
cat-users - Re: [[cat-users]] absence of CAT warnings when root CA does not match

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Sverrir Davíðsson <sverrir AT thekking.is>, eduroam CAT Feedback <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] absence of CAT warnings when root CA does not match
  • Date: Tue, 1 Dec 2015 16:32:06 +0100
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

okay... the mere fact that Windows presents the chain as it does -
placing a root cert as an intermediate under another, unrelated root,
means that something is very odd with the GoDaddy chain.

I'm still investigating why cat.eduroam.org did not warn you about the
chain mismatch. My development machine which runs almost exactly the
same code does warn me.

I'm thinking it may have to do with very subtle version differences of
openssl on my dev vs. the production machine, but I'm still
investigating together with the OT.

Greetings,

Stefan Winter

On 30.11.2015 at 15:44, Sverrir Davíðsson wrote:
> Yes, I was getting baffled.
>
> Well, it seems that the Root itself was not working; as soon as I
> imported the G2 intermediate Root SSL, it started to work.
>
> See attachment.
>
> All is well now :)
>
> Best regards
>
> Sverrir Davíðsson
>
> -----Original Message-----
> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
> Sent: Monday, 30 November 2015 14:00
> To: Sverrir Davíðsson <sverrir AT thekking.is>; eduroam CAT Feedback <cat-users AT lists.geant.org>
> Subject: Re: Trouble using Eduroam Installer, help needed
>
> Hi,
>
> ugh. Now this *is* turning into a nicely debug-worthy problem.
>
> Indeed, I can reproduce that CAT thinks the chain is intact, while it's not.
>
> I am still reasonably sure you should exchange the G1 root with the
> correct G2.
>
> What I'm puzzled about is only why CAT did not tell you about this. I
> have just run an almost identical check on my command-line, and it
> rejects the wrong root as it should.
>
> I need to investigate this a bit more...
>
> Greetings,
>
> Stefan
>
> On 30.11.2015 at 14:29, Sverrir Davíðsson wrote:
>
>> Hi Stefan
>>
>> That is the problem, all the realm checks are green!
>>
>> DNS Checks
>>
>> Realm is STATIC with no DNS errors encountered.
>> Congratulations!
>>
>> Testing from: eduroamTL dk
>>
>> Connected to lhi-dc01.lhi.is.
>> elapsed time: 1579 ms.
>>
>> Test successful: a bidirectional RADIUS conversation with multiple
>> round-trips was carried out, and ended in an Access-Reject as planned.
>>
>> Subject: CN=lhi-dc01.lhi.is,OU=Domain Control Validated
>> Issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US
>> Valid from: Wednesday, 11-Nov-2015 15:56:40 GMT
>> Valid to: Sunday, 11-Nov-2018 15:56:40 GMT
>> Serial number: 6576733775903857949 (0x5B4540862F101D1D)
>> SHA1 fingerprint: 143b37fbbcb865a5410ce7c0b27eaa7b9dc95ca7
>>
>> Extensions
>> basicConstraints: CA:FALSE
>> extendedKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication
>> keyUsage: Digital Signature, Key Encipherment
>> crlDistributionPoints: Full Name: URI:http://crl.godaddy.com/gdig2s1-152.crl
>> certificatePolicies: Policy: 2.16.840.1.114413.1.7.23.1 CPS: http://certificates.godaddy.com/repository/
>> authorityInfoAccess: OCSP - URI:http://ocsp.godaddy.com/ CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
>> authorityKeyIdentifier: keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
>> subjectAltName: DNS:lhi-dc01.lhi.is, DNS:www.lhi-dc01.lhi.is
>> subjectKeyIdentifier: 32:AC:33:B8:C5:FF:AE:44:36:24:5F:48:51:A7:41:8B:A4:B5:F7:0D
>>
>> ------------------------------------------------------------------------
>>
>> Testing from: eduroamTL nl
>>
>> Connected to lhi-dc01.lhi.is.
>> elapsed time: 1895 ms.
>>
>> Test successful: a bidirectional RADIUS conversation with multiple
>> round-trips was carried out, and ended in an Access-Reject as planned.
>>
>> Subject: CN=lhi-dc01.lhi.is,OU=Domain Control Validated
>> Issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US
>> Valid from: Wednesday, 11-Nov-2015 15:56:40 GMT
>> Valid to: Sunday, 11-Nov-2018 15:56:40 GMT
>> Serial number: 6576733775903857949 (0x5B4540862F101D1D)
>> SHA1 fingerprint: 143b37fbbcb865a5410ce7c0b27eaa7b9dc95ca7
>>
>> Extensions
>> basicConstraints: CA:FALSE
>> extendedKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication
>> keyUsage: Digital Signature, Key Encipherment
>> crlDistributionPoints: Full Name: URI:http://crl.godaddy.com/gdig2s1-152.crl
>> certificatePolicies: Policy: 2.16.840.1.114413.1.7.23.1 CPS: http://certificates.godaddy.com/repository/
>> authorityInfoAccess: OCSP - URI:http://ocsp.godaddy.com/ CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
>> authorityKeyIdentifier: keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
>> subjectAltName: DNS:lhi-dc01.lhi.is, DNS:www.lhi-dc01.lhi.is
>> subjectKeyIdentifier: 32:AC:33:B8:C5:FF:AE:44:36:24:5F:48:51:A7:41:8B:A4:B5:F7:0D
>>
>> Testing from: eduroamTL dk
>>
>> PEAP-MSCHAPv2 – elapsed time: 812 ms.
>>
>> Testing from: eduroamTL nl
>>
>> PEAP-MSCHAPv2 – elapsed time: 924 ms.
>>
>> Every check on cat.eduroam.org has been green; my only problem
>> seems to be the installer, can't get it to work.
>>
>> I will take a better look at the Root CA in the profile.
>>
>> Another thing I noticed was that the field "Name of authentication
>> Server" has to be in lower case. I was getting a server name mismatch
>> if I used uppercase in the name. (Fixed)
>>
>> Best regards
>>
>> Sverrir Davíðsson
>>
>> -----Original Message-----
>> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
>> Sent: Monday, 30 November 2015 13:15
>> To: Sverrir Davíðsson <sverrir AT thekking.is>; eduroam CAT Feedback <cat-users AT lists.geant.org>
>> Subject: Re: Trouble using Eduroam Installer, help needed
>>
>> Hi,
>>
>> now I missed my main point. :-/
>>
>> I spent some amount of time debugging this for you. I like debugging
>> difficult cases, so that's not usually a problem.
>>
>> This one however has been turned into automatic check code a long time
>> ago. There is a button "realm check" in CAT, and it should yield in
>> bright red "X" button style the error that the configured CA does not
>> match the server certificate during the actual authentication.
>>
>> I'd appreciate if folks could actually use the on-board debugging
>> facilities. My bad probably, next time I will bounce problem reports
>> with a "have you tried the Check Realm feature" immediately.
>>
>> Greetings,
>>
>> Stefan Winter
>>
>> On 30.11.2015 at 13:35, Sverrir Davíðsson wrote:
>>
>>> Hi Stefan
>>>
>>> Sorry, I must have pressed send too quickly :)
>>>
>>> Here are the logs, see attachments
>>>
>>> Best regards
>>>
>>> Sverrir Davíðsson
>>>
>>> -----Original Message-----
>>> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
>>> Sent: Monday, 30 November 2015 11:48
>>> To: Sverrir Davíðsson <sverrir AT thekking.is>; eduroam CAT Feedback <cat-users AT lists.geant.org>
>>> Subject: Re: Trouble using Eduroam Installer, help needed
>>>
>>> Hello,
>>>
>>>> Hi my name is Sverrir,
>>>> I have been setting up an IdP for the Iceland Academy of the Arts.
>>>
>>> thanks for contacting the list and not me directly.
>>>
>>>> Radius Authentication works, but we are unable to use the Installer.
>>>>
>>>> I'm having trouble getting the Installer (EXE) setup to work against
>>>> our SSID.
>>>>
>>>> We are able to connect directly to "eduroam" SSID without the use of
>>>> the Installer, user gets authenticated and connected no problem.
>>>
>>> "Connected" is easy. Getting connected *securely*, i.e. with all security
>>> checks client-side enabled, is harder.
>>>
>>> The installers set all the security parameters. Only once those checks
>>> are actually enabled, subtle misconfigurations on the server side will
>>> have consequences.
>>>
>>>> But when we try to use the Installer, there is something off with the
>>>> creation of the wifi Profile, users will not get connected and my
>>>> RADIUS complains about user mismatch.
>>>>
>>>> I see that the User Security ID is NULL when using the Installer.
>>>
>>> I have no idea what the "User Security ID" is supposed to be?
>>>
>>>> I have tested this on both Windows 10 and 8.1.
>>>>
>>>> I see at the top of the page that CAT was recently upgraded to
>>>> version 1.1.1, could that be the root of my problems?
>>>
>>> No. We should really remove the MOTD. This version is up since over a
>>> month now.
>>>
>>>> I'll attach some more info regarding our Wifi troubles.
>>>>
>>>> Radius: Windows Server 2012R2
>>>> Microsoft: Protected EAP (PEAP)
>>>> Secure Password (EAP-MSCHAP v2)
>>>> Cert: Public SSL from GoDaddy
>>>> AP: Cisco
>>>
>>> This setup is as standard as can be and as such is probably not the
>>> source of any problem.
>>>
>>>> Logs from Radius and Client when Connecting to eduroam
>>>>
>>>> Connecting directly to eduroam (Without Installer), See attachment:
>>>> Eduroam-NonInstaller.txt
>>>>
>>>> Connecting to eduroam (With Installer), See attachment:
>>>> Eduroam-Installer.txt
>>>
>>> If you'd attach the log files, we could actually look at them ;-)
>>>
>>> Greetings,
>>>
>>> Stefan Winter
>>>
>>>> Best Regards
>>>>
>>>> Sverrir Davíðsson
>>>>
>>>> ---------------------------------------------------------------------
>>>> -- Skilmálar / Disclaimer <https://www.thekking.is/is/skilmalar>
>>>

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
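The check discussed in this thread, a server certificate verified against the trust anchor a profile is configured with and rejected when that anchor is an unrelated root, as an added example that is neither part of this thread nor CAT's own check code. It builds a throwaway PKI with the openssl CLI (two unrelated self-signed roots named "G1" and "G2" as constructed stand-ins for the GoDaddy roots mentioned above, an intermediate under G2, and a server certificate under that intermediate, all with made-up names such as radius.example.org), then runs `openssl verify` once with each root as the anchor. It assumes `openssl` and `mktemp` are available and writes into a temporary directory (override with `WORK=...`).

```shell
#!/bin/sh
# Added example: minimal reproduction of the "configured CA does not match the
# server certificate" check with the openssl CLI. Every certificate below is
# generated here as a placeholder; none of them are GoDaddy's real G1/G2 roots.
set -u

WORK="${WORK:-$(mktemp -d)}"

# Self-signed root. The default openssl.cnf (or the OpenSSL 3 built-in
# defaults) marks a "req -x509" certificate as CA:TRUE.
make_root() { # $1 = file stem, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# Key plus CSR for a certificate that will be signed by another key.
make_csr() { # $1 = file stem, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# Sign a CSR with an issuer; $3 holds the X.509v3 extensions to set.
sign_with() { # $1 = stem to sign, $2 = issuer stem, $3 = extension lines
  printf '%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -days 30 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

build_pki() {
  make_root rootG1 "Example Root CA - G1"   # unrelated root: the wrong anchor
  make_root rootG2 "Example Root CA - G2"   # the root that really issued the chain
  make_csr inter "Example Secure CA - G2"
  sign_with inter rootG2 'basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid'
  make_csr server "radius.example.org"      # constructed RADIUS server name
  sign_with server inter 'basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:radius.example.org
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid'
}

# The actual check: can the server certificate be chained to the trust anchor
# the profile is configured with? The intermediate is offered as untrusted,
# exactly as a RADIUS server would send it. Returns 0 on success, 1 on mismatch.
check_chain() { # $1 = trust anchor stem
  if openssl verify -CAfile "$WORK/$1.pem" -untrusted "$WORK/inter.pem" \
       "$WORK/server.pem" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# Stand-alone run: build the PKI, then try both anchors.
build_pki
for anchor in rootG2 rootG1; do
  if check_chain "$anchor"; then
    echo "$anchor: chain OK"
  else
    echo "$anchor: MISMATCH - configured CA did not issue this server certificate"
  fi
done
```

With G2 as the anchor the chain verifies; with G1 it does not, which is the red "X" result the realm check is meant to show. The same `openssl verify -CAfile <configured root> -untrusted <intermediate> <server cert>` invocation, run against the certificates an actual RADIUS server presents, is a quick way to cross-check a CAT profile's root CA by hand.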

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature



