The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Fabian Mauchle <fabian.mauchle AT switch.ch>]

Hi All,

I got below report from one of our eduroam members about a possible bug in 
Mac OS X El Capitan (and partially Windows 7, but that one is well known). If 
someone of you has contacts at apple, feel free to forward this report.

Best regards,
Fabian

-- 
SWITCH
Fabian Mauchle, Network Engineer
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 30, direct +41 44 268 15 39
fabian.mauchle AT switch.ch,
 www.switch.ch

--

You may be interested to know that we have uncovered a bug in Mac OS X 10.11 
"El Capitan" that will prevent its users to connect to eduroam networks 
backed by mutiple RADIUS servers (iow. whith multiple CNs configured in 
https://cat.eduroam.org).

We have stumbled on this issue while updating our certificate chain and 
switching from a single/indentical certificate installed on all servers to 
individual/per-server certificates:

    server A:
    CN: radius01.idiap.ch
    SubjAltName: DNS:radius01.idiap.ch, DNS:radius.idiap.ch

    server B:
    CN: radius02.idiap.ch
    SubjAltName: DNS:radius02.idiap.ch, DNS:radius.idiap.ch

Problem is actually two-fold:
a. Windows 7 does not honor the "SubjAltName" (when specifying 
"radius.idiap.ch" as sole authentication servers; all other OSs work
b. Mac OS X 10.11 does not honor multiple "Trusted Servers" (when specifying 
"radius01.idiap.ch" AND "radius02.idiap.ch" as authentication servers; all 
other OSs and Max OS X versions work
While a. could somehow be expected/accepted, b. is clearly a bug