cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: Sverrir Davíðsson <sverrir AT thekking.is>, eduroam CAT Feedback <cat-users AT lists.geant.org>
- Subject: Re: [[cat-users]] Trooble using Eduroam Installer, help needed
- Date: Mon, 30 Nov 2015 15:00:28 +0100
- Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hi,
ugh. Now this *is* turning into a nicely debug-worthy problem.
Indeed, I can reproduce that CAT thinks the chain is intact. While it's not.
I am still reasonably sure you should exchange the G1 root with the
correct G2.
What I'm puzzled about is only why CAT did not tell you about this. I
have just run an almost identical check on my command-line, and it
rejects the wrong root as it should.
I need to investigate this a bit more...
Greetings,
Stefan
Am 30.11.2015 um 14:29 schrieb Sverrir Davíðsson:
> Hi Stefan
>
> That is the problem, all the realm checks are green !
>
> DNS Checks
>
> Realm is STATIC with no DNS errors encountered.
> Congratulations!
>
> Testing from: *eduroamTL dk*
>
> https://cat.eduroam.org/resources/images/icons/Quetto/check-icon.png
>
>
>
> *Connected to lhi-dc01.lhi.is.*
> elapsed time: 1579 ms.
>
> *Test successful*: a bidirectional RADIUS conversation with multiple
> round-trips was carried out, and ended in an Access-Reject as planned.
>
>
>
>
>
> *Subject:*
>
> /CN=lhi-dc01.lhi.is,OU=Domain Control Validated/
>
> *Issuer:***
>
> /CN=Go Daddy Secure Certificate Authority -
> G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com,
> Inc.,L=Scottsdale,ST=Arizona,C=US/
>
> *Valid from:***
>
> /Wednesday, 11-Nov-2015 15:56:40 GMT/
>
> *Valid to:***
>
> /Sunday, 11-Nov-2018 15:56:40 GMT/
>
> *Serial number:***
>
> /6576733775903857949 (0x5B4540862F101D1D)/
>
> *SHA1 fingerprint:***
>
> /143b37fbbcb865a5410ce7c0b27eaa7b9dc95ca7/
>
> *Extensions***
>
> */basicConstraints: /*/CA:FALSE
> *extendedKeyUsage: *TLS Web Server Authentication, TLS Web Client
> Authentication
> *keyUsage: *Digital Signature, Key Encipherment
> *crlDistributionPoints: *Full Name:
> URI:http://crl.godaddy.com/gdig2s1-152.crl
> *certificatePolicies: *Policy: 2.16.840.1.114413.1.7.23.1 CPS:
> http://certificates.godaddy.com/repository/
> *authorityInfoAccess: *OCSP - URI:http://ocsp.godaddy.com/ CA Issuers -
> URI:http://certificates.godaddy.com/repository/gdig2.crt
> *authorityKeyIdentifier:
> *keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
> *subjectAltName: *DNS:lhi-dc01.lhi.is, DNS:www.lhi-dc01.lhi.is
> *subjectKeyIdentifier:
> *32:AC:33:B8:C5:FF:AE:44:36:24:5F:48:51:A7:41:8B:A4:B5:F7:0D/
>
> */show server certificate details»/*
>
> ------------------------------------------------------------------------
>
> Testing from: *eduroamTL nl*
>
> https://cat.eduroam.org/resources/images/icons/Quetto/check-icon.png
>
>
>
> *Connected to lhi-dc01.lhi.is.*
> elapsed time: 1895 ms.
>
> *Test successful*: a bidirectional RADIUS conversation with multiple
> round-trips was carried out, and ended in an Access-Reject as planned.
>
>
>
>
>
> *Subject:*
>
> /CN=lhi-dc01.lhi.is,OU=Domain Control Validated/
>
> *Issuer:***
>
> /CN=Go Daddy Secure Certificate Authority -
> G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com,
> Inc.,L=Scottsdale,ST=Arizona,C=US/
>
> *Valid from:***
>
> /Wednesday, 11-Nov-2015 15:56:40 GMT/
>
> *Valid to:***
>
> /Sunday, 11-Nov-2018 15:56:40 GMT/
>
> *Serial number:***
>
> /6576733775903857949 (0x5B4540862F101D1D)/
>
> *SHA1 fingerprint:***
>
> /143b37fbbcb865a5410ce7c0b27eaa7b9dc95ca7/
>
> *Extensions***
>
> */basicConstraints: /*/CA:FALSE
> *extendedKeyUsage: *TLS Web Server Authentication, TLS Web Client
> Authentication
> *keyUsage: *Digital Signature, Key Encipherment
> *crlDistributionPoints: *Full Name:
> URI:http://crl.godaddy.com/gdig2s1-152.crl
> *certificatePolicies: *Policy: 2.16.840.1.114413.1.7.23.1 CPS:
> http://certificates.godaddy.com/repository/
> *authorityInfoAccess: *OCSP - URI:http://ocsp.godaddy.com/ CA Issuers -
> URI:http://certificates.godaddy.com/repository/gdig2.crt
> *authorityKeyIdentifier:
> *keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
> *subjectAltName: *DNS:lhi-dc01.lhi.is, DNS:www.lhi-dc01.lhi.is
> *subjectKeyIdentifier:
> *32:AC:33:B8:C5:FF:AE:44:36:24:5F:48:51:A7:41:8B:A4:B5:F7:0D/
>
> */show server certificate details»/*
>
>
>
>
>
> Testing from: eduroamTL dk
>
> PEAP-MSCHAPv2 – elapsed time: 812 ms.
>
>
>
> Testing from: eduroamTL nl
>
> PEAP-MSCHAPv2 – elapsed time: 924 ms.
>
>
>
> Every check on the cat. Eduroam.org has been green, my only problem
> seems to be the installer, can´t get it to work.
>
>
>
> I will take a better look, at the Root CA in the profile.
>
> Another thing I notice was that the field: “Name of authentication
> Server” has to be in lower case. I was getting a server name mismatch if
> I used uppercase in the name. (Fixed)
>
>
>
> Best regards
>
> Sverrir Davíðsson
>
>
>
>
>
> -----Original Message-----
>
> From: Stefan Winter
> [mailto:stefan.winter AT restena.lu]
>
> Sent: mánudagur, 30. nóvember 2015 13:15
>
> To: Sverrir Davíðsson
> <sverrir AT thekking.is>;
> eduroam CAT Feedback
> <cat-users AT lists.geant.org>
>
> Subject: Re: Trooble using Eduroam Installer, help needed
>
>
>
> Hi,
>
>
>
> now I missed my main point. :-/
>
>
>
> I spent some amount of time debugging this for you. I like debugging
> difficult cases, so that's not usually a problem.
>
>
>
> This one however has been turned into automatic check code a long time
> ago. There is a button "realm check" in CAT, and it should yield in
> bright red "X" button style the error that the configured CA does not
> match the server certificate during the actual authentication.
>
>
>
> I'd appreciate if folks could actually use the on-board debugging
> facilities. My bad probably, next time I will bounce problem reports
> with a "have you tried the Check Realm feature" immediately.
>
>
>
> Greetings,
>
>
>
> Stefan Winter
>
>
>
> Am 30.11.2015 um 13:35 schrieb Sverrir Davíðsson:
>
>> Ho Stefan
>
>> Sorry, I must have pressed send to quickly :)
>
>>
>
>> Here are the logs, see attachments
>
>>
>
>> Best regards
>
>> Sverrir Davíðsson
>
>>
>
>> -----Original Message-----
>
>> From: Stefan Winter
>> [mailto:stefan.winter AT restena.lu]
>
>> Sent: mánudagur, 30. nóvember 2015 11:48
>
>> To: Sverrir Davíðsson
>> <sverrir AT thekking.is>;
>> eduroam CAT Feedback
>
>> <cat-users AT lists.geant.org>
>
>> Subject: Re: Trooble using Eduroam Installer, help needed
>
>>
>
>> Hello,
>
>>
>
>>> Hi my name is Sverrir,
>
>>> I have been setting up a IdP for the Iceland Academy of the Arts.
>
>>
>
>> thanks for contacting the list and not me directly.
>
>>
>
>>> Radius Authentication works, but we are unable to us the Installer.
>
>>>
>
>>> I´m having trouble getting the Installer (EXE) setup to work against
>
>>> our SSID.
>
>>>
>
>>> We are able to connect directly to "eduroam" SSID without the use of
>
>>> the Installer, user gets authenticated and connected no problem.
>
>>
>
>> "Connected" is easy. Getting connected *securely*, i.e. with all security
>> checks client-side enabled, is harder.
>
>>
>
>> The installers set all the security parameters. Only once those checks are
>> actually enabled, subtle misconfigurations on the server side will have
>> consequences.
>
>>
>
>>> But when we try to use the Installer, there is something of with the
>
>>> creation of the wifi Profile, users will not get connected and my
>
>>> RADIUS complains about user mismatch.
>
>>>
>
>>> I see that the User Security ID is NULL when using the Installer.
>
>>
>
>> I have no idea what the "User Security ID" is supposed to be?
>
>>
>
>>> I have tested this on both windows 10 and 8,1.
>
>>>
>
>>> I see at the top of the page that CAT vas recently updraded to
>
>>> versions 1.1.1, could that be the root of my problems?
>
>>
>
>> No. We should really remove the MOTD. This version is up since over a
>> month now.
>
>>
>
>>> All attach some more info regarding our Wifi troubles.
>
>>>
>
>>>
>
>>>
>
>>> Radius: Windows Server 2012R2
>
>>>
>
>>> Microsoft: Protected EAP (PEAP)
>
>>>
>
>>> Secure Password (EAP-MSCHAP v2)
>
>>>
>
>>> Cert: Public SSL from GoDaddy
>
>>>
>
>>> AP: Cisco
>
>>
>
>> This setup is as standard as can be and as such is probably not the source
>> of any problem.
>
>>
>
>>> Logs from Radius and Client when Connecting to eduroam
>
>>>
>
>>> Connecting directly to eduroam (Without Installer), See attachement :
>
>>> Eduroam-NonInstaller.txt
>
>>>
>
>>> Connecting to eduroam (With Installer), See attachement :
>
>>> Eduroam-Installer.txt
>
>>
>
>> If you'd attach the log files, we could actually look at them ;-)
>
>>
>
>> Greetings,
>
>>
>
>> Stefan Winter
>
>>
>
>>>
>
>>>
>
>>>
>
>>>
>
>>>
>
>>> Best Regards
>
>>>
>
>>> Sverrir Davíðsson
>
>>>
>
>>>
>
>>>
>
>>> ---------------------------------------------------------------------
>
>>> -
>
>>> -- Skilmálar / Disclaimer <https://www.thekking.is/is/skilmalar>
>
>>
>
>>
>
>> --
>
>> Stefan WINTER
>
>> Ingenieur de Recherche
>
>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale
>
>> et de la Recherche 2, avenue de l'Université
>
>> L-4365 Esch-sur-Alzette
>
>>
>
>> Tel: +352 424409 1
>
>> Fax: +352 422473
>
>>
>
>> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
>
>> recipient's key is known to me
>
>>
>
>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>
>>
>
>
>
>
>
> --
>
> Stefan WINTER
>
> Ingenieur de Recherche
>
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche 2, avenue de l'Université
>
> L-4365 Esch-sur-Alzette
>
>
>
> Tel: +352 424409 1
>
> Fax: +352 422473
>
>
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
>
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Attachment:
0x8A39DC66.asc
Description: application/pgp-keys
Attachment:
signature.asc
Description: OpenPGP digital signature
- [[cat-users]] Trooble using Eduroam Installer, help needed, Sverrir Davíðsson, 11/30/2015
- Re: [[cat-users]] Trooble using Eduroam Installer, help needed, Stefan Winter, 11/30/2015
- RE: [[cat-users]] Trooble using Eduroam Installer, help needed, Sverrir Davíðsson, 11/30/2015
- Re: [[cat-users]] Trooble using Eduroam Installer, help needed, Stefan Winter, 11/30/2015
- Re: [[cat-users]] Trooble using Eduroam Installer, help needed, Stefan Winter, 11/30/2015
- RE: [[cat-users]] Trooble using Eduroam Installer, help needed, Sverrir Davíðsson, 11/30/2015
- Re: [[cat-users]] Trooble using Eduroam Installer, help needed, Stefan Winter, 11/30/2015
- Re: [[cat-users]] Trooble using Eduroam Installer, help needed, A . L . M . Buxey, 11/30/2015
- RE: [[cat-users]] Trooble using Eduroam Installer, help needed, Sverrir Davíðsson, 11/30/2015
- RE: [[cat-users]] Trooble using Eduroam Installer, help needed, Sverrir Davíðsson, 11/30/2015
- Re: [[cat-users]] Trooble using Eduroam Installer, help needed, Stefan Winter, 11/30/2015
Archive powered by MHonArc 2.6.19.