The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

["Hadlow, Tim" <Tim.Hadlow AT bl.uk>]

Thanks Stefan,

Using the 'Check realm reachability' feature and Live login tests with the 
'Real (inner) username' and password completed with valid credentials and the 
' Anonymous outer ID (optional)' left blank the test apparently succeeds and 
the NPS logs show PEAP in phase 1 and 'Microsoft: Secured password 
(EAP-MSCHAP v2)' in phase 2.  The test does note that we are using a wildcard 
server certificate and "This can be problematic on some supplicants" so I did 
a bit more Googling and found a reference stating "The downside of wildcard 
certificate is that they are not currently supported by Microsoft Windows 
802.1X supplicants", I haven't yet been able to verify that but it would fit 
with your idea that it is actually the phase 1 server certificate validation 
that is the problem. I'll try to get the server manager to replace the 
certificate and have another go then.

Thanks,

Tim
-----Original Message-----
From: Stefan Winter 
[mailto:stefan.winter AT restena.lu]
Sent: 29 April 2016 10:03
To: Hadlow, Tim; 
'cat-users AT lists.geant.org'
Subject: Re: [[cat-users]] CAT admin login through social networks

Hi,

> Using a CAT installer eduroam profile for Windows 8 against our ORPS
> authentication fails. Our ORPS is Microsoft NPS so local
> authentications require what on Android is described as “EAP method:
> PEAP” and “Phase 2
> authentication: MSCHAPV2”. When successful authentications go through
> they how in the event logs as “Authentication Type: PEAP” and “EAP Type:
> Microsoft Secured Password (EAP-MSCHAP v2)”
>
> Using CAT with the profile setting “Supported EAP types for this
> profile” set to only “PEAP-MSCHAPv2”, the Windows 8 and Windows 10
> installers it generated run quite happily but eduroam connections fail
> with the NPS event log messages showing “Authentication Type: PEAP”
> and “EAP Type: - ”, i.e. the Phase 2 authentication method appears not
> to be being configured.
>
> Can anyone who uses or knows about NPS offer guidance or suggestions
> on the CAT configuration of a profile to work with a Microsoft NPS
> Radius server?

I am by no means a NPS user, for from it. But I think I recall something on 
the list in that direction.

I believe the trick is to understand that the log message is quite 
misleadingly formulated: the "EAP Type: - " does not mean that a second phase 
is not configured; it's rather that the EAP conversation never proceeded to 
phase 2, so EAP didn't take place at all.

And that would mean the authentication attempt was aborted in phase 1 - which 
is server certificate validation and TLS tunnel setup.

Did you run the "Check realm reachability" with a valid outer ID yet (Profile 
-> Realm and Profile -> anonymous outer ID set)? It would fetch the server 
certificate and tell you if there's something odd in the certificate; that 
would be the most likely reason for failures at that stage.

Or, I'm completely wrong and am sending you onto the wrong track :-)

Greetings,

Stefan

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche 2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's 
key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66


******************************************************************************************************************
Experience the British Library online at www.bl.uk<http://www.bl.uk/>
The British Library’s latest Annual Report and Accounts : 
www.bl.uk/aboutus/annrep/index.html<http://www.bl.uk/aboutus/annrep/index.html>
Help the British Library conserve the world's knowledge. Adopt a Book. 
www.bl.uk/adoptabook<http://www.bl.uk/adoptabook>
The Library's St Pancras site is WiFi - enabled
*****************************************************************************************************************
The information contained in this e-mail is confidential and may be legally 
privileged. It is intended for the addressee(s) only. If you are not the 
intended recipient, please delete this e-mail and notify the 
postmaster AT bl.uk<mailto:postmaster AT bl.uk>
 : The contents of this e-mail must not be disclosed or copied without the 
sender's consent.
The statements and opinions expressed in this message are those of the author 
and do not necessarily reflect those of the British Library. The British 
Library does not take any responsibility for the views of the author.
*****************************************************************************************************************
Think before you print