cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Sverrir Davíðsson <sverrir AT thekking.is>
- To: Stefan Winter <stefan.winter AT restena.lu>, eduroam CAT Feedback <cat-users AT lists.geant.org>
- Subject: RE: [[cat-users]] Trooble using Eduroam Installer, help needed
- Date: Mon, 30 Nov 2015 14:44:52 +0000
- Accept-language: is-IS, en-US
Yes, I was getting baffled.
Well, it seems that the Root itself was not working; as soon as I imported the G2 intermediate Root SSL, it started to work.
See attachment.
All is well now :)
Best regards Sverrir Davíðsson
-----Original Message-----
Hi,
ugh. Now this *is* turning into a nicely debug-worthy problem.
Indeed, I can reproduce that CAT thinks the chain is intact. While it's not.
I am still reasonably sure you should exchange the G1 root with the correct G2.
What I'm puzzled about is only why CAT did not tell you about this. I have just run an almost identical check on my command-line, and it rejects the wrong root as it should.
I need to investigate this a bit more...
Greetings,
Stefan
On 30.11.2015 at 14:29, Sverrir Davíðsson wrote:
> Hi Stefan
>
> That is the problem, all the realm checks are green!
>
> DNS Checks
>
> Realm is STATIC with no DNS errors encountered.
> Congratulations!
>
> Testing from: eduroamTL dk
>
> Connected to lhi-dc01.lhi.is.
> elapsed time: 1579 ms.
>
> Test successful: a bidirectional RADIUS conversation with multiple
> round-trips was carried out, and ended in an Access-Reject as planned.
>
> Subject: CN=lhi-dc01.lhi.is,OU=Domain Control Validated
> Issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US
> Valid from: Wednesday, 11-Nov-2015 15:56:40 GMT
> Valid to: Sunday, 11-Nov-2018 15:56:40 GMT
> Serial number: 6576733775903857949 (0x5B4540862F101D1D)
> SHA1 fingerprint: 143b37fbbcb865a5410ce7c0b27eaa7b9dc95ca7
>
> Extensions
> basicConstraints: CA:FALSE
> extendedKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication
> keyUsage: Digital Signature, Key Encipherment
> crlDistributionPoints: Full Name: URI:http://crl.godaddy.com/gdig2s1-152.crl
> certificatePolicies: Policy: 2.16.840.1.114413.1.7.23.1 CPS: http://certificates.godaddy.com/repository/
> authorityInfoAccess: OCSP - URI:http://ocsp.godaddy.com/ CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
> authorityKeyIdentifier: keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
> subjectAltName: DNS:lhi-dc01.lhi.is, DNS:www.lhi-dc01.lhi.is
> subjectKeyIdentifier: 32:AC:33:B8:C5:FF:AE:44:36:24:5F:48:51:A7:41:8B:A4:B5:F7:0D
>
> Testing from: eduroamTL nl
>
> Connected to lhi-dc01.lhi.is.
> elapsed time: 1895 ms.
>
> Test successful: a bidirectional RADIUS conversation with multiple
> round-trips was carried out, and ended in an Access-Reject as planned.
>
> Subject: CN=lhi-dc01.lhi.is,OU=Domain Control Validated
> Issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US
> Valid from: Wednesday, 11-Nov-2015 15:56:40 GMT
> Valid to: Sunday, 11-Nov-2018 15:56:40 GMT
> Serial number: 6576733775903857949 (0x5B4540862F101D1D)
> SHA1 fingerprint: 143b37fbbcb865a5410ce7c0b27eaa7b9dc95ca7
>
> Extensions
> basicConstraints: CA:FALSE
> extendedKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication
> keyUsage: Digital Signature, Key Encipherment
> crlDistributionPoints: Full Name: URI:http://crl.godaddy.com/gdig2s1-152.crl
> certificatePolicies: Policy: 2.16.840.1.114413.1.7.23.1 CPS: http://certificates.godaddy.com/repository/
> authorityInfoAccess: OCSP - URI:http://ocsp.godaddy.com/ CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
> authorityKeyIdentifier: keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
> subjectAltName: DNS:lhi-dc01.lhi.is, DNS:www.lhi-dc01.lhi.is
> subjectKeyIdentifier: 32:AC:33:B8:C5:FF:AE:44:36:24:5F:48:51:A7:41:8B:A4:B5:F7:0D
>
> Testing from: eduroamTL dk
> PEAP-MSCHAPv2 – elapsed time: 812 ms.
>
> Testing from: eduroamTL nl
> PEAP-MSCHAPv2 – elapsed time: 924 ms.
>
> Every check on cat.eduroam.org has been green, my only problem
> seems to be the installer, can't get it to work.
>
> I will take a better look at the Root CA in the profile.
>
> Another thing I noticed was that the field "Name of authentication
> Server" has to be in lower case. I was getting a server name mismatch
> if I used uppercase in the name. (Fixed)
>
> Best regards
>
> Sverrir Davíðsson
>
> -----Original Message-----
> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
> Sent: Monday, 30 November 2015 13:15
> To: Sverrir Davíðsson <sverrir AT thekking.is>; eduroam CAT Feedback <cat-users AT lists.geant.org>
> Subject: Re: Trooble using Eduroam Installer, help needed
>
> Hi,
>
> now I missed my main point. :-/
>
> I spent some amount of time debugging this for you. I like debugging
> difficult cases, so that's not usually a problem.
>
> This one however has been turned into automatic check code a long time
> ago. There is a button "realm check" in CAT, and it should yield in
> bright red "X" button style the error that the configured CA does not
> match the server certificate during the actual authentication.
>
> I'd appreciate if folks could actually use the on-board debugging
> facilities. My bad probably, next time I will bounce problem reports
> with a "have you tried the Check Realm feature" immediately.
>
> Greetings,
>
> Stefan Winter
>
> On 30.11.2015 at 13:35, Sverrir Davíðsson wrote:
>> Hi Stefan
>> Sorry, I must have pressed send too quickly :)
>>
>> Here are the logs, see attachments
>>
>> Best regards
>> Sverrir Davíðsson
>>
>> -----Original Message-----
>> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
>> Sent: Monday, 30 November 2015 11:48
>> To: Sverrir Davíðsson <sverrir AT thekking.is>; eduroam CAT Feedback <cat-users AT lists.geant.org>
>> Subject: Re: Trooble using Eduroam Installer, help needed
>>
>> Hello,
>>
>>> Hi my name is Sverrir,
>>> I have been setting up an IdP for the Iceland Academy of the Arts.
>>
>> thanks for contacting the list and not me directly.
>>
>>> Radius Authentication works, but we are unable to use the Installer.
>>>
>>> I'm having trouble getting the Installer (EXE) setup to work against
>>> our SSID.
>>>
>>> We are able to connect directly to "eduroam" SSID without the use of
>>> the Installer, user gets authenticated and connected no problem.
>>
>> "Connected" is easy. Getting connected *securely*, i.e. with all security checks client-side enabled, is harder.
>>
>> The installers set all the security parameters. Only once those checks are actually enabled, subtle misconfigurations on the server side will have consequences.
>>
>>> But when we try to use the Installer, there is something off with the
>>> creation of the wifi Profile, users will not get connected and my
>>> RADIUS complains about user mismatch.
>>>
>>> I see that the User Security ID is NULL when using the Installer.
>>
>> I have no idea what the "User Security ID" is supposed to be?
>>
>>> I have tested this on both Windows 10 and 8.1.
>>>
>>> I see at the top of the page that CAT was recently upgraded to
>>> version 1.1.1, could that be the root of my problems?
>>
>> No. We should really remove the MOTD. This version is up since over a month now.
>>
>>> I'll attach some more info regarding our Wifi troubles.
>>>
>>> Radius: Windows Server 2012R2
>>> Microsoft: Protected EAP (PEAP)
>>> Secure Password (EAP-MSCHAP v2)
>>> Cert: Public SSL from GoDaddy
>>> AP: Cisco
>>
>> This setup is as standard as can be and as such is probably not the source of any problem.
>>
>>> Logs from Radius and Client when Connecting to eduroam
>>>
>>> Connecting directly to eduroam (Without Installer), see attachment:
>>> Eduroam-NonInstaller.txt
>>>
>>> Connecting to eduroam (With Installer), see attachment:
>>> Eduroam-Installer.txt
>>
>> If you'd attach the log files, we could actually look at them ;-)
>>
>> Greetings,
>>
>> Stefan Winter
>>
>>> Best Regards
>>>
>>> Sverrir Davíðsson
>>>
>>> -- Skilmálar / Disclaimer <https://www.thekking.is/is/skilmalar>
>>
>> --
>> Stefan WINTER
>> Ingenieur de Recherche
>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
>> 2, avenue de l'Université
>> L-4365 Esch-sur-Alzette
>>
>> Tel: +352 424409 1
>> Fax: +352 422473
>>
>> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
>> recipient's key is known to me
>>
>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
> 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
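Stefan mentions reproducing the chain check on his command line. The script below is an added example, not code from this thread or from CAT: it builds a small constructed PKI with openssl (the names Root-A, Root-B, Intermediate-B and radius.example.test are invented, with Root-A standing in for a stale G1-style root and Root-B for the G2-style root that actually issued the intermediate) and shows that only the anchor the chain really terminates in validates the server certificate, which is the check a supplicant configured by the installer enforces.

```shell
#!/bin/sh
# Added example (not the list's or CAT's own code): constructed PKI to show
# why a profile carrying the wrong root CA fails strict client-side checks.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

make_root() {  # $1 = name; creates a self-signed root CA
  openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

make_signed() {  # $1 = name, $2 = issuer name, $3 = X.509v3 extensions
  printf '%s\n' "$3" > "$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -days 30 -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
}

make_root Root-A                 # the stale root that is NOT in the chain
make_root Root-B                 # the root that really issued the intermediate
make_signed Intermediate-B Root-B "basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign"
make_signed radius.example.test Intermediate-B "basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:radius.example.test"

# The check a supplicant with CA validation enabled performs: does the
# configured trust anchor ($1) validate what the server sends (leaf plus
# intermediate)? Returns 0 when it does, 1 when the anchor does not match.
chain_validates() {  # $1 = trust anchor PEM file
  openssl verify -CAfile "$1" -untrusted Intermediate-B.pem \
    radius.example.test.pem 2>/dev/null | grep -q ': OK$'
}

chain_validates Root-B.pem && echo "Root-B: chain OK (correct anchor)"
chain_validates Root-A.pem || echo "Root-A: chain REJECTED (wrong anchor)"
```

The exit status of chain_validates is the answer a realm check should surface: a rejection with the profile's configured root means clients built from that profile will not authenticate even though a client without CA checks connects fine.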
- RE: [[cat-users]] Trooble using Eduroam Installer, help needed, Sverrir Davíðsson, 11/30/2015
- <Possible follow-up(s)>
- RE: [[cat-users]] Trooble using Eduroam Installer, help needed, Sverrir Davíðsson, 11/30/2015
- Re: [[cat-users]] absence of CAT warnings when root CA does not match, Stefan Winter, 12/01/2015
Archive powered by MHonArc 2.6.19.