Skip to Content.
Sympa Menu

cat-users - RE: [[cat-users]] Installation of Eduroam for Windows Phone 8.1 and 10

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

RE: [[cat-users]] Installation of Eduroam for Windows Phone 8.1 and 10


Chronological Thread 
  • From: "Marcin Balcerzyk" <mbalcerzyk AT us.es>
  • To: "'Stefan Winter'" <stefan.winter AT restena.lu>
  • Cc: 'Daniel Daza Muñoz' <daniel AT us.es>, "'Alan Buxey'" <A.L.M.Buxey AT lboro.ac.uk>, <cat-users AT lists.geant.org>, "'Gustavo A. Rodriguez'" <gusrodri AT us.es>, 'Carmen Lopez (Nené)' <carmen AT us.es>
  • Subject: RE: [[cat-users]] Installation of Eduroam for Windows Phone 8.1 and 10
  • Date: Mon, 25 Jan 2016 10:29:48 +0100

Dear Stefan

I attach the original of the explanation of why I cannot authenticate to
Eduroam via University of Seville. It is in Spanish, and I include the
corrected automatic translation:

" Although WP 10 says that it supports EAP-TTLS-PAP to authenticate, i.e.
when the user enters their credentials so that access point starts the
authentication process, WP10 send them in a format that is not understood by
the server that has to make the verification, radius server, so it does not
work, this has nothing to do with the certificate, therefore the problem is
that your device sends a format that, in theory, should be EAP-TTLS-PAP but
in reality it is not, we have other devices that send the data correctly and
that there are no problems. What is the possible solution? Apparently it is
enough to add PEAP as the authentication protocol, but this solution neither
is immediate nor easy, because it implies among other things the LDAP
directory store keys in a different format to which it does it now, what we
do not know if it is possible; We will investigate it and try if it is
possible to implement it"

" Estimado Sr., soy Gustavo Rodríguez, responsable del Área de Comunicaciones
en la que está integrado Daniel Daza con el que ha estado en contacto por los
problemas de conexión que tiene para acceder a eduroam desde el dispositivo
que menciona en su correo, voy a intentar resumirle de manera breve las
razones de esa imposibilidad desde nuestra institución.
Aunque WP 10 dice que soporta EAP-TTLS-PAP para autenticarse, es decir cuando
el usuario introduce sus credenciales para que el punto de acceso inicie el
proceso de autenticación, las envía en un formato que no entiende el servidor
que ha de hacer la verificación, servidor radius, por lo tanto no funciona,
esto no tiene nada que ver con el certificado, por lo tanto el problema
radica en que su dispositivo envía un formato que en teoría debería de ser
EAP-TTLS-PAP pero que en realidad no lo es, tenemos otros dispositivos que lo
envían correctamente y con los que no hay problemas.
¿Cuál es la posible solución? Aparentemente bastaría con añadir PEAP como
protocolo de autenticación, pero esta solución ni es inmediata ni es fácil,
porque implica entre otras cosas que el directorio, LDAP, almacene las claves
en un formato distinto al que ahora tiene, lo que no sabemos si es posible;
vamos a investigarlo e intentar si fuera posible su puesta en marcha.

Atentamente.

Gustavo A. Rodríguez.
Dtor. Técnico Área de omunicaciones.
Servicio de Informática y Comunicaciones.
Universidad de Sevilla."


Stefan, I hope the explanation is now much more clear. I am not sure if
cat.eduroam.org can implement WP10 solution for just several institutions,
but I assure you that Univesity of Alicante in Spain did it somehow:
http://si.ua.es/en/wifi/eduroam/peap/eduroam-installation-for-windows-phone-8.html.


Waiting for your reply.

Kind regards

Marcin Balcerzyk, Ph.D.
Unidad Ciclotron,
Centro Nacional de Aceleradores,
Universidad de Sevilla-CSIC-Junta de Andalucia,
Parque Tecnólogico Cartuja 93,
c/Thomas Alva Edison Nº 7,
41092 Sevilla (Spain),
Tel.: (+34) 954 460 553 ext. 226,
Fax: (+34) 954 460 145,
mobile:(+34) 697 322 126
Skype: balcerzm



-----Original Message-----
From: Stefan Winter
[mailto:stefan.winter AT restena.lu]

Sent: 22 January 2016 12:52
To: Marcin Balcerzyk
<mbalcerzyk AT us.es>;
'Alan Buxey'
<A.L.M.Buxey AT lboro.ac.uk>;

cat-users AT lists.geant.org
Cc: 'Daniel Daza Muñoz'
<daniel AT us.es>
Subject: Re: [[cat-users]] Installation of Eduroam for Windows Phone 8.1 and
10

Hello,

> It did not work. This is my local university (University of Seville).
> I ask IT an person and they said that the way EAP certificate is
> stored in the directory is incompatible with Windows Phone 10 setting
> and they do not want to do anything about it (I think that I understood it
> well).

Well... If they tell you they don't want to make this work for you, then I'm
not sure how we can be of much help?

I see that their server cert does not contain a Extension CA:FALSE (which
some OSes seem to like). That would certainly be easy to fix, but only they
can do that. IF that is the actual issue.

> I tried also logging in with credentials of CSIC.ES and UCM.ES, where
> I have accounts, hoping for the authentication slight differences,
> but non worked. The description of the eduroam settings are here
>
>
>
> UCM.ES: https://www.ucm.es/ssii/eduroam

At least this one has a certificate which is very well-behaved and does not
raise any warnings. If Windows Phone doesn't like that certificate, then all
shame is on Windows 10 IMHO.

Your earlier comment on the us.es IT staff seems to indicate that they
actually know what exactly Windows Phone dislikes about the certificate.
That's great - I don't :-) If you can get the admins to tell us what the
issue is, we may be able to add checks for that condition in our tools...

> CSIC.ES does not have a clear description of their authentication method.

I have browsed through some documentation on their website and they have
TTLS-PAP as one supported method; they are using the TCS service for their
server certificates (just like ucm.es)

> I have found on Spanish Eduroam forum a link to Microsoft that states
> that EAP-TTLS (PAP) is supported on WP8.1 but it seems it is not:
> https://msdn.microsoft.com/en-us/library/dn643706.aspx.

I don't understand. That article lists TTLS-PAP just fine? But then again,
why are you now talking about WP 8.1 now? Earlier you say that you have WP 10?

> Any suggestion?

More and clearer information would be nice.

Greetings,

Stefan Winter

>
>
>
> Kind regards
>
>
>
> Marcin Balcerzyk, Ph.D.
>
> Unidad Ciclotron,
>
> Centro Nacional de Aceleradores,
>
> Universidad de Sevilla-CSIC-Junta de Andalucia,
>
> Parque Tecnólogico Cartuja 93,
>
> c/Thomas Alva Edison Nº 7,
>
> 41092 Sevilla (Spain),
>
> Tel.: (+34) 954 460 553 ext. 226,
>
> Fax: (+34) 954 460 145,
>
> mobile:(+34) 697 322 126
>
> Skype: balcerzm
>
>
>
> *From:*Alan Buxey
> [mailto:A.L.M.Buxey AT lboro.ac.uk]
> *Sent:* sábado, 12 de diciembre de 2015 18:06
> *To:* Marcin Balcerzyk
> <mbalcerzyk AT us.es>;
>
> cat-users AT lists.geant.org
> *Subject:* Re: [[cat-users]] Installation of Eduroam for Windows Phone
> 8.1 and 10
>
>
>
> Just install the CA as per your organisation's requirements and then
> use your username/password as per requirements. It'll work, securely,
> with no need for CAT App (which is a long long way away)
>
> alan
>
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la
Recherche 2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's
key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66




Archive powered by MHonArc 2.6.19.

Top of Page