cat-users - Re: [[cat-users]] Trooble using Eduroam Installer, help needed

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Sverrir Davíðsson <sverrir AT thekking.is>, eduroam CAT Feedback <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Trooble using Eduroam Installer, help needed
  • Date: Mon, 30 Nov 2015 14:11:49 +0100
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello,

thanks. It looks like the client very rightfully refuses to talk to your
server.

The incoming server certificate in the eduroam production network is:

Subject: OU=Domain Control Validated, CN=lhi-dc01.lhi.is
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc.,
OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate
Authority - G2

But the CA certificate you have uploaded to CAT is:

Subject: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2
Certification Authority

Note how the CAT-configured CA misses the "G2" suffix and is generally
just totally different.

So, you configure devices to trust only CA A, but then during the
authentication you send a certificate issued by CA B.

That's exactly what I meant in my original post - the client-side
security checks are there for a reason, and a failing authentication is
a GoodThing in such cases :-)

You should delete the old CA (no suffix a.k.a. "G1") from the CAT config
and upload the correct one (G2).

Greetings,

Stefan Winter

On 30.11.2015 at 13:35, Sverrir Davíðsson wrote:
> Hi Stefan
> Sorry, I must have pressed send too quickly :)
>
> Here are the logs, see attachments
>
> Best regards
> Sverrir Davíðsson
>
> -----Original Message-----
> From: Stefan Winter
> [mailto:stefan.winter AT restena.lu]
>
> Sent: Monday, 30 November 2015 11:48
> To: Sverrir Davíðsson
> <sverrir AT thekking.is>;
> eduroam CAT Feedback
> <cat-users AT lists.geant.org>
> Subject: Re: Trooble using Eduroam Installer, help needed
>
> Hello,
>
>> Hi my name is Sverrir,
>> I have been setting up an IdP for the Iceland Academy of the Arts.
>
> thanks for contacting the list and not me directly.
>
>> Radius Authentication works, but we are unable to use the Installer.
>>
>> I'm having trouble getting the Installer (EXE) setup to work against
>> our SSID.
>>
>> We are able to connect directly to "eduroam" SSID without the use of
>> the Installer, user gets authenticated and connected no problem.
>
> "Connected" is easy. Getting connected *securely*, i.e. with all security
> checks client-side enabled, is harder.
>
> The installers set all the security parameters. Only once those checks are
> actually enabled, subtle misconfigurations on the server side will have
> consequences.
>
>> But when we try to use the Installer, there is something off with the
>> creation of the wifi Profile, users will not get connected and my
>> RADIUS complains about user mismatch.
>>
>> I see that the User Security ID is NULL when using the Installer.
>
> I have no idea what the "User Security ID" is supposed to be?
>
>> I have tested this on both Windows 10 and 8.1.
>>
>> I see at the top of the page that CAT was recently upgraded to
>> version 1.1.1, could that be the root of my problems?
>
> No. We should really remove the MOTD. This version has been up for over a
> month now.
>
>> I'll attach some more info regarding our Wifi troubles.
>>
>>
>>
>> Radius: Windows Server 2012R2
>>
>> Microsoft: Protected EAP (PEAP)
>>
>> Secure Password (EAP-MSCHAP v2)
>>
>> Cert: Public SSL from GoDaddy
>>
>> AP: Cisco
>
> This setup is as standard as can be and as such is probably not the source
> of any problem.
>
>> Logs from Radius and Client when Connecting to eduroam
>>
>> Connecting directly to eduroam (Without Installer), See attachment :
>> Eduroam-NonInstaller.txt
>>
>> Connecting to eduroam (With Installer), See attachment :
>> Eduroam-Installer.txt
>
> If you'd attach the log files, we could actually look at them ;-)
>
> Greetings,
>
> Stefan Winter
>
>>
>>
>>
>>
>>
>> Best Regards
>>
>> Sverrir Davíðsson
>>
>>
>>
>> ----------------------------------------------------------------------
>> -- Skilmálar / Disclaimer <https://www.thekking.is/is/skilmalar>
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
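
The issuer-versus-trust-anchor comparison made by hand in the reply above, written out as an added example that is not part of the original thread or of CAT. The DN strings are copied from the message; the function names are hypothetical, and the check also follows any intermediate certificates the server sends, which goes beyond the single comparison in the message. Matching names is only the precondition a supplicant checks before verifying signatures, so a match here does not by itself mean the chain validates.

```python
import re

# DN strings copied from the message above, with the line wraps joined.
LEAF_SUBJECT = "OU=Domain Control Validated, CN=lhi-dc01.lhi.is"
LEAF_ISSUER = ("C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., "
               "OU=http://certs.godaddy.com/repository/, "
               "CN=Go Daddy Secure Certificate Authority - G2")
CAT_CA_SUBJECT = ("C=US, O=The Go Daddy Group, Inc., "
                  "OU=Go Daddy Class 2 Certification Authority")

# An attribute begins at the start of the string or after ", " and has the
# form TYPE=...; splitting on bare commas would break "GoDaddy.com, Inc.".
_ATTR = re.compile(r"(?:^|, )([A-Za-z][A-Za-z0-9.]*)=")

def parse_dn(text):
    """Parse a one-line DN into an ordered list of (type, value) pairs."""
    marks = list(_ATTR.finditer(text))
    rdns = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        value = " ".join(text[m.end():end].split()).casefold()
        rdns.append((m.group(1).upper(), value))
    return rdns

def find_anchor(chain, anchors):
    """Follow issuer -> subject links through the certificates the server
    sent (leaf first, as (subject, issuer) pairs) and return the configured
    anchor that names the chain's issuer, or None if no anchor is reached."""
    by_subject = {tuple(parse_dn(s)): tuple(parse_dn(i)) for s, i in chain}
    trusted = {tuple(parse_dn(a)): a for a in anchors}
    issuer = tuple(parse_dn(chain[0][1]))
    seen = set()
    while issuer not in seen:
        if issuer in trusted:
            return trusted[issuer]
        seen.add(issuer)
        if issuer not in by_subject:   # server sent no certificate for it
            return None
        issuer = by_subject[issuer]
    return None                        # loop in the presented chain

def differing_attributes(dn_a, dn_b):
    """Attribute types whose values differ or that appear on one side only."""
    a, b = dict(parse_dn(dn_a)), dict(parse_dn(dn_b))
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))
```

With the values from the message, find_anchor([(LEAF_SUBJECT, LEAF_ISSUER)], [CAT_CA_SUBJECT]) returns None, which is the rejection the client reported.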
