The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Sverrir Davíðsson <sverrir AT thekking.is>]

Hi Stefan

That is the problem, all the realm checks are green !

DNS Checks

                Realm is STATIC with no DNS errors encountered. Congratulations!

Testing from: eduroamTL dk

Connected to lhi-dc01.lhi.is. elapsed time: 1579 ms. Test successful: a bidirectional RADIUS conversation with multiple round-trips was carried out, and ended in an Access-Reject as planned.

Subject: CN=lhi-dc01.lhi.is,OU=Domain Control Validated Issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US Valid from: Wednesday, 11-Nov-2015 15:56:40 GMT Valid to: Sunday, 11-Nov-2018 15:56:40 GMT Serial number: 6576733775903857949 (0x5B4540862F101D1D) SHA1 fingerprint: 143b37fbbcb865a5410ce7c0b27eaa7b9dc95ca7 Extensions basicConstraints: CA:FALSE extendedKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication keyUsage: Digital Signature, Key Encipherment crlDistributionPoints: Full Name: URI:http://crl.godaddy.com/gdig2s1-152.crl certificatePolicies: Policy: 2.16.840.1.114413.1.7.23.1 CPS: http://certificates.godaddy.com/repository/ authorityInfoAccess: OCSP - URI:http://ocsp.godaddy.com/ CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt authorityKeyIdentifier: keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE subjectAltName: DNS:lhi-dc01.lhi.is, DNS:www.lhi-dc01.lhi.is subjectKeyIdentifier: 32:AC:33:B8:C5:FF:AE:44:36:24:5F:48:51:A7:41:8B:A4:B5:F7:0D show server certificate details»

---

Testing from: eduroamTL nl

Connected to lhi-dc01.lhi.is. elapsed time: 1895 ms. Test successful: a bidirectional RADIUS conversation with multiple round-trips was carried out, and ended in an Access-Reject as planned.

Subject: CN=lhi-dc01.lhi.is,OU=Domain Control Validated Issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US Valid from: Wednesday, 11-Nov-2015 15:56:40 GMT Valid to: Sunday, 11-Nov-2018 15:56:40 GMT Serial number: 6576733775903857949 (0x5B4540862F101D1D) SHA1 fingerprint: 143b37fbbcb865a5410ce7c0b27eaa7b9dc95ca7 Extensions basicConstraints: CA:FALSE extendedKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication keyUsage: Digital Signature, Key Encipherment crlDistributionPoints: Full Name: URI:http://crl.godaddy.com/gdig2s1-152.crl certificatePolicies: Policy: 2.16.840.1.114413.1.7.23.1 CPS: http://certificates.godaddy.com/repository/ authorityInfoAccess: OCSP - URI:http://ocsp.godaddy.com/ CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt authorityKeyIdentifier: keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE subjectAltName: DNS:lhi-dc01.lhi.is, DNS:www.lhi-dc01.lhi.is subjectKeyIdentifier: 32:AC:33:B8:C5:FF:AE:44:36:24:5F:48:51:A7:41:8B:A4:B5:F7:0D show server certificate details»

 

 

Testing from: eduroamTL dk

PEAP-MSCHAPv2 – elapsed time: 812 ms.

 

Testing from: eduroamTL nl

PEAP-MSCHAPv2 – elapsed time: 924 ms.

 

Every check on the cat. Eduroam.org has been green, my only problem seems to be the installer, can´t get it to work.

 

I will take a better look, at the Root CA in the profile.

Another thing I notice was that the field: “Name of authentication Server” has to be in lower case. I was getting a server name mismatch if I used uppercase in the name. (Fixed)

 

Best regards

Sverrir Davíðsson

 

 

-----Original Message-----

From: Stefan Winter [mailto:stefan.winter AT restena.lu]

Sent: mánudagur, 30. nóvember 2015 13:15

To: Sverrir Davíðsson <sverrir AT thekking.is>; eduroam CAT Feedback <cat-users AT lists.geant.org>

Subject: Re: Trooble using Eduroam Installer, help needed

 

Hi,

 

now I missed my main point. :-/

 

I spent some amount of time debugging this for you. I like debugging difficult cases, so that's not usually a problem.

 

This one however has been turned into automatic check code a long time ago. There is a button "realm check" in CAT, and it should yield in bright red "X" button style the error that the configured CA does not match the server certificate during the actual authentication.

 

I'd appreciate if folks could actually use the on-board debugging facilities. My bad probably, next time I will bounce problem reports with a "have you tried the Check Realm feature" immediately.

 

Greetings,

 

Stefan Winter

 

Am 30.11.2015 um 13:35 schrieb Sverrir Davíðsson:

> Ho Stefan

> Sorry, I must have pressed send to quickly :)

>

> Here are the logs, see attachments

>

> Best regards

> Sverrir Davíðsson

>

> -----Original Message-----

> From: Stefan Winter [mailto:stefan.winter AT restena.lu]

> Sent: mánudagur, 30. nóvember 2015 11:48

> To: Sverrir Davíðsson <sverrir AT thekking.is>; eduroam CAT Feedback

> <cat-users AT lists.geant.org>

> Subject: Re: Trooble using Eduroam Installer, help needed

>

> Hello,

>

>> Hi my name is Sverrir,

>> I have been setting up a IdP for the Iceland Academy of the Arts.

>

> thanks for contacting the list and not me directly.

>

>> Radius Authentication works, but we are unable to us the Installer.

>> 

>> I´m having trouble getting the Installer (EXE) setup to work against

>> our SSID.

>> 

>> We are able to connect directly to "eduroam" SSID without the use of

>> the Installer, user gets authenticated and connected no problem.

>

> "Connected" is easy. Getting connected *securely*, i.e. with all security checks client-side enabled, is harder.

>

> The installers set all the security parameters. Only once those checks are actually enabled, subtle misconfigurations on the server side will have consequences.

>

>> But when we try to use the Installer, there is something of with the

>> creation of the wifi Profile, users will not get connected and my

>> RADIUS complains about user mismatch.

>> 

>> I see that the User Security ID is NULL when using the Installer.

>

> I have no idea what the "User Security ID" is supposed to be?

>

>> I have tested this on both windows 10 and 8,1.

>> 

>> I see at the top of the page that CAT vas recently updraded to

>> versions 1.1.1, could that be the root of my problems?

>

> No. We should really remove the MOTD. This version is up since over a month now.

>

>> All attach some more info regarding our Wifi troubles.

>> 

>> 

>> 

>> Radius: Windows Server 2012R2

>> 

>> Microsoft: Protected EAP (PEAP)

>> 

>>                 Secure Password (EAP-MSCHAP v2)

>> 

>> Cert: Public SSL from GoDaddy

>> 

>> AP: Cisco

>

> This setup is as standard as can be and as such is probably not the source of any problem.

>

>> Logs from Radius and Client when Connecting to eduroam

>> 

>> Connecting directly to eduroam (Without Installer), See attachement :

>> Eduroam-NonInstaller.txt

>> 

>> Connecting to eduroam (With Installer), See attachement :

>> Eduroam-Installer.txt

>

> If you'd attach the log files, we could actually look at them ;-)

>

> Greetings,

>

> Stefan Winter

>

>> 

>> 

>> 

>> 

>> 

>> Best Regards

>> 

>> Sverrir Davíðsson

>> 

>> 

>> 

>> ---------------------------------------------------------------------

>> -

>> -- Skilmálar / Disclaimer <https://www.thekking.is/is/skilmalar>

>

>

> --

> Stefan WINTER

> Ingenieur de Recherche

> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale

> et de la Recherche 2, avenue de l'Université

> L-4365 Esch-sur-Alzette

>

> Tel: +352 424409 1

> Fax: +352 422473

>

> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the

> recipient's key is known to me

>

> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

>

 

 

--

Stefan WINTER

Ingenieur de Recherche

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université

L-4365 Esch-sur-Alzette

 

Tel: +352 424409 1

Fax: +352 422473

 

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me

 

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66