
cat-users - Re: [[cat-users]] Trouble using Eduroam Installer, help needed

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



Re: [[cat-users]] Trouble using Eduroam Installer, help needed


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Sverrir Davíðsson <sverrir AT thekking.is>, eduroam CAT Feedback <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Trouble using Eduroam Installer, help needed
  • Date: Mon, 30 Nov 2015 15:00:28 +0100
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

ugh. Now this *is* turning into a nicely debug-worthy problem.

Indeed, I can reproduce that CAT thinks the chain is intact, while it's not.

I am still reasonably sure you should exchange the G1 root with the
correct G2.

What I'm puzzled about is only why CAT did not tell you about this. I
have just run an almost identical check on my command-line, and it
rejects the wrong root as it should.

I need to investigate this a bit more...

Greetings,

Stefan


On 30.11.2015 at 14:29, Sverrir Davíðsson wrote:
> Hi Stefan
>
> That is the problem, all the realm checks are green !
>
> DNS Checks
>
> Realm is STATIC with no DNS errors encountered.
> Congratulations!
>
> Testing from: eduroamTL dk
>
> Connected to lhi-dc01.lhi.is.
> elapsed time: 1579 ms.
>
> Test successful: a bidirectional RADIUS conversation with multiple
> round-trips was carried out, and ended in an Access-Reject as planned.
>
> Subject: CN=lhi-dc01.lhi.is,OU=Domain Control Validated
> Issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US
> Valid from: Wednesday, 11-Nov-2015 15:56:40 GMT
> Valid to: Sunday, 11-Nov-2018 15:56:40 GMT
> Serial number: 6576733775903857949 (0x5B4540862F101D1D)
> SHA1 fingerprint: 143b37fbbcb865a5410ce7c0b27eaa7b9dc95ca7
>
> Extensions
> basicConstraints: CA:FALSE
> extendedKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication
> keyUsage: Digital Signature, Key Encipherment
> crlDistributionPoints: Full Name: URI:http://crl.godaddy.com/gdig2s1-152.crl
> certificatePolicies: Policy: 2.16.840.1.114413.1.7.23.1 CPS: http://certificates.godaddy.com/repository/
> authorityInfoAccess: OCSP - URI:http://ocsp.godaddy.com/ CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
> authorityKeyIdentifier: keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
> subjectAltName: DNS:lhi-dc01.lhi.is, DNS:www.lhi-dc01.lhi.is
> subjectKeyIdentifier: 32:AC:33:B8:C5:FF:AE:44:36:24:5F:48:51:A7:41:8B:A4:B5:F7:0D
>
>
> ------------------------------------------------------------------------
>
> Testing from: eduroamTL nl
>
> Connected to lhi-dc01.lhi.is.
> elapsed time: 1895 ms.
>
> Test successful: a bidirectional RADIUS conversation with multiple
> round-trips was carried out, and ended in an Access-Reject as planned.
>
> Subject: CN=lhi-dc01.lhi.is,OU=Domain Control Validated
> Issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US
> Valid from: Wednesday, 11-Nov-2015 15:56:40 GMT
> Valid to: Sunday, 11-Nov-2018 15:56:40 GMT
> Serial number: 6576733775903857949 (0x5B4540862F101D1D)
> SHA1 fingerprint: 143b37fbbcb865a5410ce7c0b27eaa7b9dc95ca7
>
> Extensions
> basicConstraints: CA:FALSE
> extendedKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication
> keyUsage: Digital Signature, Key Encipherment
> crlDistributionPoints: Full Name: URI:http://crl.godaddy.com/gdig2s1-152.crl
> certificatePolicies: Policy: 2.16.840.1.114413.1.7.23.1 CPS: http://certificates.godaddy.com/repository/
> authorityInfoAccess: OCSP - URI:http://ocsp.godaddy.com/ CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
> authorityKeyIdentifier: keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
> subjectAltName: DNS:lhi-dc01.lhi.is, DNS:www.lhi-dc01.lhi.is
> subjectKeyIdentifier: 32:AC:33:B8:C5:FF:AE:44:36:24:5F:48:51:A7:41:8B:A4:B5:F7:0D
>
>
>
>
>
>
> Testing from: eduroamTL dk
>
> PEAP-MSCHAPv2 – elapsed time: 812 ms.
>
>
>
> Testing from: eduroamTL nl
>
> PEAP-MSCHAPv2 – elapsed time: 924 ms.
>
>
>
> Every check on cat.eduroam.org has been green; my only problem
> seems to be the installer, I can't get it to work.
>
>
>
> I will take a better look at the Root CA in the profile.
>
> Another thing I noticed was that the field "Name of authentication
> Server" has to be in lower case. I was getting a server name mismatch if
> I used uppercase in the name. (Fixed)
>
>
>
> Best regards
>
> Sverrir Davíðsson
>
>
>
>
>
> -----Original Message-----
>
> From: Stefan Winter
> [mailto:stefan.winter AT restena.lu]
>
> Sent: Monday, 30 November 2015 13:15
>
> To: Sverrir Davíðsson
> <sverrir AT thekking.is>;
> eduroam CAT Feedback
> <cat-users AT lists.geant.org>
>
> Subject: Re: Trouble using Eduroam Installer, help needed
>
>
>
> Hi,
>
>
>
> now I missed my main point. :-/
>
>
>
> I spent some amount of time debugging this for you. I like debugging
> difficult cases, so that's not usually a problem.
>
>
>
> This one however has been turned into automatic check code a long time
> ago. There is a button "realm check" in CAT, and it should yield in
> bright red "X" button style the error that the configured CA does not
> match the server certificate during the actual authentication.
>
>
>
> I'd appreciate it if folks could actually use the on-board debugging
> facilities. My bad probably; next time I will bounce problem reports
> with a "have you tried the Check Realm feature" immediately.
>
>
>
> Greetings,
>
>
>
> Stefan Winter
>
>
>
> On 30.11.2015 at 13:35, Sverrir Davíðsson wrote:
>
>> Hi Stefan
>
>> Sorry, I must have pressed send too quickly :)
>
>>
>
>> Here are the logs, see attachments
>
>>
>
>> Best regards
>
>> Sverrir Davíðsson
>
>>
>
>> -----Original Message-----
>
>> From: Stefan Winter
>> [mailto:stefan.winter AT restena.lu]
>
>> Sent: Monday, 30 November 2015 11:48
>
>> To: Sverrir Davíðsson
>> <sverrir AT thekking.is>;
>> eduroam CAT Feedback
>
>> <cat-users AT lists.geant.org>
>
>> Subject: Re: Trouble using Eduroam Installer, help needed
>
>>
>
>> Hello,
>
>>
>
>>> Hi my name is Sverrir,
>
>>> I have been setting up an IdP for the Iceland Academy of the Arts.
>
>>
>
>> thanks for contacting the list and not me directly.
>
>>
>
>>> Radius Authentication works, but we are unable to use the Installer.
>
>>>
>
>>> I´m having trouble getting the Installer (EXE) setup to work against
>
>>> our SSID.
>
>>>
>
>>> We are able to connect directly to "eduroam" SSID without the use of
>
>>> the Installer, user gets authenticated and connected no problem.
>
>>
>
>> "Connected" is easy. Getting connected *securely*, i.e. with all security
>> checks client-side enabled, is harder.
>
>>
>
>> The installers set all the security parameters. Only once those checks are
>> actually enabled, subtle misconfigurations on the server side will have
>> consequences.
>
>>
>
>>> But when we try to use the Installer, there is something off with the
>
>>> creation of the wifi Profile, users will not get connected and my
>
>>> RADIUS complains about user mismatch.
>
>>>
>
>>> I see that the User Security ID is NULL when using the Installer.
>
>>
>
>> I have no idea what the "User Security ID" is supposed to be?
>
>>
>
>>> I have tested this on both Windows 10 and 8.1.
>
>>>
>
>>> I see at the top of the page that CAT was recently upgraded to
>
>>> version 1.1.1, could that be the root of my problems?
>
>>
>
>> No. We should really remove the MOTD. This version has been up for over a
>> month now.
>
>>
>
>>> I'll attach some more info regarding our Wifi troubles.
>
>>>
>
>>>
>
>>>
>
>>> Radius: Windows Server 2012R2
>
>>>
>
>>> Microsoft: Protected EAP (PEAP)
>
>>>
>
>>> Secure Password (EAP-MSCHAP v2)
>
>>>
>
>>> Cert: Public SSL from GoDaddy
>
>>>
>
>>> AP: Cisco
>
>>
>
>> This setup is as standard as can be and as such is probably not the source
>> of any problem.
>
>>
>
>>> Logs from Radius and Client when Connecting to eduroam
>
>>>
>
>>> Connecting directly to eduroam (Without Installer), see attachment:
>
>>> Eduroam-NonInstaller.txt
>
>>>
>
>>> Connecting to eduroam (With Installer), see attachment:
>
>>> Eduroam-Installer.txt
>
>>
>
>> If you'd attach the log files, we could actually look at them ;-)
>
>>
>
>> Greetings,
>
>>
>
>> Stefan Winter
>
>>
>
>>>
>
>>>
>
>>>
>
>>>
>
>>>
>
>>> Best Regards
>
>>>
>
>>> Sverrir Davíðsson
>
>>>
>
>>>
>
>>>
>
>>> ----------------------------------------------------------------------
>
>>> -- Terms / Disclaimer <https://www.thekking.is/is/skilmalar>
>
>>
>
>>
>
>> --
>
>> Stefan WINTER
>
>> Ingenieur de Recherche
>
>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale
>
>> et de la Recherche 2, avenue de l'Université
>
>> L-4365 Esch-sur-Alzette
>
>>
>
>> Tel: +352 424409 1
>
>> Fax: +352 422473
>
>>
>
>> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
>
>> recipient's key is known to me
>
>>
>
>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>
>>
>
>
>
>
>
> --
>
> Stefan WINTER
>
> Ingenieur de Recherche
>
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche 2, avenue de l'Université
>
> L-4365 Esch-sur-Alzette
>
>
>
> Tel: +352 424409 1
>
> Fax: +352 422473
>
>
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
>
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
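The core of the thread is the check CAT's "realm check" and a correctly configured supplicant both perform: the server certificate, together with the intermediate the RADIUS server sends, must chain to the single root CA configured in the profile, and a profile that names the wrong root (here the GoDaddy G1 root instead of the G2 root that actually issued the chain) must be rejected. The following is an added, self-contained illustration written for this page; it is not code from the thread, from CAT, or from any of the people quoted above. It constructs a throwaway hierarchy (two self-signed roots labelled "G1" and "G2", an intermediate issued by G2 only, and a server certificate issued by that intermediate; the hostname radius.example.edu and all CA names are constructed placeholders) and then verifies the server certificate against each root in turn.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ServerName is a constructed hostname standing in for the IdP's RADIUS server.
const ServerName = "radius.example.edu"

// TestPKI holds the constructed hierarchy: two self-signed roots ("G1" and
// "G2"), an intermediate issued by G2 only, and a server certificate issued
// by that intermediate. Nothing here is a real GoDaddy certificate.
type TestPKI struct {
	RootG1, RootG2, Intermediate, Server *x509.Certificate
}

var serial int64 = 1000

// template returns a certificate template for a CA or a server leaf.
func template(cn string, isCA bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn} // the name the supplicant will match against
	}
	return t
}

// issue creates a certificate from tmpl with a fresh P-256 key. With
// parent == nil the certificate is self-signed; otherwise it is signed by
// parentKey, the parent's private key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildPKI constructs the hierarchy described above.
func BuildPKI() TestPKI {
	g1, _ := issue(template("Constructed Root CA - G1", true), nil, nil)
	g2, g2Key := issue(template("Constructed Root CA - G2", true), nil, nil)
	inter, interKey := issue(template("Constructed Intermediate CA", true), g2, g2Key)
	server, _ := issue(template(ServerName, false), inter, interKey)
	return TestPKI{RootG1: g1, RootG2: g2, Intermediate: inter, Server: server}
}

// VerifyAgainstRoot performs the supplicant-side check: only the given root
// is trusted, the intermediate is taken from what the server would send in
// the TLS handshake, and the expected server name must match a SAN.
// A nil result means the profile's root matches the server's chain.
func VerifyAgainstRoot(p TestPKI, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(p.Intermediate)
	_, err := p.Server.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       ServerName,
	})
	return err
}

func main() {
	p := BuildPKI()
	for _, root := range []*x509.Certificate{p.RootG1, p.RootG2} {
		fmt.Printf("profile trusts %q: ", root.Subject.CommonName)
		if err := VerifyAgainstRoot(p, root); err != nil {
			fmt.Println("REJECTED:", err)
		} else {
			fmt.Println("accepted")
		}
	}
}
```

Run as-is, the G2 root is accepted and the G1 root is rejected with an unknown-authority error, which is the "bright red X" outcome the realm check is expected to report; a client that connects anyway is one whose certificate validation is not enabled, which is the distinction drawn in the thread between "connected" and "connected securely".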



