The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

["Marcin Balcerzyk" <mbalcerzyk AT us.es>]

Dear Stefan 

I attach the original of the explanation of why I cannot authenticate to 
Eduroam via University of Seville. It is in Spanish, and I include the 
corrected automatic translation:

" Although WP 10 says that it supports EAP-TTLS-PAP to authenticate, i.e. 
when the user enters their credentials so that access point starts the 
authentication process, WP10 send them in a format that is not understood by 
the server that has to make the verification, radius server, so it does not 
work, this has nothing to do with the certificate, therefore the problem is 
that your device sends a format that, in theory, should be EAP-TTLS-PAP but 
in reality it is not, we have other devices that send the data correctly and 
that there are no problems. What is the possible solution? Apparently it is 
enough to add PEAP as the authentication protocol, but this solution neither 
is immediate nor easy, because it implies among other things the LDAP 
directory store keys in a different format to which it does it now, what we 
do not know if it is possible; We will investigate it and try if it is 
possible to implement it"

" Estimado Sr., soy Gustavo Rodríguez, responsable del Área de Comunicaciones 
en la que está integrado Daniel Daza con el que ha estado en contacto por los 
problemas de conexión que tiene para acceder a eduroam desde el dispositivo 
que menciona en su correo, voy a intentar resumirle de manera breve las 
razones de esa imposibilidad desde nuestra institución.
Aunque WP 10 dice que soporta EAP-TTLS-PAP para autenticarse, es decir cuando 
el usuario introduce sus credenciales para que el punto de acceso inicie el 
proceso de autenticación, las envía en un formato que no entiende el servidor 
que ha de hacer la verificación, servidor radius, por lo tanto no funciona, 
esto no tiene nada que ver con el certificado, por lo tanto el problema 
radica en que su dispositivo envía un formato que en teoría debería de ser 
EAP-TTLS-PAP pero que en realidad no lo es, tenemos otros dispositivos que lo 
envían correctamente y con los que no hay problemas.
¿Cuál es la posible solución? Aparentemente bastaría con añadir PEAP como 
protocolo de autenticación, pero esta solución ni es inmediata ni es fácil, 
porque implica entre otras cosas que el directorio, LDAP, almacene las claves 
en un formato distinto al que ahora tiene, lo que no sabemos si es posible; 
vamos a investigarlo e intentar si fuera posible su puesta en marcha.

Atentamente.

Gustavo A. Rodríguez.
Dtor. Técnico Área de omunicaciones.
Servicio de Informática y Comunicaciones.
Universidad de Sevilla."


Stefan, I hope the explanation is now much more clear. I am not sure if 
cat.eduroam.org can implement WP10 solution for just several institutions, 
but I assure you that Univesity of Alicante in Spain did it somehow: 
http://si.ua.es/en/wifi/eduroam/peap/eduroam-installation-for-windows-phone-8.html.
 

Waiting for your reply.

Kind regards 

Marcin Balcerzyk, Ph.D.
Unidad Ciclotron,
Centro Nacional de Aceleradores,
Universidad de Sevilla-CSIC-Junta de Andalucia,
Parque Tecnólogico Cartuja 93, 
c/Thomas Alva Edison Nº 7, 
41092 Sevilla (Spain),
Tel.:  (+34)  954 460 553 ext. 226, 
Fax:  (+34)   954 460 145,
mobile:(+34) 697 322 126
Skype: balcerzm



-----Original Message-----
From: Stefan Winter 
[mailto:stefan.winter AT restena.lu]
 
Sent: 22 January 2016 12:52
To: Marcin Balcerzyk 
<mbalcerzyk AT us.es>;
 'Alan Buxey' 
<A.L.M.Buxey AT lboro.ac.uk>;
 
cat-users AT lists.geant.org
Cc: 'Daniel Daza Muñoz' 
<daniel AT us.es>
Subject: Re: [[cat-users]] Installation of Eduroam for Windows Phone 8.1 and 
10

Hello,

> It did not work. This is my local university (University of Seville).  
> I ask IT an person and they said that the way EAP certificate is 
> stored in the directory is incompatible with Windows Phone 10 setting 
> and they do not want to do anything about it (I think that I understood it 
> well).

Well... If they tell you they don't want to make this work for you, then I'm 
not sure how we can be of much help?

I see that their server cert does not contain a Extension CA:FALSE (which 
some OSes seem to like). That would certainly be easy to fix, but only they 
can do that. IF that is the actual issue.

> I tried also logging in with credentials of CSIC.ES and UCM.ES, where 
> I have accounts, hoping for  the authentication slight differences, 
> but non worked. The description of the eduroam settings are here
> 
>  
> 
> UCM.ES: https://www.ucm.es/ssii/eduroam

At least this one has a certificate which is very well-behaved and does not 
raise any warnings. If Windows Phone doesn't like that certificate, then all 
shame is on Windows 10 IMHO.

Your earlier comment on the us.es IT staff seems to indicate that they 
actually know what exactly Windows Phone dislikes about the certificate.
That's great - I don't :-) If you can get the admins to tell us what the 
issue is, we may be able to add checks for that condition in our tools...

> CSIC.ES does not have a clear description of their authentication method.

I have browsed through some documentation on their website and they have 
TTLS-PAP as one supported method; they are using the TCS service for their 
server certificates (just like ucm.es)

> I have found on Spanish Eduroam forum a link to Microsoft that states 
> that EAP-TTLS (PAP) is supported on WP8.1 but it seems it is not:
> https://msdn.microsoft.com/en-us/library/dn643706.aspx.

I don't understand. That article lists TTLS-PAP just fine? But then again, 
why are you now talking about WP 8.1 now? Earlier you say that you have WP 10?

> Any suggestion?

More and clearer information would be nice.

Greetings,

Stefan Winter

> 
>  
> 
> Kind regards
> 
>  
> 
> Marcin Balcerzyk, Ph.D.
> 
> Unidad Ciclotron,
> 
> Centro Nacional de Aceleradores,
> 
> Universidad de Sevilla-CSIC-Junta de Andalucia,
> 
> Parque Tecnólogico Cartuja 93,
> 
> c/Thomas Alva Edison Nº 7,
> 
> 41092 Sevilla (Spain),
> 
> Tel.:  (+34)  954 460 553 ext. 226,
> 
> Fax:  (+34)   954 460 145,
> 
> mobile:(+34) 697 322 126
> 
> Skype: balcerzm
> 
>  
> 
> *From:*Alan Buxey 
> [mailto:A.L.M.Buxey AT lboro.ac.uk]
> *Sent:* sábado, 12 de diciembre de 2015 18:06
> *To:* Marcin Balcerzyk 
> <mbalcerzyk AT us.es>;
>  
> cat-users AT lists.geant.org
> *Subject:* Re: [[cat-users]] Installation of Eduroam for Windows Phone
> 8.1 and 10
> 
>  
> 
> Just install the CA as per your organisation's requirements and then 
> use your username/password as per requirements. It'll work, securely, 
> with no need for CAT App (which is a long long way away)
> 
> alan
> 
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche 2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's 
key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66