
cat-users - Re: [[cat-users]] Issues with most recent CAT (osx/ios)

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Marcus Hansson <marcus.hansson AT hkr.se>
  • To: Stefan Winter <stefan.winter AT restena.lu>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>, Pål Axelsson <pal.axelsson AT hkr.se>
  • Subject: Re: [[cat-users]] Issues with most recent CAT (osx/ios)
  • Date: Fri, 1 Apr 2016 13:31:05 +0000
  • Accept-language: sv-SE, en-US
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass header.i= AT hkrse.onmicrosoft.com
  • Authentication-results: restena.lu; dkim=none (message not signed) header.d=none;restena.lu; dmarc=none action=none header.from=hkr.se;


Hi.
Maybe we misunderstood each other, let me clarify...

The certificate that's presented when connecting on an Apple device is not a
"bogus" certificate.
Rather, it's the "intermediate" certificate in the chain.
While on a PC, the top level root certificate is correctly presented.

In the attached screenshot, you'll see that the highlighted (2nd in line)
certificate is presented on OSX.
While connecting on a PC, the top certificate (1st in line) is the one being
presented to the user.

With that in mind, any idea what may be causing this issue?

/ Marcus






On 2016-04-01 15:11, "Stefan Winter" <stefan.winter AT restena.lu> wrote:

>Hello,
>
>> The problem occurs when the user tries to authenticate on an Apple device.
>> For some reason, the user is presented with a different certificate (not
>> the one in the profile) for the authentication server.
>> Thereby the identity of the authentication server can't be verified.
>
>If your devices get to see a bogus certificate then that's really not
>CAT's fault. In fact, the main purpose of the CAT profiles is to ensure
>that the device *won't* connect in presence of such a bogus cert. An
>alert message is absolutely intentional then.
>
>You should investigate where this incorrect certificate comes from.
>Maybe someone is setting up a rogue access point - and then you should
>be happy that proper CAT profiles prevented this from working for the
>attacker.
>
>> Have you guys updated CAT recently? 'Cause it seems that the latest CAT
>> is incompatible with OSX and iOS.
>
>There were no changes in the last few months.
>
>Greetings,
>
>Stefan Winter
>
>--
>Stefan WINTER
>Ingenieur de Recherche
>Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
>de la Recherche
>2, avenue de l'Université
>L-4365 Esch-sur-Alzette
>
>Tel: +352 424409 1
>Fax: +352 422473
>
>PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
>recipient's key is known to me
>
>http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: CAT_cert.png
Description: CAT_cert.png



