
cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

RE: [[cat-users]] CAT admin login through social networks

  • From: "Hadlow, Tim" <Tim.Hadlow AT bl.uk>
  • To: 'Stefan Winter' <stefan.winter AT restena.lu>, "'cat-users AT lists.geant.org'" <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] CAT admin login through social networks
  • Date: Fri, 29 Apr 2016 09:50:00 +0000
  • Accept-language: en-GB, en-US

Thanks Stefan,

Using the 'Check realm reachability' feature and Live login tests with the
'Real (inner) username' and password completed with valid credentials and the
'Anonymous outer ID (optional)' left blank, the test apparently succeeds, and
the NPS logs show PEAP in phase 1 and 'Microsoft: Secured password
(EAP-MSCHAP v2)' in phase 2. The test does note that we are using a wildcard
server certificate and "This can be problematic on some supplicants", so I did
a bit more Googling and found a reference stating "The downside of wildcard
certificate is that they are not currently supported by Microsoft Windows
802.1X supplicants". I haven't yet been able to verify that, but it would fit
with your idea that it is actually the phase 1 server certificate validation
that is the problem. I'll try to get the server manager to replace the
certificate and have another go then.

Thanks,

Tim
-----Original Message-----
From: Stefan Winter [mailto:stefan.winter AT restena.lu]
Sent: 29 April 2016 10:03
To: Hadlow, Tim; 'cat-users AT lists.geant.org'
Subject: Re: [[cat-users]] CAT admin login through social networks

Hi,

> Using a CAT installer eduroam profile for Windows 8 against our ORPS
> authentication fails. Our ORPS is Microsoft NPS so local
> authentications require what on Android is described as “EAP method:
> PEAP” and “Phase 2 authentication: MSCHAPV2”. When successful
> authentications go through they show in the event logs as
> “Authentication Type: PEAP” and “EAP Type: Microsoft Secured Password
> (EAP-MSCHAP v2)”
>
> Using CAT with the profile setting “Supported EAP types for this
> profile” set to only “PEAP-MSCHAPv2”, the Windows 8 and Windows 10
> installers it generated run quite happily but eduroam connections fail
> with the NPS event log messages showing “Authentication Type: PEAP”
> and “EAP Type: - ”, i.e. the Phase 2 authentication method appears not
> to be being configured.
>
> Can anyone who uses or knows about NPS offer guidance or suggestions
> on the CAT configuration of a profile to work with a Microsoft NPS
> RADIUS server?

I am by no means an NPS user, far from it. But I think I recall something on
the list in that direction.

I believe the trick is to understand that the log message is quite
misleadingly formulated: the "EAP Type: - " does not mean that a second phase
is not configured; it's rather that the EAP conversation never proceeded to
phase 2, so EAP didn't take place at all.

And that would mean the authentication attempt was aborted in phase 1 - which
is server certificate validation and TLS tunnel setup.

Did you run the "Check realm reachability" with a valid outer ID yet (Profile
-> Realm and Profile -> anonymous outer ID set)? It would fetch the server
certificate and tell you if there's something odd in the certificate; that
would be the most likely reason for failures at that stage.

Or, I'm completely wrong and am sending you onto the wrong track :-)

Greetings,

Stefan

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's
key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
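The reachability test's wildcard warning and Stefan's point that an empty "EAP Type" in the NPS log means phase 1 never completed both come down to what the supplicant sees in the RADIUS server's certificate. As an added example (not code from this thread, from CAT or from NPS), the following stdlib-only Python check inspects a certificate in the dictionary form that Python's ssl.getpeercert() returns and reports what an eduroam admin would want to know before pushing a profile: wildcard names in CN or SAN, whether the server name the profile pins is present as an exact name, and the validity window. The certificates, names and finding texts are constructed for the example; how you obtain the real certificate dictionary (getpeercert() on a TLS session, or converting a PEM file with a parser of your choice) is outside this block.

```python
import ssl
import time
from typing import Dict, List, Optional, Tuple

# Constructed sample certificates in the shape ssl.SSLSocket.getpeercert()
# returns. The names are hypothetical and belong to no real institution.
WILDCARD_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("organizationName", "Example University"),),
        (("commonName", "*.example.ac.uk"),),
    ),
    "subjectAltName": (("DNS", "*.example.ac.uk"), ("DNS", "example.ac.uk")),
    "notBefore": "Apr 29 00:00:00 2016 GMT",
    "notAfter": "Apr 29 00:00:00 2017 GMT",
}

DEDICATED_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("organizationName", "Example University"),),
        (("commonName", "radius.example.ac.uk"),),
    ),
    "subjectAltName": (("DNS", "radius.example.ac.uk"),),
    "notBefore": "Apr 29 00:00:00 2016 GMT",
    "notAfter": "Apr 29 00:00:00 2017 GMT",
}


def at_time(cert_time: str) -> int:
    """Convert a getpeercert()-style timestamp ('Apr 29 00:00:00 2017 GMT')
    to seconds since the epoch, using the stdlib parser for that format."""
    return ssl.cert_time_to_seconds(cert_time)


def server_names(cert: Dict) -> List[Tuple[str, str]]:
    """Collect every name the certificate claims: ('CN', value) from the
    subject and ('SAN', value) for each dNSName in subjectAltName."""
    names: List[Tuple[str, str]] = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(("CN", value))
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(("SAN", value))
    return names


def check_eap_server_cert(cert: Dict, expected_name: str,
                          now: Optional[float] = None) -> List[str]:
    """Return a list of findings for a RADIUS/EAP server certificate.

    expected_name is the server name the supplicant profile is configured
    to accept. An empty list means nothing of concern was found."""
    if now is None:
        now = time.time()
    findings: List[str] = []
    names = server_names(cert)

    # 1. Wildcard names: the CAT reachability test warns about these because
    #    some supplicants do not accept them for EAP server validation.
    for where, value in names:
        if value.startswith("*."):
            findings.append(f"wildcard name in {where}: {value}")

    # 2. The pinned server name should appear literally, not only through a
    #    wildcard match, so that strict supplicants can validate phase 1.
    if expected_name not in [value for _, value in names]:
        findings.append(
            f"expected server name {expected_name!r} not present as an exact name")

    # 3. Validity window: an expired certificate also aborts phase 1.
    not_after = cert.get("notAfter")
    if not_after:
        expires = at_time(not_after)
        if expires < now:
            findings.append(f"certificate expired on {not_after}")
        elif expires - now < 30 * 86400:
            findings.append(f"certificate expires within 30 days ({not_after})")
    return findings


if __name__ == "__main__":
    as_of = at_time("May 01 00:00:00 2016 GMT")  # constructed 'now'
    for label, cert in (("wildcard", WILDCARD_CERT), ("dedicated", DEDICATED_CERT)):
        result = check_eap_server_cert(cert, "radius.example.ac.uk", now=as_of)
        print(f"{label}: {result or ['no findings']}")
```

Run against the constructed wildcard certificate the check reports both wildcard names and the missing exact server name; the dedicated certificate passes cleanly until it approaches expiry. Passing `now` explicitly keeps the result reproducible when the check is used in a scheduled job that re-validates the ORPS certificate.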




