 3 (0x2)
>>>>>>>>>         Serial Number:
>>>>>>>>>             51:3f:b9:74:38:70:b7:34:40:41:8d:30:93:06:99:ff
>>>>>>>>>     Signature Algorithm: sha256WithRSAEncryption
>>>>>>>>>         Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
>>>>>>>>>         Validity
>>>>>>>>>             Not Before: Oct 31 00:00:00 2013 GMT
>>>>>>>>>             Not After : Oct 30 23:59:59 2023 GMT
>>>>>>>>>         Subject: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
>>>>>>>>>         Subject Public Key Info:
>>>>>>>>>             Public Key Algorithm: rsaEncryption
>>>>>>>>>                 RSA Public Key: (2048 bit) ...
>>>>>>>>>
>>>>>>>>> Also in the CAT configuration we put the root certificate and the chain
>>>>>>>>> file (see attached screenshot). Initially in the CAT conf we put only the
>>>>>>>>> root certificate and it worked fine only with Windows and iOS, but
>>>>>>>>> didn't work with Mac OS X, so we put the chain CA file.
>>>>>>>>> Do you have any suggestions?
>>>>>>>>>
>>>>>>>>> Thank you again,
>>>>>>>>>
>>>>>>>>> Michele
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 06/25/2015 02:41 PM, Ayres G.J. wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I have tested your eap-config and it looks like it parses OK, and
>>>>>>>>>> installs a Verisign CA Cert:
>>>>>>>>>>
>>>>>>>>>> CERT Subject=CN=VeriSign Class 3 Public Primary Certification
>>>>>>>>>> Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use
>>>>>>>>>> only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
>>>>>>>>>>
>>>>>>>>>> Is this the correct CA cert you have configured in your radius
>>>>>>>>>> setup?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> You have a certificate chain present, so you need to ensure your
>>>>>>>>>> radius server is sending the intermediates.
>>>>>>>>>>
>>>>>>>>>> I think you can test this via cat.eduroam.org site using the
>>>>>>>>>> realm check.
>>>>>>>>>>
>>>>>>>>>> Can you test this please?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Gareth Ayres.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> From: Michele de Varda [mailto:michele.devarda AT unimi.it]
>>>>>>>>>> Sent: 25 June 2015 12:56
>>>>>>>>>> To: cat-users AT geant.net
>>>>>>>>>> Cc: Claudio Lori
>>>>>>>>>> Subject: Re: [cat-users] Impossible to download Windows client
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Today the Windows CAT download for Univ. degli Studi di Milano
>>>>>>>>>> seems ok.
>>>>>>>>>>
>>>>>>>>>> The configuration for Android is still not working: we tested the
>>>>>>>>>> eduroamCAT app 1.0.16 only with 2 KitKat 4.4 devices and we obtain the
>>>>>>>>>> RADIUS TLS error (unknown CA):
>>>>>>>>>> Thu Jun 25 13:44:10 2015 : Auth: Login incorrect (TLS Alert
>>>>>>>>>> read:fatal:unknown CA): [michele.devarda AT unimi.it]
>>>>>>>>>> (from client IAM2 port 109 cli b4:30:52:28:38:d2)
>>>>>>>>>>
>>>>>>>>>> The CA config works fine with Windows, Mac and iOS systems.
>>>>>>>>>> I attached an app screenshot; I don't know if it is possible to copy
>>>>>>>>>> and paste the complete WiFi logs from the EduroamCAT app.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Thank you for your support,
>>>>>>>>>>
>>>>>>>>>> Michele de Varda
>>>>>>>>>>
>>>>>>>>>> On 06/24/2015 05:12 PM, Michele de Varda wrote:
>>>>>>>>>>
>>>>>>>>>> Dear CAT developers,
>>>>>>>>>>
>>>>>>>>>> I'm the CAT admin for Univ. of Milan.
>>>>>>>>>> Today I did some tests changing our CA chain because the CAT
>>>>>>>>>> Android client doesn't work for our university; this is the
>>>>>>>>>> RADIUS log:
>>>>>>>>>> Wed Jun 24 11:33:02 2015 : Auth: Login incorrect (TLS Alert
>>>>>>>>>> read:fatal:unknown CA): [michele.devarda AT unimi.it]
>>>>>>>>>>
>>>>>>>>>> Now we cannot download the Windows configuration; we receive this
>>>>>>>>>> message:
>>>>>>>>>> "This is embarrassing. Generation of your installer failed.
>>>>>>>>>> System admins have been notified. We will try to take care of the
>>>>>>>>>> problem as soon as possible."
>>>>>>>>>>
>>>>>>>>>> Can you help us?
>>>>>>>>>>
>>>>>>>>>> Thank you for your great job
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Michele de Varda
>>>>>>>>>>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's
key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
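The thread's diagnosis rests on three separate checks: is the intermediate present in the bundle the RADIUS server sends, are the certificates in leaf-then-intermediate order, and which CA is the real trust anchor that has to be uploaded to CAT (the issuer of the top-most certificate, which may itself be an intermediate, as with the cross-signed "G5" certificate above). The following script is an added example and is not code from the thread, from CAT or from FreeRADIUS. It assumes only the openssl command-line tool, builds a constructed three-level hierarchy (Demo Root CA, Demo Issuing CA, radius.example.edu are made-up names), writes the server file in the order Stefan describes, and then runs the checks against that file, against a leaf-only bundle, and with the intermediate mistakenly used as the trust anchor, which reproduces the Android rejection. To run it on a real EAP exchange, replace the constructed bundle with the PEM certificates captured from the realm check or the RADIUS debug output.

```shell
#!/bin/sh
# Added example, not part of the thread: build a throw-away three-level CA
# hierarchy with the openssl CLI, then inspect and verify certificate bundles
# the way the thread does by hand.  Every name below (Demo Root CA, Demo
# Issuing CA, radius.example.edu) is constructed for the demonstration.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <name> <subject> <extfile> [<issuer-name>]; no issuer = self-signed.
make_cert() {
  name=$1; subj=$2; ext=$3; ca=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$ca" ]; then
    openssl x509 -req -sha256 -days 30 -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -sha256 -days 30 -in "$WORK/$name.csr" -CA "$WORK/$ca.pem" \
      -CAkey "$WORK/$ca.key" -CAcreateserial -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

make_demo_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/server.ext"
  make_cert root  "/O=Demo/CN=Demo Root CA"       "$WORK/ca.ext"
  make_cert inter "/O=Demo/CN=Demo Issuing CA"    "$WORK/ca.ext"     root
  make_cert leaf  "/O=Demo/CN=radius.example.edu" "$WORK/server.ext" inter
  # The file FreeRADIUS should serve: server certificate first, intermediate after it.
  cat "$WORK/leaf.pem"  "$WORK/inter.pem" > "$WORK/server_with_chain.pem"
  # The same two certificates in the wrong order, for comparison.
  cat "$WORK/inter.pem" "$WORK/leaf.pem"  > "$WORK/misordered.pem"
}

# split_pem <bundle> <prefix>: writes <prefix>.1, <prefix>.2, ...; prints the count.
split_pem() {
  awk -v p="$2" '/^-----BEGIN CERTIFICATE-----/ {n++} n {print > (p "." n)} END {print n+0}' "$1"
}
# name_of <subject|issuer> <cert.pem>: the DN as an RFC 2253 string.
name_of() { openssl x509 -noout -"$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'; }
count_certs() { split_pem "$1" "$WORK/count"; }

# Walk a bundle as a client does: certificate i must be issued by certificate
# i+1, and the issuer of the last one is the anchor the client has to trust.
# Prints one line per certificate and finally "<ok|misordered>|<required anchor>".
chain_walk() {
  n=$(split_pem "$1" "$WORK/part"); i=1; status=ok; anchor=
  while [ "$i" -le "$n" ]; do
    f="$WORK/part.$i"; subj=$(name_of subject "$f"); iss=$(name_of issuer "$f")
    echo "  [$i] subject: $subj"; echo "      issuer : $iss"
    if [ "$i" -lt "$n" ] && [ "$iss" != "$(name_of subject "$WORK/part.$((i + 1))")" ]; then
      status=misordered
    fi
    anchor=$iss; i=$((i + 1))
  done
  echo "$status|$anchor"
}
chain_status()    { chain_walk "$1" | tail -n 1 | cut -d'|' -f1; }
required_anchor() { chain_walk "$1" | tail -n 1 | cut -d'|' -f2; }

# verify_with_anchor <anchor.pem> <bundle.pem>: validate the first certificate of
# the bundle, offering the remaining ones only as untrusted intermediates.
# openssl, like Android in the thread, insists on reaching a self-signed anchor.
verify_with_anchor() {
  n=$(split_pem "$2" "$WORK/v")
  if [ "$n" -gt 1 ]; then
    : > "$WORK/v.untrusted"; i=2
    while [ "$i" -le "$n" ]; do cat "$WORK/v.$i" >> "$WORK/v.untrusted"; i=$((i + 1)); done
    openssl verify -CAfile "$1" -untrusted "$WORK/v.untrusted" "$WORK/v.1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/v.1" >/dev/null 2>&1
  fi
}

make_demo_chain
echo "Bundle as FreeRADIUS should send it (anchor to upload to CAT is the last issuer):"
chain_walk "$WORK/server_with_chain.pem"
echo "Client trusts the root, server sends leaf + intermediate:"
verify_with_anchor "$WORK/root.pem"  "$WORK/server_with_chain.pem" && echo "  accepted" || echo "  rejected"
echo "Client trusts the root, server sends the leaf only (intermediate missing from EAP):"
verify_with_anchor "$WORK/root.pem"  "$WORK/leaf.pem" && echo "  accepted" || echo "  rejected"
echo "Client was given the intermediate as its 'root' (the CAT config in the thread):"
verify_with_anchor "$WORK/inter.pem" "$WORK/server_with_chain.pem" && echo "  accepted" || echo "  rejected"
```

Two caveats on the design. The ordering check compares RFC 2253 renderings of the names, whereas a real client matches the DER-encoded issuer against the DER-encoded subject, so a bundle that passes here can still fail on a client if the encodings differ; `openssl verify` does the authoritative comparison. And `required_anchor` reports the issuer of whatever the server happens to send last: if the intermediate is missing from the EAP exchange, it names the intermediate's subject, which is exactly how an intermediate ends up being uploaded to CAT as if it were the root.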
