
cat-users - Re: [[cat-users]] CAT admin login through social networks

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: "Hadlow, Tim" <Tim.Hadlow AT bl.uk>, "'cat-users AT lists.geant.org'" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] CAT admin login through social networks
  • Date: Fri, 29 Apr 2016 11:02:50 +0200
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

> Using a CAT installer eduroam profile for Windows 8 against our ORPS
> authentication fails. Our ORPS is Microsoft NPS so local authentications
> require what on Android is described as “EAP method: PEAP” and “Phase 2
> authentication: MSCHAPV2”. When successful authentications go through
> they show in the event logs as “Authentication Type: PEAP” and “EAP Type:
> Microsoft Secured Password (EAP-MSCHAP v2)”
>
> Using CAT with the profile setting “Supported EAP types for this
> profile” set to only “PEAP-MSCHAPv2”, the Windows 8 and Windows 10
> installers it generated run quite happily but eduroam connections fail
> with the NPS event log messages showing “Authentication Type: PEAP” and
> “EAP Type: - ”, i.e. the Phase 2 authentication method appears not to be
> being configured.
>
> Can anyone who uses or knows about NPS offer guidance or suggestions on
> the CAT configuration of a profile to work with a Microsoft NPS Radius
> server?

I am by no means an NPS user, far from it. But I think I recall something
on the list in that direction.

I believe the trick is to understand that the log message is quite
misleadingly formulated: the "EAP Type: - " does not mean that a second
phase is not configured; it's rather that the EAP conversation never
proceeded to phase 2, so EAP didn't take place at all.

And that would mean the authentication attempt was aborted in phase 1 -
which is server certificate validation and TLS tunnel setup.

Did you run the "Check realm reachability" with a valid outer ID yet
(Profile -> Realm and Profile -> anonymous outer ID set)? It would fetch
the server certificate and tell you if there's something odd in the
certificate; that would be the most likely reason for failures at that
stage.

Or, I'm completely wrong and am sending you onto the wrong track :-)

Greetings,

Stefan

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature



